WELCOME To all RMS’ Guests to our First Seminar Addressing Risk Management Techniques

Risk Management ServicesRisk Management Services

WELCOMETo all RMS’ Guests to our First Seminar Addressing

Risk Management Techniques.

Risk Management Services

Risk Management - Removing the Mystery Agenda

• “INSURANCE IS NO SUBSTITUTE FOR GOOD RISK MANAGEMENT. OUR APPROACH TO RISK MANAGEMENT IS THAT IF WE EVER HAVE TO MAKE A CLAIM UNDER AN INSURANCE POLICY THEN IN ALMOST EVERY CASE THE BUSINESS HAS FAILED IN SOME WAY”

• Andy Kirby: Group Insurance Risk Manager

Carillion plc.


Risk Management- Removing the MysteryA Practical Introduction to Risk Management and Enterprise Risk Management

Ray Mattholie- CRM, FIIRM, FCII

Oman, March 2015



• The story of RM• The story of ERM• The story of REM



• The story of RM• The story and Overview of ERM• The story of REM

– Case studies and anecdotes

• Outlining a model ERM Program• Applying the principles of RM to insurance and

risk financing• Conclusions and Q&A


The First Risk Manager?


The First Risk Manager?

“It is not about predicting the future, but about being prepared for it.”

Pericles, Greek statesman, ~500BC



The First Risk Manager

Douglas Barlow1907-1998


Hazard Risk Management Process

Risk Control

Risk Evaluation

Risk Financing


The Total Cost of Risk

• Insurance• Uninsured Losses• Risk Mitigation• Admin Costs


The Total Cost of Risk


Famous Risk Quotes- FRQs

‘All Management is Risk Management’

- Douglas Barlow


The 6 Decades of RM

• 60’s- The First Risk Manager• 70’s- Captives blossom• 80’s- Risk Management as a Profession• 90’s- Wider adoption of RM• 00’s- Enterprise Risk Management• 10’s- Strategic Risk Management….?


FRQs

• Jerry: ‘What makes them think you are a risk management expert?’

• George: I guess it’s on my resumé


The 5 decades of REM

• Chemicals– 1972-1991

• Communications– 1992-2003

• Conglomerate– 2003-2007

• Consultant– 2008- ?

http://en.wikipedia.org/wiki/Image:ICI.png

http://images.google.com.hk/imgres?imgurl=http://newsimg.bbc.co.uk/media/images/39061000/jpg/_39061235_newbt203.jpg&imgrefurl=http://news.bbc.co.uk/1/hi/business/3300409.stm&h=152&w=203&sz=12&hl=en&start=6&tbnid=EAj9JZyU8_eBTM:&tbnh=74&tbnw=99&prev=/images%3Fq%3DBT%2Blogo%26svnum%3D10%26hl%3Den%26lr%3D%26sa%3DG




Definitions

• Risk is: – something that impacts on objectives

• Risk Management is: – “A logical and systematic method of identifying,

analysing, assessing, treating, monitoring and communicating risks in a way that will enable organisations to minimise risk and maximize opportunities”

危機


ERM Defined

• ERM is:– A comprehensive, organization-wide set of

processes and procedures used to document and manage risk. This process takes into account an organization’s strategic goals as well as its operational goals including an understanding of the current internal control environment.


ERM Described

• A risk-based approach to managing an enterprise, integrating concepts of internal control, (the Sarbanes Oxley Act) and strategic planning. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.


The Holistic View of Risk

Financial Risk

StrategicRisk

OperationalRisk

HazardRisk

Enterprise Risk



Financial Risk

StrategicRisk

OperationalRisk

HazardRisk

Enterprise Risk


Defining Enterprise

1. Project or undertaking, especially one that requires boldness or effort;

2. Participation in such projects;

3. Readiness to embark on new ventures; boldness or energy;

4. Initiative in business- the enterprise culture;

5. A company or firm

Enterprise-Wide? Enterprise-wise?


FRQ

• “People can dismiss enterprise-wide risk management but to our thinking, that’s just putting your head in the sand”

– Rick Buy, EVP & Chief Risk Officer, Enron


Major steps in the growth of ERM

• 2002- Sarbanes Oxley ('Public Company Accounting Reform and Investor Protection Act' )-response to major accounting scandals Enron, WorldCom, Tyco etc.

• 2004- COSO (Committee of Sponsoring Organizations) issued ‘ERM- Integrated Framework’

• 2007- SEC Guidance ‘Top down’ risk assessment• 2007- S&P reviews RM in corporate debt ratings for

financial companies, and in…• 2009- S&P begins to review in rating all companies• 2009- ISO 31000 International RM Standard


COSO Framework


‘A structured approach to ERM and the requirements of ISO 31000’

• Risk has an upside and a downside • What RM involves• How should it be implemented• What it can achieve:

– Compliance with governance requirements– Assurance to ‘stakeholders’– Improved decision making (= risk taking!)


