INTRODUCTION
PROGRAMME OBJECTIVES
- Implement appropriate and varied techniques for the identification and assessment of risks
- Generate measurable value by aligning the Enterprise Risk Management (ERM) framework with corporate performance expectations
- Engage the Board in the analysis of enterprise risk scenarios
- Foster a culture that reinforces appropriate risk-taking to balance value creation and value protection
- Clarify Enterprise Risk Management (ERM) accountabilities of all employees from executives to the front line
- Implement Key Risk Indicators (KRI’s) for each line of business
- Enhance achievement of corporate objectives by linking performance targets and risk management actions
WHO SHOULD ATTEND?
- Chief Risk Officers
- Risk Managers
- Managers and Directors responsible for the risk management function or process
- Heads of Internal Audit
- Heads of Assurance Functions
- Senior Finance Professionals
PROGRAM OUTLINE
Taking Enterprise Risk Management (ERM) to the Next Level
Characteristics of an Advanced Enterprise Risk Management (ERM) Process
- Board-level commitment to ERM as a critical decision framework
- A dedicated risk executive in a senior level position to drive the process
- An Enterprise Risk Management (ERM) culture that encourages full engagement and accountability at all levels of the organization
- Engagement of stakeholders in risk management strategy development and policy setting
- Transparency of risk communication
- Integration of financial and operational risk information into decision making
- Use of sophisticated quantification methods to understand risk and demonstrate added value through risk management
- Identification of new and emerging risks using internal data as well as information from external providers
- A move from focusing on risk avoidance and mitigation to leveraging risk and risk management options that extract value
- Enterprise Risk Management (ERM) case studies (banking and FMCG)
- New paper on Enterprise Risk Management (ERM) and the role of Executive management will be shared
Keeping Your Eye on the Big Prize
- Enterprise Risk Management (ERM) spans all lines of business and is governed at the enterprise level
- Enterprise Risk Management (ERM) spans all types of risks, across all business units, functions, processes, and systems
- Identifies and assesses risk events, plans and executes a response to them
- Identifying principal risk factors (Vodafone case study)
- Provides transparent, risk-adjusted business performance management
- ERM focuses on risk events that impair the enterprise from fully achieving objectives
Exploring Global Enterprise Risk Management (ERM) Scenarios
- In this interactive session, delegates will explore global risk scenarios and then discuss the implications for their organizations
- Risk Attitude
- The need to define risk as the need to get things right – not what can go wrong
- ‘Ring fencing’ risk exposure - never allow one part of the business to impact the whole organisation
- Determining and communicating your attitude to risk and your required risk culture to managers and stakeholders
- Recognising that reputation is both your biggest asset and the biggest risk you face – and one you cannot insure
- Not waiting until you are required to provide evidence of effective risk management by regulators or legislation – this will usually be too late
The Enterprise Risk Management (ERM) Roadmap
- Review the Current ERM Environment
- Conduct Gap Analysis
- Conduct management workshops and agree priorities
- Develop ERM roadmap of priorities for implementation
Enterprise Risk Management (ERM) Risk Measurement Techniques
Risk Measurement Methods
- The need for quantitative risk analysis
- Structured Interviews
- Risk workshops
- Delphi (expert analysis)
- Ishikawa diagrams (fishbone analysis)
- Failure mode and effect analysis (FMEA)
- Scenario planning
- Root cause analysis
- Monte Carlo analysis
- Bayesian networks
- The pros and cons of the various methods
Risk Workshops
- The power of workshops
- Techniques for successful risk workshops
- The need to involve peer groups
- Establishing a risk workshop
- Facilitation techniques
Delphi (Expert Analysis)
- Getting consensus from experts of different backgrounds and perspectives
- Comparing the opinions of qualified experts from different fields
- Determining acceptable risk by using experts to assess e.g. total credit given versus credit available or to establish creditworthiness criteria
- Worked example
Ishikawa (Fishbone) Analysis
- Very effective in evaluating risks with multiple causes
- Steps in fishbone analysis
- Problem identification
- Primary and secondary causes
- Establishing priority criteria
- Preparing fishbone diagram
- Analysing the output
Failure Mode and Root Cause Analysis
- Evaluation of potential failure modes for processes
- The likely effect on outcomes and/or product performance
- Risk reduction measures to eliminate, reduce or control the potential failures
- Impact, probability and detection criteria
- Determination of RPN (risk priority number)
- Worked example of FMEA
Scenario Planning
- Why risks identified are often too generalised e.g. loss of key personnel
- The need to evaluate various scenarios for each generic risk
- The techniques and success factors
More Risk Assessment Techniques
Fault Tree Analysis
- Systematic method of System Analysis
- Examines the system top down
- Used to investigate potential faults
- Quantify contribution to system unreliability
- Worked example
Monte Carlo Simulations
- Mathematical technique that allows people to account for risk in quantitative analysis and decision making.
