Enterprise Risk Management Survey 2011


1 Enterprise Risk Management Survey A Driver of Enterprise Value in the Emerging Environment Governance, Risk and Compliance Services (GRCS) KPMG in India 6 April 2011 Neville Dumasia

2 About this survey (1 of 2) Respondent profile: Broad questions the survey addresses: Is Risk Management considered as fundamental to the achievement of business objectives? Is Risk Management about realizing the upside or is it only about minimizing the downside that businesses could be exposed to? Are today's Boards well equipped to deliver effective risk oversight? 4/27/2011 1

3 About this survey (2 of 2) Respondent profile: Financial Services Industrial Goods and Services Technology (Software and technology hardware) Construction and Materials Insurance Health Care Banks Telecommunications Oil and Gas Chemicals Others (please specify) Retail Food and Beverage Automobile and parts Utilities Basic resources (paper, metals and mining) Conglomerate Real Estate Personal and Household Goods Media Travel and Leisure 5% 4% 4% 4% 4% 4% 3% 3% 3% 3% 2% 2% 2% 2% 6% 6% 7% 7% 8% 10% 12%

4 What is driving risk management today? What should be driving risk management? Bringing greater certainty over implementation/operation Avoiding surprises Reducing cost of capital Long-term sustainability What is currently driving risk management? Regulatory changes 50% of respondents believe that regulations will influence risk management positively Leads to Leads to Risk management that drives enterprise value Box-ticking approach to risk management

5 How do CEOs view risk management?

6 What value do CEOs seek from Risk Management? Are my strategies able to realize my business agenda? Do we have the capabilities to deliver on my key initiatives? Geo Political environment Risk informed business decisions Understanding the impact of key data points on your and business model Business Transformation Mergers & Acquisitions What are the show stopper risks which undermine my business model? Competitor portfolios & strategies Macro economic events and indicators

7 What value do CEOs seek from Risk Management? Are my strategies able to realize my business Empowered risk management infrastructure agenda? Do we have the capabilities to deliver on my key initiatives? What are the show stopper risks which undermine my business model? EMBEDDED RISK CULTURE IN BUSINESS ETHOS RISK INTELLIGENT BOARD BUSINESS PRACTICES LINKING RISK & STRATEGY RISK OFFICER/FUNCTION THAT CHALLENGE STRATEGIES & BUSINESS DECISIONS EMBEDDED RISK CULTURE IN BUSINESS ETHOS

8 What value do CEOs seek from Risk Management? Are my strategies able to realize my business agenda? To transform mindsets from being present-driven to forward-looking Do we have the capabilities to deliver on my key initiatives? To explore external and internal factors rather than being internally focused What are the show stopper risks which undermine my business model?

9 Is risk management delivering on the CEO agenda?

10 Key messages from the survey 1 A majority view risk management with a safety lens 2 Embedding a strong risk culture is still in its infancy 3 Boards are yet to re-align their practices to tackle the complexities associated with oversight 4 Risk management is isolated from strategic considerations 5 Chief Risk Officers (CROs) are overly focused on process level risks

11 1 CEO vs. non-CEO view: opportunity or safety? CEOs view risks with an opportunity lens while others view risks with a safety lens Overall view CEO view Risk considered most critical Risks resulting from the financial crisis Growing overall complexity in the value chain Risks resulting from geopolitical environment Events with potential to cause reputation damage Impact of corporate restructuring, M & A and business transformation

12 1 CEO vs. non-CEO view: opportunity or safety? CEOs view risks with an opportunity lens while others view risks with a safety lens Overall view CEO view Basis of risk quantification/assessment State of the control environment as assessed by audit and assurance reports Competitor benchmarking Assessment of loss events

13 1 CEO vs. non-CEO view: opportunity or safety? CEOs view risks with an opportunity lens while others view risks with a safety lens Factors that pose biggest challenges Overall View Linking risks to Assessing non-financial risks that are difficult to quantify CEO View Identifying new and emerging risks

14 2 Risk culture is still in its infancy Components of risk culture: Tone at the top Does the organization consider risk management as important to achieving the enterprise objectives? Survey Results: 38% Management's compliance with risk appetite is monitored by the board Risk culture 14% 47% Personnel reward structures are aligned to risk adjusted measures Organization has committed sufficient resources to risk management Risk facilitation Risk ownership

15 2 Risk culture is still in its infancy Components of risk culture: Tone at the top Is there clarity about risk ownership, mitigating actions and the appetite? Risk culture Survey Results: 50% Clarity on risk appetite from senior management & the Board Risk facilitation Risk ownership 58% ERM is integrated into management's decision-making processes

16 2 Risk culture is still in its infancy Components of risk culture: Tone at the top Risk culture Is there a process for helping risk owners apply risk policies and tools in the way they make decisions? Risk facilitation Risk ownership Survey Results: 25% CROs have a role to play in strategic decisions 32% Risk management training is rolled out