Risk Management Process-7 Rs and 4 Ts

• recognition or identification of risks• ranking or evaluation of risks• responding to significant risks

– tolerate– treat– transfer– terminate

• resourcing controls• reaction planning• reporting and monitoring risk performance• reviewing the risk management framework


Steps in Implementing ERM

• Board mandate and commitment• RM Policy- updated regularly• RM Procedures- Risk assessment in all

strategy papers and projects• Risk appetite and tolerances• Establishing a Risk Register


Risk Register ‘musts’

• Reflects views of Executive• Constantly reviewed and updated• Every risk has an owner• ‘Heat Map’ Impact and Likelihood ratings• Clear definitions of ratings• Mitigation measures identified• Inherent and Residual• Regular reporting to Board/Audit Committee


FRQs

• ‘It takes about 20 years to build a reputation and 5 minutes to ruin it…’

– Warren Buffett


Risk Register ‘desirables’

• Reputational Risk• Risk appetite• Risk tolerance• Risk velocity• Emerging risks


FRQ

• ‘There are known knowns. These are things we know that we know.There are known unknowns. That is to say, there are things that we know we don't know. But there are also unknown unknowns. There are things we don't know we don't know.’

– Donald Rumsfeld


WEF Global Risks Review- 2015 results

Likelihood• Interstate conflict • Extreme weather events• Failure of national governance• State collapse or crisis • Unemployment or

underemployment• Natural catastrophes• Failure of climate-change

adaptation• Water crises• Data fraud or theft• Cyber attacks

Impact• Water crises• Weapons of mass destruction• Interstate conflict• Energy price shock• Failure of climate-change

adaptation• Fiscal crises• Unemployment/underemployment• Biodiversity loss and ecosystem

collapse• Spread of infectious diseases• Critical information infrastructure

breakdown


FRQs

• ‘A black swan is by definition a surprise. Nevertheless, people tend to concoct expectations for them after the fact’

– Nassim Nicholas Taleb


Creating a Risk Register

• Creating a greater awareness of key risks• Worst case scenarios – specific, not generic• Strategic focus - what could impact objectives• Starting the risk mapping process


Risk Summary Report 11 October 2011XYZ IncCategories: All


Risk Summary Report 11 October 2011XYZ Inc.Categories: All


Risk Summary Report 11 October 2011XYZ Inc.Categories: All


RRR- Risk ‘Dashboard’

70% & >chance occurring in a year (occur once per year)

30% - 49% chance occurring in a year (occurs

once/twice every 3 yrs.)

10% - 29% chance occurring in a year (an event that

occurs once/twice in a 10yr period )

Control of Working Capital

Uncompetitive Cost Base

Management of Markets

Structure of the Business

Misappropriation of Assets

Corporate Governance

Business Process

Management

Loss of Site

Major Litigation

(excl. E&O)

Employee Engagement

Money Laundering

Employee Retention

Key Employees

Dependency

= Direction of travel= New/Emerging Risks = Connected Risks

Appetite Shell Key = Within Appetite = Outside Appetite = Significantly Outside Appetite = Appetite not Rated= Below Appetite limits

£10.01M - £25M of PBT

Less than 4% chance occurring in a year (an event that occurs once in life span

of a human being)

4% - 5% chance occurring in a year (occurs once/twice of

working life)

50% - 69% chance occurring in a year (occurs once/twice

every 2 yrs.)

£0 - £0.1m of PBT

>£25M of PBT£0.11M - £0.25M of PBT

£0.26m - £0.75m of PBT

£0.76M - £1.5M of PBT

£1.51M - £5.0M of PBT

£5.01M - £10M of PBT

Net Impact

Likelihood

Bribery & Corruption

E&O Claims

Information Security

Loss of ITIT

Infrastructure

Failure to Deliver Growth

Financial Reporting

Change Management

Service from Outsource Providers


RRR- Risk ‘Radar’

FINANCIAL

SERVICE AND MARKETS

IT

PEOPLE

OPERATIONS

LEGAL & COMPLIANCE

STRATEGIC

Watching Brief

Risk Register/Dashboard Impact

Service from Outsource Providers

Money Laundering

Loss of IT

IT infrastructure instability

Failure to Deliver Growth

Financial Reporting

Major Litigation (excl E&O)

