June 2013
Leading Risk Management Practices
Rob Newsome, Partner, PwC
Agenda
• Introduction
• Risk management objectives
• What does good risk management look like
• Building blocks to get there
• The risk appetite debate
• Implementation barriers of Risk Management
• Conclusion
Risk management objectives
Risk management is central to strategic management. It is the process by which risks are methodically addressed, focusing on the identification and treatment of risk
• to achieve maximum sustainable value to all aspects of the organisation, and
• to create better transparency and accountability for the operations of the organisation.
Risk management objectives
• Link growth, risk and returns
• Rationalise resources
• Exploit opportunities
• Reduce operational surprises and losses
• Report with greater confidence
• Satisfy legal and regulatory requirements
• Greater management comfort in decision-making
• Know the risks you take
• Be able to control your risks
• Create trust and credibility
• Focus on real issues
Legal requirements
1. In some countries there are legal requirements that give effect to risk management in corporation-level legislation or in specific regulatory provisions (Solvency II, Basel III, health and safety regimes)
2. Most corporate governance codes include risk management requirements
3. Risk management is a clear defence for proving compliance with fiduciary duties
What does good risk management look like?
What constitutes good risk management
1. Greater management comfort in decision making
2. Improving credit rating and cost of capital
3. Reducing insurance expenses
4. Reducing the overall cost of business contingency planning
5. Experiencing fewer loss events
6. Information and transparency on risks and opportunities
7. Assessment of management performance
8. Understanding the risk exposures
9. Leverage the response to SOX and internal audit
10. Developing and enhancing trust and credibility with stakeholders
11. Ensuring compliance with rules and regulations
Risk maturity
Example maturity assessment: number of ratings at each level (Basic / Developing / Developed / Advanced) per ERM element
ERM Element: ratings
Organisation and governance: 1, 3
Strategic Planning & Risk Appetite: 1, 2
Risk Policies and Standards: 2
Risk Identification & Representation: 1, 2
Risk Measurement & Reporting: 3, 1
Risk Communication & Escalation: 2, 3
Infrastructure: 2, 1
Stakeholder Disclosure: 1, 1
TOTAL: Basic 1, Developing 9, Developed 12, Advanced 4
S&P’s four-level scoring scale
Weak
• Limited capabilities to consistently identify, measure, and comprehensively manage risk exposures and thus limit losses.
• Sporadic execution of its risk-management program.
Adequate
• Manages risk in separate silos, but maintains complete control processes.
• Loss-/risk-tolerance guidelines less developed, but risk and risk management often considered.
Strong
• Demonstrates an enterprise-wide view of risks, but still focused on loss control.
• Risk and risk management usually important considerations in the firm's corporate judgement.
Excellent
• Demonstrates risk/reward optimisation.
• Well-developed capabilities to consistently identify, measure, and manage risk exposures and losses.
Per S&P, “Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,” May 7, 2008
Combined assurance
[Combined assurance map. Rows are processes: Strategic (Funding, Sustainability, Growth) and Operational (Treasury, Products and services, Finance). Columns are the three lines of defence assurance providers: first line of defence, Management (control self-assessment, management review, special project); second line of defence, risk and legal based assurance (ERM, SOX, Compliance); third line of defence, independent assurance (external audit, internal audit, special project). Each cell is rated Extensive assurance, Moderate assurance, Inadequate assurance or Not applicable; the ratings are shown by colour on the slide.]
Challenges facing Boards today
1. How do we integrate risk management with the corporation’s strategic direction and plan?
2. What are our principal business risks?
3. Are we taking the right amount of risk?
4. How effective are our processes for identifying, assessing and managing business risks?
5. How is risk coordinated across the organisation?
6. How do we ensure that the organisation is performing according to the business plan and within appropriate risk tolerances?
7. How does the Board help establish the “tone at the top” that reinforces the organisation’s values and promotes a “risk aware culture”?
Building blocks to get there
• Structures
• Frameworks
• Process for managing risks
• Responsibilities
Structures
[Structures diagram 1: governance hierarchy. Board of Directors; Audit Committee; Risk Committee; Exco; Group Risk Function; Group risk managers; Standards of good practice.]
[Structures diagram 2: risk management framework of a mining operation.
Governance: Risk Committee and Exco.
Risk categories: Human Resources; Technology and systems; Process/operational; Governance, compliance & regulatory; Financial.
Strategic and business risk: strategic risk registers (top risks per operation or division); external environment; country and political risk; operational site legal and commercial assessments; strategic.
Operational risk:
• Continuous / ongoing risk assessments: checklists in terms of the Mine Safety Management / Planned Maintenance Systems.
• Issue-based risk assessments / change management procedure: after an accident or when new equipment, methods or processes are introduced.
• Baseline risk assessments and risk profile: initial hazard identification and risk assessment of all HSEC hazards and risks on the site.
Foundation of risk management: risk culture.]
Frameworks referenced: King III, COSO II, ISO 31000.
Frameworks
The framework provides:
• A definition of enterprise risk management;
• The critical principles and components of an effective risk management process;
• Direction for organisations to use in determining how to enhance their risk management; and
• Criteria to determine whether their risk management is effective, and if not, what is needed.
Process for Managing Risks
[Risk management process diagram (the ISO 31000 process elements):
Establishing the context
Risk assessment: risk identification, risk analysis, risk evaluation
Risk treatment
Communication and consultation, and monitoring and review, run alongside every step.]
Risk and control owner responsibility for risk data and assessments
100 basis points; inherent risk; risk tolerance: need for a common rating scale
Drilling down into the risk: causes and consequences
• Preventive controls on causes
• Risk resilience on consequences
Please note the tabs for IAM
Alternate methodology is to derive inherent risk from residual risk and control effectiveness
Rating example:
• Impact = Extreme
• Inherent probability = Possible
• Residual risk = Low
• Risk tolerance = Zero
Black swan
Responsibilities
ERM Stakeholders
Board
Audit Committee
Risk Committee
Executive Committee
Risk Owner
Risk Management Function (Risk Manager)
Business Unit Risk Managers
Operational staff
Internal Audit and the Chief Audit Executive
Other Assurance Providers
Different models applied to risk management
3. Simple inherent vs. residual risk (on a 5×5 matrix)
4. HIRA (hazard identification and risk assessment)
5. Value at risk models using subjective criteria
6. Measurement of risk tolerance (target risk)
7. Loss events and near-miss integration
8. Value at risk models using statistical modelling techniques
9. Actuarial risk determination
Where risk management has worked and not worked – and why.....
• Wells Fargo Bank – avoiding the global credit crunch
• Global gold mining company – incident linking, yield improvement
• BP Gulf oil spill - abdication
• Sishen mineral rights - assumptions
• Newcastle furnace burn through - measurement
• Mining company forex – surprise?
• Logistics company – contract renewals, early completion of contract
• Black swans – contingencies planned – Hurricane Sandy
The risk appetite debate
Monetary value
Composite view
Profile view
Monetary value
20% Market cap
10% Assets
5 % Earnings for one event
15% Earnings for all events
Hurdle rates - a composite but usually limited by interest cover on loans
Gut feel – that just won’t fly with the board???
Meeting budget
Composite view (with permission from Goldfields)

