© 2010 Wipro Ltd - Confidential
ERM – What next?
ERM Summit The Breakers, Palm Beach
Richard Anderson, 22 August 2010
My reading...
Corporate Governance has been sorely tested – and found wanting:
• Almost voluntary
• Fierce investor pressures to do things not in best interests of organisation
• NXD oversight stretched
• External audit all but bust
• Internal audit struggling
• Regulators, financial analysts and rating agencies poor source of assurance
Which leaves reliance on what? Perhaps internal RM, the Co Sec and line management.
The Risk Management offering
• COSO I and II
• ISO 31000
• BS 31100
The Current Risk Management offering
BS 31100
• Comprehensive
• Level of granularity
• About process and culture
ISO 31000
• Very European feel
• High level of granularity
• Some obscure suggestions
• Missing risk appetite
COSO
• Conceptual models
• No process
• Used extensively in the US for Sox
My conclusion
Risk Management failed...
And is not yet well positioned to do much better...
Two possible solutions
1. Better risk oversight
2. Better risk management in the line
Both might use much of the same toolkit and many of the same approaches...
New Corporate Governance Code
“The principle on internal control should be amended to state the board’s responsibility for defining the company’s risk appetite and tolerance and maintaining a sound risk management system, with a new provision stating that the board should satisfy itself that appropriate systems are in place to enable it to identify, assess and manage key risks.”
Source: 2009 Review of the Combined Code: Final Report, issued by the Financial Reporting Council, December 2009
The UK Corporate Governance Code
The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives.
Risk appetite by any other name...
Summarising early thoughts
The consensus that emerged was that:
• There was no consensus on what risk appetite really means in organisational terms;
• Most people agreed that the concept was indeed important; but
• Apart from a few participants, few were able to express risk appetite in a meaningful way.
Guidance from standards
ISO 31000: Amount and type of risk that an organization is willing to pursue or retain.
But no further guidance.
BS 31100: Amount and type of risk that an organization is prepared to seek, accept or tolerate.
Limited further guidance...
BS 31100, Para 3.8: Risk appetite and risk profile
1. Provide direction and boundaries
2. Consider external context
3. Look at portfolio of risks
4. Define delegations
5. Be reflected in policy
6. Deal with specifics
7. Deal with quantitative aspects
Risk appetite statement should be:
• Continually monitored
• Formally reviewed annually
Risk Appetite Model (diagram)
Risk Appetite consists of:
• Propensity to Take Risk
• Propensity to Exercise Control
Through these lenses:
• Type of Risk
• Engage with Risk
• Clock Speed Control
• Yard Stick
• SHV Model
Risk appetite in context of maturity (diagram)
Levels: Strategic; Tactical; Project/Operational
Columns: Propensity to take risk (Risk Taking); Propensity to exercise control (Exercising Control); Measurement (Shareholder Value, KRI’s, KCI’s)
Maturity dimensions around the grid: Business Context; Risk Management Culture; Processes; Systems
Proposed contents (diagram)
Levels: Strategic; Tactical; Project/Operational
Columns: Propensity to take risk (Risk Taking); Propensity to exercise control (Exercising Control); Measurement (Shareholder Value, KRI’s, KCI’s)
Linking mechanisms: Delegation; Escalation
This is not a data-free zone!
But it needs to be implemented effectively. (diagram)
Layers: Board and Senior Management; Vision; Strategy; Operating Model; Policy; Process; Controls; DATA
Alongside: Risk Appetite; Risk Assurance
Some thoughts
Risk appetite:
• Is as much about “enabling” risk taking as “constraining” adverse risks
• Requires active “stakeholder” engagement
• Needs to be built into “business as usual” processes
• Should be approved by the board (or risk oversight committee)
• Has to be actively monitored by management
• Has to be reviewed regularly by the board
• Is a management tool as well as a governance requirement
• Needs measurement tools and techniques
And the benefits
• Better decision making;
• At an early stage (allowing more wriggle room to deal with risks);
• Reducing surprises;
• In a structured manner;
• That facilitates better achievement of long term objectives; and
• Which brings sense to the risk process.
Seven developmental themes
We need to revisit some old chestnuts (and a few new ones):
• Balanced risk management
• Shareholder value and measurement
• Risk Management Clockspeed
• Ethics programmes
• Maturing risk management
• Risk management and assurance framework
• Organisation
Given time limitations we will ignore the last two of these today...
Achieving objectives depends on...
• Taking more managed risk
  – risk of taking on too much risk which becomes unmanageable
• Avoiding unnecessary problems
  – risk of avoiding everything, resulting in total inaction
• Creating the right performance culture
  – risk of over-stretch resulting in burn-out
• Setting appropriate corporate “ethics” and behaviours
  – risk of sclerosis as every stakeholder of every decision is consulted
And doing the right amount of each (diagram)
Horizontal axis – Attribute: (i) Managed Risk Taking or (ii) Avoiding Pitfalls or (iii) Performance Culture or (iv) Corporate Ethics and Behaviours (Low to High)
Vertical axis – Long Term Performance (Low to High)
Zones: Zone 1 Dead Zone; Zone 2 Performance Zone; Zone 3 Dead Zone
Risk management needs balance
(radar diagram – axes: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk; regions: Performance Zone, Dead Zones)
Enron? Or the Big Banks?
