RSK2601 ENTERPRISE RISK MANAGEMENT
Developed by Ms. S Maré

Overview
• Introduction
• Topic 1: ERM in Context & Corporate Governance
• Topic 2: ERM process
• Topic 3: Internal Influences - Micro Factors
• Topic 4: External Influences - Macro Factors
• Eskom Case Study
• Barings Bank
• Exam guidelines

Introduction
“For those organisations that choose to weather this economic storm with the aid of ERM, the benefits of their efforts today will likely remain long thereafter” (Grant Thornton)

Risk
“Risk is the effect of uncertainty on objectives.” The effect may be positive, negative or a deviation from the expected. Risk is often described by an event, a change in circumstances or a consequence. (ISO 31000)

Topic 1: ERM in context
ERM aims to provide a coherent framework to deal with all risks that result from operating in the ever-changing economic environment.
“We’ve considered every potential risk except the risks of avoiding all risks.”

Elements for ERM
1. Corporate Governance (board oversight)
2. Internal control (sound system of internal control)
3. Implementation (internal & external support)
4. Risk Management Framework (design, improve, implement & monitor)
5. Risk Management Policy (policy and policy statement)
6. Risk Management process (7 stages)
7. Sources of risk (internal and external business risks)

Corporate Governance
Definition
“Corporate governance refers to the relationships among the management of an organisation, its board, its shareholders and other relevant stakeholders. It also refers to the specific responsibilities of boards of directors and management to maintain established relationships.”

Corporate Governance cont...
Good corporate governance contributes to shareholders’ wealth and is a key factor in the investor decision-making process.
• King I Report (1994)
• King II Report (2002)
• King III Report (2009)
• King IV Report (2016)
• Companies Act 61 of 1973
• Companies Act 71 of 2008

King III Report
• Leadership, sustainability & corporate citizenship
• Integration of social, environmental & economic issues
• Inclusive stakeholder approach
• Integrated reporting
• Emerging governance trends incorporated in the report

King IV Report
• Outcome-based approach
• Replaced King III in its entirety (1 April 2017)
• 17 Principles
• Principle 11 focuses on the governance of risk
• Complexity of risks and the need to strengthen risk oversight
• Major change: the risk committee comprises a majority of non-executive members.

Corporate Governance Collapses
Year | Country | Company | Underlying cause
---- | ------- | ------- | ----------------
1995 | UK | Barings Bank | Mismanagement (poor internal controls)
2000 | US | Tyco | Accounting fraud
2001 | US | Enron | Accounting fraud and fictitious SPEs (special purpose entities)
2001 | Australia | HIH | Mismanagement (poor strategic decisions)
2002 | US | WorldCom | Mismanagement and poor internal controls (Arthur Andersen)
2003 | Netherlands | Royal Ahold | Accounting fraud (fictitious earnings)
Source: Corporate governance handbook, 2019, 3rd ed., JW Hendrikse & L Hefer-Hendrikse

Corporate Governance Collapses cont...
Year | Country | Company | Underlying cause
---- | ------- | ------- | ----------------
2003 | Italy | Parmalat | Accounting fraud (fictitious earnings); kickback scheme
2004 | Singapore | China Aviation Oil | Mismanagement (poor strategic decisions)
2005 | South Africa | Regal Treasury | Accounting fraud and mismanagement
2006 | South Africa | Leisurenet | Mismanagement
2008 | India | SATYAM | Accounting fraud (inflated earnings and assets)
2009 | South Africa | Fidentia | Accounting fraud and mismanagement
2017 | South Africa | Steinhoff | Accounting irregularities
Source: Corporate governance handbook, 2019, 3rd ed., JW Hendrikse & L Hefer-Hendrikse

Corporate Scandals
Corporate scandal | What happened | Jobs lost | Shareholders’ wealth lost (US $)
----------------- | ------------- | --------- | --------------------------------
Enron | Created off-balance-sheet exposures to hide debts and losses | 4 500 | 80 bn
Xerox | Improperly reported $6.5 bn in revenue (over 5 years) | 13 600 | 3 bn
WorldCom | Hid expenses ($3.9 bn) to raise the bottom line | 17 000 | 100 bn
Merck | Over $14 bn of revenue reported for many years, never collected | N/A | 43 bn
Quest.com | Inflated revenue through equipment sales/swaps | 11 000 | 33 bn
Source: Corporate governance handbook, 2019, 3rd ed., JW Hendrikse & L Hefer-Hendrikse

Corporate governance best practices
Governance countdown (Yes / No / Action): are the following corporate governance practice areas being implemented in your company?
• Composition of board
• Audit committee
• Board committees
• Directors’ duties, performance and accountability
• Management duties, performance and accountability
• Code of ethics (ethical code of conduct)
• Compliance with governance legislation and regulations
• Compliance with King IV code
• Accountability, transparency and disclosure of information (integrated reporting / integrated sustainability reporting)
• Risk management
• Strategic leadership of the board
Source: Corporate governance handbook, 2019, 3rd ed., JW Hendrikse & L Hefer-Hendrikse

Corporate governance best practices cont...
Governance countdown (Yes / No / Action)
• Internal audit and internal controls
• Board and shareholder relationships
• Independent external auditors
• Company and stakeholder relationships
• Board and management relationships
• Shareholder relationships and rights
• Corporate social responsibility (triple bottom line)
• Corporate citizen - sustainable
• Responsible remuneration policies and practices
• Board and director performance assessment
• Balance of ownership and control
• Change management
• Corporate strategy plan
Source: Corporate governance handbook, 2019, 3rd ed., JW Hendrikse & L Hefer-Hendrikse

Enron Scandal
View the video at http://www.youtube.com/watch?v=Mi2O1bH8pvw

Enron Scandal
Governance failures
• Enron’s leadership (its Board & senior executives) failed to protect all stakeholders in the company
• Illegal activities & fraudulent reporting
• Corporate culture failure & massive incompetence
• Self-interest and greed
• Massive failures & an internal culture of accounting earnings & self-enrichment
• Power trading fell between the cracks of many regulatory systems
• Profits-at-all-costs regime

“Risk, return and responsibility are the three sides of the coin of business opportunity. The financial crisis, as we see it today, is not so much a crisis of greed or the failure of accounting standards. It is a failure of risk management systems” (Accountancy SA, August 2009)

Top 10 Risks of Business - Allianz Risk Barometer 2020
1. Cyber incidents
2. Business interruption
3. Changes in legislation
4. Natural catastrophes
5. Market developments
6. Fire, explosion
7. Climate change / increasing volatility of the weather
8. Loss of reputation or brand value
9. New technologies
10. Macroeconomic developments
Source: https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/allianz-risk-barometer-2020-business-risks.html

Top Twelve South African Risks 2020 (IRMSA Risk Report)
1. Sparseness of unified ethical and visionary leadership
2. Continuing private and public governance failures
3. Failure to root out deeply entrenched corruption
4. Changes in legislation and regulations
5. Ill-conceived NHI policy and/or sub-optimal implementation
6. Ill-conceived land reform policy and/or sub-optimal implementation
7. Failure to develop, attract and/or retain talent
8. Extreme weather events, natural disasters and climate change
9. Insufficient electricity and/or energy
10. Disruptive technology
11. Cyberattacks, data fraud and data theft
12. Failure, delay, and/or sub-optimal implementation of economic reform initiatives
Source: www.irmsa.org.za

Governance of risk - King IV principles summary
The governing body should
• assume responsibility for the governance of risk and opportunities
• approve a policy that articulates and gives effect to its set direction on risk
• evaluate and agree on the nature and extent of the risks that the organisation should be willing to take in pursuit of its strategic objectives (risk appetite)

Governance of risk - King IV principles summary cont...
• consider the need to receive periodic independent assurance on the effectiveness of risk management
• exercise ongoing oversight of risk management
• delegate to management the responsibility to implement and execute effective risk management

Governance of risk - King IV principles summary cont...
• The nature and extent of the risks and opportunities the organisation is willing to take should be disclosed without compromising sensitive information
• Disclosure of the governance and management of risk
• Key areas of focus and key risks (future focus)
• Actions taken to monitor the effectiveness of risk management
Note: Study the section on “King IV” (Appendix 1)

Topic 2: ERM process
Definition
“The risk management process entails the planning, arranging and controlling of activities and resources to minimise the negative impacts of all risks to levels that can be tolerated by stakeholders whom the board has identified as relevant to the business of the company, as well as to optimise the opportunities or positive impacts of all risks.”

Topic 2: ERM process
Stage 1: Establishing the context
Stage 2: Risk identification
Stage 3: Risk analysis
Stage 4: Risk evaluation
Stage 5: Risk treatment
Stage 6: Monitoring & review
Stage 7: Communication & consultation (used across all the other stages)

Stage 1: Establishing the context
• Foundation for all the other stages.
• To acquire accurate data & information about the whole business.
• Will assist in determining the sources of risks & the participants in the risk identification process.

Stage 1: Establishing the context cont...
• To acquire accurate data and information about the whole business.
• A risk breakdown structure must be constructed.
These activities include:
- Clarifying & recording business objectives
- Understanding the business plan
- Examining the industry (in which the business operates)
- Establishing business processes
- Evaluating financial statements
- Identifying resources available
- Change management
- Marketing plan
- Compliance system

Stage 2: Risk identification
• Identification of the risks/risk events & opportunities (upside & downside).
• Understanding how they fit into the overall business.
• As a business grows, expands or improves, the exposure to risk will also change.
• Assists in formulating a business strategy.

Stage 2: Risk identification cont...
• Activities to capture & record the risks:
- Clarify business objectives
- Review the business analysis of Stage 1
- Need for risk & opportunity identification
- Risk and opportunity identification
- Facilitation (interactive workshops)
- Consensus on risks, opportunities & interdependencies

Stage 3: Risk analysis
• Provides information on the likelihood of risks & opportunities occurring and their impact.
• Assess all the risks identified in the risk register.
• To separate the minor, acceptable risks from the major risks.

Stage 3: Risk analysis cont...
[Figure: Likelihood & impact of potential risks]
[Figure: Risk map example]

Stage 3: Risk analysis cont...
• Tasks necessary to capture the likelihood of a risk occurring and its impact are:
- Causal analysis
- Decision analysis & influence diagrams
- Pareto analysis
- CAPM analysis
- Defining risk evaluation categories & values

Stage 4: Risk evaluation
• Evaluate the financial impact (loss or gain) of a risk.
• Assessment & measurement of the risk exposures with the aim of managing & controlling the risks that can negatively influence the business strategy/objectives.
• Understand the combined effect of a group of risks & opportunities.

Stage 4: Risk evaluation cont...
[Figure: Risk attitudes]

Stage 4: Risk evaluation cont...
• Activities in risk evaluation:
- Basic concepts of probability
- Sensitivity analysis
- Scenario analysis
- Simulation
- Monte Carlo simulation
- Latin hypercube sampling
- Probability distributions

Stage 5: Risk Treatment
• Designing a specific action plan to address the risks and opportunities.
• Response strategies must be implemented effectively in the business.
• Commonly it is not possible to remove a risk in its entirety.

Stage 5: Risk Treatment cont...
• Activities to turn the priority list of risks into a concrete action plan are:
- Understanding risk appetite
- Risk response strategies:
  - Risk reduction (mitigate)
  - Risk removal (avoid)
  - Risk transfer (third party)
  - Risk retention (accept)

Stage 5: Risk Treatment cont...
[Figure: Mapping of losses]

Stage 6: Monitoring & Review
• Ever-changing environment.
• Review all the previous stages (continuous process).
• Early warning system in order to identify areas which could potentially lead to risk exposures & financial losses.
• The business is constantly reacting, registering, reviewing & reporting.

Stage 6: Monitoring & Review cont...
• Activities necessary to ensure this stage is managed proactively to execute responses are the following:
- Executing actions to respond to risks
- Monitoring the progress
- Controlling for decision making

Stage 7: Communication & Consultation
• Used across all the other ERM stages.
• How effectively each stage is communicated to & understood by decision makers.
• Is it effectively communicated to all levels of employees?
• Supports the implementation of a risk management culture in a business.

Stage 7: Communication & Consultation cont...
• Activities to ensure the overall risk management process is effective:
- Internal communication
- External communication
- Key risk indicators
- Key performance indicators
Note: Study the additional information on Study Unit 3 under additional resources on MyUnisa

Case Study: Eskom
Background
• ESKOM CASE STUDY.pdf
• Power outages caused by incidents.
• Loss of income & human life; dented reputation as a reliable electricity supplier.
• Questions the risk management culture??
• Downgrading of credit rating.
• Management’s lack of awareness of problems.

Case Study: Eskom cont...
[Figure: Process]

Case Study: Eskom cont...
Duvha Power Station: Turbine explosion (Unit 4), February ’11; Boiler overheats (Unit 3), March ’14 (incident images continue on the following slides)
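The following is an added worked example, not part of the course slides or of Eskom’s own material: it runs a small risk register through Stages 3 to 5 of the process above (likelihood × impact scoring and risk-map zones, a Monte Carlo estimate of annual loss for Stage 4, and the retain/avoid/transfer/mitigate response strategies of Stage 5 judged against a risk appetite). The register entries, ratings, probabilities, loss figures, the 5×5 scale, the zone thresholds, the appetite value and the order in which strategies are chosen are all constructed assumptions for illustration; they are laid out in the risk/cause/control shape of the Eskom register that follows but are not Eskom data.

```python
"""Stages 3 to 5 of the ERM process over a small risk register.

Added example for the RSK2601 slides, not course material. Each risk is
scored on a 5x5 likelihood/impact scale (Stage 3), placed in a risk-map
zone, run through a Monte Carlo estimate of annual loss (Stage 4), and
given a response strategy against a stated risk appetite (Stage 5).
All register entries, scores and loss figures are constructed values.
"""
from dataclasses import dataclass
import random

SCALE = range(1, 6)  # 1 = rare / negligible ... 5 = almost certain / catastrophic


@dataclass
class Risk:
    name: str
    cause: str
    likelihood: int             # 1..5 rating
    impact: int                 # 1..5 rating
    annual_probability: float   # chance the event occurs in a given year
    loss_if_occurs: float       # estimated loss (currency units) per occurrence
    insurable: bool = False     # can the financial impact be transferred?


def inherent_score(risk: Risk) -> int:
    """Stage 3: likelihood x impact before any treatment is applied."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.name}: likelihood and impact must be 1..5")
    return risk.likelihood * risk.impact


def risk_map_zone(score: int) -> str:
    """Stage 3: band the score so minor, acceptable risks separate from major ones."""
    if score >= 15:
        return "extreme"
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def response_strategy(risk: Risk, appetite: int) -> str:
    """Stage 5: choose retain / avoid / transfer / mitigate.

    appetite is the highest inherent score tolerated without further action
    (assumed decision order: catastrophic-and-likely risks are avoided,
    insurable ones transferred, anything else above appetite mitigated).
    """
    score = inherent_score(risk)
    if score <= appetite:
        return "retain"
    if risk.impact == 5 and risk.likelihood >= 4:
        return "avoid"
    if risk.insurable:
        return "transfer"
    return "mitigate"


def prioritised_register(register: list, appetite: int) -> list:
    """Rows of (name, score, zone, strategy), highest inherent score first."""
    rows = []
    for risk in register:
        score = inherent_score(risk)
        rows.append((risk.name, score, risk_map_zone(score),
                     response_strategy(risk, appetite)))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def expected_annual_loss(register: list) -> float:
    """Stage 4, analytic: sum of probability x loss, to sanity-check the simulation."""
    return sum(r.annual_probability * r.loss_if_occurs for r in register)


def simulate_annual_loss(register: list, years: int = 50_000, seed: int = 1):
    """Stage 4, Monte Carlo: sample the total annual loss across the register.

    Returns (mean, 95th percentile). Each occurrence's loss is varied
    uniformly within +/-30% of its estimate to reflect uncertainty.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        total = 0.0
        for r in register:
            if rng.random() < r.annual_probability:
                total += r.loss_if_occurs * rng.uniform(0.7, 1.3)
        totals.append(total)
    totals.sort()
    return sum(totals) / years, totals[int(0.95 * years) - 1]


# Constructed sample register (not Eskom data) in the slides' risk/cause shape.
SAMPLE_REGISTER = [
    Risk("Boiler overheats / turbine explosion", "Lack of maintenance", 3, 5, 0.05, 50_000_000),
    Risk("Injury in a designated danger area", "Safety equipment not worn", 4, 5, 0.15, 3_000_000),
    Risk("Flood damage to coal stockpile", "Inadequate drainage", 2, 3, 0.10, 2_000_000, insurable=True),
    Risk("Below-standard coal delivered", "No inspection at delivery point", 3, 2, 0.30, 500_000),
    Risk("Community noise complaints", "Truck transport on local roads", 2, 2, 0.50, 100_000),
]
RISK_APPETITE = 4  # constructed: inherent scores up to 4 are retained without action

if __name__ == "__main__":
    for name, score, zone, strategy in prioritised_register(SAMPLE_REGISTER, RISK_APPETITE):
        print(f"{score:>2} {zone:<8} {strategy:<9} {name}")
    mean, p95 = simulate_annual_loss(SAMPLE_REGISTER)
    print(f"expected annual loss (analytic): {expected_annual_loss(SAMPLE_REGISTER):,.0f}")
    print(f"simulated mean: {mean:,.0f}   simulated 95th percentile: {p95:,.0f}")
```

The prioritised list is the Stage 5 action plan in embryo: the injury risk (score 20) is avoided by keeping people out of designated areas, the boiler risk (15, extreme) is mitigated through a maintenance register, the flood risk is insured, and the noise risk sits inside appetite and is retained. The simulated 95th percentile sits well above the analytic mean because the low-probability, high-loss boiler event dominates the tail, which is the point of running a simulation rather than relying on expected values alone.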
Case Study: Eskom cont...
[Figures: Duvha Power Station incidents, Feb ’11 and March ’14]

Case study Eskom application
Establish the context
• Electricity supplier to the national power grid.
• Recording losses for the last three years.
• Management created the perception that they stumble from crisis to crisis.
• No credible answers on the way ahead or how to turn the company around.
• Credit downgrading: difficult to obtain credit.
• Concerns about the Board’s commitment to good governance.

Case study Eskom application
Risks identified
- People may be injured/killed in an accident
- Equipment can be damaged or destroyed
- Insufficient production
- Damage to roads
- Unavailability of computer systems & data
- Weather conditions - flood damage
- Legal claims by the community

Case study Eskom application
Example of a risk register
Risk/Event | Cause | Control
---------- | ----- | -------
1. People may be injured/killed in an accident | Supervisors do not have the required experience and skills to supervise workers. | Supervisors with the right experience and skills must be appointed. Supervisors must be trained to refresh or develop the skills.
 | Workers are negligent and take unapproved short cuts to feed the boilers. | Workers must be trained in the correct processes and must be disciplined where the negligence was intentional.
 | People do not wear safety equipment (hard hats, safety glasses, overalls and boots) in dangerous areas. | All dangerous areas must be designated and people who do not adhere to the requirements must leave the designated areas. Repeat offenders must be disciplined.

Case study Eskom application
Example of a risk register
Risk/Event | Cause | Control
---------- | ----- | -------
2. Equipment damage & destruction | Lack of maintenance | A register of maintenance planned and completed must be kept. The maintenance activities must also be reported to EXCO.
 | Below-standard coal | Quality inspection at the delivery point and reporting to EXCO if coal is below standard. Shift crews must also be trained to identify coal of inferior standard.

Case study Eskom application
Example of a risk register
Risk/Event | Cause | Control
---------- | ----- | -------
4. Damage to roads | Transport by trucks | Review the appropriateness of the transport method in line with the expected lifetime of the power station.
 | Overloading of trucks | Arrange with traffic authorities for periodic load inspection.
5. Unavailability of computer systems & data | Virus attacks | Load patches received from head office. Back up servers and systems to enable minimum disruption in case the main system is unavailable.
 | Data corruption | Back up data regularly to ensure that data can be restored in case it gets corrupted.

Case study Eskom application
Example of a risk register
Risk/Event | Cause | Control
---------- | ----- | -------
6. Weather conditions - flood damage due to heavy rains | Damage to infrastructure at the power station | Inspect the holding bays (stockpile, stations, boiler bunkers) and other infrastructure for the adequacy of drainage systems. Improve if necessary. Inspect internal roads for drainage and improve where necessary.
 | Damage to coal | Insure against damage.
7. Legal claims by the community | Noise pollution | Review the appropriateness of the transport method. Upgrade road surfaces to decrease noise levels.

Case study Eskom application
• Eskom Risk profile.xlsx

Topic 3: Internal Influences - Micro Factors
Internal sources of risk:
• Financial Risk
• Operational Risk
• Technology Risk
• Project Risk
• Business Ethics
• Health & Safety

Financial risk management
Definition
“Financial risk is the exposure of an enterprise to adverse events.”
• Liquidity risk
• Currency risk
• Derivatives risk
• Credit risk
• Funding risk
• Systems risk
• Interest rate risk
• Foreign investment risk
• Outsourcing risk

Operational risk management
Definition
“Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Sources: Strategy; Processes & Systems; People; External events
Types of operational risk:
• Business risk
• Crime risk
• Disaster risk
• Legal risk
• Regulatory risk
• Systems risk

Technological risk management
• Information technology: mitigating technology risk by IT governance, investment & projects.
• Technology types: control technology; communication technology.
• Cyber attacks & data breaches
[Figure: Gemalto Breach Level Index (BLI)]
Source: www.gemalto.com & www.breachlevelindex.com

Project risk management
• Integrating risk management with a project.
• PRM process: Establish the context; Risk identification; Risk analysis; Risk evaluation; Risk treatment; Risk monitoring & review; Communication & consultation.

Business ethics management
Definition
“Ethical risk is the exposure to events, which may result in criminal prosecution, civil law suits or erosion of reputation.”
• Bribery
• False accounting
• Child labour
• Tax evasion
• Money laundering
• Invasion of privacy

Health & Safety management
• Losses may result from non-compliance with rules and regulations relating to health and safety.
• Improve human reliability in the workplace (reward schemes, job satisfaction, appraisal schemes, selection & training).

Topic 4: External Influences - Macro Factors
External sources of risk:
• Economic Risk
• Environmental Risk
• Social Risk
• Legal Risk
• Market Risk
• Political Risk

Economic risk
• Influence of national macroeconomics on the performance of an individual business.
• Examples: micro-economics, macro-economics, government policy, inflation, international trade & protection, etc.

Environmental risk
• Threat of adverse effects on the environment by wastes, emissions, resource depletion, etc. arising out of business activities.
• Environmental sustainability.
• Examples: global warming, pollution, energy sources.

Legal risk
• Risk arising from violations of, or non-compliance with, laws, rules, regulations, prescribed policies and ethical standards.
• Examples: intellectual property (copyright), employment law, criminal law, computer misuse.

Political risk
• Macro political risks: terrorism, labour disputes, high inflation, civil war, escalating crime & economic recession.
• Micro political risks: new regulations, taxation, tariffs and quotas on a specific business, or politically motivated violence against a specific industry.

Market risk
• The exposure to a potential loss arising from diminishing sales/margins due to changes in market conditions outside the control of the business.
• Understand the opportunities and threats from existing and potential competitors.
• Adapt to changes in the market environment.

Social risk
• The society’s impact on business.
• Examples: education; crime; population movements; socio-cultural patterns and trends; lifestyles & social attitudes (stress, smoking, long working hours & home situations).

Case Study Eskom application
Micro risks identified:
• Operational risk (senior management & reputation)
• Financial risk (credit risk: downgrading of credit rating)
• Project risk (Medupi: delay of ±2 years, budget cost doubled, strikes)
• IT risk (EGMS system updates & backups & virus attack)
• Health & Safety (explosions & not wearing protective gear)

Case Study Eskom application
Macro risks identified:
• Environmental risks (impact of power stations)
• Social risks (community claims & noise pollution)
• Political risks (Minister of Energy)

Barings Bank
View the video at http://www.youtube.com/watch?v=Vfz5HlYkDi8

Barings Bank
Lessons Learned
• People risk (too much power)
- Activities of traders must be controlled, monitored & audited (oversight)
- Management control (did not understand the risks & had no knowledge of activities)
- Ignored internal audit reports

Exam guidelines
• 70-mark paper, 2 hours
• Section A: 40 MCQ
• Section B: Essay questions (30 marks)
• Please refer to your TL201 for more specific exam guidelines.
• Consult your lecturer or eTutor if you have any questions regarding the study material.
Revise all your assignments!! Good luck!!!