1 / 30

Embedding Risk Culture in your Organization’s DNA

Embedding Risk Culture in your Organization’s DNA. Agenda. About KNPC What is ERM? Why is ERM important? What do we mean by : Risk Culture Embedding How to embed ERM in your organization A- Assess your As-Is situation B- Plan for Embedding C- Implementation of plans

onofre
Download Presentation

Embedding Risk Culture in your Organization’s DNA

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Embedding Risk Culture in your Organization’s DNA

  2. Agenda • About KNPC • What is ERM? • Why is ERM important? • What do we mean by : • Risk Culture • Embedding • How to embed ERM in your organization • A-Assess your As-Is situation • B- Plan for Embedding • C- Implementation of plans • Key success factors

  3. About KNPC • KNPC established in Oct. 1960 as joint venture between the government & private sector • In 1975 State of Kuwait acquired full ownership of KNPC • In 1980 Kuwait Petroleum Corporation (KPC) was established as the state owned asset & mother company for all oil companies in Kuwait • KNPC is one of KPC’s subsidiaries is responsible for all domestic Crude Oil Refining & Gas Processing along with fuels retailing for the local market in Kuwait. • KNPC has 3 operating refineries working as a refining complex has a total capacity of 936,000Bbls/day • KPC started an Enterprise Risk Management (ERM) Program in late 2005, • After the approval of the KPCEnterprise Risk Management Policy, all subsidiaries were required to set up their own ERM capability • On December 2007 KNPC decided ERM implementation project to define and implement an ERM frameworkin order to improve management of the risks that could affect the company’s objectives

  4. What is ERM? • The Committee of Sponsoring Organizations (COSO) points out that ERM, among other things: Is an ongoing process Is designed to identify & manage potential events that, may affect the enterprise objectives • ISO 31000 states that risk management is an integral part of organizational processes as well as a part of decision making. We believe Enterprise Risk Management (ERM) can be summed up as follows: ERM is systematic approach to identify, categorize, quantify, and proactively deal with all risks within an organization, that may effect achieving your strategic goals in order to protect and enhance value. ERM provides performance and compliance to optimize decision-making across the organization.

  5. Why is ERM important? In his book, The Upside, Adrian J. Slywotzky Presents a profound case for ERM andpreparedness: Unmanaged risk is the greatest source of waste in your business and in our economy as a whole. -Major projects fail; -Customer shifts make our offers irrelevant; -Billion-dollar brands erode, then collapse; -Entire industries stop making money; -Technology shifts -Companies deteriorate needlessly. When these risk events happen, -Thousands of jobs get lost, - Brilliant organizations are disassembled, - Expertise gets lost, and assets are destroyed. Yet all of these risks can be understood, identified, anticipated, mitigated, or reversed, thereby averting hundreds of billions of dollars in unnecessary losses

  6. Why is ERM important? • Proactively deal with all threats & opportunities to protect & enhance value • Optimizes the balance between risk and return • Enables organization to prioritize and allocate resources against those risks • Enhances value creation opportunities • Optimizes capital allocation of risk • Provides confidence on external & internal compliance (polices& procedures) • Enables a company to make intelligent risk-based decisions • Prevention hundreds of billions of dollars in unnecessary losses

  7. What do we mean by: Risk culture • Risk culture is complex and multidimensional • Simply, it is how ‘risk management’ is factored into decision making • How management is rewarded for taking appropriate risks • How senior management encourage communication on risk and respond to bad news A common definition of risk culture is: 'an organization's system of ethics, values and risk-based behaviors ,from the beliefs of the chair of the board, to the attitudes of the most junior staff members'.

  8. What do we mean by: Embedding • ERM is • an integral or natural part of the organizational processes and procedures • fundamental part of business planning and decision making; • done at all levels (strategic, tactical and operational) • seen and understood in the organization as a value enhancing As a conclusion embedding means :  - Making a fundamental part of the day-to-day activities of the business , Or - under Solvency II more accurately… Providing evidence of embedding and demonstrating ‘it’ is happening

  9. How to embed ERM in your organization A Assess your As –Is- situation Embedding Risk Culture C Implementation of plans B Plan for Embedding

  10. A Risk Culture C B How to embed ERM in your organization A- Assess your As-Is situation To determine the steps to be taken in moving from : a current ERM Maturity level to a desired ERM future-level "Where are we?“ TO "Where do we want to be?" Use known techniques to evaluate risk management implementation and identify gaps related to ERM embedding in your organization such as: 1- Assess adequacy of ERM using ISO 31000 2-Maturity Model Approach 3-Consider best practices

  11. A Risk Culture C B A- Assess your As-Is situation 1-Assess adequacy of ERM using ISO 31000 1-Institute of Internal Auditors issued a paper December 2010 – “Assessing the adequacy of risk management using ISO 31000.”

