Enterprise risk management for Corporates
September 14, 2012
Sven Heiligtag
CONFIDENTIAL AND PROPRIETARY
Any use of this material without specific permission of McKinsey & Company is strictly prohibited
Abstract
Enterprise risk management (ERM) is not about trying to manage every single risk centrally. It is more about identifying the 10-20 key risks and defining the right management approach and set-up for these. Finding the best model to manage these risks successfully will depend largely on a company's business model and risk exposure. This is one of the CFO's central management tasks. The challenge here is that qualitative elements such as risk culture, organization, and governance play a key role alongside more traditional quantitative analysis. In this breakout, we will present the core elements of a successful ERM system and show some best practice examples. We will also draw on case studies of how CFOs can use quantitative solutions, such as cash-flow-at-risk models and mega-risk assessments, to identify the right focus for their ERM solution.
McKinsey & Company |
Why does Enterprise Risk Management create value?
Achieving compliance/satisfying regulatory requirements
Ensuring value protection ("Downside")
Driving profitability and growth ("Upside")
Providing stability, continuity and "ease of mind" for stakeholders
Corporates mean different things when they talk about Enterprise Risk Management
Ranking of importance of goals of ERM
[Chart: ranking of four goals on a scale from 1 = Low to 4 = High, shown for SUM, EPNG, O&G and AI. Goals: 1. Regulation/compliance, 2. Value protection, 3. Capturing the upside, 4. Stability]
EPNG with focus on value protection as significant bulk risks (e.g., regulatory)
O&G focuses on stability of revenues
AI with focus on compliance regarding quality and regulatory issues, engrained in business model
Overall, value protection the most important goal of risk management
Value generation via risk management with lowest priority among respondents
SOURCE: McKinsey
Effective risk management comprises five elements
Integrated Enterprise risk management
1. Risk insight and transparency: Risks that affect our future performance are well understood
2. Natural ownership, risk appetite, and strategy: We keep only risks that we are competitively advantaged to own; other risks are transferred or mitigated; and our strategy is aligned with our risk capacity
3. Risk-related decisions and processes: All critical business decisions are made with a clear view of how they change our company's risk profile
4. Risk organization and governance: Structures, systems, controls, capabilities, and infrastructure are in place for us to manage risk
5. Risk culture and performance transformation: Our culture reinforces risk management principles; formal and informal mechanisms support the right mindsets and behaviors
SOURCE: McKinsey Risk Practice
Conventional ERM approaches are often ineffective across all of these elements

Element: Insight and risk transparency
  Typical compliance-focused ERM: Hundreds of risks; Data reporting without insights
  Best-practice ERM focused on improving decision-making: Clarity on top 5-10 mega risks; Deep insight into root causes, indirect effects, early warning signals

Element: Risk appetite and strategy
  Typical compliance-focused ERM: No explicit decisions on risk ownership and desired overall risk level
  Best-practice ERM focused on improving decision-making: Deliberate choices on risk ownership and risk level, based on risk capacity and strategic aspirations

Element: Risk-related decisions and processes
  Typical compliance-focused ERM: No link between risk analysis and key decision processes; Risk assessment lags major corporate decisions
  Best-practice ERM focused on improving decision-making: Risk analysis done in conjunction and supports key strategic and operational decisions

Element: Risk organization and governance
  Typical compliance-focused ERM: ERM is primarily a board priority that management executes on; ERM team struggles to have traction with line management; ERM perceived as a bureaucratic exercise
  Best-practice ERM focused on improving decision-making: ERM is a board and top management priority; Line takes explicit ownership of key risks, with ERM support; ERM perceived as core to managing the business

Element: Risk culture
  Typical compliance-focused ERM: Risk culture is a fuzzy concept
  Best-practice ERM focused on improving decision-making: Clarity on specific risk culture vulnerabilities and action plan in place to strengthen risk culture
Four archetypes of Risk DNA for Corporations
Description

Decentral risk ownership
  Line management owns risks
  Light touch central support as needed
  Risk optimization ensured by a strong business and risk culture

Central risk ownership
  Risk function owns and actively manages certain key risks centrally (e.g., FX hedging)
  Business heads get approval on other risk strategies from CRO

Checks and balances
  Line management owns risks
  Strong central risk team led by Chief Risk Officer with a seat at the table, acting as counterweight for important strategic decisions
  CRO acts as thought partner (blend of collaboration and challenge) to business heads

Aggregated insight
  Line management owns risks
  Small central risk team aggregates risk insight, integrates across enterprise, and shares across the organization
  Risk optimization achieved by line with support from central risk team

Examples (1)
  "We do not believe in a separate risk organization. Risk management is a line management direct responsibility" - SVP & Treasurer
  "The risk function provides analytics, reporting, advice and process support to management and Board committees" - Head of ERM
  "I spend my time talking with others. My main role is to discuss and challenge their thinking" - CRO
  "The risk function hedges or takes out insurance as they see fit" - CFO

