Risk management in practice: integrating ERM at Coca-Cola Amatil

Effective enterprise risk management can add real value to organisations, shareholders and the community. Gerold Knight explains how Coca-Cola Amatil is approaching its ERM journey.

Risk management integration can be a challenging experience, particularly where there is no regulatory requirement. Where such an environment exists it is vital that the practitioner implementing enterprise risk management (ERM) has three factors in play. Firstly, they need both credibility and the communication skills to drive the process. Secondly, they must fully understand their organisation, its processes and objectives. And thirdly, they must have endorsement and support from the board and the executive team.

Coca-Cola Amatil (CCA) falls in the category of being risk aware, but not driven by regulatory requirement. CCA is developing its risk management model to operate enterprise-wide and contribute to the ultimate profitability of the business. This outcome will be achieved not only by supporting sound business decisions but also through alignment of the organisation's strategies with our shareholders' and investors' desire to ensure that effective corporate governance is in place.

CCA, within the broader Coca-Cola system, is on an ERM journey. We are striving to remove the traditional fragmented and siloed approach that often exists in companies, and we are doing so by driving acceptance and ownership of the risk management process. At CCA we understand the importance of the fundamental principles of the ERM process. These are: a commitment to the journey; an understandable framework that embraces a common language; a uniform approach to risk management no matter the nature of the business unit or its objectives; a communication model that identifies stakeholders, communicates the direction and objectives, and drives cultural change; and ensuring feedback of the results through a removal of black holes or silos.
Ultimately, if you have these principles in place you will be able to effectively move forward on your ERM journey, thereby benefiting not only the business, stakeholders and shareholders but the community in general.

It is important, before embarking on the ERM journey, to understand the concepts and meaning of ERM as they relate to your organisation. Essentially ERM is a structured and disciplined approach to risk management through which you can align strategy, processes, people, technology and knowledge company-wide with the objective of evaluating and managing opportunities and uncertainties that your organisation, as a whole, may face. To be enterprise-wide means just that: the elimination of functional, departmental or cultural barriers so that a truly holistic, integrated, proactive and process-orientated approach is taken to management of key business risk and opportunities (not just financial risks, as has been a tradition) with the objective of maximising shareholder value for the business as a whole.

If we examine the shift in the risk management paradigm brought about through the conceptualisation of ERM we want to move in the directions shown in the diagram. I also agree with the proposition that ERM redefines the value proposition of risk management by providing the processes and tools which we need to be more effective at identifying, evaluating, embracing and responding to the uncertainties that are created as we drive to enhance shareholder value.

If we get it right there are a number of benefits for our business. The first is that if management are presented with compelling information that can be conveyed to investors, this in turn can lead to higher price/earnings multiples in share valuations. Secondly, it enables the company to pursue strategic growth opportunities with greater speed and confidence.
Thirdly, and perhaps most importantly, it enhances both internal and external confidence in the business as managers and investors understand that risks inherent in existing or planned operations are being identified and managed. External confidence in particular drives our growth, our share value and our return on investment.

Ultimately, people manage risk in their day-to-day work environments and the ERM framework is really just a formalised mechanism for providing structure and direction around what many of our employees already do. So as you commence your journey there are two key areas in which focus is necessary.

The first is a commitment to the journey. This requires the board and executive management to endorse and fully support the outcomes, and having this endorsement in CCA has been vital. In fact the CCA strategic direction is well-documented in the 2006 annual report, which notes that:

The audit and risk committee reviews reports by members of the management team (and independent advisers, where appropriate) during the year and, where appropriate, makes recommendations to the board in respect of strategic, operational and financial risk. The committee also reviews and, where appropriate, makes recommendations to the board in respect of policies relating to the above matters. This includes ensuring that CCA has systems that identify, assess, monitor and manage risk.
Linked to this then is the establishment of some ERM key best practice components:

(a) Stakeholder identification: while ultimately the board and executive are the ultimate information recipients, operationally the client base must be identified and engaged
(b) Establishment of a framework with a common language, for example AS/NZS 4360: 2004
(c) Implementation of uniform processes for the identification and evaluation of risks
(d) Agreed tolerances for risk within the business
(e) Define and aggregate risk measures
(f) Centralised reporting, consolidation and evaluation with feedback on emergent trends being provided to the key stakeholders

These are supplemented by the identification and understanding of the enterprise-wide processes that contribute to the profitability and sustainability of operations. It is within these processes that risk can emerge, and therefore the creation of practices that allow us to monitor our processes will assist in leveraging business capabilities. Again, this is where a common language assists, as communication of the framework, objectives and outcomes is essential, for communication is the cornerstone for the cultural change that will be required.

