Risk Management Services
WELCOME to all RMS’ guests to our first seminar addressing Risk Management Techniques.
Risk Management - Removing the Mystery
• “Insurance is no substitute for good risk management. Our approach to risk management is that if we ever have to make a claim under an insurance policy then in almost every case the business has failed in some way.”
• Andy Kirby, Group Insurance Risk Manager, Carillion plc.
Risk Management - Removing the Mystery
A Practical Introduction to Risk Management and Enterprise Risk Management
Ray Mattholie, CRM, FIIRM, FCII
Oman, March 2015
Risk Management - Removing the Mystery: Agenda
• The story of RM
• The story and overview of ERM
• The story of REM
  – Case studies and anecdotes
• Outlining a model ERM program
• Applying the principles of RM to insurance and risk financing
• Conclusions and Q&A
The First Risk Manager?
“It is not about predicting the future, but about being prepared for it.”
Pericles, Greek statesman, ~500BC

The First Risk Manager
Douglas Barlow, 1907-1998
Hazard Risk Management Process
• Risk Control
• Risk Evaluation
• Risk Financing
The Total Cost of Risk
• Insurance
• Uninsured losses
• Risk mitigation
• Admin costs
Famous Risk Quotes - FRQs
‘All Management is Risk Management’
– Douglas Barlow
The 6 Decades of RM
• 60’s - The First Risk Manager
• 70’s - Captives blossom
• 80’s - Risk Management as a profession
• 90’s - Wider adoption of RM
• 00’s - Enterprise Risk Management
• 10’s - Strategic Risk Management…?
FRQs
• Jerry: ‘What makes them think you are a risk management expert?’
• George: ‘I guess it’s on my resumé.’
The 5 Decades of REM
• Chemicals – 1972-1991
• Communications – 1992-2003
• Conglomerate – 2003-2007
• Consultant – 2008-?
Definitions
• Risk is:
  – something that impacts on objectives
• Risk Management is:
  – “A logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating risks in a way that will enable organisations to minimise risk and maximize opportunities”
危機 (the Chinese word for ‘crisis’)
ERM Defined
• ERM is:
  – A comprehensive, organization-wide set of processes and procedures used to document and manage risk. This process takes into account an organization’s strategic goals as well as its operational goals, including an understanding of the current internal control environment.
ERM Described
• A risk-based approach to managing an enterprise, integrating concepts of internal control (the Sarbanes-Oxley Act) and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny of the risk management processes of companies.
The Holistic View of Risk
Enterprise Risk:
• Financial Risk
• Strategic Risk
• Operational Risk
• Hazard Risk
Defining Enterprise
1. Project or undertaking, especially one that requires boldness or effort;
2. Participation in such projects;
3. Readiness to embark on new ventures; boldness or energy;
4. Initiative in business - the enterprise culture;
5. A company or firm.
Enterprise-wide? Enterprise-wise?
FRQ
• “People can dismiss enterprise-wide risk management but to our thinking, that’s just putting your head in the sand”
– Rick Buy, EVP & Chief Risk Officer, Enron
Major steps in the growth of ERM
• 2002 - Sarbanes-Oxley (‘Public Company Accounting Reform and Investor Protection Act’) - response to major accounting scandals: Enron, WorldCom, Tyco etc.
• 2004 - COSO (Committee of Sponsoring Organizations) issued ‘ERM - Integrated Framework’
• 2007 - SEC guidance: ‘top down’ risk assessment
• 2007 - S&P reviews RM in corporate debt ratings for financial companies, and in…
• 2009 - S&P begins to review RM in rating all companies
• 2009 - ISO 31000 International RM Standard
COSO Framework (diagram)
‘A structured approach to ERM and the requirements of ISO 31000’
• Risk has an upside and a downside
• What RM involves
• How it should be implemented
• What it can achieve:
  – Compliance with governance requirements
  – Assurance to ‘stakeholders’
  – Improved decision making (= risk taking!)
Risk Management Process - 7 Rs and 4 Ts
• Recognition or identification of risks
• Ranking or evaluation of risks
• Responding to significant risks:
  – Tolerate
  – Treat
  – Transfer
  – Terminate
• Resourcing controls
• Reaction planning
• Reporting and monitoring risk performance
• Reviewing the risk management framework
Steps in Implementing ERM
• Board mandate and commitment
• RM policy - updated regularly
• RM procedures - risk assessment in all strategy papers and projects
• Risk appetite and tolerances
• Establishing a Risk Register
Risk Register ‘musts’
• Reflects views of the Executive
• Constantly reviewed and updated
• Every risk has an owner
• ‘Heat Map’ impact and likelihood ratings
• Clear definitions of ratings
• Mitigation measures identified
• Inherent and residual risk
• Regular reporting to Board/Audit Committee
FRQs
• ‘It takes about 20 years to build a reputation and 5 minutes to ruin it…’
– Warren Buffett
Risk Register ‘desirables’
• Reputational risk
• Risk appetite
• Risk tolerance
• Risk velocity
• Emerging risks
FRQ
• ‘There are known knowns. These are things we know that we know. There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.’
– Donald Rumsfeld
WEF Global Risks Review - 2015 results
Likelihood:
• Interstate conflict
• Extreme weather events
• Failure of national governance
• State collapse or crisis
• Unemployment or underemployment
• Natural catastrophes
• Failure of climate-change adaptation
• Water crises
• Data fraud or theft
• Cyber attacks
Impact:
• Water crises
• Weapons of mass destruction
• Interstate conflict
• Energy price shock
• Failure of climate-change adaptation
• Fiscal crises
• Unemployment/underemployment
• Biodiversity loss and ecosystem collapse
• Spread of infectious diseases
• Critical information infrastructure breakdown
FRQs
• ‘A black swan is by definition a surprise. Nevertheless, people tend to concoct expectations for them after the fact’
– Nassim Nicholas Taleb
Creating a Risk Register
• Creating a greater awareness of key risks
• Worst case scenarios - specific, not generic
• Strategic focus - what could impact objectives
• Starting the risk mapping process

Risk Summary Report, 11 October 2011, XYZ Inc., Categories: All (sample report pages)
RRR - Risk ‘Dashboard’
Likelihood bands (chance of occurring in a year):
• Less than 4% (an event that occurs once in the life span of a human being)
• 4% - 5% (occurs once/twice in a working life)
• 10% - 29% (an event that occurs once/twice in a 10-year period)
• 30% - 49% (occurs once/twice every 3 years)
• 50% - 69% (occurs once/twice every 2 years)
• 70% and above (occurs once per year)
Net impact bands (£ of PBT):
• £0 - £0.1M
• £0.11M - £0.25M
• £0.26M - £0.75M
• £0.76M - £1.5M
• £1.51M - £5.0M
• £5.01M - £10M
• £10.01M - £25M
• More than £25M
Risks plotted (Likelihood x Net Impact):
• Control of Working Capital
• Uncompetitive Cost Base
• Management of Markets
• Structure of the Business
• Misappropriation of Assets
• Corporate Governance
• Business Process Management
• Loss of Site
• Major Litigation (excl. E&O)
• Employee Engagement
• Money Laundering
• Employee Retention
• Key Employees Dependency
• Bribery & Corruption
• E&O Claims
• Information Security
• Loss of IT
• IT Infrastructure
• Failure to Deliver Growth
• Financial Reporting
• Change Management
• Service from Outsource Providers
Key: direction of travel; new/emerging risks; connected risks.
Appetite shell key: Within Appetite; Outside Appetite; Significantly Outside Appetite; Appetite not Rated; Below Appetite limits.
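The dashboard rates every risk on a likelihood band and a net-impact band, plots the result on a heat map and colours it against appetite; the tolerance statements later in the deck attach KRI limits to the top risks. As an added illustration that is not part of the original deck, the Python below applies the slide's band thresholds (lower bounds for likelihood, inclusive upper bounds for impact), places each risk's residual rating on a 6 x 8 heat map, compares the residual score (likelihood rating x impact rating) with a per-risk appetite limit, reports direction of travel against the previous review and flags KRI readings over their limit. The risk names are taken from the slide; every figure, owner, appetite limit, KRI reading and the 0.5/1/2 ratio cut-offs used for the appetite shell are constructed assumptions, since the deck gives the categories but not the cut-offs.

```python
from bisect import bisect_left, bisect_right
from dataclasses import dataclass, field
from typing import Optional

# Likelihood bands (% chance of occurring in a year) as lower bounds, from the
# dashboard key: <4%, 4%+, 10%+, 30%+, 50%+, 70%+  ->  ratings 1..6
LIKELIHOOD_LOWER = [4, 10, 30, 50, 70]
# Net impact bands (£m of PBT) as inclusive upper bounds, from the dashboard key:
# 0-0.1, 0.11-0.25, 0.26-0.75, 0.76-1.5, 1.51-5, 5.01-10, 10.01-25, >25  ->  ratings 1..8
IMPACT_UPPER = [0.1, 0.25, 0.75, 1.5, 5.0, 10.0, 25.0]


def likelihood_rating(pct_per_year: float) -> int:
    """Map a % chance per year onto the 1..6 likelihood scale."""
    return bisect_right(LIKELIHOOD_LOWER, pct_per_year) + 1


def impact_rating(gbp_m: float) -> int:
    """Map a net impact in £m of PBT onto the 1..8 impact scale."""
    return bisect_left(IMPACT_UPPER, gbp_m) + 1


def score(point) -> int:
    """Heat-map score = likelihood rating x impact rating (1..48)."""
    pct, gbp_m = point
    return likelihood_rating(pct) * impact_rating(gbp_m)


@dataclass
class Risk:
    name: str
    owner: str
    inherent: tuple            # (pct/year, £m) before controls
    residual: tuple            # (pct/year, £m) after controls
    last_review: tuple         # residual at the previous review, for direction of travel
    appetite_limit: Optional[int] = None       # max tolerable residual score; None = not rated
    kris: dict = field(default_factory=dict)   # KRI name -> (current reading, limit)


def appetite_status(risk: Risk) -> str:
    """Appetite shell category from the dashboard key. The ratio cut-offs (0.5, 1, 2)
    are an assumption made for this example."""
    if risk.appetite_limit is None:
        return "Appetite not Rated"
    ratio = score(risk.residual) / risk.appetite_limit
    if ratio < 0.5:
        return "Below Appetite limits"
    if ratio <= 1:
        return "Within Appetite"
    if ratio <= 2:
        return "Outside Appetite"
    return "Significantly Outside Appetite"


def direction_of_travel(risk: Risk) -> str:
    now, before = score(risk.residual), score(risk.last_review)
    return "worsening" if now > before else "improving" if now < before else "stable"


def kri_breaches(risk: Risk) -> list:
    """KRIs whose current reading exceeds the limit set in the tolerance statement."""
    return [name for name, (reading, limit) in risk.kris.items() if reading > limit]


def heat_map(risks):
    """6 x 8 grid (rows = likelihood 1..6, cols = impact 1..8) of risk names by residual rating."""
    grid = [[[] for _ in range(8)] for _ in range(6)]
    for r in risks:
        pct, gbp_m = r.residual
        grid[likelihood_rating(pct) - 1][impact_rating(gbp_m) - 1].append(r.name)
    return grid


def dashboard(risks):
    """Ranked register rows, highest residual score first (ties keep register order)."""
    rows = []
    for r in sorted(risks, key=lambda r: score(r.residual), reverse=True):
        rows.append({
            "risk": r.name, "owner": r.owner,
            "inherent": score(r.inherent), "residual": score(r.residual),
            "appetite": appetite_status(r), "trend": direction_of_travel(r),
            "kri_breaches": kri_breaches(r),
        })
    return rows


# Constructed sample register: names from the dashboard slide, every number invented.
SAMPLE_REGISTER = [
    Risk("Information Security", "CIO", (35, 8.0), (12, 3.0), (8, 3.0), 12,
         {"critical vulns unpatched > 30 days": (7, 5)}),
    Risk("Loss of IT", "CIO", (20, 12.0), (5, 1.2), (5, 1.2), 8,
         {"level 1 system downtime hours/year": (3, 4)}),
    Risk("Money Laundering", "Compliance Director", (6, 30.0), (2, 30.0), (2, 30.0), 3),
    Risk("Employee Retention", "HR Director", (75, 0.5), (55, 0.2), (55, 0.2)),
    Risk("Change Management", "COO", (30, 0.3), (10, 0.05), (12, 0.3), 8),
]

if __name__ == "__main__":
    for row in dashboard(SAMPLE_REGISTER):
        print(row)
```

Inherent and residual are both scored so the register shows what the controls buy; the heat map and appetite status are driven by the residual figure only, which is the ‘must’ the deck lists for board reporting.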
RRR - Risk ‘Radar’
Segments: Financial; Service and Markets; IT; People; Operations; Legal & Compliance; Strategic
Rings: Watching Brief; Risk Register/Dashboard; Impact
Risks plotted:
• Service from Outsource Providers
• Money Laundering
• Loss of IT
• IT infrastructure instability
• Failure to Deliver Growth
• Financial Reporting
• Major Litigation (excl. E&O)
• Business Process Management
• E&O Claims
• Bribery & Corruption
• Failure of Corporate Governance
• Information Security
• Business Interruption
• Change Management
• Employment Engagement
• Employee Retention
• Key Employees Dependency
• Management of Markets
• Misappropriation of Assets
• Inadequate Management of Working Capital
• Uncompetitive Cost Base
• Structure of Business
Completing a Risk Tolerance Statement - the process flow
1. Current ranked risk register
2. Top risks selected
3. Identify owners of each top risk
4. Tolerance Statements should be drafted by owners, which include:
   - Business objective
   - Risk tolerance
   - KRIs
   - KRI limits
5. Completed Tolerance Statements must be discussed by BU management (Note 1)
6. At regular risk management meetings, management will present for discussion:
   - Completed Risk Tolerance Statements for top risks
   - The Risk Tolerance Summary
7. Monitoring of KRIs
8. Reassess risks every 6 months and feed back into the risk register to repeat the cycle:
   - Residual risk
   - Tolerance
   - KRIs
Note 1: This will also require CEO/CFO signoff on the relevant business objectives.
Appendix 2: Mock-up Risk Tolerance Summary for the top risks (a hypothetical BU risk register)
Columns: Risk Event | Residual Risk Status (Insignificant, Minor, Moderate, Major or Catastrophic) | Risk Tolerance Level (VH, H, M, L or VL) | Description of Tolerance Level

Risk Event: e.g. Interruption to systems and network services
Residual Risk Status: Moderate
Risk Tolerance Level: VL
Description: The risk tolerance level is Very Low. We expect compliance on all group IT policies and can only tolerate a minimal system downtime (at most no more than 4 hours / year for level 1 and 10 hours / year for level 2 IT systems) provided there is full data restoration upon system recovery. (See Appendix 4)

Risk Event: e.g. Mass scale food poisoning / foreign objects / allergens in sold products
Residual Risk Status: Minor
Risk Tolerance Level: VL
Description: The risk tolerance is Very Low as such events have the potential to result in fatalities. As such the BU focuses heavily on this to avoid the risk through full compliance with our containment measures at all times and through continuous test checking on ingredients / dishes. We will accept no more than 5 minor reported incidents provided these do not result in public concerns. (See Worked example #3 on page 33)

Risk Event: e.g. Major investment of competitors on store expansion, upgrade, store revamp plus investment on advertising may reduce our market share.
Residual Risk Status: Moderate
Risk Tolerance Level: L
Description: Our risk tolerance is Low. Given that the competitors are backed by strong conglomerates, we will monitor them very closely. Our market share growth rate has been 10% over the last 5 years leading to our current share of 23%. Growth needs to be at 30% per annum to increase market share by our targeted 2%. We would not expect growth to be less than 20%. We will continuously monitor 1) the brand equity index, 2) the difference in the number of store openings / under re-modelings and 3) share-of-spending on advertising etc., and develop a response plan to achieve our objectives. (See Worked example #5 on page 35)
Case Study #1 - Chemicals
• Captive formed in 1920’s
• Bermuda captives in 1960’s
• Risk Engineering team
• Rating plan
• Responding to difficult-to-insure risks
• Insurance or Risk Management?
  – 1983-1991 Risk Manager, C-I-L Inc.
  – 1988 President of Ontario Chapter of RIMS
  – Risk Management ‘Evangelist’
FRQs
“The global demand for cars will never be above 1 million – simply because there are not enough chauffeurs” (Gottlieb Daimler, 1901)
“Nobody will be able to rise into the air with a metal airplane within the next 50 years” (Wilbur Wright, 1901)
“640k should be all that any application will ever need” (Bill Gates, 1981)
Case Study #2 - Communications
• Privatization - Maggie Thatcher’s legacy
• ‘POTS’ to dot.com
• Global ambitions
• Risk management challenges
• 3G licence auction
• Captive - continuous development
• Risk assessment is key
  – Business interruption
  – ‘e-Risks’
• Forming partnerships
• Communicating Risk Management
• Corporate governance - Turnbull
3G - Risk and Opportunity (diagram)
Corporate Governance in the UK
• The UK’s “Enrons” were in the 80’s
• ‘Turnbull’ / The Combined Code
• Code of Practice v Legislation
• “Effective Risk Management … key component of Corporate Governance”
Embedding Risk Management in BT
• Board Audit Committee driven
• Risk culture - RM as a core competence
• Group Risk Register - finding the next 3G
• Risk Management ‘Champion’
BT Group Risk Manager’s Role
• Job description agreed with BAC:
  – To create a risk aware culture
  – To develop a Centre of Excellence for managing risks
  – To establish and maintain an effective process for identifying, evaluating and managing key risks
• Reporting to Finance Director
• Access to Main Board
BT Group Risk Register - Risk Review Panel Members
• Group Risk Manager (Chair)
• Group Chief Internal Auditor
• Company Secretary
• Director, Group Financial Control
• Group Treasurer
• Director, Human Resource Strategy
• Chief Information Officer
• Manager, Strategic Planning
• Manager, Corporate Finance
• Director of Security
BT Group Risk Register
• Risk Panel
• Management Council
• Board
• Board Audit Committee
FRQ’s
“The willingness to take risk is essential… (if all) invested only in risk-free assets, the potential for business growth would never be realized”
– Alan Greenspan, 1994
Jardine Matheson Group
Jardine Lloyd Thompson Group plc
Risk Management of Jardine
• “Risk Aware, not Risk Averse”

Quote from the Taipan…
• “We have the ability to identify and nurture the right people with the skills to build our businesses; and we are ready to take calculated risks and make bold decisions.”
– Anthony Nightingale, 2011 Annual Address to Senior Executives of JM
Role of Group Risk Management in JLT
Across Financial, Strategic, Operational and Hazard Risk (the Enterprise Risk view):
• Coordinating Group Risk Financing
• Championing “best practice” Risk Management

Championing “Best Practice” Risk Management
• RM Committees
• Report to Board
• ERM Steering Group
• Captive Audit and Risk
• Risk Forum
ERM in JM
• Is not:
  – Regulatory driven
  – Bureaucratic
  – “One size fits all”
• Is:
  – Business owned
  – Emphasis on “Enterprise”
  – Work in progress
Case Study #4 - Consultant
• RM Risk Management Limited
  – Independent consultancy
  – Risk Management reviews
• Non-executive Directorships
  – JLT Canada
  – Lockhart Insurance, Bermuda
• Chair of Audit and Risk Committees
Case Study #4: NED = ‘Creative Contributor’
• Role of the Non-Executive Director
• Cadbury Report 1992: ‘they should bring an independent judgment to bear on issues of strategy, performance, and resources including key appointments and standards of conduct’
• Functions of the NED:
  – Independence
  – Impartiality
  – Wide experience
  – Specialist knowledge
  – Personal qualities
Case Study #4: Audit & Risk Committee
• Composition:
  – Depends on corporate status and jurisdiction, but the common theme is a requirement for independent non-executive directors
• Responsibilities and roles:
  – Oversight of financial reporting and accounting
  – Oversight of the external auditor
  – Oversight of regulatory compliance
  – Monitoring effectiveness of the internal control process
  – Oversight of risk management, including the Risk Register
Developing a Risk Management Strategy
• Gaining consensus with internal partners - the Virtual Team
• Aligning with strategic objectives - emphasis on Enterprise
• Implementing as part of overall ERM - keep it simple!
• Communicating internally & externally - championing ‘best practice’
FRQs
• “The policy of being too cautious is the greatest risk of all”
– Jawaharlal Nehru
Why Enterprise Risk Management is Important
• Company policy?
• Corporate governance?
• Stakeholder expectations?
• Reducing insurance costs?
• Avoiding uninsured losses?
• Taking the right risks
FRQs
• ‘Only those who risk going too far can possibly find out how far one can go’
– T.S. Eliot
Conclusions – Cultivating the Culture of ERM
• Command - commitment from the top
• Collaborative - committee or Steering Group, the ‘virtual team’
• Continuity - ongoing development & refinement; avoiding ‘Risk Fatigue’
• Communication & Clarity - keep it simple and clearly understood
• Customization - fitting with the corporate culture
• Contribution - to Strategic Focus and Planning
Risk Management - Removing the Mystery: Agenda
• The story of RM
• The story and overview of ERM
• The story of REM
  – Case studies and anecdotes
• Outlining a model ERM program
• Applying the principles of RM to insurance and risk financing
• Conclusions and Q&A
Exercise
Consider what you have heard so far on RM and ERM, and think of ways it could support your approach to risk financing and insurance purchase, including:
• Making decisions on risk retention
• Marketing insurance renewals
• Choosing insurers, brokers and consultants
FRQs
• ‘There are worse things in life than death. Have you ever spent an evening with an insurance salesman?’
– Woody Allen
(Speaker note: consider introducing a break-out exercise at this stage during the Day 2 event for clients and prospects.) Possible topic:
Consider what you have heard so far on RM and ERM, and think of ways it could support your approach to risk financing, insurance purchase and risk retention.
Coordinating Group Risk Financing
• Informed risk retention
• Long term relationships with insurers
• Strategic partnership with brokers/consultants
• Proactive approach to claims
Informed risk retention
• Risk evaluation
  – Effective risk identification, quantification and control provides confidence to retain risk
• ‘Swapping $’ with insurers is short-termism
• Corporate cover should be aimed at significant balance sheet damage
• Those who understand and are prepared to retain their own risks are preferred customers
• Building a database of losses to focus risk control
Long term relationships with insurers
• Benefits:
  – Building their confidence in the quality of your risks
  – Lower admin costs = preferred customer status
  – Minimising impact of market volatility - more predictable cost
  – Loyalty will be rewarded in claims negotiations
• Key ways to build:
  – Know your underwriters
  – Invite them to visit your risks (beyond risk engineering)
  – Consider an annual renewal ‘Roadshow’
Strategic partnerships with brokers/consultants
• Thinking long term enables:
  – Investment in time and effort to build a true understanding of your business, its risks and culture
  – Development of effective long term risk financing strategies
  – Creation of innovative solutions
  – Tailoring of policy wordings to your needs
  – Exploring wider services - e.g. risk management
  – Strong support in major claims or disputes
Strategic partnerships with brokers/consultants
• Separate reviews/RFPs for broker appointments from marketing to insurers
  – Don’t just choose on price
  – Look for the range of services offered and innovation
  – Think 5 year terms (3 years minimum)
  – Do they have the expertise in Oman?
• Managing the relationship
  – Clear understanding of role and timelines
  – Consider a ‘Service Level Agreement’ (SLA)
  – Carry out stewardship reviews at least annually
Proactive approach to claims
• An often neglected aspect of insurance - this is, after all, why you buy it!
• If you can, choose your loss adjuster
• Establish a claims process - for major or minor claims
• Educate your organisation on claims reporting
• Track/monitor all claims (incl. ‘near misses’)
• Share experiences to drive future loss control
Conclusions
• RM should be about maximising opportunities
  – Be risk aware, not risk averse
• Keep it simple and relevant to the organisation
  – Avoid complicated processes and bureaucracy
• Remember that the origins of RM responded to Hazard or Insurable risk
  – Don’t take a short-term view
  – Understanding your risks enables creative, stable and long term risk financing solutions
  – Choose your Risk Partners wisely!
Thank you!
Ray Mattholie

Suggestions for Further Reading
• A structured approach to ERM and the requirements of ISO 31000 – Airmic publication
• Against the Gods: the remarkable story of risk – Peter L Bernstein
• The Black Swan – Nassim Nicholas Taleb
• Enterprise Risk Management for Dummies – RIMS Bookshop
• Taipan – James Clavell
• World Economic Forum Global Risk Review – www.weforum.org/docs/WEF_Global_Risks_Report15