© 2010 Wipro Ltd - Confidential

ERM – What next?

ERM Summit, The Breakers, Palm Beach

Richard Anderson, 22 August 2010

A spot of bother...

My reading...

Corporate Governance has been sorely tested – and found wanting:
• Almost voluntary
• Fierce investor pressures to do things not in the best interests of the organisation
• NXD oversight stretched
• External audit all but bust
• Internal audit struggling
• Regulators, financial analysts and rating agencies a poor source of assurance

Which leaves reliance on what? Perhaps internal RM, the Co Sec and line management.

The Risk Management offering

• COSO I and II
• ISO 31000
• BS 31100

The current Risk Management offering

BS 31100
• Comprehensive
• Level of granularity
• About process and culture

ISO 31000
• Very European feel
• High level of granularity
• Some obscure suggestions
• Missing risk appetite

COSO
• Conceptual models
• No process
• Used extensively in the US for SOX


My conclusion

Risk Management failed...

And is not yet well positioned to do much better...

Risk Management has failed. Long live Risk Management!

Two possible solutions

1. Better risk oversight
2. Better risk management in the line

Both might use much of the same toolkit and many of the same approaches...

New Corporate Governance Code

“The principle on internal control should be amended to state the board’s responsibility for defining the company’s risk appetite and tolerance and maintaining a sound risk management system, with a new provision stating that the board should satisfy itself that appropriate systems are in place to enable it to identify, assess and manage key risks.”

Source: 2009 Review of the Combined Code: Final Report, issued by the Financial Reporting Council, December 2009

The UK Corporate Governance Code

“The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.”

Risk appetite by any other name...

Summarising early thoughts

The consensus that emerged was that:
• There was no consensus on what risk appetite really means in organisational terms;
• Most people agreed that the concept was indeed important; but
• Apart from a few participants, few were able to express risk appetite in a meaningful way.

What is risk appetite?

Guidance from standards

ISO 31000: “Amount and type of risk that an organization is willing to pursue or retain.”
But no further guidance.

BS 31100: “Amount and type of risk that an organization is prepared to seek, accept or tolerate.”
Limited further guidance...

BS 31100, para 3.8: Risk appetite and risk profile

A risk appetite statement should:
1. Provide direction and boundaries
2. Consider the external context
3. Look at the portfolio of risks
4. Define delegations
5. Be reflected in policy
6. Deal with specifics
7. Deal with quantitative aspects

and should be:
• Continually monitored
• Formally reviewed annually

Risk Appetite Model

Risk appetite consists of:
• Propensity to take risk
• Propensity to exercise control

Through these lenses:
• Type of risk
• Engage with risk
• Clock speed control
• Yard stick: the SHV model

Risk appetite in context of maturity

Level                  Measurement
Strategic              Shareholder Value
Tactical               KRIs
Project / Operational  KCIs

(Figure: at each level the model sets a Propensity to take risk (Risk Taking) and a Propensity to exercise control (Exercising Control), surrounded by the Business Context, the Risk Management Culture, Processes and Systems, each with its own Maturity.)

Proposed contents

Level                  Measurement
Strategic              Shareholder Value
Tactical               KRIs
Project / Operational  KCIs

(Figure: the same grid of Propensity to take risk (Risk Taking) and Propensity to exercise control (Exercising Control) at each level, with Delegation and Escalation running between the levels.)

This is not a data-free zone!

But it needs to be implemented effectively.

(Figure: Board and Senior Management and their Vision at the top; Risk Appetite and Risk Assurance on either side; Strategy, Operating Model, Policy, Process and Controls in between; all resting on DATA.)

Some thoughts

Risk appetite:
• Is as much about “enabling” risk taking as “constraining” adverse risks
• Requires active “stakeholder” engagement
• Needs to be built into “business as usual” processes
• Should be approved by the board (or risk oversight committee)
• Has to be actively monitored by management
• Has to be reviewed regularly by the board
• Is a management tool as well as a governance requirement
• Needs measurement tools and techniques

And the benefits

• Better decision making;
• At an early stage (allowing more wriggle room to deal with risks);
• Reducing surprises;
• In a structured manner;
• That facilitates better achievement of long term objectives; and
• Which brings sense to the risk process.

Seven developmental themes

We need to revisit some old chestnuts (and a few new ones):
• Balanced risk management
• Shareholder value and measurement
• Risk Management Clockspeed
• Ethics programmes
• Maturing risk management
• Risk management and assurance framework
• Organisation

Given time limitations we will ignore the last two of these today...

Achieving objectives depends on...

Taking more managed risk
– risk of taking on too much risk which becomes unmanageable

Avoiding unnecessary problems
– risk of avoiding everything, resulting in total inaction

Creating the right performance culture
– risk of over-stretch resulting in burn-out

Setting appropriate corporate “ethics” and behaviours
– risk of sclerosis as every stakeholder of every decision is consulted

And doing the right amount of each

(Figure: Long Term Performance (Low to High) plotted against the amount of each attribute (Low to High), where the attribute is (i) Managed Risk Taking or (ii) Avoiding Pitfalls or (iii) Performance Culture or (iv) Corporate Ethics and Behaviours. The Performance Zone (Zone 2) sits between two Dead Zones (Zones 1 and 3) at the extremes.)

Risk management needs balance

(Figure: a four-axis chart of Performance Culture, Corporate Ethics, Avoiding Pitfalls and More Managed Risk, with a central Performance Zone and Dead Zones at the extremes. The same chart is then shown with a different profile plotted for each of the three cases below.)

Enron? Or the Big Banks?

UK plc?

The objective

Shareholder Value

Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital, minus Debt

Shareholder Value

Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital, minus Debt

The drivers of Cashflow from Operations:
Operational issues: 1. Sales Growth; 2. Operating Margin; 3. Cash Tax Rate
Investment issues: 4. CAPEX; 5. Working Capital; 6. Competitive Advantage Period
Discount Rate and Debt: 7. Cost of Debt

The risk implications

(The same driver tree, now read as the set of places a risk can land.)

One risk, many drivers

(The same driver tree with a single RISK overlaid across several of the drivers at once.)
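The seven drivers make the formula computable, and the point of the third chart, that one risk moves several drivers at once, is easiest to see by running the numbers. The Python below is an added example; it is not part of the deck and not Wipro's or the speaker's model. It assumes the usual Rappaport-style mechanics that the deck only names: capital expenditure and working capital are required in proportion to incremental sales, the WACC is formed from the cost of debt (driver 7) and an assumed cost of equity, and the residual value after the competitive advantage period is the final year's after-tax operating profit capitalised at the WACC. All figures, and the supply-disruption shock that hits three drivers at once, are constructed for a hypothetical company.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ValueDrivers:
    """The deck's seven value drivers plus the inputs needed to run them.

    The mechanics are the common Rappaport-style assumptions, not something the
    deck states: capex and working capital are required in proportion to
    incremental sales, and the WACC is built from the cost of debt (driver 7)
    and an assumed cost of equity.
    """
    sales: float                 # current-year sales, the base for the projection
    sales_growth: float          # 1. Sales growth per year (fraction)
    operating_margin: float      # 2. Operating margin (operating profit / sales)
    cash_tax_rate: float         # 3. Cash tax rate on operating profit
    capex_rate: float            # 4. CAPEX needed per unit of incremental sales
    working_capital_rate: float  # 5. Working capital needed per unit of incremental sales
    advantage_period: int        # 6. Competitive advantage period (years forecast explicitly)
    cost_of_debt: float          # 7. After-tax cost of debt
    cost_of_equity: float        # assumed, needed with 7 to form the WACC
    debt_weight: float           # debt / (debt + equity), assumed, for the WACC
    debt: float                  # debt subtracted from corporate value


def wacc(d: ValueDrivers) -> float:
    """Weighted Average Cost of Capital from the after-tax cost of debt and the cost of equity."""
    return d.debt_weight * d.cost_of_debt + (1.0 - d.debt_weight) * d.cost_of_equity


def project_cashflows(d: ValueDrivers) -> list[float]:
    """Cash flow from operations, net of investment, for each year of the advantage period."""
    flows = []
    sales = d.sales
    for _ in range(d.advantage_period):
        next_sales = sales * (1.0 + d.sales_growth)
        incremental = next_sales - sales
        nopat = next_sales * d.operating_margin * (1.0 - d.cash_tax_rate)
        investment = incremental * (d.capex_rate + d.working_capital_rate)
        flows.append(nopat - investment)
        sales = next_sales
    return flows


def shareholder_value(d: ValueDrivers) -> float:
    """Shareholder Value = cash flow from operations discounted at the WACC, minus Debt."""
    r = wacc(d)
    pv_explicit = sum(cf / (1.0 + r) ** t for t, cf in enumerate(project_cashflows(d), start=1))
    # Residual value beyond the advantage period: no further value-creating growth,
    # so the final year's after-tax operating profit is capitalised as a level
    # perpetuity at the WACC (assumption).
    final_sales = d.sales * (1.0 + d.sales_growth) ** d.advantage_period
    final_nopat = final_sales * d.operating_margin * (1.0 - d.cash_tax_rate)
    pv_residual = (final_nopat / r) / (1.0 + r) ** d.advantage_period
    return pv_explicit + pv_residual - d.debt


def value_impact(base: ValueDrivers, **changed: float) -> float:
    """Change in shareholder value when the named drivers take new values."""
    return shareholder_value(replace(base, **changed)) - shareholder_value(base)


def one_risk_many_drivers(base: ValueDrivers, shock: dict[str, float]) -> dict[str, float]:
    """Trace one risk event through every driver it touches.

    Returns the value impact of each driver change on its own, plus the combined
    impact. The combined figure is not the sum of the parts: the drivers interact
    (lower growth, for instance, also means less incremental sales to fund).
    """
    impacts = {name: value_impact(base, **{name: value}) for name, value in shock.items()}
    impacts["combined"] = value_impact(base, **shock)
    return impacts


# Constructed figures for a hypothetical company; none of these come from the deck.
BASE = ValueDrivers(
    sales=1000.0, sales_growth=0.10, operating_margin=0.20, cash_tax_rate=0.25,
    capex_rate=0.5, working_capital_rate=0.1, advantage_period=2,
    cost_of_debt=0.06, cost_of_equity=0.14, debt_weight=0.5, debt=200.0,
)

# One constructed risk event, a supply disruption, assumed to hit three drivers at once:
# slower growth, a thinner margin and more working capital tied up in buffer stock.
SUPPLY_DISRUPTION = {"sales_growth": 0.05, "operating_margin": 0.18, "working_capital_rate": 0.2}

if __name__ == "__main__":
    print(f"WACC: {wacc(BASE):.1%}")
    print(f"Shareholder value: {shareholder_value(BASE):,.1f}")
    for driver, delta in one_risk_many_drivers(BASE, SUPPLY_DISRUPTION).items():
        print(f"  {driver:>22}: {delta:+,.1f}")
```

Run as-is it prints the WACC, the base shareholder value and four deltas: one per driver the shock touches and one for the shock applied whole. The combined hit differs from the sum of the three single-driver hits because the drivers interact, which is the practical content of the chart: a risk is not a driver, and a risk register that keys each risk to a single driver will misstate the exposure.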

Risk Management Clock Speed

Slow clock speed: audit speed; time for due consideration; time for moderation; time to develop a response; time to assess the effectiveness of the response; time to seek expertise; time to review; time to start again.

Fast clock speed: Bang!

Risk Management Clock Speed

Slow: Policy driven; Process oriented; Loud signals; Cognitive
Fast: Ethically driven; Behaviour oriented; Weak signals; Affective

Ethics – all black and white

Legal | Illegal

Ethics – all black and white

Legal | Shades of Grey | Illegal

The evidence from ethics surveys

5% of employees use hotlines in any given year. Of those, 1% are reporting a problem and 4% are seeking guidance.

Two surveys show some conflicting evidence:
– 74% of employees witnessed wrongdoing at work in the previous twelve months.
– 56% of employees personally observed conduct that violated company ethics standards, policy, or the law.

The reasons given by employees for not reporting misconduct they witnessed at work were:
– Futility of reporting, nothing would change: 54%; and
– Fear of retaliation: 36%.

Sources: KPMG’s Integrity Survey 2008-09; Ethics Resource Center’s National Business Ethics Survey (2007); ERC, National Business Ethics Survey, 2007, p. 6

The evidence from ethics surveys

The “DANGEROUS SILENCE”

But they didn’t put forward recommendations for improvements either, for the same reasons.

How can you re-engage your staff?


Dangerous silence

Sensitivity to weak signals...

Needs a taser... Needs valium...

Weak signals

(Figure: plotted against Time, the Strength of signals rises while the Degree of Uncertainty, the Room for Action and the Options for Action fall: the importance of acting early in response to a given risk.)

Holding a mirror up is an essential part of assessing maturity…

(Figure: maturity as seen by the Executive)

…and it can show an interesting picture.

(Figure: maturity as seen by Front Line Supervisors)


Summary and conclusions

The risk intelligent organisation

Risk management is about bringing a perspective to the management of complicated issues in complex organisations. It is about the management (and not the avoidance) of risk. It helps to prioritise your work and that of others in a fast moving context with an approach that is better than simple intuition and which facilitates communication between people.

It is a style of thought, and is definitely not a paper chase.

History…

Risk management AND Corporate governance failed

MUST DO BETTER

And they weren’t helped much by Internal Audit either...

The future…

Better risk management led by an understanding of risk appetite AND better risk oversight (corporate governance) CAN lead to better performance

Do those things...

Do those things and we WILL see:
• A new level of risk management
• Emerging Risk Intelligent Organisations
• More awareness of weak signals
• Intelligently given and well-received challenge
• Better engagement from staff
• Higher stakeholder confidence

Conclusion

Will the Governance changes happen? Not without:
• Massive campaigns by subject matter experts;
• Enormous awareness campaigns;
• The development of truly influential professional bodies;
• Global buy-in.

And a last word

Risk management – a motto:

The disruptive intelligence that pierces “perfect-place” arrogance


Thank You

Richard Anderson

European GRC Regional Practice Leader

[email protected]