This quick checklist is designed to help risk managers mark their progress as they read through
the guide and implement the recommendations provided within as appropriate.
Objective 1: Drive risk culture
Objective 2: Help integrate risk management into business
Objective 3: Become a trusted advisor
CONTENTS
INTRODUCTION
APPENDICES
Appendix B Bibliography
INTRODUCTION
Nowadays risk management is on everyone's corporate agenda; however, this hasn't always been the case. We began our research into the topic back in 2007. At the time, this was prompted by the fact that many large corporations across Eastern Europe were establishing risk-management teams and implementing risk-management frameworks. Our 2007 study highlighted that risk management was largely driven by the requirements of stock exchanges and was very basic in nature. We identified a number of challenges, mainly relating to a weak risk-management culture and confusion around the roles and responsibilities that the boards of directors, executive management, and the risk-management teams play in the overall management of the company's risks.
We also noted that back in 2007, risk managers focused primarily on fundamental activities, like developing risk-management frameworks, conducting risk assessments, and aggregating risk reports. This resulted in a very compliance-like (and sometimes overly complex) process of risk identification and analysis. It often took months to get any meaningful results, and it quickly became a box-ticking exercise. Business units resisted what was perceived as a back-office initiative, claiming that risks were already known and under control. Nevertheless, the drive to have a robust independent analysis of major risks, an enterprise-wide view of the same, and a reliance upon the quality of the risk-management process soon became
To achieve this objective, we have revisited our own risk-management experience, acquired over the course of ten years of risk consulting to various businesses across Australia, Singapore, Poland, Russia, Ukraine, and Kazakhstan. Both authors have worked as risk-management consultants and corporate risk managers reporting directly to Chief Risk Officers (CROs) and vice-presidents, have actively participated in various discussions within the international risk-management community to stay at the forefront of the schools of thought regarding risk management, and have performed their own research of corporate governance and risk-management practices in 2006-2007, the results of which were published in an international journal.
We have also interviewed other risk managers from large corporations in Eastern Europe to leverage their practical approaches in developing a risk-intelligent culture, and have prepared case studies of risk-management practices in developed countries. These are incorporated into our practical guide.
Guide structure
This guide provides fifteen very specific and actionable recommendations that corporate risk managers will find useful in building a robust and value-adding risk-management system. To provide a logical structure, the authors have grouped the fifteen recommendations into three high-level objectives:
OBJECTIVE 1: DRIVE RISK CULTURE
Take action:
1. Review available risk-analysis methodologies
2. Select a methodology appropriate for the current risk culture of the organization

Shelf data review: The purpose of the review is to provide an insight into the background and current status of the organization's operations. This is a critical first step for any risk manager and must be completed before fully engaging with the business, as you may find most of the necessary information already captured and available for further analysis. This involves the review of key documentation relating to the operation and its associated risks, including:

Take action:
1. Identify potential threats (both internal and external)
2. Ensure all major external forces and internal sources of risk are taken into account
3. Prioritize the identified risks using the selected methodology
4. For the risks assessed as significant, management should develop and execute an action plan to address the risk
5. Draft and validate the risk profile
6. Communicate the company's risk profile to the relevant stakeholders
Risk-measurement/analytical techniques, ranked from HIGH to LOW against the key factors impacting the selection of risk-measurement methodologies (severity or volatility of risk, complexity, availability of data, desired capability, cost of implementation):
HIGH
  Statistical analysis (probabilistic models)
  Scenario analysis/simulation
  Sensitivity analysis
MODERATE
  Position reports (exposure/volumetric)
  Risk rating or scoring
  Risk indicator analysis
LOW
  Group-facilitated qualitative prioritisation

MANAGE THE MOST SIGNIFICANT RISKS
Take action:
1. Identify and document interdependencies between the identified risks
2. Communicate the interdependencies to the risk owners
3. Keep track of interdependencies during risk mitigation and monitoring
Allocate ownership for the top risk vulnerabilities: Once significant risks or vulnerabilities have been identified, management should develop and execute an action plan to address them. Any action designed to reduce the risk exposure should be owned by a member of the management team, and the responsibilities and timeframes should be documented.

