June 2013 Leading Risk Management Practices Rob Newsome Partner PwC

Page 1

June 2013

Leading Risk Management Practices

Rob Newsome Partner PwC

Page 2

Agenda

• Introduction

• Risk management objectives

• What does good risk management look like

• Building blocks to get there

• The risk appetite debate

• Implementation barriers of Risk Management

• Conclusion

Page 3

Risk management objectives

Risk management is central to strategic management. It is the process whereby risks are methodically addressed, focusing on the identification and treatment of risk

• to achieve maximum sustainable value to all aspects of the organisation, and

• to create better transparency and accountability for the operations of the organisation.

Page 4

Risk management objectives

• Link growth, risk and returns

• Rationalise resources

• Exploit opportunities

• Reduce operational surprises and losses

• Report with greater confidence

• Satisfy legal and regulatory requirements

• Greater management comfort in decision-making

• Know the risks you take

• Be able to control your risks

• Creating trust and credibility

• Focus on real issues

Page 5

Legal requirements

1. In some countries there are legal requirements to effect risk management through corporation-level legislation and specific regulatory provisions (Solvency II, Basel III, health and safety regimes)

2. Most corporate governance codes include risk management requirements

3. Risk management is a clear defence for proving compliance with fiduciary duties

Page 6

What does good risk management look like?

Page 7

What constitutes good risk management

1. Greater management comfort in decision making

2. Improving credit rating and cost of capital

3. Reducing insurance expenses

4. Reducing the overall cost of business contingency planning

5. Experiencing fewer loss events

6. Information and transparency on risks and opportunities

7. Assessment of management performance

8. Understanding the risk exposures

9. Leverage the response to SOX and internal audit

10. Developing and enhancing trust and credibility with stakeholders

11. Ensuring compliance with rules and regulations

Page 8

Risk maturity

ERM Element: ratings (Basic / Developing / Developed / Advanced)

Organisation and governance: 1, 3

Strategic Planning & Risk Appetite: 1, 2

Risk Policies and Standards: 2

Risk Identification & Representation: 1, 2

Risk Measurement & Reporting: 3, 1

Risk Communication & Escalation: 2, 3

Infrastructure: 2, 1

Stakeholder Disclosure: 1, 1

TOTAL: Basic 1, Developing 9, Developed 12, Advanced 4

Page 9

S&P’s four-level scoring scale

Weak

• Limited capabilities to consistently identify, measure, and comprehensively manage risk exposures and thus limit losses.

• Sporadic execution of its risk-management program.

Adequate

• Manages risk in separate silos, but maintains complete control processes.

• Loss-/risk-tolerance guidelines less developed, but risk and risk management often considered.

Strong

• Demonstrates an enterprise-wide view of risks, but still focused on loss control.

• Risk and risk management usually important considerations in the firm's corporate judgement.

Excellent

• Demonstrates risk/reward optimisation.

• Well-developed capabilities to consistently identify, measure, and manage risk exposures and losses.

Per S&P, “Standard & Poor’s to Apply Enterprise Risk Analysis to Corporate Ratings,” May 7, 2008

Page 13

Combined assurance

[Figure: combined assurance map. Rows are the processes assured: Strategic, Funding, Sustainability, Growth, Operational, Treasury, Products and services, Finance. Columns are the three lines of defence assurance providers: first line of defence, Management (control self-assessment, management review, special project); second line of defence, risk and legal based assurance (ERM, SOX, compliance); third line of defence, independent assurance (external audit, internal audit, special project). Each cell is rated Extensive assurance, Moderate assurance, Inadequate assurance or Not applicable.]

Page 14

Challenges facing Boards today

1. How do we integrate risk management with the corporation’s strategic direction and plan?

2. What are our principal business risks?

3. Are we taking the right amount of risk?

4. How effective are our processes for identifying, assessing and managing business risks?

5. How is risk coordinated across the organisation?

6. How do we ensure that the organisation is performing according to the business plan and within appropriate risk tolerances?

7. How does the Board help establish the “tone at the top” that reinforces the organisation’s values and promotes a “risk aware culture”?

Page 15

Building blocks to get there

• Structures

• Frameworks

• Process for managing risks

• Responsibilities

Page 16

Structures

Board of Directors

Audit Committee

Risk Committee

Exco

Group Risk Function

Group risk managers

Page 17: June 2013 - PwC · June 2013 Leading Risk Management Practices Rob Newsome Partner PwC . PwC Agenda ... COSO II ISO 31000 . PwC Frameworks The framework provides: • A definition

Standards of good practice H

um

an

Re

so

urc

es

RISK

COMMITTEE

EXCO

Te

ch

no

log

y

an

d

sys

tem

s

Pro

ce

ss/

op

era

tio

nal

Go

ve

rna

nce

co

mp

lia

nce

& r

eg

ula

tory

Fin

an

cia

l

STRATEGIC RISK REGISTERS – TOP RISKS PER OPERATION OR DIVISION

EXTERNAL

ENVIRONMENT

CONTINUOUS / ONGOING RISK ASSESSMENTS

Checklists in terms of the Mine Safety Management/Planned Maintenance Systems

ISSUE BASED RISK ASSESSMENTS / CHANGE MANAGEMENT PROCEDURE

After an accident or when new equipment, methods or processes are introduced

BASE LINE RISK ASSESSMENTS AND RISK PROFILE

Initial hazard identification and risk assessment of all HSEC hazards and risks on the site

OP

ER

AT

ION

AL

RIS

K

S

TR

AT

EG

IC a

nd

BU

SIN

ES

S R

ISK

FOUNDATION OF RISK MANAGEMENT – RISK CULTURE

Country and

political risk

Operational

site legal

and

commercial

assessments

Strategic

King III COSO II

ISO 31000

Page 18

Frameworks

The framework provides:

• A definition of enterprise risk management;

• The critical principles and components of an effective risk management process;

• Direction for organisations to use in determining how to enhance their risk management; and

• Criteria to determine whether their risk management is effective, and if not, what is needed.

Page 19

Process for Managing Risks

[Figure: risk management process cycle]

• Establishing the context

• Risk assessment: risk identification, risk analysis, risk evaluation

• Risk treatment

• Monitoring and review

• Communication and consultation

Page 20

Risk and Control owner responsibility for risk data and assessments

100 Basis points

Inherent risk / Risk tolerance

Need for common rating scale

Page 21

Drilling down into the risk

Page 22

Causes and consequences

Prevent controls on causes

Risk resilience on consequences

Page 23

Please note the tabs for IAM

Alternate methodology is to derive Inherent Risk from residual risk and control effectiveness

Page 24

Impact = Extreme

Inherent Probability = possible

Residual risk = Low

Risk tolerance = zero
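The four values on this slide worked through on a 5x5 matrix, as an added example that is not part of the PwC deck: the inherent score from impact and probability, the residual score after crediting control effectiveness, the alternate back-derivation of inherent risk from residual risk and control effectiveness (slide 23), and a check against a zero tolerance. The scale words, the band thresholds and the 80% control effectiveness are constructed assumptions; the deck publishes none of them.

```python
from dataclasses import dataclass

# Constructed 5-point scales; the slide gives "Extreme" impact and a
# "possible" inherent probability but does not publish its own scale words.
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "extreme": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
# Constructed band thresholds over the 1..25 matrix score (the "common rating scale").
BANDS = ((1, 4, "low"), (5, 9, "medium"), (10, 16, "high"), (17, 25, "extreme"))

def band(score: int) -> str:
    """Map a 1..25 matrix score to its rating band."""
    for lo, hi, name in BANDS:
        if lo <= score <= hi:
            return name
    raise ValueError(f"score {score} is outside the 5x5 matrix")

def inherent_score(impact: str, likelihood: str) -> int:
    """Inherent risk: impact x likelihood before any control is credited."""
    return IMPACT[impact] * LIKELIHOOD[likelihood]

def residual_score(inherent: int, control_effectiveness: float) -> int:
    """Residual risk: inherent scaled down by the fraction the controls remove.
    Floored at 1 because no control set is assumed to remove a risk entirely."""
    if not 0.0 <= control_effectiveness < 1.0:
        raise ValueError("control effectiveness must lie in [0, 1)")
    return max(1, round(inherent * (1.0 - control_effectiveness)))

def inherent_from_residual(residual: int, control_effectiveness: float) -> int:
    """Alternate methodology (slide 23): back out inherent risk from an assessed
    residual score and the control effectiveness, instead of rating it directly."""
    return max(1, round(residual / (1.0 - control_effectiveness)))

@dataclass
class RiskLine:
    name: str
    impact: str
    likelihood: str
    control_effectiveness: float  # assessed fraction of the risk the controls remove
    tolerance: int  # highest residual score the risk owner accepts; 0 = zero tolerance

def assess(line: RiskLine) -> dict:
    """Rate one register line and flag whether residual risk is within tolerance."""
    inh = inherent_score(line.impact, line.likelihood)
    res = residual_score(inh, line.control_effectiveness)
    return {
        "inherent": inh, "inherent_band": band(inh),
        "residual": res, "residual_band": band(res),
        # With zero tolerance every residual score (>= 1) is outside appetite,
        # so a "Low" residual on its own does not close the gap.
        "within_tolerance": res <= line.tolerance,
    }
```

With the slide's inputs and an assumed 80% control effectiveness the line rates inherent 15 (high), residual 3 (low), and is still outside a zero tolerance.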

Page 25

Black swan

Page 28

Responsibilities


ERM Stakeholders

Board

Audit Committee

Risk Committee

Executive Committee

Risk Owner

Risk Management Function (Risk Manager)

Business Unit Risk Managers

Operational staff

Internal Audit and the Chief Audit Executive

Other Assurance Providers

Page 29

Different models applied to risk management

3. Simple inherent vs. residual risk (on 5x5 matrix)

4. HIRA

5. Value at risk models using subjective criteria

6. Measurement of risk tolerance (target risk)

7. Loss events and near miss integration

8. Value at risk models using statistical modelling techniques

9. Actuarial risk determination

Page 30

Where risk management has worked and not worked – and why

• Wells Fargo Bank – avoiding the global credit crunch

• Global gold mining company – incident linking, yield improvement

• BP Gulf oil spill - abdication

• Sishen mineral rights - assumptions

• Newcastle furnace burn through - measurement

• Mining company forex – surprise?

• Logistics company – contract renewals, early completion of contract

• Black swans – contingencies planned – Hurricane Sandy

Page 31

The risk appetite debate

Monetary value

Composite view

Profile view

Page 32

Monetary value

20% Market cap

10% Assets

5% Earnings for one event

15% Earnings for all events

Hurdle rates - a composite but usually limited by interest cover on loans

Gut feel – that just won’t fly with the board???

Meeting budget

Page 33

Composite view (with permission from Goldfields)

RISK AREA | ASPIRATIONS | TOLERANCE LEVEL | ACTUAL C2009 | TARGETS | ACTUAL C2010 | x/√

OPTIMISE OUR ASSETS

Safety | Zero Harm | Zero Harm | 0.14 | FIFR - Zero | 0.11 | x
Safety | | | 2.82 | SIFR – 25% less | 2.22 | √
Safety | | | 3.31 | LTFR – 25% less | 4.38 | x
Safety | | | 9.32 | MTIFR – 25% less | 6.98 | √
Health | Zero Harm | Zero Harm | On track | 2013 milestones (Risk 11) | On track | √
Environment | Zero Harm | Zero - level 4 and 5 incidents | Zero | Zero | Zero | √
Business plan delivery | 5M oz / 2015, NCE 25% | 95% compliance to business plan | 3.414, 15% | 3.6Moz, NCE 15 - 20% | 3.6, 19% |

SECURING OUR FUTURE

Human Resources | Pipeline of scarce and critical skills | 60% - successor cover ratio | | 60% | 50% | x
License to operate | Global leader in sustainable gold mining | Full compliance to all legal and social requirements | 100% | 100% | 100% | √
Ethics and Corporate Governance | Full compliance – SOX and substantial compliance to King III | No material / significant failures | Nil | Nil | Nil | √

GROWING GOLDFIELDS

Capital Projects | Project delivered on time / budget | 10 - 15% overrun | - | As per tolerance | South Deep, Athena, CCOGP | x
Mergers & Acquisitions | Proper assessment of risk and returns commensurate with the risk | IRR 5% - Brownfield, IRR 10% Greenfield | - | As per tolerance | On track | √
Exploration | Appropriate balance between geological potential & political risk | Leaning towards greater geological potential in high risk areas | - | As per tolerance | On track | √

Page 34

Profile view

Page 35

Implementation Barriers of Risk Management

• Governance fatigue

• Lack of buy-in from management;

• Risk management is positioned as compliance;

• Ignorance;

• Risk is being managed in silos;

• Too many other “turn around” type strategies;

• Board v management tension;

• Past mistakes are overlooked; and

• There is no clear road map for improvement.

Page 36

Conclusion

Page 37

ERM is not

• A method to eliminate all risks or a guarantee that the organisation will avoid loss;

• A collection of longstanding and disparate practices nor a rigid set of rules to be followed under all circumstances;

• Limited to compliance and disclosure requirements;

• A replacement for internal controls;

• Identical for all companies in all sectors;

• Exactly the same from year to year; and

• A passing fad.

Page 38

Thank you...

© 2011 PwC. All rights reserved. Not for further distribution without the permission of PwC.