- Provides a range of possible outcomes and the probabilities they will occur
- Determines a probability distribution
- The types of distribution
- Normal (bell curve)
- Uniform
- Triangular
- Uses of Monte Carlo simulations
- Used to price complex financial instruments
- To determine the VAR (value at risk)
- Determining the option to expand, contract, or postpone a project
Bayesian Networks
- Bayes theorem
- Adding more data to an original idea to enhance decision making
- Use of Bayesian networks
- Will it rain tomorrow
- Visiting the doctors
- Banking sector
Emergent Risks
- There is no clear boundary with other types of risk
- Emergent risks often cannot be easily anticipated
- At early stages they are often low probability / high impact
- Areas for consideration
- Political
- Regulatory
- Legal
- Security
- Technology
- Environmental
- Knowledge
Crisis Management
- The need for preparation
- Pre-prepared media statements
- Types of crisis
- The difference between emergency and crisis management
Key Risk Indicators (KRI’s)
- The banana skins
- Identifying these in advance
- Examples of KRI’s
- New KRI guidance
- How to develop effective KRI’s
Advanced Enterprise Risk Management (ERM) Issues
The Risk Register Challenges
- Why the Enterprise Risk Management (ERM) process often fails to engage management
- Risks recorded are much too general
- Causes and effects are confused with risks
- Only residual risk is concentrated on
- Various different methods are used for scoring risks
- Benefits are difficult to determine
- The register is spreadsheet-based
- The process is far too complex
- The Risk register solution
Enterprise Risk Management (ERM) Tips for Success
- Use a risk assessment framework to assess your risk maturity and prepare a plan to enhance this maturity (if required)
- Adopt ISO31000 (the International risk standard) and apply the principles across the business
- Only use one risk matrix for the Business – every function should not develop their own
- Ensure that you have common risk terminology and communicate it widely
- Recognise risks may have multiple scenarios e.g. loss of key personnel (how many, in which area etc)
- Set meaningful Key risk indicators (KRI’s) to warn you before risks materialize
- Prepare a graphical or tabular record of key risk for the Board
- Recognize that understanding risk is the key to successful corporate governance
- Arrange a reputation risk workshop for senior management
- Get the whole risk process benchmarked
Risk Appetite and Risk Tolerance
- What is risk appetite?
- The difference between risk appetite and risk tolerance
- Defining risk limits
- Risk profiling
- Developing risk appetite statements
- Examples of risk appetite statements
Enterprise Risk Management (ERM) and Decision-making
- For every key proposal passed to the Board or senior management for decision, insist that a full risk analysis is submitted
- Match key risks to corporate objectives each year.
- Ensure that you under promise and over perform – not the other way round
- Invite all your key stakeholders to a risk workshop
- Analyse the major surprises and near misses that you have had in the last 12 months
- Recognise that ‘if it seems too good to be true’ it probably is
- Prepare media statements in advance to cover all possible crises
- Twice a year ask all key executives to identify 3 opportunities and set up a high level workshop to discuss and prioritise them
- Develop a corporate opportunity register
- Offer special incentives for the best ideas to reduce risk or exploit opportunities
- Do not commit time and money in risk mitigation unless a monetary or other significant benefit can be demonstrated
- Calculate the value of income required to cover each dollar/dirham/riyal wasted due to poor risk management – use this multiplier as a business driver.
Wider Aspects of Enterprise Risk Management (ERM)
Assurance and Enterprise Risk Management (ERM)
- Ensuring your assurance providers' roles (e.g. Internal Audit, Compliance, Risk Management, Insurance, Security) are co-ordinated to avoid duplication of effort
- Why you should incorporate internal audit agreed actions in your risk register
- Ensure environmental risk is taken seriously (even if you are in a sector such as Financial Services)
- Ensure that your Business Continuity plan covers all eventualities and ensure it is fully tested
- Identify new ways to benefit the least able section of the wider community you serve
- New guidance on coordinating RM & assurance
Energising Your Staff to Manage Risk
- Ensure that your staff know that risk management is not a fad or the latest initiative – it is a business process
- Get risk management as an agenda item in staff meetings
- Recognise that your employees will only be interested in managing risks if there is a benefit for them in doing so
- Do not give too many risks to the same manager
- Complete as much of the risk programme with your own managers – do not over rely on consultants – you have to own the process
- Realise that if managers want to get a proposal through, they will tend to understate the risk (if you let them)
- Recognise that risk is the pulse of the organization and make sure that you have personnel to regularly take this pulse
Enterprise Risk Management (ERM) in Projects and Joint Ventures
- Determine the associated risks at the very earliest stage of a project
- Recognise that it is most unlikely that the project can be delivered to time, to budget and meet all the objectives outlined
- Decide up front which of the 3 elements, time, financial budget or functionality you are willing to compromise first.
- Hold risk workshops with the shortlisted suppliers or contractors before awarding a contract
- Give executives a clear brief regarding the decisions that may or may not be made by them before they attend each meeting with partners
- Require your executives to provide written feedback from all such meetings
- Determine a clear protocol for reviewing JV’s and partnerships
- Do not assume that because a JV is effective in year one it will necessarily be the same in year 2 and beyond
- Ask your internal audit function to be involved in all key systems and projects at key stages during the development phase
- Ensure you have a right to audit clause for all outsourced operations and exercise that right
Enterprise Risk Management (ERM) in Projects Golden Rules (with case studies)
- Make risk management an integral part of the project
- Identify risks early in the project
- Communicate the risks widely
- Consider both risks and opportunities
- Prioritise the risks
- Analyse the risks properly
- Plan and implement risk responses