Check how effectively known risks are currently being controlled: One of the low-hanging fruits is to analyse how well identified risks and vulnerabilities are currently being controlled. Some risks are known and are easy to identify. Take the simple example of foreign exchange: if the company has loans in foreign currency or has international sales or obligations, it has exposure. Risk managers can provide significant value by analysing the extent of the exposure and identifying whether there are any hedging or other controls currently in place. Other known risks include any risks that may have quantifiable legal or compliance implications, such as insurance or safety, for example.
Take action:
1. Draft a risk-management policy based on your template
2. Interview selected senior managers to validate key drivers and values relating to risk management
3. Update the risk-management policy and validate it with the CEO/board
4. Publish the risk-management policy on the corporate website
Take action:
Include controls measuring zero tolerances in the company's employee performance reviews
Include both monitoring and forward-looking indicators to track company risk appetite
Take action:
1. Examine the existing Board agenda
2. Identify current items that may be used to trigger a risk-management conversation
3. Interview selected Board members to understand their needs in terms of risk-management information
4. Prepare for the first meeting and be present to answer questions; agree format and frequency
Promote risk management both internally and externally: Once the company achieves tangible results by managing certain risks well, share this information both internally and externally. This can be done by presenting at various industry events or publishing short articles in relevant magazines. This will reinforce a positive risk-management image, both within the company (by creating pride) and externally.

Take action:
1. Identify opportunities to present
2. Discuss these opportunities with the management
3. Present at external opportunities

Motivate the staff to proactively identify and prevent risks. You may consider introducing special awards. Discuss this with the senior management to get support and buy-in. Create a no-blame policy, and communicate it across the company.

Take action:
1. Communicate your contact details and talk to staff often
2. Create and communicate a no-blame policy
Define a risk-governance model suitable for your company: Making sure that risk-management roles and responsibilities are clearly defined and understood by all levels of management and staff is critical to the success of risk management. One way to approach this is by implementing a risk-governance model. This was recommended to us by one of the risk managers we interviewed. This supports our view that ethical compliance (which is more about hidden information) does not solve the principal-agent dilemma here. Stakeholders should be looking not only for hidden information, but for evidence of risk-management actions. It is important to appoint and enable the right professionals with the right set of skills. For example, it is important that a chief risk officer (CRO) understands the core principles of business, ethics, risk management, and compliance.

A risk-governance model could be built upon the concept of three lines of defence:

Frontline or business: Executives, business unit management, and staff are responsible for timely risk identification, management, and reporting. They are also responsible for applying the tools and techniques designed for managing risks.

Risk-management functions: Risk-management teams (including dedicated teams responsible for dealing with safety, insurance, and financial risks) are responsible for methodology development, facilitation, education, guidance, and support. Sometimes the risk-management team also plays a quality-control role and aggregates risk information. This makes sense, as the risk-management team is not involved in day-to-day management decisions, and it would be unreasonable to expect the risk team to be responsible for proactively managing risks.

Internal audit team and the board: Independent bodies like the internal audit team and the board provide independent oversight that the organization's risk management is in fact working as documented in the policies and procedures, and that key corporate risks are being managed.

Together, the three lines of defence provide a sound foundation for establishing robust risk management within the company. More recommendations on how to roll out the risk-governance model are provided below.
Take action:
1. Select a risk-management benchmark that you think would be appropriate for your organization. ISO31000:2009 would suit most companies
2. Perform a self-assessment to set the current state to measure against
3. Choose the desired state of risk culture that would be appropriate for your company and the frequency of assessment
4. Perform periodic risk-culture surveys
Take action:
1. Develop a set of risk-management KPIs for each level in accordance with the company's risk-governance model (executive, business unit management, risk management, internal audit, etc.)
2. Review the existing annual performance review process, and develop a strategy for incorporating risk-management KPIs into the process. This has to be done together with HR and followed by an extensive communication program
3. Track employee performance against risk-management KPIs for the first year as a trial
4. Reward positive signs of risk-management culture and reinforce good risk-management behaviour beginning with year two. Signs of poor risk management should be identified and fixed
CASE STUDY
One of the strongest examples of risk-culture growth we have observed took place at one of Australia's airports, which happens to be the busiest airport in the Southern Hemisphere by plane movements.

