Uploaded by Thomas Boegballe

RM Handbook

RISK MANAGEMENT HANDBOOK
Carlsberg Group
December 2010
Approved by EB December 2010
Version 1.1
Carlsberg Group Risk Management Handbook
Chapter 1: Introduction to Risk Management in Carlsberg Group
1.1 What is Risk and Risk Management?
1.2 What does Risk Management mean for Carlsberg Group?
1.3 What does Risk Management mean for our entity?
1.4 Risk Management Approach
1.5 Corporate Governance structure
1.6 Risk management maturity
1.7 Risk appetite
Chapter 2: The Risk Management Process – A Practical Guideline
2.1 Risk Management workshop process
2.2 Carrying out the Risk Management process
Appendix I – Glossary of terms
Appendix II – Risk Management Policy
Appendix III – Risk Management workshop templates
Appendix IV – Additional risk list
Chapter 1:
Introduction to Risk Management in Carlsberg Group
1.1 What is Risk and Risk Management?
Risk
‘An event that, if it happens, may have an impact upon the ability of Carlsberg Group to
achieve its defined objectives'.
Risk therefore includes a level of uncertainty of outcome (whether positive outcome or
negative threat). Risk is ever present and some amount of risk taking is inevitable if
Carlsberg Group is to achieve its objectives.
However, Carlsberg Group needs to be aware of what these risks are and to put measures in
place to reduce them to an acceptable level. This process is defined as "Risk Management".
Risk Management
Risk management involves:
• Having processes in place to identify, analyse, evaluate, monitor and record/report risks;
• Having access to up to date and reliable information about risks;
• Ensuring the right balance of mitigation is in place to deal with risks;
• A decision making process that is supported by a framework of risk assessment including
risk identification, analysis and evaluation.
1.2 What does Risk Management mean for Carlsberg Group?
In Carlsberg Group risk management is relevant because:
• Carlsberg Group operates in an uncertain world;
• Change brings even more uncertainty than normal;
• Uncertainty brings risk;
• Risks need to be effectively managed to ensure that the Carlsberg Group achieves the
positive aspects of change;
• Carlsberg Group owes it to the stakeholders to effectively manage the risks that are taken
on their behalf and will be judged on their ability to do so.
In order to reduce uncertainty, achieve the Group's strategic objectives and ensure value
creation for all stakeholders, Carlsberg views effective risk management as an integral part of
running its business operations.
Risk is viewed as something that can and should be managed and managed risks are viewed
as something that can be turned into opportunities.
1.3 What does Risk Management mean for our entity?
Risk Management provides the following benefits to an entity:
• Supports strategic and business planning at an entity level;
• Supports the effective use of resources;
• Promotes continuous improvement;
• Fewer shocks and unwelcome surprises;
• Quick grasp of new opportunities;
• Enhances alignment between the local entity and the Group;
• Provides reassurance to stakeholders;
• Helps to focus on issues to the entity.
1.4 Risk Management Approach
Carlsberg Group's approach to risk management is summarised below:
“Risk management involves the identification, assessment and economic
management of those risks which might prevent the Carlsberg Group from achieving
its objectives”.
An improved and more formal approach to risk management has been developed to:
• Ensure risk is identified and managed, and in a more inclusive way;
• Send messages both internally and externally that the Carlsberg Group takes risk
management seriously;
• Provide a framework for the cascade of risk management throughout the Carlsberg
Group;
• Provide a structure for people to work to and learn from;
• Ensure consistency and co-ordination in the Carlsberg Group;
• Supplement and evidence instinct and professional judgement;
• Provide a sounder basis for decision making;
• Demonstrate effective risk management and corporate governance.
Benefits of effective Risk Management
• Risk Management will alert the Board of Directors and management within the Carlsberg
Group to the major risks faced, enabling a proper and clear focus on the issues that really
matter;
• It will contribute to better decision making, and the process of achieving objectives. When
embedded within existing planning and decision taking, risk management provides a
basis for ensuring implications are thought through, the impact of other decisions,
initiatives and projects are considered, and conflicts are balanced. This will influence
success and improve company performance;
• It will provide assurance to the Board of directors and management as to the adequacy of
arrangements for the conduct of business and the use of resources. It will demonstrate
openness and accountability to all major stakeholders;
• It will lead to greater risk awareness and an improved control environment, which should
mean fewer risk incidents and other control failures. This will lead to a better and more
efficient achievement of our business objectives throughout Carlsberg Group;
These are not intangible benefits. By identifying risks earlier, by making sure processes are
not over engineered and are fit for purpose, and achieving a behavioural shift, risk
management will be a process that will pay for itself many times over.
Objectives of an effective Risk Management system
• Integrate risk management into the culture of the Carlsberg Group so that identifying,
assessing and managing risks are a part of day to day operations. It is imperative that risk
management is built into the Carlsberg way of doing business and not simply ‘bolted on’
as an additional business process. In this way, risks identified at the annual Risk
Management workshop, can be integrated into the business planning process and annual
budget process;
• Manage risk in accordance with best practice in a systematic and structured way thereby
creating value for the Group;
• Anticipate and respond to changing social, political, environmental and legislative
requirements;
• Prevent injury, damage and losses and reduce the cost of risk;
• Raise awareness of the need for risk management within the organisation;
• Ensure there are adequate arrangements for reporting on risk management
arrangements.
