Enterprise Risk Management (Erm) : Geodita Woro Bramanti, ST, Mengsc

Download as pptx, pdf, or txt
Download as pptx, pdf, or txt
You are on page 1of 72

Enterprise Risk Management (ERM)

Geodita Woro Bramanti, ST, MEngSc


OUTLINE

• INTRODUCTION

• WHAT IS ENTERPRISE

• WHAT IS RISK

• DEFINE ERM
OUTLINE

• BENEFITS Of ERM

• ERM STRUCTURE

• KEY QUALITIES of AN EFFECTIVE ERM

• CASE STUDY
INTRODUCTION
INTRODUCTION

• In the financial world is not immune to systemic failure, as


demonstrated by many stories such as Barings Bank collapse
in 1995, the failure of Long-Term Capital Management in
1998.

• And Also, In late August 2005 Hurricane Katrina struck,


reportedly the costliest natural disaster in US history. Oil
production, importation and refining were interrupted.At
least 20 offshore oil platforms went missing, sunk or adrift.

• Businesses were suddenly exposed to a surge in energy


prices, continuity failures and shipping disruption. Costs of
production rose and sales fell
INTRODUCTION

• Failure to properly understand and manage risk has


been cited as the root cause for the global financial
crisis of 2007–2010.

• There is no doubt that risk management is an


important and growing area in the uncertain world.
Before we are defining the term
“Enterprise Risk Management”, we
should know the definition of enterprise
and risk .
What Is Enterprise ?
WHAT IS ENTERPRISE ?

• Enterprise = Organization

• Enterprise is A unit of
economic organization or
activity, especially a business
organization

• Enterprise is a group of legal


vehicles, divisions, business
units and so forth that make
up an organization
What is Risk ?
WHAT IS RISK ?

Risk as a meaning “uncertainty“


(distribution of outcomes and
associated probabilities)
What is Risk ?

• Risk thrives on risk drivers or causes and manifests


itself in events that have consequences (or outcomes)

• Risk manifests itself in events that have


consequences
Risk Universe
Risk Drivers & Control

• Factors that influence the outcome

1. Risk drivers are factors that increase uncertainty

2. Controls are factors that are intended to reduce


uncertainty or help soften the blow of an adverse
outcome

• Their impact on the distribution of possible outcomes


NO RISK DRIVER

Certain
Outcome
THE PRESENCE OF RISK DRIVER

Simple Distribution of
Outcome
THE DISTRIBUTION OF
OUTCOMES-RISK DRIVERS

Distribution Of Outcomes Influence Influenced By a


Different Number of Risk Drivers
CONTROLS

• Controls are intended to reduce uncertainty or


soften the blow

• Distributions influenced by controls should be taller


and narrower than distributions not influenced by
controls

• Controls are measures that are put in place to


reduce the probability or severity of an adverse
outcome
INHERENT & RESIDUAL RISK

• Inherent risk is the raw or untreated risk that


produces the set of possible outcomes, without
controls

• Controls are the vehicles to mitigate inherent risk 🡪


mitigated risk as ‘‘residual risk.’’

• In the absence of controls, residual risk equals


inherent risk
RESIDUAL RISK

RESIDUAL RISK = INHERENT RISK - IMPACT OF


CONTROLS
THE DISTRIBUTION OF
OUTCOME : CONTROLS

DISTRIBUTIONS OF OUTCOMES INCLUDING AND


EXCLUDING THE INFLUENCE OF CONTROLS (INHERENT
AND RESIDUAL RISK)
RESIDUAL RISK

• Residual risk should be the main focus of the


enterprise risk manager as residual risk drives the
distribution of possible outcomes and it is the
distribution of possible outcomes that managements
are aiming to understand and manage
EVENT

1. They evidence the presence of risk

2. Corporates can learn from them

3. They have consequences, and these consequences are


the things that corporates are trying to achieve or
avoid.

4. They precede an outcome, so corporates may still


have the ability to influence the outcome.
OUTCOMES

• Outcomes are the consequences of events.