For almost two years, we (at the time working as risk consultants) would meet with the management team every quarter to discuss and map out the major company risks. Normally, we would conduct a series of interviews, where we would track the progress of the risk mitigations that we had previously designed and agreed upon. A summary report would be prepared, showing the progress in managing the known risks plus any emerging risks that had come to management's attention. Then we would gather the management team together for a joint discussion around what the risks were and how well the company was able to deal with them.

Then the financial crisis hit and, without noticing, the management team shifted from quarterly risk reviews to real-time risk management. Just one remarkable example was when the airport's CFO decided to conduct a risk analysis of their key customers, as he was alarmed that the financial crisis might impact the customers' financial stability and, in turn, the airport's revenues. He followed the analysis with an action plan to counteract the potential impact on the company.

There were other examples as well where the management team identified emerging risks and took active steps to prevent them. Now, imagine what a risk specialist working at the company full-time can do to shift the CEO's perspective of risk management.
OBJECTIVE 2: HELP INTEGRATE RISK-MANAGEMENT INTO BUSINESS
At the end of the day, the success of risk management is all about corporate culture. To make sure that the process is not alien to the staff, risk managers need to involve the employees in the process from the very beginning. This means involving them in the way that is accepted in the company (e.g., workshops and/or individual meetings). Make sure that all important risk-management messages from the board or the senior executive team are communicated throughout the company. Where particular risks affect several business units, facilitate collaboration between the units to agree on the risks' causes, consequences, magnitude, and actions.

It is considered good practice when a risk manager does the preliminary risk research, comes up with some suggestions for potential vulnerabilities and risk-management strategies, and then brings in the management and staff to actualize the risk identification, assessment, and mitigation.

Take action:
1. Identify internal stakeholder groups
2. Consider how each group can be involved to provide the most value
3. Don't overcomplicate it, but keep track of the important stakeholders, as it is easy to lose sight of them sometimes
Take action:
Provide adequate training/guidance to the users of the form
ALIGN RISK-MANAGEMENT, STRATEGIC PLANNING, BUDGETING, AND PERFORMANCE MANAGEMENT
Risk management plays an important role in developing a robust strategy. It is instrumental in challenging strategic plans and prompting executives to think about the other side of the coin. Risk-management objectives help a company reasonably articulate which risks associated with strategy the company is prepared to take on and which risks the company should manage at all costs, or when the company should alter its strategy if the unacceptable risks cannot be managed.

Opportunities exist to achieve a better alignment among risk-management, strategic-management, and business-planning processes. This could involve establishing more transparent links between strategic risks and strategic objectives, considering the outcomes of strategic risk profiling in the preparation of strategic planning assumptions, and incorporating risk-mitigating strategies in the organization's business plans.

The starting point for embedding risk management is to link the risk-identification process to the company's strategic and business plan objectives, using risk assessment as an element in strategic and business plans. Risk and performance are managed and monitored in an integrated manner to help achieve better overall governance.

Practically, risk-management objectives can be aligned to strategic objectives through:
Improving planning processes by enabling the key focus to remain on the core business and helping to ensure the continuity of service delivery;
ALIGNMENT TO STRATEGIC AND BUSINESS PLANNING
Strategic risks are those that may have a direct and significant impact on the plans. The strategic risks are managed by the executives collectively and by each member of the executive committee individually.

The key to success is to include a strategic risk agenda in the annual senior executive strategy sessions. This is where the CRO or risk manager should manifest himself/herself as a strategist, being able to facilitate challenging conversations with senior executives. These discussions may involve a range of areas: major strategic uncertainties to strategic objectives (including emerging risks and opportunities), consideration of how these may evolve in the medium term (scenario planning), and what strategies a company may need to develop to seize opportunities or deal with a potential downside (e.g., mitigate it or change the strategy). Considering the risk upside may involve a risk-based approach to the prioritization of opportunities and evaluating opportunities as part of the strategic risk-assessment process.

The executives should achieve an agreement on major risks at the entity level, prioritize them, and agree on a management approach; initiate implementation of risk-mitigating actions; and collectively analyse a report on the major risks and the company's progress on the actions on a regular basis. Outcomes of strategic risk profiling should be considered in finalizing strategic planning assumptions and incorporating risk-mitigating strategies into divisional business plans.