These objectives will be achieved by:
• Establishing clear roles, responsibilities and reporting lines within the Carlsberg Group for
risk management;
• Providing opportunities for shared learning on risk management across the Carlsberg
Group;
• Incorporating risk management considerations into all levels of business and service
planning;
• Monitoring risk management arrangements on an ongoing basis;
• Incorporating risk management considerations into partnership working and any
contractual arrangements that Carlsberg Group may have.
1.5 Corporate Governance structure
The Corporate Governance structure for Risk Management within the Carlsberg Group is as
follows:
Each function and business unit within the Carlsberg Group has an important part to play in
the Risk Management process. In order to ensure that the Risk Management process
functions in a logical manner, a framework has been developed within the Carlsberg Group
that assigns roles and responsibilities to each part of the organisation. The agreed roles and
responsibilities are outlined in the table below.
Group / Individual: Role and Responsibility
Board of Directors (via the Audit Committee)
• Responsible for monitoring the effectiveness of Risk Management within the Carlsberg Group.
Executive Committee (ExCom)
• Monitor the effectiveness of Risk Management arrangements, based on regular reports on Risk
Management that include the actions taken to manage risks.
• To assist with the ongoing development and review of the corporate risk management strategy
and methodology.
• Ensure that the Risk Management policy provides a structured basis for protecting the
shareholders investments and the Group's assets.
• Review and approve any changes made to the Risk Management Policy.
• Identify strategic risks at a Group level and develop action plans to effectively mitigate
those risks.
• Delegate the operational responsibility to monitor and control the risk to a risk owner (risk
responsible individuals) at a Group level who must take ownership, prepare action plans and be
accountable to ExCom for the management and reporting of the risks.
• To advise Group Internal Audit of new and emerging risks at an ExCom level (see escalation
procedures).
Risk responsible (ExCom)
• A member of ExCom or local management who has the responsibility to ensure that risk reducing
activities have been implemented to a satisfactory level.
Risk owner (ExCom)
• Has the operational responsibility to monitor and control the risk. The person must take
ownership and be accountable for the management and reporting of the risk.
Business Unit (Local)
• Identification, evaluation, qualification, recording and reporting the management of risk at
a local business unit level.
• Appoint a risk officer as the person responsible for the risks that have been identified and
the subsequent follow up of action plans.
Risk officer (Local – appointed by the local entity)
• Responsible for holding risk management workshops for each department or function e.g.
finance, sales, marketing etc. and aggregating those risks into an entity heat map.
• Has the operational responsibility to monitor and control the business unit risks. The person
must take ownership and be accountable for the management and reporting of the risk.
• To advise Group Internal Audit of new and emerging risks at a local level (see escalation
procedures).
Group Internal Audit (HQ)
• Collection and aggregation of risks identified at a Group or local level follow up on the
action plans and deadlines agreed upon and reporting of the status of such risks.
• Provide quarterly and yearly reports on Risk Management to Audit Committee and ExCom.
• Update of the Risk Management handbook and policy.
1.6 Risk management maturity
Risk Management Maturity is “the extent to which a robust risk management approach has
been adopted and applied, as planned, by management across the Group to identify, assess,
decide on responses to and record/report on opportunities and threats that may have an
impact on the achievement of Carlsberg Group's objectives.”
The level of risk maturity is considered in the following terms:
• Basic - The business does the minimum to remain in line with the expectations of internal
and external stakeholders.
• Developed - Additional activities and techniques are employed to increase the
confidence of the Board and ExCom that risk is being managed within operations and in
order to protect the bottom line.
• Advanced - Risk Management is seen as a strategic tool to support the top line and is of
core value to the business.
The following framework provides a more detailed explanation of the key differences between
each maturity level.
Framework element: High-level definition
• Basic: The business does the minimum to remain in line with the expectations of internal and
external stakeholders
• Developed: Additional activities and techniques are employed to increase the confidence of the
Board and ExCom that risk is being managed within operations and protecting the bottom line
• Advanced: Risk Management is seen as a strategic tool to support the top line and is a core
value in the business
Framework element: Risk governance
• Basic: A central risk management policy to support listing compliance
• Developed: A risk management structure with clear accountability to support risk management
objectives
• Advanced: Risk management accountability integrated with performance management and a central
value of the organisation
Framework element: Risk assessment
• Basic: Annual risk assessment with limited analysis and interpretation
• Developed: Frequent risk assessment in line with normal management reporting and including
analysis
• Advanced: Risk and control activities embedded in business processes and supporting decision
making
Framework element: Risk qualification
• Basic: Simple probability and impact descriptors without aggregation
• Developed: A range of qualitative and quantitative tools and techniques to provide robust
views of risk levels
• Advanced: Risk based capital allocation capabilities based on risk assessment information
Framework element: Monitoring and reporting
• Basic: Business risk registers submitted to support external reporting requirements
• Developed: Extensive reporting to the Board and audit committee on current risk levels and
future risk issues
• Advanced: Use of KRIs, early warning mechanisms and risk dashboard to provide a comprehensive
single view of risk
Framework element: Risk and control optimisation
• Basic: A tick in the box supported by limited external reporting
• Developed: Risk information supports the modification of key controls to improve their
effectiveness over time
• Advanced: Risk-adjusted strategy and optimised control investment and approach
Carlsberg Group maturity level
In respect of the Carlsberg Group, the maturity level is currently positioned between "Basic"
and "Developed" (as denoted in the table above) but is moving towards a more developed
approach. The Carlsberg Group has developed a top-down approach to risk management to
ensure that risks are identified on both a strategic level (ExCom) and operational level (HQ
functions and local entities) and that where possible risk reducing activities are in place to
mitigate the risks. The Audit Committee and ExCom receive quarterly reports that evaluate
and rate the level of focus on risk management within the Group.
