ERM - A Case Study

AGENDA
• Client Background
• Introduction
• ERM - Business Drivers
• ERM - Approaches
• ERM - Implemented
• Lessons Learned

Background - Client
• A transnational BFSI BPO with operations in 6 countries and 8,500 people, with a turnover of $1.3 B
• Has a software development centre to support its own insurance and broking software, with 1,000 professionals in 5 countries
• Listed in the UK, so it needs to comply with the Turnbull recommendations
• Grew via acquisition, creating a complex structure and complex risks
Client has risks spread across multiple countries, with a challenge to manage and report them at Board level. Accountability and responsibility for risks spread over different units in different countries was not clear. There was no common process or framework for risk management.

Introduction
Enterprise Risk Management is:
• A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives [COSO Definition]

Business Drivers
• Client is a listed company and hence needs to adhere to the requirements of the Turnbull report and the Combined Code for corporate governance.
• Compliance with various contractual requirements and standards, and continual improvement of internal controls within Client's business, drive the need for Risk Management.
• Client had a Risk Register process as the method by which the key risks were identified and the means of controlling these risks were clearly documented and monitored. It was a bottom-up approach to identifying, documenting and managing risks. But it failed to get the required Board attention because it was non-strategic in nature and was not broad-based, with no inclusion of scenarios.

Current State
• Different businesses were managing risk differently, with no visibility of the group's objectives
• Accountability and responsibility for risks and their controls were not clearly defined
• Potential risks were identified and managed on an ad hoc basis, leading to a reactive approach and the potential for short-term solutions
• Risk awareness was low due to limited communication between management levels (Execs vs. Line Management) and across business/functional units. Risk was viewed as a negative topic and was not actively discussed
• Risk management activities were not prioritized and were not linked to strategy and/or the company's sources of value

Current State of Risk Management
• Client has a process called "Risk Register", a bottom-up approach to report, manage and monitor risks
• Client's risk register process is a structured process to ensure that key risks are identified, monitored, mitigated and, on an aggregated level, reported at each level of the organisation
• The risk register creates an accurate representation of the risk profile of the business. It provides a framework through which the risks facing the business, and the means of controlling those risks, are clearly documented and monitored
• The risk register demonstrates the company's risk appetite by flagging those areas where controls can be improved further to mitigate these risks

Risk Register - Explained in Detail

Group Risk Register
1. The group risk register contains the risks which are pervasive to the group as a whole and inventories the risks which are material from the group perspective
2. The group risk register is derived from the operating unit and sector risk registers, along with input from XMB members and Group performance function heads
3. The Group Risk Register is approved by the XMB and the Group Board

Regional (Sector) Risk Register
1. The sector or regional risk register is compiled from all the operating unit risk registers, which inventory all the risks that a sector as a whole faces
2. Along with the amalgamated operating unit risk register, the sector heads draft risks which are applicable to the sector as a whole
3. The sector risk register is approved by the sector head

Entity Level Risk Register
1. Each entity performs a risk assessment in its own operating unit
2. The operating unit risk register documents the key risks faced by the entity as well as the procedures and controls in place to mitigate them
3. The operating unit risk register is approved by the operating unit head

Risk Register - Example
Risk No: 1
Performance function/competency: Sales
Risk Owner: Head of Sales
Risk Source: Head of Sales
Date Raised: 8/12/2009
Business Objective: Revenue to meet annual objective of £xxx
Risk Title: Downturn puts pressure on achieving sales and profit targets
Description: There is an operational risk that we will not meet our sales targets for the year due to:
  - external market conditions
  - main target customer negatively impacted by downturn
  There is a probable impact on Revenue and EBIT of £1 million and £200k.
Root Cause: Economic conditions; lack of fast reaction to changing conditions
Inherent Risk: Consequence (1-4) 4, Likelihood (1-4) 4, Risk (1-16) 16
Mitigating Actions and Controls: Increased SMT meetings to focus on both sales and cost
Residual Risk: Consequence (1-4) 4, Likelihood (1-4) 3, Risk (1-16) 12
Embedded monitors/controls that help to reduce inherent risk: Monthly review with Group Finance team
Assurance over mitigating controls: Monthly review
Future actions for where residual scores are 8 or above: Defined offerings; Sales Collateral; the ability to leverage the new regional structure's customer base
Action Owner: SC person X
Early warning indicators, if relevant: Monthly reporting; Revenue and EBIT below budget
Action Due Date: 11/30/2009

Challenges of the Bottom-Up Risk Register Process
• The bottom-up risk approach was not getting appropriately connected to Board members due to its non-strategic nature, and the way risk was being measured was not linked to the company's objectives
• It was difficult to run scenarios to justify probability
• There was no linkage to value
• Client asked to create a better model
• Let's see the top-down one