17 3 Boards are yet to re-align their practices 1 Lack of clarity on responsibilities of full board versus committees 2 No definitive processes to share risk information at the board level 3 Lack of coordination between board and its committees in understanding the linkages between risks 4 Lack of adequate involvement of board in approving Strategy is dealing with the unknown unknowns. Therefore board and senior management team members must spend quality time analyzing various scenarios and potential risks these scenarios bring about. - Head of Risk, Western European Utilities Company

18 4 Risk management is isolated from strategic considerations (1 of 2) Current practices in risk assessment, aggregation and mitigation do not promote linking risk management with While arriving at assessments on risks, which of the following information sources are considered? What is the time horizon covered by your risk assessments? 75% Industry trends 71% Audit/Assurance reports 69% Key risk indicators (lag KRIs) 64% Whistle blowing process to report ethical breaches 59% Risk workshops with employees

19 4 Risk management is isolated from strategic considerations (1 of 2) Current practices in risk assessment, aggregation and mitigation do not promote linking risk management with What are companies not doing enough? What is the time horizon covered by your risk assessments? Leveraging external and forward-looking sources Looking beyond a three-year horizon for risk assessments Utilizing useful tools such as scenario planning and stress testing Considering sustainability and climate change issues

20 4 Risk management is isolated from strategic considerations (2 of 2) How do you rate your organization's understanding of interdependencies between various risks in current risk management activities? 42% 49% 9% Good Average Satisfactory 63% feel challenged in aggregating and quantifying risks Key challenges are: Integration of risk, finance and business views Availability of data and data integrity Utilization of appropriate tools to quantify and measure the impact of risks

21 4 Risk management is isolated from strategic considerations (2 of 2) How do you rate your organization's understanding of interdependencies between various risks in current risk management activities? 42% 49% 9% Good Average Satisfactory 60% indicate that the risk responses are developed at an individual-risk level rather than at a portfolio level 60% do not utilize risk simulations for the business plans and budgets or stress test resilience of income statement/balance sheet There is a tendency to over-rely on process-level controls instead of considering a broad range of mitigation measures that would include insurance, due diligence reviews, derivatives, etc.

22 5 CRO role is not strategic enough (1 of 2) There is general agreement that appointing a Chief Risk Officer (CRO) has helped institutionalize risk management practices. However, a majority of the respondents indicate the CRO role is process-oriented.

23 5 CRO role is not strategic enough (2 of 2) How can CROs play a more strategic role? Evaluating alternate strategic choices with business intelligence Tracking risks emanating from change management and people initiatives Working with management to solve risk-related challenges Incorporating risk in program management Relying on real data while arriving at risk assessments rather than on perspectives and perceptions Helping the business through risk management training and tools

24 What does an effective risk management framework look like?

25 Companies need to marry the top-down and bottom-up approaches to risk management (1 of 2) Nature of risk Addressed through Information on strategic risks Information on execution risks Enterprise-level: Risks at this level impact the sustainability of existing business model Business Unit/Functional Level: Risks at this level impact the business performance as a whole and core competencies Process Level: Risks at this level affect day to day operational efficiency and returns Strategic or business risks Financial risks Geo-political risks Governance risks Reputation risks Strategic or business risks Financial risks Regulatory risks IT risks Outsourcing risks Operational risk Policy non-compliance risks Vendor risks Enterprise wide risk management Due Diligence reviews Business Plan Scenario Analysis Business unit risk management Project risk management Due Diligence reviews Business Plan Scenario Analysis Risk based internal audit Process performance reviews MIS reviews Control embedded processes Other operational reviews

26 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Top-down approach Create Re-align Optimize risks Identify execution risks Execute

27 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Create Bottom-up approach Re-align Optimize risks Identify execution risks Execute

28 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Create An FMCG company decides to enter the Chinese market with a predefined portfolio of products Re-align Optimize risks Identify execution risks Execute

29 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Create Re-align Optimize risks Strategic risks include: Political risks Regulatory risks Supply chain risks Cultural risks Identify execution risks Execute

30 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Create Re-align Optimize risks Identify execution risks Execute Execution risks include: Decline in sales Decline in profitability Decline in market share

31 Companies need to marry the top-down and bottom-up approaches to risk management (2 of 2) Create Re-align Optimize risks Investigate the root cause Re-evaluate entry and product portfolio Identify execution risks Execute

32 and focus on a few critical success factors Key Elements of an effective risk management framework: 1 Evaluation of risk culture forms the basis of ERM implementation 2 Adequate separation of risk content and process 3 Utilization of Balanced Scorecard to identify the right risks and monitor performance in the context of the changing risk profile 4 Utilization of lead KRIs to link risk and 5 A proactive CRO who works with the management to arrive at informed and optimal business decisions

33 Thank you Neville M Dumasia Executive Director and Head - Governance, Risk and Compliance Services KPMG in India Ph: +91 (22) ndumasia@kpmg.com 2011 KPMG, an Indian Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International Cooperative ("KPMG International").