On an annual basis, ExCom reviews their attitude in relation to the maturity of the Risk
Management model within the Carlsberg Group based upon a cost/benefit analysis.
Carlsberg Group has not set up a target for a preferred maturity level but strives for risk
management to be an integral part of the day to day business processes.
1.7 Risk appetite
The risk appetite is “the amount of risk that the Carlsberg Group is prepared to accept,
tolerate, or be exposed to at any point in time.”
Risk appetite can be defined in the following categories:
Risk averse
Risk exposure must be managed down as soon as possible. Carlsberg will rather let an
opportunity go than undertake an unmanaged risk. Competitors are allowed to move on
evolving risks and opportunities in the market before Carlsberg to avoid unnecessary
uncertainty. Risk exposures are maintained at a low level and with low tolerance for short
term increases.
Risk neutral
Encourages decisions based upon calculated risks with a close focus on safe rewards.
Carlsberg accepts a balanced risk and reward structure that allows them to maintain a more
stable but slightly lower reward level. Carlsberg will seldom accept added risks above
acceptable levels and only cautiously.
Risk seeking
The desire to be entrepreneurial and have the courage to choose options based upon
potentially higher rewards. Carlsberg is prepared to accept the added risks that are inherent
in our preferred way of doing business because they are determined to be effective in
managing risk downwards to normal and acceptable levels.
The approach to risk appetite within the Carlsberg Group is set by the Board of Directors and
implemented by ExCom and is dependent upon the type of risk under consideration. In
respect of financial risks, the risk perception is to actively manage exposure through financial
instruments, implying that no positions are taken on a purely speculative basis. In respect of
operational and strategic risks, there is a consensus that the appetite for risk is increasing as
ExCom is willing to take chances and pursue opportunities whenever considered reasonable
and attractive. Overall, the risk appetite within Carlsberg is deemed to be risk neutral. As a
general guideline Carlsberg Group operates with a risk limit of 1% net revenue
(approximately DKK 600m). Any risk above this limit will be deemed to be critical to the
business.
Chapter 2:
The Risk Management Process – A Practical Guideline
The following section provides a practical guideline to the Risk Management process within
Carlsberg Group and incorporates the following areas:
• The Risk Management workshop process;
• Carrying out the Risk Management process;
2.1 Risk Management workshop process
Step by step guide for 2011
• A local Risk Officer is appointed
• Risk Management workshop information is distributed
• Risk Management workshop is scheduled
• Individual department RM workshops are held and department heat maps are produced
• Local management RM Workshop is held to consolidate the heat maps into an entity-wide heat
map incl. action plans
• The entity-wide heat map and action plans are reported to Group Internal Audit
1. It is the responsibility of the Risk Officer to carry out risk workshops. If no risk officer has
been appointed then it is the responsibility of local management to appoint a suitably
qualified person to carry out this task;
2. The Risk Officer should send out the standard Carlsberg presentation (see appendix III)
to provide employees and managers with more information on the Risk Management
workshop and the Risk Management process prior to holding the workshop;
3. Once the presentation has been sent out, the Risk Officer should arrange a suitably
convenient date with the respective employees and management to undertake the
workshop and identify and evaluate risks in a heat map;
4. The Risk Officer should carry out a Risk Management workshop for each department in
the organisation, e.g. finance, sales, marketing etc. together with departmental
employees to identify risks and prepare a heat map in relation to their specific area of the
business;
5. The purpose of the workshop is to identify, assess and evaluate risks within the relevant
function to provide input to management in respect of major functional risks;
6. Finally, a Risk Management workshop should be held at an entity level with senior
management e.g. CEO, CFO, and VP Sales etc. to consolidate all departmental heat
maps into an entity-wide heat map;
7. The entity-wide heat map together with the risk action plans (see separate section) should
be sent to Group Internal Audit in accordance with the timelines set;
8. The approach is both "bottom-up" and "top-down". On a "bottom-up" approach, risks
should be identified at a departmental level and then escalated up to an entity level. On a
"top-down" approach, strategic risks should be identified by management;
9. Action plans should identify the risk, the risk responsible person, risk owner, risk reducing
activities and deadlines in respect of the risk.
2.2 Carrying out the Risk Management process
Introduction
This section gives a brief overview of what the risk management process within the Carlsberg
Group should look like and is supplemented by more detail in appendix III (How to hold a
Risk Management workshop). The main stages within the Risk Management process are as
follows:
• How to identify risks;
• How to assess and rate risks;
• How to map risks;
• How to record and report risks;
• How to develop and monitor risk reducing activities;
• How to comply with the activity schedule.
These stages are discussed in more detail below.
How to identify risks
The purpose of the exercise is to identify the major events that may have an impact on the
entity's ability to achieve its objectives. Risks are events that, when triggered, cause
problems. Hence, identification of the risk can start with the source of problems, or with the
problem itself.
Risk Identification
When either the source or problem is known, the events that a source or problem may trigger
can be investigated.
• Source analysis: the source of the risk may be internal or external to the entity, e.g.
employees, customers, competitors, environment etc.