Let me now turn to CCA to illustrate how we are developing and employing the concept of ERM. Firstly, some background to the company. CCA is an Australian publicly listed company employing over 17,000 people and producing a wide range of fast moving consumer goods in the Asia-Pacific region. Building on its traditional role in the production of non-alcoholic ready-to-drink products, including the Coca-Cola trademarked range, CCA has expanded its portfolio into food and coffee with the acquisition of SPC Ardmona and Grinders Coffee in 2005.

Further diversification occurred in 2006 through our expansion into alcoholic beverages with our joint venture with SAB Miller, the world's second-largest brewer, to sell and distribute imported premium beer in Australia, starting with Peroni Nastro Azzurro, Pilsner Urquell and Miller Genuine Draft. In April 2007 our alcohol strategy grew by entering into agreement to produce alcoholic ready-to-drink products for Maxxium and additionally distribute their range of spirits in Australia. Overall, this is in line with our CEO's strategy of making CCA the third-largest player in the Australian beer category by 2012.

Our operating environment

Diversity of operations (including production diversity) and geographic spread creates specific business challenges which are then influenced by an operating environment that has changed dramatically in recent years. Since the events of September 11, business has faced a changing world that is experiencing increased threats from terrorism; potential for high value losses; and increased regulation. All in all, a challenging risk environment for any business.

When considering the role of ERM in driving opportunity, sustainability and ongoing viability of the business it is relevant to touch on some of the changes to the business world. I believe Deloitte summed this aspect up in their report Prospering in the Secure Economy, which highlighted the complexities of our global operational environment and argued that the business environment is driven by five new realities.

The first is rapid change in the operating environment, as exhibited by a global business climate that has been nothing if not tumultuous in recent years.

The second is the new regulatory requirements, which have seen many multinationals spending billions of dollars complying with governance regulations such as Sarbanes-Oxley and which now find themselves confronting a host of new government security requirements.

The third is the heightened threat levels that generally exist and greater business uncertainty, with many companies unclear as to what kind of threats warrant the greatest concern, how they would be affected if a particular kind of attack occurred, what marketplace conditions would follow particular kinds of attacks, and when the heightened threat will pass. These are of course classical considerations from a business continuity perspective, as this knowledge will assist in the overall response.

The fourth relates to the complexity and interdependent nature of risk. The advantages of the extended enterprise and its interdependent supply chains are many; however, this organisational model also puts businesses at greater security risk due to multiple partners and handoffs in both production and distribution.

Finally, we have media globalisation, by which the 24/7 news cycle means companies now have only minutes to respond proactively to a security or threat incident before risking possible damage to their brand and reputations. This also contributes to the ability of terrorists to actively spread their message quickly around the globe.

Risk management in CCA

So, how do we manage risk at CCA and what can we learn from our ERM journey to date? As with many companies, CCA is undertaking the journey towards full alignment of risk in the business and faces many of the same challenges, in particular the removal of a silo mentality. Traditionally, we have focused on different components in different ways, each of which has ultimately supported the board as our key stakeholder. But where isolation prevails there is always the reality that not all risks are effectively identified and addressed.

On this point, Paul Franks from Deloitte pointed out: silos are very, very good for specialisation in terms of knowledge and how you should respond to certain risk events; the challenge becomes how do you share that risk information, in the sense of quality of data but, more importantly, what is the medium by which you do that. Information sharing is, I believe, critical. Without the feedback, our risk management fulfilment loop is incomplete.

Looking specifically at our traditional siloed response: Treasury has focused on credit and financial risk; risk and insurance has been responsible for risk transfer and review; and the audit and risk department (which includes myself) has been accountable for assessing and responding to strategic and operational risks. Each component works in a highly effective way, but risk ownership has to cascade throughout the organisation.

Our objective is therefore to enhance our risk management capabilities, and with board and executive endorsement we have developed a number of strategies to ensure that the risk processes are integrated into the whole organisation with buy-in, leadership, ownership and accountability at all levels. Additionally, in line with risk management practices, risk must be managed at the point where the risk occurs but always within a broader structured framework.
Thereby project owners are able to determine: the risks that they will accept to drive opportunity; those which they will avoid because they are deemed too risky; and those risks to which control, mitigation or transfer measures can be applied.

To this end CCA has developed an operational risk management framework that builds on the AS/NZS 4360 risk management standard and drives a process focus to its business units. Focus is directed to critical business processes. From my security-related point of view of daily operations, this enables assessment of threats and a view of the ramifications if harm is sustained, all within the boundaries of the agreed framework.

Specifically from a security perspective we are integrating risk management methods into our process. Evaluation, including assessment of current and proposed mitigators, assists further in the prioritisation of response. The process also involves a cost-benefit analysis which is presented to the relevant business unit, for ultimately they will determine the level of risk that they are willing to accept, with sound risk acceptance linked to attaining competitive advantage.

