ERM Awareness 2021 - MHSB (Revised)

The document discusses risk management and enterprise risk management (ERM). It defines risk, outlines the objectives and benefits of ERM, and describes roles and responsibilities in the risk management process like the risk owner and risk co-owner. Key aspects of a risk management framework and governance structure are also presented.

Uploaded by ikekronge

Risk Management

ENTERPRISE RISK MANAGEMENT (ERM) AWARENESS

Confidential
Objectives

01 To cultivate a risk-aware culture through Enterprise Risk Management (“ERM”) Awareness & Education.

02 To establish a communication channel between RMD and other departments/divisions.

03 To assess/re-assess the Risk Profile for continuous monitoring and update (i.e. Risk Register and Risk Action Plan).

04 To gain a better understanding of operational/department/division processes and activities for continuous improvement.

RMD Roles & Responsibilities

ERM Advisory Services.
Independent & Objective-based Risk Assessment.
ERM Communication & Education.
Continuous Monitoring & Reporting.

Introduction to Risk Management

What is Risk

“The uncertainty of an event occurring that could have an impact on the achievement of objectives.”

“Uncertainty exists whenever the knowledge or understanding of an event, consequence, or likelihood is inadequate or incomplete.”

Risk Definition

01 The uncertainty of an event occurring that could have an impact on the achievement of objectives. (COSO ERM, 2017)

02 The effect of uncertainty on objectives. (ISO 31000:2018)

What is Risk Management

Risk Management is a logical and systematic method of identifying, analysing, assessing, treating, monitoring and communicating the risks associated with any activity, function or process, in a way that enables an organisation to meet its objectives while at the same time minimising losses and maximising opportunities.

BUT managing risk is NOT about eliminating all risk. It is knowing which limits are acceptable and managing risks within them to ensure the achievement of the organisation’s objectives.

It IS a shared responsibility.

Video on Risk Management

Why we need to manage the risk

01 Achieve your objectives more successfully
02 Protect company funds and assets
03 Maintain trust and confidence
04 Improve business strategic planning and improve decision making
05 Better prepare for major negative events

Benefits of ERM

Strategic Planning
❑ Improve business strategy and business continuity planning.
❑ Quick grasp of new opportunities.
❑ Confident and informed decision-making, planning and prioritisation.
❑ Increase return on JV and Investment.
❑ Ensure the delivery of a sustainable and profitable business.

Organisational and Operational Excellence
❑ Better prepare for major negative events.
❑ Fewer unpleasant surprises/crises and associated costs.
❑ Respond quickly to changes in the business environment.
❑ Employee empowerment to take risk in day-to-day activities.

Impact of poor Risk Management

Cyber Theft
Late-running Projects
Overspent Budgets & Project Failure
Unhappy Clients
Reputational Damage

ERM Framework

Lines of Defence

1st Line of Defence: Management Control
Function that owns, manages and controls risks through the implementation of the necessary controls.

2nd Line of Defence: Risk Management
Coordinates, facilitates and oversees the effectiveness of the risk management function.

3rd Line of Defence: Internal Audit Assurance
Function that provides independent assurance on the effectiveness of internal control and risk management activities.

Risk Management Governance Structure

Board of Director
    Management Committee
        Risk Management Committee
            Risk Management Department
                Upstream / Downstream / Support

Day-to-day embedded risk management in Policies, Procedures and Work Instructions.

Responsibility for Risk Management

Board of Director: Responsible for the risk management framework; assurance to stakeholders.
Management Committee: Mandate on risk management; management oversight; risk profile.
RM Committee: Establish a structured risk management framework; issues to emerge.
RM Department: Risk management oversight; ensure risk horizon scanning.
Employee: Current risk profile; action plans; risk-aware culture.

Risk Register quarterly submission

Frequency: Quarterly
Reporting Party: Risk Owners
Reporting To: Risk Mgmt Dept
Types of Reports: Signed Risk Register; Flash Report (if any)

Submission deadlines:
Q1 of the year: before / on 14 April
Q2 of the year: before / on 14 July
Q3 of the year: before / on 14 Oct
Q4 of the year: before / on 14 Jan

Risk Owner / Co-Owner Roles & Responsibilities

Risk Owner
Identification and assessment of risks.
Implementation and monitoring of mitigation action plans and key risk indicators.
Report to the Risk Manager in a timely manner, by way of reports and/or flash reports, in the event of any risk(s) that requires urgent attention.
Maintain the highest alert on both internal and external activities or circumstances that may have adverse risk impacts and consequences.

Risk Co-Owner
Provide support to Risk Owners on key risks identified.
Assist in the implementation of risk action plans.
Engage and discuss with Risk Owners on internal and external activities or circumstances that may give rise to new risks or to changes in the rating or control effectiveness of existing risks.