• Problem analysis: risks are related to specific threats. For example: the threat of losing
market share, the threat of abuse of confidential information or the threat of accidents and
casualties. The threats may exist with entities, customers, suppliers and legislative bodies.
Common risk identification methods are:
• Objective-based - any event that may endanger achieving a strategic or business related
objective identified in the business planning or budget process either partially or
completely is identified as a risk.
• Scenario-based - in this analysis different scenarios ("what if") are created. The
scenarios may be alternative ways to achieve an objective, in, for example, a market. Any
event that triggers an undesired scenario is identified as a risk.
• Common-risk checking - in several industries, lists with known risks are available. Each
risk in the list can be checked for application to a particular situation. See appendix IV for
a detailed list applicable to the FMCG industry.
To enable the risks to be clearly and properly identified they can be considered within the
following categories (strategic, operational, financial and compliance), which are shown in
more detail in the table below:
A more detailed list of examples within each category above is included within appendix III
(Gross Risk List) and appendix IV (Further risks to consider).
These risks in the attached appendices should not be considered as the total list of risks as
additional risks may be present depending upon the environment in which individual entities
operate.
When holding the risk workshop and risk identification exercise, entities should have focus
on:
• Scope – Identify the major risks to the entity;
• Timeframe – 1 year – focus on the impact to the business for the next 12 months;
• Depth – Sufficient depth of detail for the reader to understand the risk and its impact on
the business.
How to assess and rate risks
When assessing risk it is important that inherent risk is considered. The inherent risk is the
risk to the entity in the absence of any risk reducing activities.
It is important to first analyse the specific issue in terms of cause and effect. This will then
allow the risk manager to carry out an assessment of impact and likelihood. Root cause is a
term that reflects the fact that risks can also arise out of strengths and opportunities. It also
reflects the fact that risks can arise out of external or internal situations.
Once the root cause and effect have been considered, the relevant risks can be rated and
assessed in terms of impact (on the business) and likelihood (probability).
Carlsberg Group uses the following "traffic light" rating system to evaluate impact and
likelihood:
Impact guide
Impact: Descriptor
• 1 – Low: Outcome from risk events that is unlikely to have a permanent or significant effect
on the entity.
• 2 – Moderate: Outcome from risk events that will have a significant impact on the entity in
the short term but can be managed without a major impact in the medium to longer term.
• 3 – High: Outcome from risk events that will require major effort to manage and resolve in the
medium/long term or risk events that could threaten the existence of the local entity.
As an example, ExCom uses the following approximate thresholds as a guideline to each
impact level:
• High impact: 1.0% of net revenue ≈ DKK 600 m at a Group level,
or > 10% EBITA ≈ DKK 570m at a Group level
• Moderate impact: 0.7% of net revenue ≈ DKK 400 m at a Group level,
or 5-10% EBITA ≈ DKK 427m at a Group level
• Low impact: 0.3% of net revenue ≈ DKK 200 m at a Group level,
or < 5% EBITA ≈ DKK 285m at a Group level
Likelihood guide
Likelihood: Description
• 1 – Unlikely / Very low (0-10%): The risk event is unlikely to occur
• 2 – Low (11-25%): The likelihood of the risk event occurring is low but possible
• 3 – Likely (26-50%): The risk event is likely to occur
• 4 – Very likely (50%+): The risk event is very likely to occur
The above percentages may be used as a guideline; however they may not be applicable to
all entities whilst some risks can be difficult to quantify in monetary amounts. That is why
each entity must individually evaluate which risks have a high, moderate or low impact on the
entity's business and also the likelihood (probability) of the event occurring.
How to map risks on a risk heat map
Once risks have been identified and developed, every risk must be evaluated and mapped in
the heat map according to the risk impact and likelihood assessment (see above). An
example of the top 10 risks of an entity could be mapped as follows. In this example, risks 3,
5, 7 and 10 are regarded as high risks in that they have a moderate to high impact and a
likelihood level of likely to very likely.
How to record and report risks
Once risks have been identified and assessed in the heat map above, they need to be
recorded and reported. The identified high risks (per the heat map above) should be
documented through action plans. The heat map and action plans should be reported to
Group Internal Audit using the Group templates in appendix III. An example of an action plan
is given below:
Risk: 1. Loss of critical IT
Responsible: CFO
Owner: IT Manager
Risk reducing activities (deadline):
• Service Level Management (31.12.10)
• IT disaster recovery plans (Ongoing)
• Business continuity plans (Ongoing)
• Backup and restore procedures (Ongoing)
• IT Security Policy (31.03.11)
How to develop and monitor risk reducing activities
Each entity is responsible for keeping its own risk register; merely identifying, assessing
and recording/reporting risks is insufficient. On a quarterly basis, risk owners (e.g. the IT
manager in the example above) will be required to review the risks for which they are
responsible and to explain the status of risk reducing activities that are in place to manage
these risks and are in accordance with the deadlines set. The risk responsible person (e.g.
CFO) has the responsibility to ensure that risk reducing activities are acceptable in mitigating
the risk identified. The entity will then be required to provide assurance to ExCom and the
Audit Committee, via Group Internal Audit, that this is in fact the case in accordance with the
activity schedule (see below).
Risk Management activity schedule requirements
Timing: 31/3/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain
the status of the risk reducing activities and verify that they are in accordance with the
deadlines set. The risk responsible person has to ensure that the activities are acceptable in
mitigating the risk identified. Once this has been performed, details of the action plans need
to be reported to Group Internal Audit.