Top-Down
• In a typical top-down risk management approach, Senior Management (CxOs), the audit committee, and often the Board members have the overall responsibility for assessing and managing risks
• The benefit of top-down risk management is that there is buy-in from Senior Management, and risk is mitigated and perceived from the top
• For top-down risk management to succeed, management should have clear and measurable strategic objectives and then identify the risks to those objectives
• Typically the risks to achieving the objectives are scenario based; depending on the probability of a scenario materializing and the impact it has on attainment of the objectives, controls are designed
• Out of the multiple risks and scenarios obtained from the risk management process, management prioritizes the risks and then treats them appropriately

Which One is Better?
• There is no right answer: both the bottom-up and top-down approaches have their own merits and limitations.
• The top-down approach works best to identify strategic risks and risk scenarios, while the bottom-up approach works best for measuring and managing specific risks, including operational risks
• A good Enterprise Risk Management approach relies on both a top-down structure and bottom-up information; this combined approach also creates a powerful synergy, as it has Senior Management buy-in and risk ownership at the origin of the risks.
• Client's current risk register process is its bottom-up approach and its STA (Strategy to Assurance) is its top-down approach; with this powerful combination, Client intends to create an excellent risk management framework

Top-Down Approach - ERM
• Vision: set by the Board
• Strategy: set by the Board and driven through the MC
• Enterprise Objectives: set by the Board, Regional and BU management and in individual PDRs. Reporting against objectives and resulting actions is governed through MD
• Risks: significant risks are identified through top-down STA and bottom-up risk analysis, and checked for completeness through the risk hierarchy process
• Mitigating actions and controls: mitigating actions are taken at Board, Region and BU level. Controls are identified and tested in the controls/compliance tool
• Assurance: provided either to meet specific risks and associated objectives or as required by regulatory or compliance needs, as set out in the controls/compliance tool
The Risks, Mitigating actions and controls, and Assurance layers together make up Risk Management.

ERM - Linkages to Strategy/BO
Risk No: 1
Performance function/competency/global: Finance
Risk Owner: ABC
Person who identified risk: XYZ
Strategy: Lean Process
Date Raised: (blank)
Business Objective: Maintain cost arbitrage opportunity between US / UK / EMEA and India
Risk Title: Exchange Rate or costs
Risk Area: Foreign Exchange
Risk Type: Financial
Description: Costs are in Indian Rupees while all revenue is in USD, GBP or Euros. The rates for converting USD, GBP or Euros into INR impact the net profit realized as well as the effective cost of operations in USD, GBP or Euro terms. This impacts the cost differential available between the regions and India.
Root Causes: Macro-economic conditions and money supply
Risk owner of root causes (if not the risk owner): (blank)
Inherent Risk: Likelihood (1-4) 3, Consequence (1-4) 4, Risk (1-16) 12
Mitigating Actions and Controls: Draw up an FX management policy and take up sufficient forward covers / options to peg foreign exchange rates at levels that we would be comfortable with. Give up some upside benefit, but minimize downside risk.
Residual Risk: Likelihood (1-4) 3, Consequence (1-4) 2, Risk (1-16) 6

ERM - the COSO Way
Top of cube: objectives
• Within the context of Client's vision, management establishes strategic objectives and sets aligned objectives to cascade through the company. The ERM framework is geared to achieving Client's objectives, set out in four categories:
  • Strategic – high-level goals, aligned with and supporting its mission
  • Operations – effective and efficient use of its resources
  • Reporting – reliability of reporting
  • Compliance – compliance with applicable laws and regulations
Facing side of cube: components
• Client's enterprise risk management consists of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring.
  • Control environment – "controls and risk management tone" set by the Board: HR policies, ethical guidelines. Quality is an example of a strong "tone".
  • Risk assessment – how risks are analysed and managed, e.g. risk register and risk summary report
  • Control activities – "hard" controls that address identified risks, such as IT application controls and bank reconciliations
  • Information and communication – the level and quality of communications, IT strategy and architecture
  • Monitoring – self assessments, PCQ, internal audit
Side of cube: organisational levels (operating unit, region, Client's group)
• Control objectives should be at each business unit, region and group level – for example, group delegated authorities should then be cascaded into a more detailed DA for each region and then each BU

Benefits & Conclusion
• Incorporate risk evaluation in decision making
• Make informed, risk-aware decisions with respect to corporate objectives and their linkages
• Strategic and operational risks all identified and monitored
• Responsibility and accountability clearly defined
• Common understanding of risk across regions
Lessons learned
• Local regulation mapping was done for local assessment, but it is not feasible for the same team to do it for every country, as it needs expertise in legal and compliance advisory for local regulation (though mostly they are similar in nature, decoding is difficult sometimes)
• The process is not easily repeatable across every industry
• Going forward, the plan is to use an automated tool for tracking and reporting