Risk area | Aspirations | Tolerance level | Actual C2009 | Targets | Actual C2010 | x/√

Optimise our assets
Safety | Zero Harm | Zero Harm | 0.14 FIFR | Zero | 0.11 | x
 | | | 2.82 SIFR | 25% less | 2.22 | √
 | | | 3.31 LTFR | 25% less | 4.38 | x
 | | | 9.32 MTIFR | 25% less | 6.98 | √
Health | Zero Harm | Zero Harm | On track | 2013 milestones (Risk 11) | On track | √
Environment | Zero Harm | Zero level 4 and 5 incidents | Zero | Zero | Zero | √
Business plan delivery | 5M oz / 2015; NCE 25% | 95% compliance to business plan | 3.414; 15% | 3.6 Moz; NCE 15-20% | 3.6; 19% | √ √

Securing our future
Human Resources | Pipeline of scarce and critical skills | 60% successor cover ratio | 60% | | 50% | x
License to operate | Global leader in sustainable gold mining | Full compliance to all legal and social requirements | 100% | 100% | 100% | √
Ethics and Corporate Governance | Full compliance with SOX and substantial compliance with King III | No material / significant failures | Nil | Nil | Nil | √

Growing Gold Fields
Capital Projects | Project delivered on time / budget | 10-15% overrun | - | As per tolerance | South Deep; Athena; CCOGP | √; √; x
Mergers & Acquisitions | Proper assessment of risk and returns commensurate with the risk | IRR 5% Brownfield; IRR 10% Greenfield | - | As per tolerance | On track | √
Exploration | Appropriate balance between geological potential & political risk | Leaning towards greater geological potential in high risk areas | - | As per tolerance | On track | √
Profile view
Implementation Barriers of Risk Management
• Governance fatigue
• Lack of buy-in from management;
• Risk management is positioned as compliance;
• Ignorance;
• Risk is being managed in silos;
• Too many other “turn around” type strategies;
• Board v management tension;
• Past mistakes are overlooked; and
• There is no clear road map for improvement.
Conclusion
ERM is not
• A method to eliminate all risks or a guarantee that the organisation will avoid loss;
• A collection of longstanding and disparate practices nor a rigid set of rules to be followed under all circumstances;
• Limited to compliance and disclosure requirements;
• A replacement for internal controls;
• Identical for all companies in all sectors;
• Exactly the same from year to year; and
• A passing fad.
Thank you...
© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC.

"PwC" refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm's professional judgment or bind another member firm or PwCIL in any way.