It is important that this link to strategic and business planning is maintained throughout the business period (e.g., a financial year). The effectiveness of risk-management actions can be demonstrated through:
ALIGNMENT TO BUDGETING
Risk information helps identify resourcing requirements and assists in the prioritization of available resources as follows:
The budget prioritization process takes into account the company-wide and business unit risk profiles.
The risk-management framework allows the escalation of risks throughout the year, with any financial considerations being subject to the executive's and the board of directors' decision as appropriate. However, the identification and assessment of risks will not necessarily be a trigger for additional funding. If additional funding is available, then this can be used to accommodate the risk-treatment activities required to manage the areas of high risk. In most cases, however, the reduction of the risk exposure in a particular area will be accommodated by reprioritizing the available activities, resources, funds, or other investment into that area.
RISK MANAGEMENT AND PERFORMANCE MANAGEMENT
The executives' (members of the executive board) and their direct reports' performance agreements incorporate risk-management objectives such as high and extreme risks, target (or acceptable) risk ratings, risk-management strategies, KPIs, and due dates.
ALIGNMENT TO DECISION MAKING
To slowly shift the corporate culture toward risk management, it is important to steer away from the perception that risk management is detached from the business. One of the most useful, yet simple, ways of doing this is to integrate elements of risk analysis into decision making. This can be done in a way that suits your company best. Here are two examples:
Another useful technique that is being adopted by companies with mature risk cultures is establishing a network of risk champions. Risk champions are the glue between the risk-management team and the business unit staff. Risk champions could be either a representative from the management team or a staff member, although in each of these cases the roles would differ. The management risk champion would be responsible for driving the risk-management agenda and reinforcing risk culture within his/her business unit. The staff risk champion would be responsible for coordinating risk-identification activities, working with risk owners to define risk-mitigation actions, monitoring their execution, and aggregating risk reports.

There is no one-size-fits-all approach with regard to risk champions. For some smaller companies, it may be appropriate to have one or two risk champions supporting the core risk-management team. People who are naturally motivated toward risk management are usually given this extra opportunity. It goes without saying that extra responsibility should be reinforced with extra motivation as well. You will find more information about this in the risk and reward section below.

For larger organizations, it may be necessary to allocate a risk champion for every geographic location where the company is present, or even a risk champion for each major line of business. As our experience shows, having a network of risk champions within each business unit usually proves to be excessive and overly time-consuming.
Take action:
Determine the appropriate number of risk champions
Provide adequate training to allow risk champions to fulfil their new duties
Develop an appropriate motivational package for risk champions (this could be extra recognition at the annual performance review or a slight salary increase)
Risk-management terminology;
Risk-management processes;
Take action:
1. Identify financial, reputational, safety, environmental, etc., risks associated with the project
2. Identify and test key external drivers that may affect the project in the future
Source: Risk e-Views Vol 4, December 2010, Risk Leadership: How to be Heard, Bryan Whitefield, Director, Risk Management Partners
Include risk messages in external company communications: Risk-management disclosure is very important. Increasingly, stakeholders look to companies to provide evidence of effective management of not only the financial risks, but also other non-financial material business risks in such areas as community affairs, human rights, employment practices, health and safety, and the environment.

It is recommended for disclosures to include the following items:
A summary of the company's risk-management policy on the company's website, in a section clearly titled "corporate governance"
A corporate governance statement for the annual report, including:
  An overview of your company's risk-management processes
  Progress made since last year in managing risks
  The governance structure in place to manage risks
  Any major achievements in managing risks.

The following disclosures are optional, and you may choose to exclude them from the annual report, as they may be considered commercially sensitive information:
Details of the company's risk profile
Details of the risk mitigations
Historical losses from specific risks

When a company discloses information elsewhere in the annual report or on its website, it can cross-reference that information to avoid duplicating disclosures.
SECRET RECIPE FOR RISK MANAGERS
Take action:
Inform everyone about the company's risk profile
Document lessons learned, and share them across locations and divisions
Share positive examples of risk management with everyone in the company

Take action:
1. Develop a simple escalation mechanism for reporting emerging risks (provide contact details on the intranet, or develop a very simple and short form)
2. Communicate the escalation mechanism to all staff
OBJECTIVE 3: BECOME A TRUSTED ADVISOR
Take action:
1. Identify key assumptions used during company planning
2. Develop a program for periodically testing these assumptions (you may consider using key risk indicators)
3. Identify a set of plausible scenarios
Threat overview

Take action:
If the perceived threat is judged to be significant, prepare the communication and present it to senior management
Take action:
1. Seek to understand the background behind the request
Obviously, every country is different. The risk conferences and events that I had an opportunity to attend in Russia were absolutely useless in terms of new knowledge. However, they did serve as a wonderful networking platform.