Timing: 30/6/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain
the status of the risk reducing activities and verify that they are in accordance with the
deadlines set. The risk responsible person has to ensure that the activities are acceptable in
mitigating the risk identified. Once this has been performed, details of the action plans need
to be reported to Group Internal Audit.
Timing: 30/9/10
Step: Yearly workshop / quarterly update
Description: Preparation and undertaking of Risk Management workshops. Following which, the
entity-wide heat map and action plans need to be reported to Group Internal Audit.
Timing: 31/12/10
Step: Quarterly update
Description: The risk owner needs to review the risks for which they are responsible, explain
the status of the risk reducing activities and verify that they are in accordance with the
deadlines set. The risk responsible person has to ensure that the activities are acceptable in
mitigating the risk identified. Once this has been performed, details of the action plans need
to be reported to Group Internal Audit.
The diagram below gives an overview of the ongoing Risk Management process in the entity:
1. Risk identification
• Objective based
• Scenario based
• Common-risk checking
2. Risk assessment
• Impact
• Likelihood
3. Risk mapping
• Heat map
4. Risk recording
• Action plans
5. Risk monitoring
• Quarterly review
New and emerging risks – escalation procedure
Any new and emerging risks (strategic, operational, financial or compliance) that occur after
a Risk Management workshop has been held and before the next annual Risk Management
workshop and which have a material impact upon the business must be identified, assessed
and recorded/reported by the responsible business unit as soon as possible to Group Internal
Audit. Group Internal Audit will co-ordinate this information and aggregate the new and
emerging risk into a quarterly report to the Audit Committee and ExCom. If necessary, and at
the discretion of Group Internal Audit, the issue will be raised to the Audit Committee and
ExCom under separate notification.
Link to the Carlsberg Group Risk Management Policy:
http://www.carlsberg.net/enUS/Policies+and+Guidelines/Policy+Portal/All+Group+Policies.htm
Appendix I – Glossary of terms
Below are stated some of the most common Risk Management definitions with a short
explanation for each. This is to ensure that everybody within Carlsberg Group speaks the
same language when addressing Risk Management issues.
Risk
An event that, if it happens, may have an impact on Carlsberg Group's ability to
achieve its objectives.
Risk Management
The identification, assessment, and prioritization of risks (see definition above)
followed by coordinated and economical application of resources to minimise,
monitor, and control the probability and/or impact of unfortunate events or to
maximise the realisation of opportunities.
Risk Categories
• Strategic – risks appertaining to the strategy of the business including:
- Market development
- Competition
- Stakeholders
- Political
• Financial – risks relating to financial areas including:
- Reporting
- Investments
- Capital structure
- Market development
• Operational – risks dealing with day to day operations including:
- Technology
- People
- Processes
- Infrastructure
- Information
• Compliance – risks in relation to legal, statutory, Corporate Governance including:
- CSR
- Legal
- Tax
Inherent (or gross) risk
The level of risk before taking account of any mitigation put in place.
Residual (or net) risk
The remaining level of risk after risk treatment measures have been taken. If falling
within the Group’s risk tolerance then residual risk is acceptable; if falling outside then
other actions may need to be taken.
Risk appetite/tolerance
The level of risk that Carlsberg Group is prepared to accept. This is likely to be
different dependent on the area of the Group.
Risk assessment
Is the systematic three step process of risk identification, analysis and evaluation
within the operational, financial, compliance and strategic areas of the business.
Risk identification
The process of determining what can happen, why and how.
Risk mitigation
The systematic process of identifying ways in which risks can be reduced.
Risk escalation
The process of raising the profile of a risk through predetermined channels to senior
Group management.
Risk register
The formal process in which high risk issues are identified and monitored.
Risk heat map
The process by which identified risks are evaluated and mapped based upon a
combination of impact and likelihood.
Risk owner (both ExCom and local level)
The individual responsible for monitoring and controlling the risk.
Risk responsible (both ExCom and local level)
The individual responsible for ensuring that risk reducing activities have been
implemented to a satisfactory level.
Risk officer (local level)
The individual at a business unit level who is responsible for holding risk management
workshops for department functions and aggregating those risks into a business unit
heat map and monitoring and controlling the risk.
Risk likelihood
The number of times (probability) that an event will occur based upon expected
norms.
Risk impact
The effect on the business based upon a percentage of turnover or absolute value.
Risk reducing activities
The process by which risks within a business are mitigated.
Appendix II – Risk Management Policy
RISK MANAGEMENT POLICY
Author
VIBEKE AGGERHOLM
Document owner
VP, GROUP INTERNAL AUDIT
Introduction and purpose
The Carlsberg Group Risk Management Policy (supported by the Risk Management
Handbook) sets out the detailed requirements necessary to implement a risk management
process within the Carlsberg Group. The policy covers the Carlsberg Group, all Group
subsidiary companies and all Head Office functions. The policy is for internal purposes only.
Taking and managing appropriate levels of risk is an integral part of the business activities. A
proactive Risk Management approach will uncover both the risks and the opportunities and
support the Carlsberg Group's corporate governance and the preservation and creation of
shareholder value.
Definitions
Risk is defined as the product of likelihood and impact of events that may prevent
achievement of the aims or goals of one or more key business or project stakeholders.
Risk Management is a systematic process that protects business resources and income
against losses so that the objectives of the Group can be achieved without unnecessary
interruption.