Division Risk Coordinator Roles & Responsibilities

Division Risk Coordinator
Work closely with RMD to coordinate ERM awareness / workshops and risk facilitation with the Risk Owners and Risk Co-owners for the respective division/company.
Provide assistance to Risk Owners and Risk Co-owners on key risks identified and support the implementation of risk action plans.
Coordinate with Risk Owners and Risk Co-owners to ensure self-risk assessment is conducted on a quarterly basis and the risk register is updated.
Provide RMD with a status report of risk action plans on a quarterly basis.
Escalate emerging risks to RMD.
Inform RMD immediately when a risk crystallises and coordinate with the Risk Owner and Co-owner to submit a flash report on any positive/negative influence on the risk.
Attend meetings pertaining to Risk Management matters as and when required.

ERM Methodology

1 Building ERM Framework
To help avoid ineffective response. To ensure its ongoing effectiveness via a strong mandate and commitment by the Management.

2 Risk Assessment Process
To identify the risk. To analyse and evaluate the risk. To prioritise the risk and resources.

3 Risk Action Planning Process
To select the Risk Treatment.

4 Risk Action Implementation Monitoring Process
To continuously monitor and ensure the mitigation plans are completed and implemented as planned.

5 Continuous Monitoring & Communication Process
To periodically report and review the identified risks.

Risk Management Process
Details Risk Assessment Process

RISK IDENTIFICATION
❑ Identify business objectives
❑ Identify the specific risk affecting the objective and describe the risk

RISK ANALYSIS
❑ Determine root causes
❑ Determine the likelihood & consequence
❑ Determine gross risk rating & residual risk rating

RISK EVALUATION
❑ Determine existing controls
❑ Determine control effectiveness
❑ Risk profiling

ERM Perspective on Risk Identification

Strategic Risk
❖ Organization’s objectives, mission, vision, goals
❖ Strategic planning, Culture

Reputation Risk
❖ Public Image
  ▪ i.e. Branding, Perception

Financial Risk
❖ Safeguarding assets
❖ Foreign Exchange
❖ Cash Flows

Compliance Risk
❖ Laws and Regulations
  ▪ i.e. Contractual Liability, Safety & Health

Operational Risk
❖ Processes to achieve goals
  ▪ i.e. Product Development and Security Procedures

Sample Risk Register

Fields on the register form:
Risk Title
Risk ID
Description
Risk Treatment
Date Raised
Date Review
Root causes
Existing key controls
Control effectiveness (e.g. Satisfactory)
Matrix: Likelihood, Impact, Risk Rating, Residual rating
Risk Owner / Co-owner
Risk Coordinator
Mitigation Action Plan (items 1., 2., 3.), each with: Status, Target start date, Target end date / Timeline, Progress update (%), PIC
Remarks

Likelihood

High: The risk is expected to occur in most circumstances.
Medium: The risk is expected to occur in many / several circumstances.
Low: The risk is likely to occur less frequently but at least once.

Impact

Major: A critical event which requires extraordinary management effort and immediate attention by senior management, and which may threaten the health of the organization but not lead to its collapse in the long term.
Moderate: A serious event with significant effect which requires additional management effort but does not threaten the existence of the organization.
Minor: An adverse event that has an impact but can be managed without serious damage to ECERDC and where the impact can be absorbed with some management effort.

Control Effectiveness

Weak: Unsatisfactory controls that do not meet acceptable standards, as many control weaknesses / inefficiencies have been identified.
Some Weaknesses: Some control weaknesses / inefficiencies have been identified. Although they do not present serious risk exposures, improvements in the controls are required.
Satisfactory: Controls are well managed, operated properly, and meet compliance requirements.

Risk Rating Matrix

Rows: Likelihood. Columns: Magnitude of Impact / Consequence. Each cell shows the cell number followed by the resulting risk rating.

Likelihood \ Impact    Minor        Moderate     Major
High                   6 Medium     3 High       1 High
Medium                 8 Low        5 Medium     2 High
Low                    9 Low        7 Low        4 Medium

Risk Treatment Options (A R M S)

Avoid: Cease to undertake the business activity altogether.
Retain: Management decides to retain and/or consciously accept the risk.
Modify: Take steps to minimise its impact and/or likelihood of occurrence.
Share: Transfer and/or share the risk (in total or in part) with an external party via outsourcing and/or purchase of insurance.

Salient Points To Take Home

❑ ERM is a continuous journey, not a destination.
❑ ERM is aimed at reducing the likelihood and lessening the impact of risks.
❑ Be prepared for any possibilities ahead.
❑ Continuous horizon scanning: be aware of what is happening around you and the world.
❑ Risk Management is everyone’s responsibility.

Contact me:
Radzi bin Ahmad
[email protected]
018-2856400