• Despite the fact that they are the ultimate element in


the flow of risk, they can be controlled (i.e., they can
be subject to the impact of controls).
SO ENTERPRISE RISK
MANAGEMENT IS…
DEFINE ERM
DEFINE ERM

• ERM satisfy a series of parameter

• ERM must be embedded in a business’s system of internal


control, while at the same time it must respect, reflect and
respond to the other internal controls

• ERM must be multifaceted and addressing all aspects of the


business plan from strategic plan through to business
control. (strategic plan, marketing plan, operation plan,
research & development, management & organisations,
forecast & financial data, financing, risk management
processes, business controls)
DEFINE ERM

• ERM defined as a comprehensive and integrated


framework for managing company wide risk in order
to maximise a company value

• ERM = a process affected by an entities Board of


Directors, management and other personnel applied
in as tragic setting and across the enterprise designed
to identify potential events that may the entity and
manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of
entity objectives.
DEFINE ERM

• ERM is The Capability of Organization to


understand, control, and articulate the nature and
level of risks taken in pursuit of a risk adjusted
return.

• The Risk can be categorised as credit, liquidity,


Strategic/Business/Reputation, Market, Operational,
Compliance/Legal, Financial and Capital Adequacy.
DEFINE ERM
BENEFITS OF
ERM
BENEFITS of ERM

ERM providers enhances capability to such as ;

• Increase the likelihood of a business realising its


objectives.

• Build confidence in stakeholders and the investment


community.
BENEFITS of ERM

• Comply with relevant legal and regulatory


requirements.

• Align risk appetite and strategy.

• Improve organisational resilience.


BENEFITS of ERM

• ERM Enhance corporate governance.

• Embed the risk process throughout the organisation.

• Minimise operational surprises and losses.


BENEFITS of ERM

• Enhance risk response decisions.

• Optimise allocation of resources.

• Identify and manage cross-enterprise risks.


BENEFITS of ERM

• Link growth, risk and return. R

• Rationalise capital.

• Seize opportunities.

• Improve organisational learning.


ERM STRUCTURE
ERM STRUCTURE

A Structured for understanding ERM is composed of seven elements.


CORPORATE GOVERNANCE

• Corporate governance now forms an essential


component of ERM because it provides the top-
down monitoring and management of risk
management.

• It places responsibility on the board for ensuring


that appropriate systems and policies for risk
management are in place.

• Good board practices and corporate governance are


crucial for effective ERM.
INTERNAL CONTROL

• Examination of internal controls provides an understanding


of what should be controlled and how.

• There is more of a focus on formal approaches. Internal


controls are a subset of corporate governance.

• Risk management is a subset of internal controls

• The aim is to accomplish this through the identification and


assessment of risks facing the business and responding to
them by either removing or reducing them or, where it is
economic to do so, to transfer them to a third party
IMPLEMENTATION

• Implementation of risk management (forming part


of a business’s internal control processes) can be
resourced from within a business or be supported by
external consultants.
RISK MANAGEMENT FRAMEWORK

• The purpose of the risk management framework is to assist an organisation in integrating


risk management into its management processes so that it becomes a routine activity.

• The framework is aimed at ensuring that information about risk derived from the risk
management process is adequately reported and is used as a basis for informed decision
making.

• The framework is composed of five step;

1. Mandate & Commitment

2. Design Framework

3. Implement Framework

4. Monitor Framework

5. Improve Framework
RISK MANAGEMENT FRAMEWORK

Mandate and Commitment

• "RIsk management cannot be delivered from the bottom up within an


organisation, but must come from the top down”.

• Management have to be seen to be both implementing and driving risk


management in recognition that risk management is one of the organisation’s
“vital organs”

• The risk management objectives must reflect and serve the organisation’s
objectives and performance indicators should be defined to measure the
effectiveness of risk management over time.

• The relationship with internal audit should be established so that the


organisation is ensuring legal and regulatory compliance
RISK MANAGEMENT FRAMEWORK

Design Framework

• The design of the framework entails

• understanding the organisation and its context

• establishing the risk management policy

• determining accountability for risk management

• embedding risk management in all of the organisation’s practices and


processes

• allocating appropriate experienced and competent risk resources

• establishing tailored internal and external communication and allied


reporting.
RISK MANAGEMENT FRAMEWORK

Implementing Framework

• The timing of the implementation of the framework should be


planned.

• Introduction into the organisation should be managed with


training sessions held as required.

• Ensure as far as possible that decision making is based on the


output of the risk management .