Risk Assessment is the systematic three step process of risk identification, risk analysis and
risk evaluation within the operational, financial, compliance and strategic areas of the
business.
The Risk Management Handbook sets out the detailed guidelines by which the Risk
Management process is implemented within the Carlsberg Group.
Objectives and Commitment
Carlsberg Group is committed to implementing appropriate strategies and processes that
identify, analyse and manage the risks associated with the Group's activities as a means of
managing the impact of undesired and unexpected events in order to add shareholder value
to the Group. As a result, Carlsberg Group will therefore:
• identify business objectives that reflect the interests of key stakeholders;
• identify the threats to the achievement of those objectives;
• control and manage the exposure to risk by appropriate and cost effective risk reduction
and mitigation actions;
• regularly review the key risks the organisation faces as a result of the business activities
and of the business and economic climate in which it operates;
• regularly review key risk controls and key risk indicators to ensure that they are
implemented in a timely manner and that they remain relevant, robust and effective;
• educate and train Carlsberg employees in Risk Management.
Carlsberg Group will demonstrate successful achievement of the implementation of the Risk
Management Policy through its ability to influence the business strategy and planning
process. This will be performed through the preparation of documented procedures, the
reporting and review of risks at all levels of the Group and the implementation of an effective
monitoring and audit review process. This is described in more detail in the Risk
Management Handbook.
Roles and Responsibilities
The Carlsberg Group Board of Directors (through the Audit Committee) is responsible for
overseeing the effectiveness of Risk Management within the Carlsberg Group.
The Executive Committee (ExCom) of Carlsberg Group approves the Risk Management
policy to ensure that it provides a structured basis for protecting the shareholders'
investments and the Group's assets.
The Risk Management Policy will be reviewed for appropriateness on an annual basis with
any changes reviewed and approved by ExCom.
Group Level Risk
ExCom is responsible for identifying strategic risks at a Group level and developing action
plans to effectively mitigate those risks. ExCom delegates the operational responsibility to
monitor and control the risk to individuals at a Group level who must take ownership, prepare
action plans and be accountable to ExCom for the management and reporting of the risks.
Local Entity Level Risk
Senior local management is responsible for the identification, reporting and management of
risk at a local level. For each entity, a risk manager is appointed as responsible for the risks
that have been identified and the subsequent follow up of action plans.
Group Internal Audit
Group Internal Audit is responsible for the collection and aggregation of risks identified at a
Group and local entity level, follow up on the action plans and deadlines agreed upon and
reporting of the status of such risks.
A more detailed description of roles and responsibilities is provided in the Risk Management
Handbook.
Process
Risk identification within the Carlsberg Group is founded on a combined top-down/bottom-up
approach in order to identify potential risks at both a strategic Group level
and a local entity level. In order to identify the risks appertaining to the business, risk
workshops will be held at appropriate intervals or at a minimum on an annual basis at both a
Group (ExCom) level and entity level. At each level, risks will be identified and assessed
utilising the appropriate qualitative or quantitative tools and grouped according to their
likelihood and impact on a heat map. An action plan for all high risks identified will be
developed that includes a description of the risk responsible individuals, risk owners and risk
reducing activities assigned to measure and monitor the risks. The identified risks and action
plans will be submitted to Group Internal Audit.
The process is described in more detail within the Risk Management Handbook.
Reporting
All risk reporting will be timely, accurate and action orientated and in line with the risk
management activity schedule defined in the Risk Management Handbook.
Further, Group Internal Audit will:
• Prepare a quarterly review of the risk reducing activities and action plans in respect of
each of the high risk issues identified at the annual risk workshop at both a Group level and
local entity level and present a report to ExCom and the Audit Committee.
• Facilitate and provide to the Audit Committee, on an annual basis, an aggregated
summary of all the major risks to enable them to gain assurance over the effectiveness of
Risk Management within the Carlsberg Group.
The detailed reporting process, including the aggregation of risk, reporting requirements, use
of methodology, templates and reporting tools are described further within the Risk
Management Handbook.
Appendix III – Risk Management workshop templates
Risk Management workshop 2010
• Identify important risks
• Prioritize risks (mapping)
• Assign ownership of identified risks
• Risk action plans
• Next steps
Purpose of the workshop
Identifying, describing and mapping key
financial and business risks within Carlsberg.
The result of the work will be risk action plans
for top 10 risks.
Slide 3
Risk Management – in short
• Risk is something to manage not something to fear
• Managed risk = Opportunities
• “If you know neither the enemy nor yourself, you will succumb in
every battle” Sun Tzu – ‘The Art of War’
• Risk is the probability (and possible effect) of some unfavorable
event occurring or of some favorable event not occurring
Slide 4
Why RM and the advantages
Why?
• Managing risks is common sense
• Corporate Governance codes – new requirements and laws in 2009
• Stakeholders continue to demand greater disclosure on key risks and processes
• Credit rating agencies apply Enterprise Risk Management as a section/factor in
credit ratings
Advantages
• Clear picture of the most important risks and opportunities
• Fewer shocks and unwelcome surprises
• Keep it simple and get lots of benefits
Slide 5
Risk Analysis
In our world we use a risk analysis which is
developed by dividing the risks into four
basic risk categories:
• Financial risks deal with Market risks, Liquidity & Credit risks, Accounting &
Reporting risks and Capital Structure risks. The majority of the mentioned risk types
are related to the Group Treasury and Group Finance departments.