Business Process Management

E&O Claims

Bribery & Corruption

Failure of Corporate Governance

Information Security

Business Interruption

Change Management

Employment Engagement

EmployeeRetention

Key Employees Dependency

Management of Markets

Misappropriation of Assets

Inadequate Management of working Capital

Uncompetitive Cost Base

Structure of Business

Risk Management Services41

3. Identify owners of each top

risk

6. At regular risk management meetings, management will present for discussion:- Completed Risk

Tolerance Statements for top risks

- The Risk Tolerance Summary

8. Reassess risks every 6 months and feedback into the risk register to repeat the cycle:- Residual

risk- Tolerance- KRIs

4. Tolerance Statements should be drafted by owners which include:- Business

objective- Risk tolerance- KRIs- KRIs limit

7. Monitoring of KRIs

1. Current ranked

risk register

2. Top risks

selected

5. CompletedNote1

Tolerance Statements

must be discussed by

BU management

Note 1: This will also require CEO/CFO signoff on the relevant business objectives

Completing a Risk Tolerance Statement – the process flow

Risk Management Services42

Appendix 2Mock up Risk Tolerance Summary for the top risks (A hypothetical BU risk register)

Risk Event Residual Risk Status(Insignificant, Minor, Moderate, Major or

Catastrophic)

Risk Tolerance Level(VH, H, M, L or VL)

Description of Tolerance Level

E.g. Interruption to systems and network services

Moderate VL

The risk tolerance level is Very Low. We expect compliance on all group IT policies and can only tolerate a minimal system downtime (at most no more than 4 hours / year for level 1 and 10 hours / year for level 2 IT systems) provided there is full data restoration upon system recovery. (See Appendix 4)

E.g. Mass scale food poisoning / foreign objects/ allergens in sold products

Minor VL

The risk tolerance is Very Low as such events have the potential to result in fatalities. As such the BU focuses heavily on this to avoid the risk through full compliance with our containment measures at all times and through continuous test checking on ingredients / dishes. We will accept no more than 5 minor reported incidents provided these do not result in public concerns. (See Worked example #3 on page 33)

E.g. Major investment of competitors on store expansion, upgrade, store revamp plus investment on advertising may reduce our market share.

Moderate L

Our risk tolerance is Low. Given that the competitors are backed by strong conglomerates, we will monitor them very closely. Our market share growth rate has been 10% over the last 5 years leading to our current share of 23%. Growth needs to be at 30% per annum to increase market share by our targeted 2%. We would not expect growth to be less than 20%.We will continuously monitor the 1) brand equity index, 2) the difference in the number of store openings / under re-modelings and 3) share-of-spending on advertising etc., and develop a response plan to achieve our objectives. (See Worked example #5 on page 35)













Case Study #1 - Chemicals

• Captive formed in 1920’s• Bermuda Captives in 1960’s• Risk Engineering team• Rating plan• Responding to difficult to insure risks• Insurance or Risk Management?


Case Study #1- Chemicals

• Insurance or Risk Management?• 1983-1991 Risk Manager C-I-L inc• 1988 President of Ontario Chapter of RIMS• Risk Management ‘Evangelist’












“The global demand for cars will never be above 1 million – simply because there are not enough chauffeurs”

(Gottlieb Daimler, 1901)

“Nobody will be able to rise into the air with a metal airplane within the next 50 years”

(Wilbur Wright, 1901)

“640k should be all, that any application will ever need”

(Bill Gates, 1981)

FRQs

http://images.google.com.hk/imgres?imgurl=http://www.microsoft.com/presspass/images/gallery/execs/web/gates-2.jpg&imgrefurl=http://www.microsoft.com/billgates/bio.asp&h=840&w=600&sz=136&hl=en&start=1&tbnid=QTP5Hbhx7_3soM:&tbnh=143&tbnw=102&prev=/images%3Fq%3DBill%2BGates%26ndsp%3D20%26svnum%3D10%26hl%3Den%26lr%3D%26sa%3DN


Case Study #2 - Communications

• Privatization – Maggie Thatcher’s legacy• ‘POTS’ to dot.com• Global ambitions• Risk management challenges• 3G licence auction


Case Study #2 - Communications

• Captive – Continuous development• Risk assessment is key

– Business interruption– ‘e-Risks’

• Forming partnerships• Communicating Risk Management• Corporate governance - Turnbull


3G - Risk and Opportunity


Corporate Governance in the UK

• UK’s “Enrons” were in the 80’s• ‘Turnbull’ / The Combined Code• Code of Practice v Legislation• “Effective Risk Management ….. Key

component of Corporate Governance”