• The delivery process of the risk management process, is


depending on where in the organisation risk management is being
implemented
RISK MANAGEMENT FRAMEWORK

Monitor Framework

• Periodically review with internal and external


stakeholders whether the risk management
framework, policy, plan and process require
amendment as a result of changes in the
organisation’s internal or external context.
RISK MANAGEMENT FRAMEWORK

Improve Framework

• Based on the results of the monitor framework

• Decisions should be made on whether the risk


management framework step, and the policy and
process which support it, should be amended with
the aim of improving the effectiveness of the
organisation’s risk management practices.
RISK MANAGEMENT POLICY

• Policy = why risk management will be undertaken, who within and


outside the organisation will undertake it, how it will be undertaken
by reference to the framework and process and internal functions,
and what those who are responsible will be required to undertake

• the policy should state its purpose, objectives, scope (where it applies
within the organisation), related and supporting policies, its degree of
confidentiality (any limitations on disclosure), the frequency of its
review and the date it was last updated.

• The policy should address the interests of all stakeholders, including


shareholders, customers, suppliers, regulators and employees.
RISK MANAGEMENT POLICY

• It should describe the relationship between risk and corporate


governance and internal audit (" the specific responsibilities of the
board – and (depending on the size of the organisation) internal audit,
external audit, the risk committee, the corporate governance committee,
the central risk function, employees and third-party contractors in
implementing risk management).

• It should describe the policy’s relationship to the process and the


framework.

• In addition, ideally any standalone policy statement prepared for


display (alongside, say, the health and safety policy and the business
continuity policy), should be short, concise and lucid (and is commonly
more effective when confined to a single page).
Risk Management Process

• The mechanisms for implementing a risk


management process is to break it down into its
component parts and examine what each part
should contribute to the whole.

• The risk management process is broken down into


seven stages: context, identification, analysis,
evaluation, treatment, monitoring/review and
communication/consultation.
Sources of Risk

• The sources of business risk comes from two primary


areas:

• from within the business itself (relating to the actions


it takes)

• from the environment or context within which the


business operates

• these sources are labelled “internal processes (internal


business context)”and “business operating environment
(external business context)”
KEY QUALITIES of
AN EFFECTIVE
ERM
INTRO

• The key qualities of an effective ERM environment


are numerous and varied

• they must be strategically aligned with the


organization in order to be highly effective

• ERM must have all of the key fundamental


components
1. HIGH - LEVEL CORPORATE
SCHOLARSHIP

• One component that is essential for an effective ERM


environment is for the board of directors and senior
executives to take it extremely seriously -> means
that support for the initiative must be consistent and
unflappable.

• An essential element is the presence of a strong and


highly knowledgeable Chief Risk Officer (CRO). This
person must be a visionary who is not locked into the
antiquated practices of the current predominant
thought processes.
2.WELL-DEFINED RISK STRUCTURE FOR
EVALUATING THE ENTIRE ENTERPRISE

• This must include thorough and complete mapping of


the entire enterprise.

• One of the maps would include all of the operating


subsets of the enterprise.

• A second map would include all of the administrative


or cross-functional types of support mechanisms.

• The reason for this is that the risks of the various parts
of the enterprise are quite different and they need to be
evaluated separately and distinctly from each other.
3.PROPERLY DETERMINED RISK
APPETITE

• Management must determine a proper risk appetite:


in other words, how much risk can we take long
before it is too much?

• One thing that is tricky about determining the risk


appetite is the variety of risks that have to be taken
into account.

• When establishing a risk appetite on a portfolio


basis we must be sure to include all types of business
risks
4.WELL-DEFINED RISK LANGUAGE USED
THROUGHOUT THE ENTERPRISE

• The risk language must be developed the details


terminologies and methodologies

• The risk language should be communicated to all


persons in the organization and then utilised
continuously to build an understanding of its
meaning and content.

• The risk terminology should be published and


distributed across the enterprise
5.CLEARLY DEFINED RISK
CULTURE

• Every organization that is going to effectively


employee ERM must have defined a risk culture

• The risk culture can be highly conservative, highly


aggressive, or essentially neutral.