Take action:
Network during external risk-management events
Take action:
1. Learn as much as possible about your business by attending meetings and studying internal reports and industry publications
2. Continue to develop your risk-management skills by staying up-to-date on the latest thought leadership (large consulting firms regularly publish articles)
3. Consider risk-management certification
4. Be familiar with the common risk-management standards:
   ISO31000:2009
   ISO/IEC31010:2009
   ISO 73:2009
   King III
   ASX Principles
   Basel III
   Solvency II
   Assessing the Adequacy of Risk Management Using ISO 31000 from The Institute of Internal Auditors
   CobiT (Control Objectives for Information and Related Technology), and so on.
Risk management is as much about the tools and techniques as it is about the cultural change and the mindset of employees. In order to strengthen the risk culture, risk managers should start by defining the overall risk profile, while helping to set the tone at the top and defining the risk-management roles and responsibilities. And remember: overcomplicating may do more damage to risk culture than good.

Risk managers should aim to become a trusted advisor to the company's senior management and the Board. Some tips include regular scanning of the horizon for emerging and external risks, critically testing management assumptions, and bringing a risk perspective to the discussion wherever possible.

In the appendix we have provided two indicative roadmaps that help prioritise the 15 action points covered in the guide, depending on the risk maturity of your organisation. Implementing risk management is not an overnight process; it is a journey. We hope you enjoyed your journey so far!

An honest warning: there will be a time when you will experience pressure to produce quick results. Stay true to the risk-management profession! Break down your work into two streams:
Here and now: help management identify and manage immediate threats or risks that have been neglected before. The good news for risk managers (the not-so-good for the business) is that there will always be risks that are poorly managed or completely ignored.
Future value: don't lose focus on the development of risk culture within the organisation. It may take time for senior management and employees to embrace the positive aspects of risk management; however, the payoff will be great.

Good luck and thank you for taking the time to study this guide!
A. Risk-management roadmaps
B. Bibliography
APPENDICES
APPENDIX A
RISK-MANAGEMENT ROADMAPS
FOR THOSE NEW TO THE RISK-MANAGEMENT ROLE
FOR THOSE TRYING TO RAISE THE RISK-MANAGEMENT PROFILE IN THE COMPANY
APPENDIX B BIBLIOGRAPHY
Chryssides, G. and Kaler, J. (1996), Essentials of Business Ethics, McGraw-Hill International (UK) Limited, England.
Davies, H. and Lam, P.L. (2001), Managerial Economics, 3rd ed., Bell & Bain Ltd., Glasgow.
European Union (2006), Article 41. Audit Committee, 8th Company Law Directive.
Hickson, D.J. and Pugh, D. (2003), Management Worldwide, 2nd ed., Penguin Global, London.
KPMG (2009), Never again? Risk management in banking beyond the credit crisis. http://www.kpmg.com
RBCC (2006), Capital Markets: The next move for Russian business, Bulletin, Issue 3, February, pp. 24-25.
Standard and Poor's (2010), Insurers In EMEA See The Value Of Enterprise Risk Management, RatingsDirect on the Global Credit Portal, www.standardandpoors.com/ratingsdirec
The Russian Federal Commission for Stock Markets (2003), The FCSM Code for Corporate Governance [online]. www.fcsm.ru; www.copr-gov.ru.
Towers Perrin (2008), Highlights and Implications of A.M. Best's New ERM Methodology.
Vedomosti (2005), Russia: Going Global, Forum, The Wall Street Journal & Financial Times Magazine, November.
Copyright
This document is subject to copyright which is retained by the authors. No part of it may in any form or by any
means be reproduced, adapted, transmitted or communicated without the prior written permission of the authors.
This document is provided as general information only and does not consider your specific objectives, situation
or needs. You should not rely on the information in this document or disclose it or refer to it in any document. The
authors accept no duty of care or liability to you or anyone else regarding this document and we are not responsible
to you or anyone else for any loss suffered in connection with the use of this document or any of its content.