(radar diagram – axes: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk; regions: Performance Zone, Dead Zones)
UK plc?
(radar diagram – axes: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk; regions: Performance Zone, Dead Zones)
The objective
(radar diagram – axes: Performance Culture, Corporate Ethics, Avoiding Pitfalls, More Managed Risk; regions: Performance Zone, Dead Zones)
Shareholder Value
Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital – Debt
Shareholder Value (value-driver diagram)
Shareholder Value = Cashflow from Operations, discounted by the Weighted Average Cost of Capital – Debt
Drivers of Cashflow from Operations:
• Operational Issues: 1 Sales Growth; 2 Operating Margin; 3 Cash Tax Rate
• Investment Issues: 4 CAPEX; 5 Working Capital; 6 Competitive Advantage Period
Drivers of the discount and debt terms: Discount Rate; Debt; 7 Cost of Debt
The risk implications
(same value-driver diagram: Shareholder Value / Cashflow from Operations; Operational Issues – 1 Sales Growth, 2 Operating Margin, 3 Cash Tax Rate; Investment Issues – 4 CAPEX, 5 Working Capital, 6 Competitive Advantage Period; Discount Rate, Debt, 7 Cost of Debt)
One risk, many drivers
(same value-driver diagram with a single RISK mapped across the drivers: Shareholder Value / Cashflow from Operations; Operational Issues – 1 Sales Growth, 2 Operating Margin, 3 Cash Tax Rate; Investment Issues – 4 CAPEX, 5 Working Capital, 6 Competitive Advantage Period; Discount Rate, Debt, 7 Cost of Debt)
Risk Management Clock Speed
Fast clock speed: Bang!
Slow clock speed (audit speed):
• Time for due consideration
• Time for moderation
• Time to develop response
• Time to assess effectiveness of response
• Time to seek expertise
• Time to review
• Time to start again
Risk Management Clock Speed
Slow: Policy Driven; Process Oriented; Loud Signals; Cognitive
Fast: Ethically Driven; Behaviour Oriented; Weak Signals; Affective
Ethics – all black and white
Legal
Illegal
Ethics – all black and white
Legal
Illegal
Shades of Grey
The evidence from ethics surveys
5% of employees use hotlines in any given year. Of those, 1% are reporting a problem and 4% are seeking guidance.
Two surveys show some conflicting evidence:
– 74% of employees witnessed wrongdoing at work in the previous twelve months.
– 56% of employees personally observed conduct that violated company ethics standards, policy, or the law.
The reasons given by employees for not reporting misconduct they witnessed at work were:
– Futility of reporting – nothing would change – 54%; and
– Fear of retaliation – 36%.
Sources: KPMG’s Integrity Survey 2008-09; Ethics Resource Center’s National Business Ethics Survey (2007); ERC, National Business Ethics Survey p.6, 2007
The evidence from ethics surveys – the “DANGEROUS SILENCE”
But they didn’t put forward recommendations for improvements either. For the same reasons:
How can you re-engage your staff?
Dangerous silence
Sensitivity to weak signals...
Needs a taser... Needs valium...
Weak signals (diagram)
Horizontal axis: Time
Plotted against time: Degree of Uncertainty; Strength of signals; Room for Action; Options for Action
Importance of Acting Early in response to a given risk
Holding a mirror up is an essential part of assessing maturity…
Executive
…and it can show an interesting picture.
Front Line Supervisors
The risk intelligent organisation
Risk management is about bringing a perspective to the management of complicated issues in complex organisations. It is about the management (and not the avoidance) of risk. It helps to prioritise your work and that of others in a fast moving context with an approach that is better than simple intuition and which facilitates communication between people.
It is a style of thought, and is definitely not a paperchase.
History…
Risk management AND Corporate governance failed
MUST DO BETTER
And they weren’t helped much by Internal Audit either...
The future…
Better risk management led by an understanding of risk appetite AND better risk oversight (corporate governance) CAN lead to better performance
Do those things...
Do those things and we WILL see:
• A new level of risk management
• Emerging Risk Intelligent Organisations
• More awareness of weak signals
• Intelligently given and well-received challenge
• Better engagement from staff
• Higher stakeholder confidence
Conclusion
Will the Governance changes happen? Not without:
• Massive campaigns by subject matter experts;
• Enormous awareness campaigns;
• The development of truly influential professional bodies;
• Global buy-in
And a last word
Risk management – a motto:
The disruptive intelligence that pierces “perfect-place” arrogance
Thank You
Richard Anderson
European GRC Regional Practice Leader