Organisational risk management
Anton Usher, 19 March 2014

Overview

- A whistle stop risk review
- Risk in Australian corporate governance
- The benefits of organisational risk maturity
- Risk management and in-house counsel
  - The evolution of in-house counsel's role
  - In-house counsel's contribution to risk management
- Integrating risk management within your organisation
  - Using an enterprise risk management framework
  - Using a compliance framework
  - Using a risk based internal auditing approach
- Key takeaways

A whistle stop risk review

A global view: top risks in 2013

Aon global:
1. Economic slowdown
2. Regulatory / legislative changes
3. Increasing competition
4. Damage to reputation / brand
5. Failure to attract or retain top talent

Lloyds global:
1. High taxation / slow recovery
2. Loss of customers / cancelled orders
3. Cyber risk
4. Price of material inputs
5. Excessively strict regulation
6. Changing legislation

Deloitte global:
1. Economic trends
2. Business model
3. Reputation
4. Competition
5. Human resources
6. Lack of innovation

Aon Asia-Pac:
1. Brand & image
2. Market environment (economic slowdown)
3. Regulative / legislative changes
4. Business interruption
5. Failure to innovate

A selected industry view: top risks in 2013

| Industry | 1st risk concern | 2nd risk concern | 3rd risk concern |
| Banks, Insurance, Investment & Finance | Regulatory / legislative changes | Economic slowdown | Brand & image |
| Education & not for profit | Regulatory / legislative changes | Brand & image | Human resources |
| Government | Political risk & uncertainties | Human resources | Business interruption |
| Utilities | Political risk & uncertainties | Regulatory / legislative changes | Natural disasters |
| Natural resources | Property damage | Environmental risk | Commodity price risk |
| Non-aviation Transport Services | Economic slowdown | Human resources | Injury to workers |

Risk in Australian Corporate Governance

Increasing risk management prominence (1)

(Proposed) third edition of ASX Corporate Governance Principles and Recommendations.

Increases risk management prominence by recommending that listed entities:
- establish a risk committee
- undertake risk management reviews at board / board committee level at least annually
- disclose whether, and if so how, they have regard to economic, environmental and social sustainability risks

Increasing risk management prominence (2)

New APRA risk governance measures:
- New Risk Management standard - CPS 220
- Revised Governance standard - CPS 510

Increases risk management prominence by requiring:
- a separate board risk committee & designated CRO
- a risk management framework that:
  - includes a risk management appetite and strategy
  - addresses material risk (financial, operational, strategic)
  - adopts a 'three lines of defence' risk governance model
- annual risk management declarations and three yearly risk management reviews at board risk committee level

Risk governance: three lines of defence model

[Figure: three lines of defence model. Source: Draft Prudential Practice Guide CPG 220 Risk Management, APRA, January 2014, p19.]

The benefits of organisational risk maturity

Prosperity is connected to risk maturity

[Figure: Prosperity (vertical axis) plotted against risk management maturity (horizontal axis), with maturity levels Lacking, Basic, Defined, Operational and Advanced.]

Some characteristics of risk maturity

- Board sets risk management strategy & commits to it being critical in decision making
- A senior executive drives & facilitates implementation of risk management
- Transparency of risk communication
- Risk culture encourages full engagement & accountability at all levels
- Risk identification uses internal & external information
- Operational & financial risk information is included in decision making processes
- Risk & risk management options are leveraged to extract value

Risk management & in-house counsel

Evolution of in-house counsel's role

An Australian in-house counsel survey (% response):

What does your executive team expect from you?
- Contributions to risk management: 75%
- Help in making commercial decisions: 51%

What recent development has most impacted your role?
- Technological developments: 66%
- Increased regulations: 53%

What is the greatest challenge for in-house counsel?
- Maintaining a work/life balance: 32%
- Keeping pace with legislative changes: 32%

In-house counsel's contribution to risk management

HELP your Executive/Board answer these questions:
- Do we have a handle on critical organisation risks and our ability to respond?
- Is the top-down strategic view of critical organisation risks right?
- Is the effort being put into risk processes aligned with the risk priorities?
- Are our systems and people capable of responding to these risks?
- Is risk management "built into" the way we do business or is it "added-on"?

USE an enterprise risk management approach that is:
- Consistent with ISO AS/NZS 31000
- Tailored to your organisation
- Practical and value adding

Integrating risk management

Enterprise risk management framework

[Figure: enterprise risk management framework.]

Identifying risks that matter

[Figure: risks that matter versus risks that don't matter, relative to successfully achieved corporate objectives.]

A risk to successful delivery of objective

[Figure: an objective supported by critical success factor 1 and critical success factor 2, with a risk threatening delivery.]

Using sources of risk to identify risk

External:
- Stakeholders
- Community
- Political / Government
- Clients
- Suppliers
- Competitors
- Reputation
- Regulatory / contractual

Internal:
- Stakeholders
- Strategic and business
- Budgetary
- Governance
- Legal
- IT
- Human resources and skills
- Knowledge management
- Change management

An example risk

Objective: Reduce workers compensation premium by 10% by FY14/15 renewal.

Critical success factors:
- Existing claims liability reserves are reduced
- Systemic claim causes are mitigated

Risk: poor incident data quality.

Use a heat map to assess and report risk

[Figure: risk heat map.]

Using a compliance framework

A compliance framework defines what you:
- HAVE to do (legal and regulatory obligations)
- WANT to do (organisational requirements)
- VOLUNTARILY do (organisational commitments)

An empowering compliance framework

Compliance = achieving business objectives safely.

[Figure: empowering compliance framework. Governing body and external obligations (law, regulations, guidelines, codes etc) provide guidance, enablement and reinforcement through leadership, people and accountabilities; policies, procedures and training; and monitoring and reporting. Management direction flows to core business functions; measurement, reporting and risk profiling use key performance indicators, policies, controls and control self-assessment (CSA); empowered, accountable employees, agents and service providers work within processes, procedures and training, subject to external audit and reviews; all underpinned by change management and continuous improvement.]

Prioritising legislative compliance obligations

[Figure: prioritising legislative compliance obligations.]

Why use a risk based internal auditing approach

Risk based internal auditing (RBIA):
- is independent and objective
- evaluates and improves risk management effectiveness
- helps achieve corporate objectives

RBIA adds value

RBIA is linked to the risk assessment process.

RBIA focusses on:
- areas of high risk
- key control systems for high risk areas, testing:
  - control design (operational effectiveness)
  - control operation (operational compliance)

Use risk based internal audit ratings

Internal audits should be given overall risk ratings reflecting the level of inherent risk associated with the activity within the audit scope and the effectiveness of internal controls.

Key takeaways

- Risk management is becoming more prominent in Australian corporate governance
- Risk mature organisations do better
- In-house counsel has a key role in contributing to effective organisational risk management
- Enterprise risk management adds value by:
  - prioritising risk mitigation effort
  - prioritising and helping to ensure compliance obligations are met
  - helping to ensure risk mitigation effectiveness
  - helping to achieve corporate objectives

Thank you