• Strategic risks deal with Governance risks, Stakeholder risks and Market
dynamics risks. These risk types are linked to the strategy defined by the executive
management.
• Operational risks deal with Value Chain risks, Physical Assets risks, People risks,
Knowledge risks and Information Technology risks.
• Compliance risks deal with Legal risks, Regulatory risks and compliance with
Standard of Business Conduct risks.
Slide 6
Risk Assessment and Rating:
Heatmap
[Figure: heatmap template. Vertical axis: Impact (Net profit or Brand/Image), rated Low, Moderate, High. Horizontal axis: Likelihood, rated Unlikely/Very low, Low, Likely, Very likely. Risks 1 to 10 (entered as "????") are listed beside the grid for mapping.]
Slide 7
Heatmap
[Figure: heatmap example. Vertical axis: Impact (Net profit or Brand/Image), rated Low (<5% EBITA), Moderate (5-10% EBITA), High (>10% EBITA). Horizontal axis: Likelihood, rated Unlikely/Very low, Low, Likely, Very likely. Risks 1 to 10 (entered as "????") are plotted on the grid, with an area marked "High Risks".]
Slide 8
Top 10 Risks
Step 1
In advance of RM workshop
• Identify the most significant risks (gross risks –
i.e. before mitigating actions) relevant to your
business unit (minimum 10 risks) - the Gross
Risk list on the following three pages can be
used for inspiration
(this should be done on an individual basis)
During the RM workshop
• Presentation and discussion of Risks
• Mapping (Impact and Likelihood)
Slide 9
Gross Risk List - Strategic
No. Risk Headline
1 Political stability of a country
2 Taxes/duties
3 Partnerships/JVs
4 International regulation
5 Terrorism
6 Downturn in economy
7 Pandemic
8 Marketing & Sales
9 Competition
10 Substitution
11 New competitors
12 Country/industry dependence
13 Ability to retain existing business
14 Customer preference
15 Brands
16 Co-branding (i.e. sporting events)
17 Seasonality
18 Investments/Divestments (M&A)
19 Improvement of transformation initiatives
20 Achievement of growth objectives
21 Innovation
22 Compliance to Corp. Governance principles
23 Stakeholder relations
24 Ethics
Rate TOP 10
TOP 10 RISK Tick 1-10; 1 = most important
(tick X)
Elaboration on risk and trigger
- Political instability of a country leading to risk of seizure of assets, reduced ability to transfer funds, revocation of license to operate or general reduced ability to manage company/market.
- New taxes and/or duties enforced or increase in existing
- Financial difficulties with partner, disputes on how to operate, investments etc.
- I.e. alcohol advertising ban, drinking age, smoking ban, legal restrictions on sale of beer, restriction in communication
- Terrorist attack on CB site leading to loss of assets or loss of life
- Decline in consumption or negative change in consumption patterns (a shift away from premium products) as a result of a recession
- Avian Flu outbreak, closing of borders
- Marketing spend, marketing quality not being effective enough to match competition and/or ComEx not meeting goals
- Wine, spirits and other beverages
- Entry of new competitors in local markets or on international scene
- The portfolio of brands/markets leading to a strong dependence on one or few markets and brands
- Consolidation of customers
- Strength of brands (gross profit vs. volume)
- Drug or doping of athletes sponsored or terrorist attack at sponsored event
- Reduced turnover as a result of bad weather, reduced summer temperatures etc.
- High acquisition price
- Excellence project objectives are not achieved
- Lack of innovation
- Media attack due to political, social or legal issues
- Behavior or lack of actions on ethical issues that damage the brand and name of Carlsberg, i.e. beer girls, insider trading, bribery
Slide 10
Gross Risk List - Financial
No. Risk Headline
25 Equity/Debt level
26 Accounting risks
27 Impairment of goodwill
28 Management reporting
29 Net debt
30 Off balance sheet obligations
31 Cash management
32 Receivables
33 Financial counterparty (banking/credit)
34 Pension risk
Rate TOP 10
TOP 10 RISK Tick 1-10; 1 = most important
(tick X)
Elaboration on risk and trigger
- Capital accessibility/availability
- Wrongful statement of financial statements based on accounting errors or misstatement
- Value of brand reduced leading to write-off on goodwill
- Unintentional misstatement or lack of relevant information in management reporting leading to delay in decision-making or bad decisions
- Default on loans, liquidity shortage
- Trade credits, on-trade financing structure
- Default on counterparts leading to losses
- The value of assets not meeting expected liabilities / life expectancy of employees increasing liabilities vs. value of assets
Slide 11
Gross Risk List - Operational
No. Risk Headline
35 Price risk
36 Supply risk
37 Fire, explosion and breakdown of production facility
38 Serious injury or death involving Carlsberg employee
39 Natural hazards
40 Product quality
41 Labour disputes
42 Distribution relationships/Management
43 Delivery bottlenecks
44 Violence due to drinking at sponsored event
45 Pollution, contamination of soil
46 Legislative & regulatory
47 Contracts
48 Violation of anti-trust laws /Competition
49 Liability
50 Intellectual property violations (both ways)
51 Succession planning
52 Structure/Administration
53 Labour costs (incl. benefits)
54 Ability to attract and retain talent
55 Organisational risk
56 Loss of critical IT systems/Data
57 Breach of confidential info, leak, theft or espionage
58 Insider trading or fraud by Carlsberg employee or manager
Rate TOP 10
TOP 10 RISK Tick 1-10; 1 = most important
(tick X)
Elaboration on risk and trigger
- Energy, malt etc. Unexpected price rises