Embedding Risk Management in BT

• Board Audit Committee driven• Risk culture RM as core competence• Group Risk Register Finding the next 3G• Risk Management ‘Champion’


BT Group Risk Manager’s Role

• Job Description agreed with BAC– To create a risk aware culture– To develop a Centre of Excellence for managing

risks– To establish and maintain an effective process for

identifying, evaluating, managing key risks

• Reporting to Finance Director• Access to Main Board


BT Group Risk RegisterRisk Review Panel Members

• Group Risk Manager (Chair)

• Group Chief Internal Auditor

• Company Secretary• Director, Group

Financial Control• Group Treasurer

• Director, Human Resource Strategy

• Chief Information Officer

• Manager, Strategic Planning

• Manager, Corporate Finance

• Director of Security


BT Group Risk Register

Risk Panel

Management Council

Board

Board Audit Committee


The willingness to take risk is essential……..(if all) invested only in risk-free assets, the potential for business growth would never be realized”

Alan Greenspan, 1994

FRQ’s

http://images.google.com.hk/imgres?imgurl=http://www.scoop.co.nz/stories/images/0209/be85891cfe786e8db81a.jpeg&imgrefurl=http://www.scoop.co.nz/stories/HL0209/S00081.htm&h=304&w=230&sz=11&hl=en&start=68&tbnid=fQwCvGPDbIxz_M:&tbnh=112&tbnw=84&prev=/images%3Fq%3DAlan%2BGreenspan%26start%3D60%26ndsp%3D20%26svnum%3D10%26hl%3Den%26lr%3D%26sa%3DN
















Jardine Matheson

Group

Jardine Lloyd Thompson Group plc



Risk Management of Jardine

• “Risk Aware, not Risk Averse”



Quote from the Taipan…

• “We have the ability to identify and nurture the right people with the skills to build our businesses; and we are ready to take calculated risks and make bold decisions.”– Anthony Nightingale, 2011 Annual

Address to Senior Executives of JM




Financial Risk

StrategicRisk

OperationalRisk

HazardRisk

Enterprise Risk


Role of Group Risk Management in JLT

Financial Risk

StrategicRisk

OperationalRisk

HazardRisk

Enterprise Risk

Coordinating Group Risk

Financing

Championing “best practice”

Risk Management


Championing “Best Practice” Risk Management

• RM Committees• Report to Board• ERM Steering Group• Captive Audit and Risk• Risk Forum

Financial Risk

StrategicRisk

OperationalRisk

HazardRisk

Enterprise Risk

Coordinating Group Risk Financing


Risk Management




ERM in JM

• Is Not:– Regulatory driven– Bureaucratic– “One size fits all”

• Is:– Business owned– Emphasis on “Enterprise”– Work in progress













Case Study # 4- Consultant

• RM Risk Management Limited– Independent consultancy– Risk Management reviews

• Non executive Directorships– JLT Canada– Lockhart Insurance, Bermuda

• Chair of Audit and Risk Committees


Case Study # 4: NED=‘Creative Contributor’

• Role of the Non-Executive Director• Cadbury Report 1992 ‘they should bring an

independent judgment to bear on issues of strategy, performance, and resources including key appointments and standards of conduct’

• Functions of the NED– Independence– Impartiality– Wide experience– Specialist knowledge– Personal qualities


Case Study # 4: Audit & Risk Committee

• Composition:– Depends on corporate status and jurisdiction, but

common theme is requirement of independent non-executive directors

• Responsibilities and roles: – Oversight of financial reporting and accounting– Oversight of the external auditor– Oversight of regulatory compliance– Monitoring effectiveness of internal control process – Oversight of risk management



Case Study # 4: Audit & Risk Committee

• Composition:– Depends on corporate status and jurisdiction, but

common theme is requirement of independent non-executive directors

• Responsibilities and roles: – Oversight of financial reporting and accounting– Oversight of the external auditor– Oversight of regulatory compliance– Monitoring effectiveness of internal control process – Oversight of risk management- incl Risk Register



Developing a Risk Management Strategy

• Gaining consensus with internal partners – The Virtual Team

• Aligning with strategic objectives– Emphasis on Enterprise

• Implementing as part of overall ERM

• Communicating internally & externally





• Implementing as part of overall ERM – Keep it simple!

• Communicating internally & externally





• Implementing as part of overall ERM – Keep it simple!

• Communicating internally & externally– Championing ‘best practice’


FRQs

• “The policy of being too cautious is the greatest risk of all”

– Jawaharlal Nehru


Why Enterprise Risk Management is Important

• Company policy?

• Corporate governance?