Priority
Typical for financials (banks, asset mgmt)
Overall trend, nonfinancial institutions

1. Based on filed public reports, speeches, and press articles
SOURCE: McKinsey Risk Practice
The archetypes of different industries' Risk DNA differ among risk types
[Figure: matrix placing AI, O&G and EPNG under the four archetypes (Decentral risk ownership, Central risk ownership, Checks and balances, Aggregated insight) for each risk type: Financial risk (Commodity, FX, Credit); Operational/technical and project risk; Political/regulatory and portfolio/enterprise risk]
Financial risk: AI more independent (1), rest more centralized
Operational/technical: O&G majors with stronger centralization than rest
Political/regulatory: Dependent on reliance on politics (EPNG and O&G) and geographical operations
1. In particular commodity risk
SOURCE: McKinsey Risk Practice
We believe an integrated approach to risk matters
Enterprise Risk Leadership
Improve transparency and measure
Manage and decide on improvement levers
Enhance processes to facilitate risk mitigation
Empower skilled risk organization
Build a risk conscious mitigation culture
Focus of today
Ensure early warnings are monitored and facilitate ongoing risk management
Embed risk optimization in each major strategic decision before launch/positive decision
Redistribute risk to other market participants and seek to improve flexibility to act
Proactively manage the cycle and price risk
Translate into risk tolerances, limits and triggers
Build insights into all relevant risks and their interdependencies
Develop early-warning "KPIs" to identify issues faster than others
Establish information system that facilitates proactive actions for top management

Identifying the key risks across your drivers of cash flow

Time horizon: 2012, 2013, 2014, 2015

Drivers of cash flow
  Revenues
  Cost of goods sold
  Gross margin
  Operative costs
  EBITDA
  Amortizations
  Adjustments on receivables
  EBIT
  + Net financial expenses
  Net profit
  + Amortizations
  CAPEX
  Operating cash flow

Key risks
  Commodity risks: Commodity volatility (impacting both revenues and costs)
  Operations risk: Operative costs volatility; Plant underperformance; Accidents; Completion investments delay; CAPEX overrun
  Credit risk: Counterparties defaults
  Exchange rate risk: Exchange rate volatility
  Regulatory risk: Changes on the regulation of fuels in Europe; Changes on drilling regulation in major countries
  Interest rate risk: Interest rates volatility
  Macro-economic: GDP volatility affecting production volumes and prices
will allow you to understand your cash flow distribution and how it can be affected
Oil and gas example
[Figure: operating cash flow distribution set against the prioritization of cash needs. Inputs: Commodity price scenarios, Business outcomes, Potential stress. Output: Cash flow probability (Monte Carlo)]
Pre-CFAR operating cash flow distribution: Lower probability of funding strategic capex
Revised operating cash flow distribution: Higher probability of funding strategic capex
Levers include (e.g.): Commodity hedging; Capital structure changes; Portfolio changes; Others (e.g., contracting, etc.)
Prioritization of cash needs: Interest & principal payments; Dividends; Ongoing maintenance capex; Sustaining capex; Growth capex; Strategic capex
A tailored overall risk report is a key part of risk transparency
Mega risks identified and assigned executive ownership
Mega risks update and action plans
Financial risk update
Leading indicators
Sensitivity analysis
Liquidity
Market scenarios
Stakeholders risk update
Resource tax stakeholder summary
Project #1 stakeholder summary
Project risk update
Project-specific deep dive
Operation risk update
Asset overview
Country risk overview
HSE update
Key project summary
Understand your credit rating exposure based on your cash flow distribution
[Chart: Probability FFO/debt below target, in percent, by year; values shown: 31, 42, 48, 78, 53, 60. Further labels: Target 50; Debt/EBITDA, percent]
SOURCE: McKinsey Risk Practice

Risk management can provide different types of support to key corporate decisions

Potential specific risk contribution
  Mitigate new risks: Coordinate sufficient lock-in of fuel purchases, power sales, and fx rates to satisfy funding covenants
  Customize tools: Pricing tool for valuing risk sharing options in project contract negotiations
  Share best practices: Aid project leaders to systematically incorporate risk assessment and mitigation into overall project management process
  Challenge assumptions: Sit down with business case preparers and challenge every assumption for reasonableness prior to decision
  Independent review: Review and form independent view from BU management on risk and return tradeoff in entering Asian market
  Centralize information: Provide agreed upon assumptions for scenarios used by each BU for its business plan
SOURCE: McKinsey Risk Practice
Closing remarks
Do you have a full understanding of the biggest risks for your company and a warning for detecting early?
Can you improve the way you are managing and addressing risks?
How important is mitigating these risks for your company (e.g. through cash flow, rating / funding, reputation, etc.)?
What do you think is missing the most to better address your risks?