- Dependency of suppliers, supplier relations, Coca-Cola/Pepsi relations (concentrate price), major shortfall in supply due to lack of raw materials or packaging
- Fire or explosion, loss of power or utilities (steam, refrigeration, etc) on production site leading to loss of production capacity or loss of life, lack of water or quality of water
- Lack of Health & Safety procedures or other procedures or controls leading to accident involving a Carlsberg employee
- Windstorm, earthquake, flooding
- Accidental or malicious contamination leading to the recall of products
- Major strikes at one or more sites (production and/or distribution)
- Consolidation of wholesalers
- Competition in distribution
- Environmental liabilities, limitations in license to operate
- Raid by authorities (antitrust, bribery)
- Bad entry into or bad management of contracts
- Carlsberg causing serious injury or death to 3rd party or failure to satisfy contractual obligations
- Carlsberg being accused of violating 3rd party patent with new product or 3rd party violating Carlsberg patents or IP by use of name or design leading to lost market share and/or bad reputation
- Kidnapping, loss of key managers (i.e. airplane crash, car accident)
- Complexity of organisation or failure in how to manage people (hiring, dismissing, promoting) leading to harassment claims
- Salary costs, incl. pension costs increasing beyond expectations in the market leading to higher costs and loss of price competitiveness
- Lack of leaders and new employees to fill the gap of retirees and employees leaving for other companies
- Untimely or inaccurate disclosure of information
- Breakdown in critical IT (SAP, Hyperion, external data center, LAN, etc.) or malicious intrusion/hacking in IT system. Vital data deleted and/or distorted
- Untimely or inaccurate disclosure of important information to the stock exchange
Slide 12
Step 2 – action required for High Risks
Risk: 1. Loss of critical IT
Responsible: CFO
Owner: IT Manager
Risk reducing activities and deadlines:
• Service Level Management: 31.12.10
• IT disaster recovery plans: Ongoing
• Business continuity plans: Ongoing
• Backup and restore procedures: Ongoing
• IT Security Policy: 31.03.11
Responsible is at local Management level.
Owner has the operational responsibility to monitor and control the risk. The person
must take ownership and is accountable for the management and reporting of the risk.
Risk reducing activities are steps to mitigate the risk to an acceptable level.
Please note that already existing risk reducing activities could be relevant to identify in
order to limit the need for further actions.
Slide 13
Next Steps
• Agreed upon risk action plans, risk reducing activities and deadlines.
• Completion of the action plans with all the inputs from today.
Return to Vibeke Aggerholm, Group Internal Audit within 10 business
days at vibeke.aggerholm@carlsberg.com
• Appointment of a local Risk Management responsible person (point of
entry)
• Next RM workshop will be held in 2011 facilitated by local Risk
Management responsible person.
Slide 16
Appendix IV – Additional risk list
Further risks to consider:
- Ability to Attract & Retain Clients
- Ability to Develop / Market New / Existing Products
- Advertising, Marketing and Cross-Selling Success
- Consumer Demands /Preferences
- Effective Product Mix
- Financial Planning / Strategy
- Legal / Regulatory / Environmental Changes
- Perception of product (customer problems, pricing, efficiency, safety)
- Pricing of products /services
- Risk-Based capital requirements / Management
- Third party exposure (suppliers, vendors, manufacturers, distributors)
- Ability to retain existing business
- Advertising & Marketing expense /Success
- Brand management / Divestitures / Image / Co-branding
- Business model
- International tariffs and other regulations
- M&A Strategy /Execution /Integration
- Product Supply (stability, sourcing, costs)
- Tax Requirements / Tax treatment
- Achievement of Growth Objectives
- Asset Impairment / Material or Real Estate Dispositions
- Cash Flow Management
- Debt Level / Ability to Pay Down Debt
- Economic Conditions /Trends
- Operation and system risks
- Competitive Actions (pricing, conveniences, services or amenities)
- Distribution Relationship / Management
- Partnerships / Joint Venture Investments
- Achievement of Cost reduction Objectives or Synergies
- Unanticipated Industry trends
- Assumptions used for pricing
- Business Conditions
- Capital Accessibility / Availability
- Environmental liabilities / Concerns
- General Risks to Strategies / Execution
- Increase in Operating costs
- Litigation /Intellectual Capital Issues
- Manage Volatility (hedging activities)
- Shareholder relationship
- Ability to Attract & Retain Talent
- Accounting policies (estimations, changes to rules/standards)
- Efficient manufacturing operations
- Impairment of Investment Portfolio
- Supplier relationship
- Contingent liabilities resolution
- Fair Value of investment assumption
- Franchises and Licenses
- Impairment of Goodwill
- Natural Disasters / Severe Weather
- Pension Fund obligations
- Assumptions used for defining liabilities /reserves
- Closing of land sale transactions
- Construction conditions
- Contractual provisions (failure to satisfy)
- Dependency on One or Two products /clients /suppliers
- Improvement /Transformation Initiatives
- Insurance cost
- Interruption of computer and communication systems
- Inventory management
- Labour costs (including benefits)
- Labour Disputes /Actions
- Price of crude oil, energy prices, commodities
- Seasonality /Cyclicality
- Technology