  12. A Risk Culture C B A- Assess your As-Is situation 2-Maturity Model Approach By Embedding ERM

  13. A Risk Culture C B A- Assess your As-Is situation 3-Consider best practices Score each department against key element of a framework or ‘culture tests’ EXAMPLE 1

  14. A Risk Culture C B A- Measure & assess your As-Is situation 3-Consider best practices The 7 embedding ‘tests EXAMPLE 2

  15. How to embed ERM in your organization A Assess your As –Is- situation Embedding Risk Culture C Implementation of plans B Plan for Embedding

  16. A Risk Culture C B How to embed ERM in your organization B- Plan for Embedding • List out effective Key elements to be in your plan for risk culture embedding • Describe each key element & define the ‘embedding’ plans per element • Break the plans down into action plans (activities) • Define what is most important to the organization & prioritize the quick wins • Schedule the activities in a timeline and get management buy-in • Make it visible and link delivery to Key performance management targets • Track progress and provide support • Report progress and address issues that arise

  17. How to embed ERM in your organization B- Plan for Embedding KEY ELEMENTS FOR EMBEDDING RISK CULTURE 1 Scorecards, JD’s & appraisals ERM process & Risk reporting Directors 2 3 5 Responsibility & accountability in org. risk governance Strategic Intent Benefits of good risk management Lessons learnt 6 4 7 List out effective Key elements Describe each key element Break the plans down into action plans

  18. How to embed ERM in your organization A Assess your As –Is- situation Embedding Risk Culture C Implementation of plans B Plan for Embedding

  19. A Risk Culture C B How to embed ERM in your organization C- Implementation of Embedding Plans Element -1- Action plans : Description • Develop training plan to grow & sharpen director’s overall knowledge set to explain how risk management is built into decision-making • To include a member of the directorsin risk committee who is passionate about proper and effective risk management • Put risk on agenda of directorsat least quarterly • Design and roll-out risk reporting and dashboards for the directors. • Define direct communication channel between the risk functions and BOD • Invite representatives from all departments to Risk Oversight Committee • Restructure ROC meetings to focus on detailed analysis of Top Risks

  20. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Description Element – 2-Action plans : • Update job descriptions with risk management roles and responsibilities • Implement risk management performance metrics for Directors & management line and staff • Develop recruiting and training plans to support job requirements • Develop necessary performance standard • Develop ERM function resourcing plan & implement • Provide special risk management trainingincluding certified training by known institutes

  21. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Element -3- Action plans : Description Prepare and distribute clear & simple ERM processes & procedures Update department business processes and procedures documentation with risk management activities Propose uniform risk categories, sub categories, and risk names Update company assessment scales to reflect risk appetite and tolerance statement Identify Key Risk Indicators, develop monitoring plans, and Implement risk treatment plans Design and roll-out loss event tracking system Establish easy link for transparent risk reporting (Risk Proposal System)

  22. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Element -4- Action plans : Description Develop hiring plan to match required knowledge and skill set in ERM team Develop training plans to support job requirements Develop competency model with HR to include knowledge, skills and abilities mapped to different levels for different types of positions Develop a catalog of risk expertise [pool model (Internal & External)] ERM team to provide training & awareness sessions for all company staff Conduct ERM survey / audit on departments to measure ERM awareness Conduct ERM events , campaigns & celebrations , send emails & quizzes through webmaster, distribute booklets ,flyers , posters ,…

  23. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Key Element 5 Responsibilities and accountabilities are clearly defined in a well described governance Element -5- Action plans : • BOD Description Develop necessary performance standard &ROC charter Review & Update Risk Governance Structure ERM meet with BOD quarterly ,for communication & decision making Update ERM policies with risk governance changes Internal & External Audits to review ERM strategy implementation Roles & Responsibilities Strategic Level Internal Audit CRO & ROC Tactical Level Operational level ERM Team Business Level Departments & Business unit

  24. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Element -6- Action plans : Description Focus on strategic risks in ROC , Leadership and Board meetings Include Strategic Planning manager as a member in the risk oversight committee (ROC) Link risks with performance and achievement of strategic objectives & strategic projects execution

  25. A Risk Culture C B How to embed ERM in your organization C- Implementation - Embedding plans Element - 7 -Action plans : Description Knowledge-sharing sessions Training for BOD, top management and ERM team Conduct meetings & risk discussions with other companies of similar industry Attend ERM related conferences , workshops ,training sessions Write papers ,articles in ERM magazines Participate as a case study in one of the universities

  26. How to embed ERM in your organization A Assess your As –Is- situation Repeat the process when it is necessary Embedding Risk Culture C Implementation of plans B Plan for Embedding

  27. Key Success factors • Top management & BOD support • Dedication, buy in & alignment with the  plans • all strategic and operational goals are linked to appropriate risk management • commitment to the plans & completion of tasks within the timeframe • Risk Management department • There are structures to support risk management e.g risk department • All departments own risk management and only seek guidance from specialist departments such as risk management, internal audit ,etc; • Key issues should be solved by a single entity with clear decisions for specific milestones • Clear processes & Single ownership • Risk management processes are understood by all (simplicity) • Everyone in the company is risk aware and everyone recognizes his/her • responsibility for risk • Detailed execution plan • Carry out detail planning and scheduling for the ERM embeddingimplementation • Budget estimate and approval • Proper budget estimation and required approval for implementing plans • Effective communication plan • Assuring timely and accurate communication plans with stakeholders in place • Qualified manpower • Attract/Retain skilled manpower and experts for the implementation stage

  28. THANK YOU

  29. Questions ?

More Related