Future directions

As we develop our framework and continue our journey we will be doing this through the application of commonly accepted practices and those that have been found to be effective from other companies, with a focus on the areas of: risk governance; risk identification and assessment; risk response; monitoring, escalation and reporting; risk assurance; and sustainability and continuous improvement.

Within each of these areas we are currently at various levels of maturity with our framework and response model, focusing on achieving a desired goal in each of these fundamental areas. That is, a state that sees a realistic, practical position being adopted that maximises our investment in ERM and therefore provides optimal value to the business. This is the categorised response that will see ultimate acceptance across the business and within the Coca-Cola system in general.

At the same time, attainment of the ERM model relies on the effective design of the underlying framework, a robust process of identification of cross-organisational risks and the manner in which results and actions are communicated. At CCA we understand risk and the importance of effective management to the business as a whole. And, in addition to driving focus on key areas, we are embarking on a strategy that acknowledges the differing roles that positions within the business play. For example, in order to support this direction further we have recently realigned accountabilities and objectives with the risk services area.

Culture

Successful process implementation is contingent on the business possessing a culture that embraces the components of risk management and the objectives and outcomes. The issue confronting business is that a structured and interrelated response does not manifest itself overnight. That said, CCA has been proactive in this area through the development of relevant policies and frameworks which are endorsed by executive management, operational programs, and education and awareness strategies.

This has involved the risk services management team interacting closely with local operational and executive management, thereby building respect and understanding of the roles and the ways in which risk management adds value and supports the business. This includes new project management, consumer engagements and promotions and the independent review of capital expenditure requests where required. To enhance CCA's general risk and incident response culture our company will be using a variety of techniques including the intranet, induction training, awareness videos, and presentations at management development programs. As a total package these assist in developing a risk management culture that promotes ownership.

So, ultimately, for a business with poor risk management practices and acceptance, behavioural change is vital; for without this, no matter how good the supporting framework, the process will be ineffective. Therefore you must aim for a change in the mindset from risk management operating in isolation to one where these processes are accepted as a responsibility of all management, hence enterprise-wide acceptance. This is attained by establishing a framework that has executive endorsement, leadership and support. In effect, the process must be driven from the top down. Where this is in place, and is supported by awareness and training strategies, ownership and accountability will flow.
Linked to this is the importance of feeding back information from risk assessments, thereby ensuring the fulfilment loop is complete. The challenge in CCA is no different to any other organisation and we need to utilise mechanisms that enhance employee understanding of the importance of risk management through illustrating alignment to the values and objectives of the business and the benefits that the process brings.

In your organisation this may require a fundamental change, and change takes time as cultures are not physical entities. Cultures, as Paul Bate says in Strategies for Cultural Change, are a human product not a natural product. People create them, people sustain them and people change them. This is where education and awareness of risk management and related involvement in areas such as commercial activities, distribution, security, and business continuity comes into play as, according to Esther Cameron and Mike Green in Making Sense of Change Management, it is the process of acquiring knowledge through experience which leads to a change in behaviour. The change in culture will involve changing individual, team and business attitudes, and providing experience and examples of success will aid in this process.

Best practice and full integration of risk management, and its alignment with the values and objectives of the business, can be attained in any industry. Risk management must be ingrained into every aspect of corporate culture; board and executive support is not enough. We need to alter the perception of risk management being someone else's responsibility to being everyone's responsibility. From a pure security risk perspective, Prudential in the US did this by developing lines of communication, awareness and education programs, mature policies and procedures (which of course need to be aligned to standards), and defining clear roles and responsibilities throughout the corporate hierarchy.
As Joyce Leibowitz, the senior vice-president for corporate operations and systems at Prudential, noted: We understand the risk, and tailor the policy to address that risk. It's not one size fits all. Just doing things like that, walking the walk, lets employees know it's important to do it.

Therefore it is the risk management culture that you develop and drive that will define the value-based stance employees are expected to take in any situation where business uncertainty may arise, instances that are too numerous to predict or outline in policies and plans. Culture, therefore, plays a pivotal role in the integration of ERM into your organisation.

At CCA we continue on the ERM journey and will continue to focus on driving cultural change for a risk aware culture, which is driven with top-down support, and is the cornerstone for successful implementation. Where this culture exists, I believe that any organisation will be able to effectively move forward on their ERM journey, thereby benefiting not only the business but its stakeholders and its shareholders.

Gerold Knight is group general manager security, fraud and risk services at Coca-Cola Amatil. This article is based on his recent address at Risk Management magazine's conference in Sydney.

17 September 2007