• Stakeholder expectations?• Reducing insurance costs?• Avoiding uninsured

losses?• Taking the right risks


FRQs

• ‘Only those who risk going too far can possibly find out how far one can go’

– T.S. Eliot


Conclusions – Cultivating the Culture of ERM

• Command• Collaborative

• Continuity

• Communication & Clarity• Customization• Contribution

• commitment from the top • committee or Steering Group,

the ‘virtual team’• ongoing development &

refinement • Avoiding ‘Risk Fatigue’• keep it simple and clearly

understood• fitting with the corporate

culture • to Strategic Focus and

Planning



Risk Management- Removing the Mystery Agenda

• The story of RM• The story and Overview of ERM• The story of REM

– Case studies and anecdotes

• Outlining a model ERM Program• Applying the principles of RM to insurance

and risk financing• Conclusions and Q&A


Exercise

Consider what you have heard so far on RM and ERM, and think of ways it could support your approach to risk financing and insurance purchase, including:

• making decisions on risk retention• Marketing insurance renewals• Choosing insurers, brokers and consultanants


FRQs

• ‘There are worst things in life than death. Have you ever spent an evening with an insurance salesman?’

– Woody Allen


(Consider introducing a break-out exercise at this stage during Day 2 event for clients and prospects).Possible topic:

Consider what you have heard so far on RM and ERM, and think of ways it could support your approach to risk financing, insurance purchase and risk retention.



Hazard Risk Management Process

Risk Control

Risk Evaluation

Risk Financing



• Informed risk retention• Long term relationships with insurers• Strategic partnership with brokers/consultants• Proactive approach

to claimsFinancial

RiskStrategic

Risk

OperationalRisk

HazardRisk

Enterprise Risk



Risk Management



Informed risk retention

• Risk evaluation– Effective risk identification, quantification and

control provides confidence to retain risk• ‘Swapping $’ with insurers is short-termism• Corporate cover should be aimed at significant

balance sheet damage• Those who understand and are prepared to retain their

own risks are preferred customers• Building a data base of losses to focus risk control



Long term relationships with insurers

• Benefits:– Building their confidence in quality of your risks– Lower admin costs = preferred customer status– Minimising impact of market volatility- more

predictable cost– Loyalty will be rewarded in claims negotiations

• Key ways to build:– Know your underwriters– Invite to visit your risks (beyond risk engineering)– Consider annual renewal ‘Roadshow’



Strategic partnerships with brokers/consultants

• Thinking long term enables:– Investment in time and effort to build a true

understanding of your business, its risks and culture– Development of effective long term risk financing

strategies– Creation of innovative solutions– Tailoring of policy wordings to your needs– Exploring wider services- e.g. risk management – Strong support in major claims or disputes



Strategic partnerships with brokers/consultants

• Separate reviews/RFPs for broker appointments from marketing to insurers– Don’t just choose on price– Look for range of services offered and innovation– Think 5 year terms (3 yrs minimum)– Do they have the expertise in Oman?

• Managing the relationship– Clear understanding of role and timelines– Consider a ‘Service Level Agreement’ (SLA)– Carry out stewardship reviews at least annually



Proactive approach to claims

• An often neglected aspect of insurance- this is after all why you buy it!

• If you can, choose your loss adjuster• Establish a claims process- for major or minor• Educate your organisation on claims reporting• Track/monitor all claims (incl ‘near misses’)• Share experiences to drive future loss control



Conclusions

• RM should be about maximising opportunities– Be Risk Aware, not risk averse

• Keep it simple and relevant to the organisation– Avoid complicated processes and bureaucracy

• Remember the origins of RM responded to Hazard or Insurable risk– Don’t take a short-term view– Understanding your risks enables creative, stable

and long term risk financing solutions


Conclusions

• RM should be about maximising opportunities– Be Risk Aware, not risk averse

• Keep it simple and relevant to the organisation– Avoid complicated processes and bureaucracy

• Remember the origins of RM responded to Hazard or Insurable risk– Don’t take a short-term view– Understanding your risks enables creative, stable

and long term risk financing solutions– Choose your Risk Partners wisely!


Thank you!Ray Mattholie

[email protected]



Suggestions for Further Reading

• A structured approach to ERM and the requirements of ISO 31000– Airmic publication

• Against the Gods- the remarkable story of risk– Peter L Bernstein

• The Black Swan– Nassim Nicholas Taleb

• Enterprise Risk Management for Dummies– RIMS Bookshop

• Taipan– James Clavell

• World Economic Forum Global Risk Review– www.weforum.org/docs/WEF_Global_Risks_Report15

Documents

WELCOME To all RMS’ Guests to our First Seminar Addressing Risk Management Techniques