RSK2601 presentation 2020 (transcript)
RSK2601
ENTERPRISE RISK
MANAGEMENT
Developed by
Ms. S Maré
Overview
• Introduction
• Topic 1: ERM in Context & Corporate Governance
• Topic 2: ERM process
• Topic 3: Internal Influences - Micro Factors
• Topic 4: External Influences - Macro Factors
• Eskom Case Study
• Barings Bank
• Exam guidelines
Introduction
“For those organisations that choose to weather this economic storm with the aid of
ERM, the benefits of their efforts today will likely remain long thereafter”
Grant Thornton
Risk
“Risk is the effect of uncertainty on objectives.”
The effect may be positive, negative or a
deviation from the expected. Risk is often
described by an event, a change in
circumstances or a consequence.
(ISO 31000)
Topic 1: ERM in context
ERM aims to provide a coherent framework to deal with all risks that result from operating in the ever-changing economic environment.
Image placeholder
“We’ve considered every potential risk except the
risks of avoiding all risks.”
Elements for ERM
1. Corporate Governance (board oversight)
2. Internal control (sound system of internal control)
3. Implementation (internal & external support)
4. Risk Management Framework (design, improve, implement & monitor)
5. Risk Management Policy (policy and policy statement)
6. Risk Management process (7 stages)
7. Sources of risk (internal and external business risks)
Corporate Governance
Definition
“Corporate governance refers to the
relationships among the management of an
organisation, its board, its shareholders and
other relevant stakeholders. It also refers to
the specific responsibilities of boards of
directors and management to maintain
established relationships.”
Corporate Governance cont...
Good corporate governance contributes to shareholders' wealth and is a key factor in the investor decision-making process.
• King I Report (1994)
• King II Report (2002)
• King III Report (2009)
• King IV Report (2016)
• Companies Act 61 of 1973
• Companies Act 71 of 2008
King III Report
• Leadership, sustainability & corporate
citizenship
• Integration of social, environmental & economic
issues
• Inclusive stakeholder approach
• Integrated reporting
• Emerging governance trends incorporated in
the report
King IV Report
• Outcome-based approach
• Replaced King III in its entirety (1 April 2017)
• 17 Principles
• Principle 11 focuses on the governance of risk
• Complexity of risks and the need to strengthen risk oversight
• Major change: the risk committee comprises a majority of non-executive members
Corporate Governance Collapses
Year | Country | Company | Underlying cause
1995 | UK | Barings Bank | Mismanagement (poor internal controls)
2000 | US | Tyco | Accounting fraud
2001 | US | Enron | Accounting fraud and fictitious SPEs (special purpose entities)
2001 | Australia | HIH | Mismanagement (poor strategic decisions)
2002 | US | WorldCom | Mismanagement and poor internal controls (Arthur Andersen)
2003 | Netherlands | Royal Ahold | Accounting fraud (fictitious earnings)
Source: Corporate Governance Handbook, 3rd ed. (2019), JW Hendrikse & L Hefer-Hendrikse
Corporate Governance Collapses cont...
Year | Country | Company | Underlying cause
2003 | Italy | Parmalat | Accounting fraud (fictitious earnings); kickback scheme
2004 | Singapore | China Aviation Oil | Mismanagement (poor strategic decisions)
2005 | South Africa | Regal Treasury | Accounting fraud and mismanagement
2006 | South Africa | Leisurenet | Mismanagement
2008 | India | Satyam | Accounting fraud (inflated earnings and assets)
2009 | South Africa | Fidentia | Accounting fraud and mismanagement
2017 | South Africa | Steinhoff | Accounting irregularities
Source: Corporate Governance Handbook, 3rd ed. (2019), JW Hendrikse & L Hefer-Hendrikse
Corporate Scandals
Company | Scandal | Jobs lost | Shareholders' wealth lost (US $)
Enron | Created off-balance-sheet exposures to hide debts and losses | 4 500 | 80 bn
Xerox | Improperly reported $6.5 bn in revenue (over 5 years) | 13 600 | 3 bn
WorldCom | Hid expenses ($3.9 bn) to raise the bottom line | 17 000 | 100 bn
Merck | Over $14 bn in revenue reported for many years, never collected | N/A | 43 bn
Qwest | Inflated revenue through equipment sales/swaps | 11 000 | 33 bn
Source: Corporate Governance Handbook, 3rd ed. (2019), JW Hendrikse & L Hefer-Hendrikse
Corporate governance best practices
Governance countdown: are the following corporate governance practice areas being implemented in your company? (Yes / No / Action)
• Composition of board
• Audit committee
• Board committees
• Directors' duties, performance and accountability
• Management duties, performance and accountability
• Code of ethics (ethical code of conduct)
• Compliance with governance legislation and regulations
• Compliance with King IV code
• Accountability, transparency and disclosure of information (integrated reporting / integrated sustainability reporting)
• Risk management
• Strategic leadership of the board
Source: Corporate Governance Handbook, 3rd ed. (2019), JW Hendrikse & L Hefer-Hendrikse
Corporate governance best practices cont...
Governance countdown (Yes / No / Action)
• Internal audit and internal controls
• Board and shareholder relationships
• Independent external auditors
• Company and stakeholder relationships
• Board and management relationships
• Shareholder relationships and rights
• Corporate social responsibility (triple bottom line)
• Corporate citizen - sustainable
• Responsible remuneration policies and practices
• Board and director performance assessment
• Balance of ownership and control
• Change management
• Corporate strategy plan
Source: Corporate Governance Handbook, 3rd ed. (2019), JW Hendrikse & L Hefer-Hendrikse
Enron Scandal
View the video at http://www.youtube.com/watch?v=Mi2O1bH8pvw
Enron Scandal
Governance failures
• Enron's leadership (its Board & senior executives) failed to protect all stakeholders in the company
• Illegal activities & fraudulent reporting
• Corporate culture failure & massive incompetence
• Self-interest and greed
• Massive failures & an internal culture of accounting earnings & self-enrichment
• Power trading fell between the cracks of many regulatory systems
• "Profits at all costs" regime
“Risk, return and responsibility are the three
sides of the coin of business opportunity.
The financial crisis, as we see it today, is not so
much a crisis of greed or the failure of
accounting standards.
It is a failure of risk management systems”
Accountancy SA – August 2009
Top 10 Business Risks
Allianz Risk Barometer 2020
1. Cyber incidents
2. Business interruption
3. Changes in legislation
4. Natural catastrophes
5. Market developments
6. Fire, explosion
7. Climate change / increasing volatility of the weather
8. Loss of reputation or brand value
9. New technologies
10. Macroeconomic developments
https://www.agcs.allianz.com/news-and-insights/expert-risk-articles/allianz-risk-barometer-2020-business-risks.html
Top Twelve South African Risks 2020
1. Sparseness of unified ethical and visionary leadership
2. Continuing private and public governance failures
3. Failure to root out deeply entrenched corruption
4. Changes in legislation and regulations
5. Ill-conceived NHI policy and/or sub-optimal implementation
6. Ill-conceived land reform policy and/or sub-optimal implementation
7. Failure to develop, attract and/or retain talent
8. Extreme weather events, natural disasters and climate change
9. Insufficient electricity and/or energy
10. Disruptive technology
11. Cyberattacks, data fraud and data theft
12. Failure, delay, and/or sub-optimal implementation of economic reform initiatives
IRMSA Risk Report South Africa Risks 2020
Source: www.irmsa.org.za
Governance of risk
King IV principles summary
The governing body should
• assume responsibility for the governance of
risk and opportunities
• approve a policy that articulates and gives
effect to its set direction on risk
• evaluate and agree on the nature and extent
of the risks that the organisation should be
willing to take in pursuit of its strategic
objectives (risk appetite)
Governance of risk
King IV principles summary cont...
• consider the need to receive periodic
independent assurance on the effectiveness of
risk management
• exercise ongoing oversight of risk
management
• delegate to management the responsibility to
implement and execute effective risk
management
Governance of risk
King IV principles summary cont...
• The nature and extent of the risks and
opportunities the organisation is willing to take
should be discussed without compromising
sensitive information
• Disclosure of the governance and management
of risk
• Key areas of focus and key risks (future focus)
• Actions taken to monitor the effectiveness of
risk management
Note: Study the section on “King IV” (Appendix 1)
Topic 2: ERM process
Definition
“The risk management process entails the
planning, arranging and controlling of activities
and resources to minimise the negative
impacts of all risks to levels that can be
tolerated by stakeholders whom the board has
identified as relevant to the business of the
company, as well as to optimise the
opportunities or positive impacts of all risks.”
Topic 2: ERM process
Stage 1: Establishing the context
Stage 2: Risk identification
Stage 3: Risk analysis
Stage 4: Risk evaluation
Stage 5: Risk treatment
Stage 6: Monitoring & Review
Stage 7: Communication & Consultation
Stage 1: Establishing the context
• Foundation for all the other stages.
• To acquire accurate data & information about the whole business.
• Will assist in determining the sources of risks & the participants in the risk identification process.
Stage 1: Establishing the context cont...
• A risk breakdown structure must be constructed.
• These activities include:
Clarifying & recording business objectives
Understanding the business plan
Examining the industry in which the business operates
Establishing business processes
Evaluating financial statements
Identifying resources available
Change management
Marketing plan
Compliance system
Stage 2: Risk identification
• Identification of the risks/risk events & opportunities (upside & downside).
• Understanding how they fit into the overall business.
• As a business grows, expands or improves, the exposure to risk will also change.
• Assists in formulating a business strategy.
Stage 2: Risk identification cont...
• Activities to capture & record the risks:
Clarify business objectives
Review the business analysis of Stage 1
Need for risk & opportunity identification
Risk and opportunity identification
Facilitation (interactive workshops)
Consensus on risks, opportunities & interdependencies
Stage 3: Risk analysis
• Provides information on the likelihood of risks & opportunities occurring & their impact.
• Assess all the risks identified in the risk register.
• To separate the minor, acceptable risks from the major risks.
Stage 3: Risk analysis cont...
Image placeholder: likelihood & impact of potential risks
Image placeholder: risk map example
• Tasks necessary to capture the likelihood of a risk occurring and its impact are:
Causal analysis
Decision analysis & influence diagrams
Pareto analysis
CAPM analysis
Defining risk evaluation categories & values
Stage 4: Risk evaluation
• Evaluate the financial impact (loss or gain) of a risk.
• Assessment & measurement of the risk exposures with the aim to manage & control the risks that can negatively influence the business strategy/objectives.
• Understand the combined effect of a group of risks & opportunities.
Stage 4: Risk evaluation cont...
Image placeholder: risk attitudes
• Activities in risk evaluation:
Basic concepts of probability
Sensitivity analysis
Scenario analysis
Simulation
Monte Carlo simulation
Latin hypercube sampling
Probability distributions
Stage 5: Risk Treatment
• Designing of a specific action plan to address the risks and opportunities.
• Response strategies must be implemented effectively in the business.
• Commonly it is not possible to remove a risk in its entirety.
Stage 5: Risk Treatment cont...
• Activities to turn the priority list of risks into a concrete action plan are:
Understanding risk appetite
Risk response strategies
 Risk reduction (mitigate)
 Risk removal (avoid)
 Risk transfer (third party)
 Risk retention (accept)
Image placeholder: mapping of losses
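Stages 3 to 5 describe scoring likelihood and impact, placing each risk on a risk map, quantifying the exposure with probability distributions and Monte Carlo simulation, and then choosing one of the four response strategies against the risk appetite. The script below is an added worked example of that sequence in Python; it is not part of the RSK2601 slides or the prescribed textbook. The four risks (loosely modelled on the Eskom case), their event frequencies and loss ranges, the 5-point scales, the risk-map cut-offs, the 1 000 000 appetite and the treatment decision rule are all constructed assumptions for illustration.

```python
"""Added example for ERM Stages 3-5 (not from the RSK2601 slides): a small
risk register scored for likelihood x impact (Stage 3), a Monte Carlo
estimate of annual loss exposure (Stage 4) and a treatment recommendation
against a stated risk appetite (Stage 5). Risks, figures and thresholds are
constructed for illustration and are not Eskom's actual data."""
import math
import random
from dataclasses import dataclass

# Assumed 5-point ordinal scales (the slides do not prescribe a scale).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str          # key into LIKELIHOOD (qualitative, Stage 3)
    impact: str              # key into IMPACT (qualitative, Stage 3)
    events_per_year: float   # expected occurrences per year (Poisson mean, Stage 4)
    loss_low: float          # smallest plausible loss per event, currency units
    loss_high: float         # largest plausible loss per event, currency units


def score(risk):
    """Stage 3: inherent risk score = likelihood x impact, range 1..25."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_map_zone(risk):
    """Stage 3: colour band on a 5x5 risk map (assumed cut-offs: red >= 15, amber >= 6)."""
    s = score(risk)
    return "red" if s >= 15 else "amber" if s >= 6 else "green"


def simulate_annual_loss(risk, trials=20_000, seed=1):
    """Stage 4: Monte Carlo estimate of the annual loss from one risk.

    Events per year ~ Poisson(events_per_year), sampled with Knuth's
    multiplication method; loss per event ~ Triangular(low, high) with the
    mode at the midpoint. Returns (expected annual loss, 95th percentile).
    """
    rng = random.Random(seed)
    mode = (risk.loss_low + risk.loss_high) / 2
    threshold = math.exp(-risk.events_per_year)
    totals = []
    for _ in range(trials):
        events, product = 0, rng.random()
        while product > threshold:          # Knuth: count draws until product <= e^-lambda
            events += 1
            product *= rng.random()
        totals.append(sum(rng.triangular(risk.loss_low, risk.loss_high, mode)
                          for _ in range(events)))
    totals.sort()
    return sum(totals) / trials, totals[int(0.95 * trials)]


def recommend_treatment(risk, appetite):
    """Stage 5: pick one of the four response strategies named on the slides.

    Assumed decision rule (illustrative, not from the slides): retain when both
    the expected annual loss and its 95th percentile sit within the appetite;
    otherwise avoid what is frequent and severe, transfer (insure) what is
    severe but infrequent, and reduce the rest with controls. The mean is
    checked as well as the percentile because for rare events (fewer than 5%
    of simulated years containing an event) the 95th percentile is zero and
    on its own would understate the exposure.
    """
    mean, p95 = simulate_annual_loss(risk)
    if mean <= appetite and p95 <= appetite:
        return "retain (accept)"
    frequent = LIKELIHOOD[risk.likelihood] >= 4
    severe = IMPACT[risk.impact] >= 4
    if frequent and severe:
        return "remove (avoid)"
    if severe:
        return "transfer (third party)"
    return "reduce (mitigate)"


# Constructed register loosely modelled on the Eskom case study; every number is invented.
REGISTER = [
    Risk("Malware outbreak on station IT systems", "likely", "moderate", 3.0, 100_000, 700_000),
    Risk("Flood damage to coal stockpile", "unlikely", "major", 0.1, 1_000_000, 9_000_000),
    Risk("Overloaded coal trucks damage public roads", "likely", "major", 2.0, 500_000, 2_500_000),
    Risk("Below-standard coal delivered", "almost certain", "insignificant", 6.0, 5_000, 50_000),
]
RISK_APPETITE = 1_000_000   # assumed: largest annual loss per risk the board will tolerate


def assess_register(risks=REGISTER, appetite=RISK_APPETITE):
    """Run Stages 3-5 over the register and return one row per risk."""
    rows = []
    for r in risks:
        mean, p95 = simulate_annual_loss(r)
        rows.append({"risk": r.name, "score": score(r), "zone": risk_map_zone(r),
                     "expected_loss": round(mean), "p95_loss": round(p95),
                     "treatment": recommend_treatment(r, appetite)})
    return rows


if __name__ == "__main__":
    for row in assess_register():
        print(row)
```

Running the script prints one row per risk with its score, risk-map zone, simulated expected and 95th-percentile annual loss, and the recommended response. The flood risk illustrates why the rule looks at both numbers: its expected loss is inside the appetite, but in roughly one year in ten it produces a single loss far above it, which is the low-frequency, high-severity pattern the slides' "insure against damage" control addresses.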
Stage 6: Monitoring & Review
• Ever-changing environment.
• Review all the previous stages (continuous process).
• Early warning system in order to identify areas which could potentially lead to risk exposures & financial losses.
• Business is constantly reacting, registering, reviewing & reporting.
Stage 6: Monitoring & Review cont...
• Activities necessary to ensure this stage is managed proactively to execute responses are the following:
Executing actions to respond to risks
Monitoring the progress
Controlling for decision making
Stage 7: Communication & Consultation
• Used across all the other ERM stages.
• How effectively each stage is communicated & understood by decision makers.
• Is it effectively communicated to all levels of employees?
• Supports the implementation of a risk management culture in a business.
Stage 7: Communication & Consultation cont...
• Activities to ensure the overall risk management process is effective:
Internal communication
External communication
Key risk indicators
Key performance indicators
Note: Study the additional information on Study Unit 3 under additional resources on MyUnisa
Case Study: Eskom
Background
• Attachment: ESKOM CASE STUDY.pdf
• Power outages caused by incidents.
• Loss of income & human life; dented reputation as a reliable electricity supplier.
• Questions about the risk management culture.
• Downgrading of credit rating.
• Management's lack of awareness of problems.
Case Study: Eskom cont...
Image placeholder: process
Case Study: Eskom cont...
Duvha Power Station incidents
• Turbine explosion (Unit 4), February 2011
• Boiler overheats (Unit 3), March 2014
Image placeholder: Duvha Power Station incidents (Feb '11, March '14)
Case study Eskom application
Establish the context
• Electricity supplier to the national power grid.
• Recording losses for the last three years.
• Management created the perception that they stumble from crisis to crisis.
• No credible answers on the way ahead or how to turn the company around.
• Credit downgrading: difficult to obtain credit.
• Concerns about the Board's commitment to good governance.
Case study Eskom application
Risks identified
- People may be injured/killed in an accident
- Equipment can be damaged or destroyed
- Insufficient production
- Damage to roads
- Unavailability of computer systems & data
- Weather conditions – flood damage
- Legal claims by the community
Case study Eskom application
Example of a risk register (Risk/Event, Cause, Control)

1. People may be injured/killed in an accident
   Cause: Supervisors do not have the required experience and skills to supervise workers.
   Control: Supervisors with the right experience and skills must be appointed. Supervisors must be trained to refresh or develop the skills.
   Cause: Workers are negligent and take unapproved short cuts to feed the boilers.
   Control: Workers must be trained in the correct processes and must be disciplined where the negligence was intentional.
   Cause: People do not wear safety equipment (hard hats, safety glasses, overalls and boots) in dangerous areas.
   Control: All dangerous areas must be designated and people who do not adhere to the requirements must leave the designated areas. Repeat offenders must be disciplined.

2. Equipment damage & destruction
   Cause: Lack of maintenance
   Control: A register of maintenance planned and completed must be kept. The maintenance activities must also be reported to EXCO.
   Cause: Below-standard coal
   Control: Quality inspection at the delivery point and reporting to EXCO if coal is below standard. Shift crews must also be trained to identify coal of inferior standard.

4. Damage to roads
   Cause: Transport by trucks
   Control: Review the appropriateness of the transport method in line with the expected lifetime of the power station.
   Cause: Overloading of trucks
   Control: Arrange with traffic authorities for periodic load inspection.

5. Unavailability of computer systems & data
   Cause: Virus attacks
   Control: Load patches received from head office. Backup servers and systems to enable minimum disruption in case the main system is unavailable.
   Cause: Data corruption
   Control: Back up data regularly to ensure that data can be restored in case it gets corrupted.

6. Weather conditions – flood damage due to heavy rains
   Cause: Damage to infrastructure at the power station
   Control: Inspect the holding bays (stockpile, stations, boiler bunkers) and other infrastructure for the adequacy of drainage systems. Improve if necessary. Inspect internal roads for drainage and improve where necessary.
   Cause: Damage to coal
   Control: Insure against damage.

7. Legal claims by the community
   Cause: Noise pollution
   Control: Review the appropriateness of the transport method. Upgrade road surfaces to decrease noise levels.
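The register's control for data corruption is to back data up regularly so that it can be restored. A backup only treats that risk if the copy is known to be intact, so the script below is an added example (not from the slides and not Eskom's tooling) of the check a practitioner would pair with that control: take a backup with a SHA-256 manifest, then verify the copies against the manifest and catch a silently corrupted file. The directory names and file contents are constructed for the demonstration.

```python
"""Added example (not from the slides or Eskom): verify that a backup is
restorable by hashing every source file into a manifest at backup time and
re-hashing the copies afterwards. Paths and contents are constructed."""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_backup(src_dir, dst_dir):
    """Copy every file under src_dir to dst_dir (preserving relative paths) and
    return a manifest {relative path: sha256 of the source}. Keep the manifest
    somewhere other than the backup medium: if it sits beside the copies, the
    same corruption or attacker can alter both."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, src_dir)
            dst = os.path.join(dst_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = sha256_of(src)
    return manifest


def verify_backup(dst_dir, manifest):
    """Return the relative paths whose backup copy is missing or whose hash no
    longer matches the manifest; an empty list means every file is restorable
    as recorded."""
    failures = []
    for rel, expected in manifest.items():
        copy = os.path.join(dst_dir, rel)
        if not os.path.isfile(copy) or sha256_of(copy) != expected:
            failures.append(rel)
    return sorted(failures)


def demo():
    """Constructed scenario: back up a two-file data set, verify it, then flip
    one byte in a copy (silent corruption, size unchanged) and verify again.
    Returns (failures before corruption, failures after corruption)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "egms")        # hypothetical plant data directory
        dst = os.path.join(tmp, "backup")
        os.makedirs(os.path.join(src, "logs"))
        with open(os.path.join(src, "readings.csv"), "w") as fh:
            fh.write("unit,boiler_temp_c\n3,612\n4,598\n")
        with open(os.path.join(src, "logs", "shift.log"), "w") as fh:
            fh.write("2014-03-30 shift A: unit 3 temperature alarm acknowledged\n")
        manifest = take_backup(src, dst)
        before = verify_backup(dst, manifest)
        with open(os.path.join(dst, "readings.csv"), "r+b") as fh:
            fh.seek(0)
            fh.write(b"X")                     # corrupt the backup copy, not the source
        after = verify_backup(dst, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The first verification passes and the second reports readings.csv, which a size check or a file listing would have missed. In the register's terms, the verification result is the evidence that the "back up regularly" control is actually operating, and is what Stage 6 monitoring should be reporting on rather than the fact that a backup job ran.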
Case study Eskom application
• Attachment: Eskom Risk profile.xlsx
Topic 3: Internal Influences - Micro Factors
Internal sources of risk: Financial risk, Operational risk, Technology risk, Project risk, Business ethics, Health & Safety
Financial risk management
Definition
"Financial risk is the exposure of an enterprise to adverse events."
Liquidity risk
Currency risk
Derivatives risk
Credit risk
Funding risk
Systems risk
Interest rate risk
Foreign investment risk
Outsourcing risk
Operational risk management
Definition
"Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."
Sources: Strategy; Processes & Systems; People; External events
Business risk
Crime risk
Disaster risk
Legal risk
Regulatory risk
Systems risk
Technological risk management
Technology types: information technology, control technology, communication technology
Mitigating technology risk by IT governance, investment & projects.
Cyber attacks & data breaches
Image placeholder: Gemalto Breach Level Index (BLI)
Source: www.gemalto.com & www.breachlevelindex.com
Project risk management
• Integrating risk management with a project.
PRM process: establish the context; risk identification; risk analysis; risk evaluation; risk treatment; risk monitoring & review; communication & consultation
Business ethics management
Definition
“Ethical risk is the exposure to events, which
may result in criminal prosecution, civil law
suits or erosion of reputation.”
Bribery
False accounting
Child labour
Tax evasion
Money laundering
Invasion of privacy
Health & Safety management
• Losses may result from non-compliance with rules and regulations relating to health and safety.
• Improve human reliability in the workplace (reward schemes, job satisfaction, appraisal schemes, selection & training).
Topic 4: External Influences - Macro Factors
External sources of risk: Economic risk, Environmental risk, Social risk, Legal risk, Market risk, Political risk
Economic risk
• Influence of national macroeconomics on the performance of an individual business.
• Examples
Micro-economics
Macro-economics
Government policy
Inflation
International trade & protection, etc.
Environmental risk
• Threat of adverse effects on the environment by
wastes, emissions, resource depletion (etc..)
arising out of business activities.
• Environmental sustainability
• Example
Global warming
Pollution
Energy sources
Legal risk
• Risk arising from violations of, or non-compliance with, laws, rules, regulations, prescribed policies and ethical standards.
• Examples
Intellectual property (copyright)
Employment law
Criminal law
Computer misuse
Political risk
• Macro political risks
Terrorism, labour disputes, high inflation, civil
war escalating crime & economic recession
• Micro political risks
New regulations, taxations, tariffs and quotas on
specific business or politically motivated violence
against a specific industry
Market risk
• The exposure to a potential loss arising from diminishing sales/margins due to changes in market conditions outside the control of the business.
• Understand the opportunities and threats from existing and potential competitors.
• Adapt to changes in the market environment.
Social risk
• The society’s impact on business.
• Example
Education
Crime
Population movements
Social-cultural patterns and trends
Lifestyles & social attitudes (stress, smoking, long
working hours & home situations)
Case Study Eskom application
Micro risks identified:
• Operational risk (Senior management & reputation)
• Financial risk (credit risk: downgrading credit rating)
• Project risk (Medupi, delay of ±2yrs, budget cost
doubled, strikes)
• IT risk (EGMS system updates & backups & virus
attack)
• Health & Safety (Explosions & not wearing
protective gear)
Case Study Eskom application
Macro risks identified:
• Environmental risks (impact of power stations)
• Social risks (community claims & noise pollution)
• Political risks (Minister of Energy)
Barings Bank
View the video at http://www.youtube.com/watch?v=Vfz5HlYkDi8
Barings Bank Lessons Learned
• People risk (Too much power)
- Activities of traders must be controlled, monitored
& audited – oversight
- Management control (did not understand the
risks & no knowledge of activities)
- Ignored internal audit reports
Exam guidelines
• 70 Mark paper, 2 hours
• Section A: 40 MCQ
• Section B: Essay Questions (30 Marks)
• Please refer to your TL201 for more specific exam
guidelines.
• Consult your lecturer or eTutor if you have any
questions regarding the study material.
Revise all your assignments!!
Good luck!!!