• It can be avoided if sales and marketing acts within


the criteria of the risk culture that has been
established. In other words, they will adhere to the
established guidelines for promise dates and lead
times
6.HIGHLY AUTOMATED AND DATA
CENTRIC REPORTING CONTROL

• The effective risk management methodology that


should be established must be data/fact based

• Using data or facts will lead to rapid and accurate


evaluation of risk and timeliness of reporting
7.WELL DEFINED INVENTORY OF
KEY RISK INDICATORS

• Key Risk Indicators (KRIs) are critical to the


successful implementation of any type of near-time
or real-time ERM environment

• KRIs should not be confused with Key Process


Indicators (KPIs), as in most cases they are not at all
alike
7.WELL DEFINED INVENTORY OF
KEY RISK INDICATORS

Key Risk Indicator

• Measure that indicates how risky an activity is

• Provide early warning to identify potential events


that may disrupt the activity/project

• Key components of operational risk analyses


7.WELL DEFINED INVENTORY OF
KEY RISK INDICATORS

• Differ from key performance indicators (KPI) in that


KPIs measure how well something is being done
while KRIs are indicators of the possibility of future
adverse impacts

• Example : the company’s stock price drops and


continues to drop that could indicate a loss of
investor interest in the stock and the company •
Changes in the value of this indicator could indicate
that the company needs to make major changes in its
operations and/or business model Stock Prices
Dropping
7.WELL DEFINED INVENTORY OF
KEY RISK INDICATORS

Example 2

• Objectives : Manage the collection of account receivables to reduce write off


and financial loss

• Risks : Slowing Economy, Customer Default, Negative impact on cash flow can
effect the ability to pay the bills on time

• Strategies : Issue payment reminders 5 days before due date, Call customer 5
days after due date if not paid, Escalate to CFO after 15 days overdue

• KRI : Account receivables turnover/month, payment trend for top 25


customers

• KPI : Bad Debts written off < 5% provision of doubtful debts/month


8.STRAIGHTFORWARD AND HIGHLY
USABLE SYSTEM OF ANALYTICS

• When employing data, it is imperative to use an


effective set of analytics because data is only as good
as your ability to use and interpret it

• The best practice is of course the old KIS theory,


Keep It Simple-> a number of straightforward,
highly functional analytics that anyone can
understand and interpret quickly and easily
9.EFFECTIVE BUT UNCOMPLICATED
CATEGORISATION Of RISK SCHEME

• The categorization of risk is extremely helpful , but When utilizing


risk categories, it is helpful to keep in mind a couple of fundamental
concepts and facts.

1. Risk cannot be neatly categorised

2. More is not necessarily better : A much more complicated scheme


with numerous subclassification schemes is contained in the
COSO/ERM model. When the scheme is too complex, it tends to
drive the discussion into a debate instead of focusing on the risk
and how it is going to be managed day to day

• Remember, it is the risk and the management of it that is the object


of the exercise, not a perfect categorisation scheme.
10.STRATEGIC PLAN FOR CONSTANTLY
IMPROVING THE RISK MANAGEMENT
SYSTEM

• Risk is a dynamic process and never ceases to change

• All ERM environments should have a strategic plan for


constant migration of the risk management system to the
highest plateau of performance

• The strategic plan should constantly be re-evaluated to ensure


that it is keeping pace with the movement of the business, the
market, the technology, and the world.

• The strategic plan for every ERM environment, it should be


synchronised directly with the IT strategic plan of the
organization
11. ABILITY TO EVENTUALLY MIGRATE THE
METHODOLOGY TO FACILITATE PREDICTING
THE FUTURE

• The ultimate objective of any ERM environment is


the ability to see the future before the future arrives
and undermines the organization

• The organization needs somebody to look into the


future and start to take an inventory of those types
of undesirable events. At the same time, executives
should be trying to identify opportunities that may
be present so that the organization may avail itself of
these positive events.
11. ABILITY TO EVENTUALLY MIGRATE THE
METHODOLOGY TO FACILITATE PREDICTING
THE FUTURE

• Example : the significant impact on the newspaper


industry of the Internet and its diversion of
advertising dollars and loss of readership.
Recognising earlier on that there was an imminent
shift in the technological savvy of the consumer, the
tastes of the consumer, and the form of consumption
would have bode well for the organizations still
running the printing presses
BARING BANK COLAPSE

• Barings Bank, founded in 1762, was one of the


world’s oldest merchant banks, renowned for having
facilitated the Louisiana Purchase. The bank
declared bankruptcy in 1995 after losing £827
million (approximately $1.3 billion) due to
unauthorized trading activities from one of its
employees, Nick Leeson
REFERENCE

• Chapman,Robert J, (2011). Simple Tools and


Techniques for Enterprise Risk Management, John
Willey & Sons,Ltd.

• Duckert,Gregory H, (2011). Practical Enterprise


Risk Management : A Business Approach, John
Willey & Sons,Ltd.

You might also like