
Accountants’ Annual Conference 2016

Enterprise Risk Management: The Next Step in Business Management

CPA Emmanuel Johannes FCCA, CFE, CIA

3 December, 2016

Course Agenda

• Introduction to the Risk Management framework according to ISO 31000
• Concepts and definitions related to Risk Management
• Background information
• ERM linked to Strategic Risk Management
• Practical experience
• Risk analysis and risk evaluation

Case Studies

What is Risk?

The International Organization for Standardization (ISO) produced an internationally recognised standard on risk management in 2009.

ISO 31000:2009, Risk management – Principles and guidelines redefines risk as: ‘the effect of uncertainty on objectives’.

Quick facts

• The concept of risk management developed steadily throughout the 20th century out of a combination of wars, weather-related disasters, mathematical theories and business imperatives.

• The title of chief risk officer was first used in 1993 by James Lam at GE Capital to describe a function that involved managing ‘all aspects of risk’.

• Peter Bernstein, in his influential book Against the Gods: The Remarkable Story of Risk summarised this changed attitude: ‘If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth because it separates an event from its cause.’

Definition of ERM

“… Enterprise Risk Management (“ERM”) is a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”

‘Risk management is a process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organisation’s objectives.’ (ACCA)

Structure: Three parts

• Principles (strategic level): Why risk management?
• Framework (strategic level): How to integrate risk management in the existing management system?
• Process (operational level): How to integrate risk management in the existing management practices and processes?

ISO 31000 RM Principles

For risk management to be effective, an organisation should comply with the principles below:

a) Create value
b) Be an integral part of organisational processes
c) Be part of decision making
d) Explicitly address uncertainty
e) Be systematic and structured
f) Be based on the best available information
g) Be tailored
h) Take into account human factors
i) Be transparent and inclusive
j) Be dynamic, iterative and responsive to change
k) Be capable of continual improvement and enhancement

Strategic Risk Management

• A comprehensive process to identify, evaluate and manage strategic risks to reduce uncertainty AND maximize opportunities
• Guiding Principles of SRM:
 – Primary component of an organization’s ERM process
 – Ultimate goal is protecting and enhancing shareholder value
 – Effected by boards of directors, executive management and others
 – A strategic approach to risk and managing uncertainty is necessary to achieve company objectives
 – Continuous process

[Figure: SRM cycle diagram with the stages Identify, Assess, Analyze, Mitigate/Control, Retain/Finance or Transfer, Monitor/Report and Adapt/Improve, annotated with Align to Corporate Objectives, Corporate Tolerance, Risk/Opportunity, Frequency & Severity, Related Impacts, Interdependencies, Risk Profile and Informed Decisions.]

Extended Enterprise & Value Chain

[Figure: the strategic risk management process across the extended enterprise and value chain. Three descriptions from the figure: (1) Setting strategy, objectives, tone, policies, risk appetite and accountabilities; monitoring performance. (2) Operating in accordance with objectives; ensuring adherence to laws and regulations, internal policies and procedures, and stakeholder commitments. (3) Identifying and assessing risks that may affect the ability to achieve objectives; determining risk response strategies and control activities. Elements shown: Establishing Context; New Strategy & Risks; Business Planning & Strategy (long term growth in shareholder value; maximizing return on capital); Risk Framework, Control & Monitoring; Operational & Change Mgmt (Systems, Processes, People) (optimizing volume and profitability); Risk Strategy; Capital Management, Business Performance Monitoring; Economic Capital Allocation; market, product, customer, operational strategy; new ventures, risk/capital impact; Compliance to Regulations; Corporate governance; Risk Identification & Assessment; Projects (Objectives, Resources, Risk, Capital) (maximizing operational cost effectiveness).]

Strategic Risk Management Process

“A company needs to make money and create value by taking intelligent risks and loses money or gets in trouble by failing to manage risk effectively.”

Why Integrate ERM with Strategy?

Bill Gates, Microsoft and the success of Windows

Bill Gates founded Microsoft with Paul Allen in 1975. In the early years their main product was the operating system MS-DOS, which they developed initially for IBM computers but were also able to sell independently. Although the performance of MS-DOS was poor, it was quite successful because of its low price and compatibility.

Allen left Microsoft in 1982 because of health problems. By 1985 Gates faced a key decision. MS-DOS was a slow system and was unable to make use of some major innovations in hardware, so it was only a matter of time before it was out-competed by other systems.

Because of the strong uncertainty in the operating software sector at the time, reliable foresight was not possible. This was a classic risk dilemma. Gates had several possibilities: sell Microsoft to one of its competitors; exit the operating systems market and focus on developing applied solutions; or invest in a new operating system.

This last option carried the greatest downside risk: it was expensive; the resources of Microsoft at the time were small compared with competitors like IBM and Apple; and failure would have meant the end of the company. But it also offered significant opportunities: there was no technical standard set for the new generation of computer systems, and if Microsoft could achieve ‘first-mover’ status it would be able to secure long-term monopoly revenues.

Gates was not reckless; he hedged his bets for some time: for example, by starting a joint venture with IBM and also developing some applications for the Apple operating system. However, he did invest in the development of the Windows system. Although in the first years Windows sold poorly and suffered some serious technical flaws, by the early 1990s it turned out to be the lead product in the operating systems market, defining the new technical standard. Microsoft Windows came to dominate the world’s personal computer market with over 90% market share.

[Figure: the strategic process, showing Internal Forces (“Enabling Activities”) and External Pressures. Labels: Board of Directors, Political, Strategy, Cultural, Appetite, Tolerance, Ethics, Objectives, Shareholder Expectations, Regulators, Rating Agencies, Stakeholders; Information and Guidance; Risk; Opportunity; ERM Process; Protect and Enhance Shareholder Value.]

Board & Executive Engagement

Company Strategy: “We are focused on achieving strong, long-term financial performance by…”

“Our future results of operations are subject to a number of risks and uncertainties. These risks and uncertainties could cause actual results to differ materially from historical and current results and from our projections…”

Corporate Governance: “…lead the Board, particularly as it focuses on strategic risks and opportunities facing the Company.”

Risk Oversight: “One of the functions of the Board is oversight of risks inherent in the operation of the Company’s business. The Board fulfills this function through reports from officers for oversight of particular risks within the Company, through legal review of the Company’s strategic plan, and through delegation of certain risk oversight functions…”


Culture: Enabling Activities: “Become a part of the company’s DNA”

Mission: Protect and enhance shareholder value

Infrastructure: Vision/Goals; Governance; Oversight structure; Common language; Policies; Technology; Tools; Techniques; Tolerance/appetite; Monte Carlo simulation

Process Integration: Operational processes; Strategic planning; Quality process; Competency models; Product development; Capital projects; Performance management

The Paychex ERM Framework

[Figure: cycle built around business goals, objectives and strategies: Identify Risks & Opportunities → Assess Risks & Opportunities → Develop Action Plans → Implement Strategy → Integrate Results → Monitor & Report Results.]

• Risk management is recognized as a key contributor to value creation.
• The risk culture is defined and enshrined to give managers and employees the requisite freedom of maneuver.
• An awareness of risk and the need to manage it pervades the enterprise.
• Risks are identified, reported, and quantified to the greatest possible extent.
• Equal attention is paid to both quantifiable and unquantifiable risks.
• Risk management is everyone’s responsibility and is not fragmented into compartments and silos.
• The enterprise avoids products and businesses it does not understand.
• Scenario planning embraces uncertainty and considers all possible developments.

Example ERM Framework

Identify & Assess Risk

Identifying the effectiveness of processes and controls via interactive participation with subject matter experts.

Step 1: Pre-work
• Business unit identifies risks associated with operational errors.

Step 2: Workshop
• Voting technology is utilized to score/rank the risks.

Step 3: Mitigation
• Top-ranked risks are identified and reviewed to assess counter-measures.

Step 4: Results
• Key risks are identified and better understood, creating awareness and accountability.

[Figure: Interactive Risk Assessments heat map plotting Impact (1–5, vertical axis) against Likelihood, also labelled Vulnerability (1–5, horizontal axis), with 15 numbered operating risks placed on the grid. Operating risk categories: Vendor Failure, Failed Systems, Human Error, Failed Processes, Internal Fraud. Outcomes: assurance of preparedness; redeploy resources; enhance risk mitigation; measure for cumulative impact.]
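The workshop scoring step described above (subject matter experts vote, the votes are scored and ranked, and each risk is placed on the Impact × Likelihood grid) can be mechanised in a few lines. The following is an added example written for this page, not the presenter's or Paychex's tooling; the vote values are constructed, and the median aggregation, the impact tie-break and the High/Medium/Low thresholds are assumptions made here for illustration.

```python
"""Score, rank and plot operating risks from workshop votes on a 5x5 heat map.

Constructed illustration of the "score/rank the risks" workshop step: each
subject-matter expert votes impact and likelihood on a 1..5 scale, votes are
aggregated, and the ranked risks are placed on an Impact x Likelihood grid.
"""
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Tuple

SCALE = range(1, 6)  # the 1..5 scale used on both axes of the heat map

# Constructed sample votes (hypothetical, not real assessment data): the five
# operating-risk categories named on the slide, each with four experts' votes.
RISK_VOTES: Dict[str, Dict[str, List[int]]] = {
    "Vendor Failure":   {"impact": [4, 4, 5, 3], "likelihood": [2, 3, 2, 2]},
    "Failed Systems":   {"impact": [5, 5, 4, 5], "likelihood": [3, 4, 3, 3]},
    "Human Error":      {"impact": [3, 2, 3, 3], "likelihood": [5, 4, 5, 4]},
    "Failed Processes": {"impact": [3, 3, 4, 3], "likelihood": [3, 3, 4, 3]},
    "Internal Fraud":   {"impact": [5, 4, 5, 5], "likelihood": [1, 2, 1, 1]},
}


@dataclass(frozen=True)
class ScoredRisk:
    name: str
    impact: int
    likelihood: int

    @property
    def score(self) -> int:
        # Conventional risk score: impact x likelihood (range 1..25)
        return self.impact * self.likelihood


def aggregate_votes(votes: List[int]) -> int:
    """Collapse expert votes into one rating on the 1..5 scale.

    Uses the median (assumed aggregation rule) so a single outlier vote cannot
    drag a risk across the grid; halves round up. Out-of-range votes are
    rejected rather than silently clamped.
    """
    if not votes:
        raise ValueError("no votes supplied")
    bad = [v for v in votes if v not in SCALE]
    if bad:
        raise ValueError(f"votes must be on the 1..5 scale, got {bad}")
    return int(median(votes) + 0.5)


def score_register(votes: Dict[str, Dict[str, List[int]]] = RISK_VOTES) -> List[ScoredRisk]:
    """Aggregate votes per risk and rank highest score first.

    Ties are broken by impact (assumed tie-break rule), so of two equal
    scores the more severe risk ranks first; then by name for stability.
    """
    scored = [
        ScoredRisk(name, aggregate_votes(v["impact"]), aggregate_votes(v["likelihood"]))
        for name, v in votes.items()
    ]
    return sorted(scored, key=lambda r: (-r.score, -r.impact, r.name))


def priority_band(score: int) -> str:
    """Band a score into a mitigation priority (thresholds are an assumption;
    the slide shows the grid, not the cut-offs)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def heat_map(ranked: List[ScoredRisk]) -> Dict[Tuple[int, int], List[int]]:
    """Place 1-based ranks into (impact, likelihood) cells, as on the slide."""
    cells: Dict[Tuple[int, int], List[int]] = {}
    for rank, r in enumerate(ranked, start=1):
        cells.setdefault((r.impact, r.likelihood), []).append(rank)
    return cells


def render_heat_map(ranked: List[ScoredRisk]) -> str:
    """Text rendering: impact 5 at the top, likelihood 1..5 left to right."""
    cells = heat_map(ranked)
    header = "Impact \\ Likelihood " + " ".join(f"{lik:>5}" for lik in SCALE)
    lines = [header]
    for impact in reversed(SCALE):
        row = []
        for lik in SCALE:
            label = ",".join(str(i) for i in cells.get((impact, lik), [])) or "."
            row.append(f"{label:>5}")
        lines.append(f"{impact:>19} " + " ".join(row))
    return "\n".join(lines)


if __name__ == "__main__":
    ranked = score_register()
    for rank, r in enumerate(ranked, start=1):
        print(f"{rank}. {r.name}: impact={r.impact} likelihood={r.likelihood} "
              f"score={r.score} ({priority_band(r.score)})")
    print(render_heat_map(ranked))
```

With the constructed votes, Failed Systems and Human Error both score 15 but Failed Systems ranks first because of its higher impact; rejecting out-of-range votes up front keeps a mistyped "0" or "6" from silently shifting a risk into another band.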

Risk Scenario Planning: “The present moment used to be the unimaginable future”

[Figure: predictability decreases and uncertainty (U) increases with distance into the future (time); ranges of usefulness: Forecasting (F), Scenario Planning (S), “Hoping” (H).]

• Probable - “likely to” happen (current trends)
• Plausible - “could” happen (current knowledge)
• Possible - “might” happen (future knowledge)
• Preferable - “want to” happen (value judgements)

Results – what happened after mitigation

Key Risks Detail

1. Credit
Risk Description: Risk of financial loss due to client defaults, dependencies on banking partner lines of credit. The case of Treasury Registrar and liquidity in Tanzania.
Primary Organization Owner(s): Risk Management
Risk Type: (K) Known
Primary Indicators: Bad debt write-offs, national economic indicators, regional/industry factors, credit agency
Mitigation Strategies:
• Branch and client transaction thresholds
• Credit bureau monitoring; consumer and commercial credit review
• Credit policies, including secured funding and security deposits
• Monitoring for credit deterioration, industry/economic data and bankruptcy
• Allowance for doubtful accounts (reserve)
• Fraud industry coalition

2. Regulatory Compliance
Risk Description: Maintaining compliance for all products and services with applicable laws and regulations; ensuring timeliness and accuracy of regulatory change on Paychex platforms.
Primary Organization Owner(s): Risk Management
Risk Type: U1 (Unknown)
Primary Indicators: Regulatory activity, laws enacted, warranties/penalties, lawsuits, enforcement activity, regulatory inquiries
Mitigation Strategies:
• Monitoring enforcement trends, relevant publications and industry news
• Strong regulatory agency relationships
• Ongoing review and audit of compliance
• Increased training for applicable personnel
• Change management control process

ERM Dashboards

Providing the Board and senior management with greater risk transparency:

• Compliance with risk policies and regulations: exposures vs. policy limits; regulatory compliance
• Earnings-at-risk: major internal drivers; key external variables
• Risk/return performance tracking: business units; customer segments; products
• Real time risk reporting: one touch visibility; drill down capabilities; 24x7 escalation; early warning signals

Value Preservation to Value Creation

The discipline of risk management has evolved from strictly a value preservation-based focus to a balanced focus between protecting assets and creating or enhancing value.

[Figure: risk types along the spectrum from value preservation to value creation: Operating Risk, Credit Risk, Model Risk, Entrepreneurial Risk, Regulatory Compliance Risk, Future/White Space (Target Models (3B); Lifetime Value Models; Churn Models; Discount Engine Models; Upsell Models; Sales Territory Models).]

Risk Management: A flexible and dynamic risk management discipline is uniquely positioned to quickly adapt to change and identify opportunistic risk to create new streams of revenue and increase value.

Example: Brexit

The UK’s referendum on membership of the European Union (EU) in June 2016 resulted in a majority of British citizens voting to leave. The implications for businesses are unclear and are likely to remain so for some time; it will take many years for the UK to disentangle from the EU.

Brexit is an excellent example of uncertainty providing both threats and opportunities to businesses. Consider the travel and leisure industry. The fall in the value of sterling after the referendum result might reduce demand by travellers for holidays abroad as costs go up, but it is likely to be good news for hotels, restaurants and tour companies providing holidays in the UK as foreign tourist spending is set to surge.

All organisations should be trying to identify and assess their own areas of exposure to Brexit risks. A failure to do so smacks of complacency and could be damaging. The sudden collapse into administration of Lowcost Travel Group in July 2016 illustrates the risk of Brexit.

Avoid a tick-box attitude

Finally, a word of warning for those accountants in larger organisations looking to put in place comprehensive, detailed risk management systems, including policies, registers and regular reporting. These systems will not be sufficient to drive improvements or add value unless they are accompanied by intelligent review and analysis of what the data is saying about the business and its risk profile. There is a danger of becoming obsessed with the detail of the process, where the focus is hitting reporting deadlines in order to tick a box. This is not effective risk management.

Conclusion

Risk affects all organizations. It can have far-reaching consequences in terms of economic performance, environmental and safety outcomes, and professional reputation. Managing risk effectively and optimizing risk will therefore help enterprises of all sizes and in all business sectors to perform well in an increasingly uncertain environment.

http://www.accaglobal.com/uk/en/technical-activities/technical-resources-search/2016/october/tf-effective-risk-management.html

Questions?