10Minutes
in companies in Russia, the CIS and CEE
What you need to know about emerging topics essential to your business. Brought to you by PricewaterhouseCoopers
Organisations of all types
and sizes face internal
and external factors
that create uncertainty.
The effect this uncertainty
has on an organisation's
objectives is “risk”1.
1 ISO31000:2009 Risk management — Principles and guidelines
on building Enterprise Risk Management
Companies around the world must today deal Many organisations across the CEE region are re-evaluating
with risks that are much more interconnected and the need to develop robust Enterprise Risk Management (ERM).
therefore more challenging to manage than those Some are at the start of the journey, with unintegrated or
they were dealing with under more favourable
economic conditions2. Never before has sound
no framework in place; others are looking to move from small,
established risk management functions at the group level
risk management been so important for company to a function that extends deeper within the organisation.
profitability and, in some cases, survival.
Risk management is by no means a new initiative;
Whatever the case may be, establishing ERM is not an overnight
process and companies should take a staged approach:
it has been around since the 1980s. Indeed,
1. Prepare for the mind shift. Building ERM will require changes
companies inherently have always been managing
risks. Active discussion at the executive level
to the organisation’s culture and processes. Before you embark
on the journey, prepare: read the available literature, familiarise
around investment decisions and successful
change management activities are all examples yourself with the available standards, be ready for tough questions
of risk management in action, even though and have a plan.
sometimes applied informally. 2. Take it one step at the time. Obtain the commitment and
support of senior management. Know the end game, but change
The investment community, credit rating agencies
and regulators are putting pressure on company
the company mindset one step at a time.
management and boards within Russia, the CIS 3. Achieve quick wins and win people over. Show management
and CEE to further raise the bar in terms results to prove that risk management can significantly improve
of formalisation and consistency of risk the way the company operates. Don’t wait a year until ERM
management approach. There is a general industry is fully implemented – share the success stories as you go.
push to make risk management a continuous
process that supports internal changes and
decisions and allows the organisation to respond
well to external changes.
Regardless whether your company has already
established a risk management foundation
or is only starting out the process, this document
will be a useful resource.
2 Global Risks 2010, A Global Risk Network Report, World Economic Forum
pwc
 At a glance Risk management is the systematic application
of management policies, procedures and practices
The global perspective on risk management
Responses to this year’s 13th Annual Global CEO
to the activities of communicating, consulting,
Survey signal that risk management is becoming
identifying, analysing, evaluating, treating, monitoring
a permanent element of the organisational strategic
and reviewing risks3.
planning process.

More CEOs intend to change their risk

Strategy and governance management process than any other element
People and organisation
Vision of their strategy, organisation or business model.
Processes and strategy And more boards are increasing their engagement
Technology Culture and risk
appetite
with strategic risk assessment than any other item
on the boardroom agenda.
Communications

Policies and procedures Risk is not only moving up the corporate agenda in
Organisation and responsibilities response to the crisis, but is seen as something that
needs to be embraced by the organisation as a whole.
Trainind and HR development

Risk management, compliance and business processes Clearly, Global CEOs are becoming more risk aware:
41% anticipate a ‘major change’ to their risk
Technology support
management approach4.

Risk management is not a stand-alone activity. It is part

management’s responsibilities and an integral part of all
organisational processes, including strategic planning
and the project and change management processes.
It is what great companies do every day.

3 PricewaterhouseCoopers: Management Barometer, 2007 г.

2 PricewaterhouseCoopers
01
Introducing sound risk Before you embark on the journey, make sure you
are prepared to answer some tough questions along
the way. The good news is, you are not alone.
management will There is a wealth of literature on the subject, and many
require changes recognised international organisations have published
risk management standards and best practice guides
to the organisation’s that will help you. ISO 31000:2009 Risk management
— Principles and guidelines and FERMA Risk
Management Standard, 2002 are just some of the
culture and processes – examples. Attending risk management forums to listen
to new ideas, share experiences and get to know your
be prepared peers is also effective.
Build a business case for ERM
Integrating risk management requires making changes,
and you should prepare a business case to justify these
proposed changes. The business case should not only
highlight the benefits of ERM, but also clearly articulate the
need for change, key roles and responsibilities,
timeframes and expected short-, medium- and long-term
deliverables. Information provided in this 10 minutes
brochure will help you put together a business case.
Get support and buy in
Risk management must start at the top, so before you
begin, identify key stakeholders at the board and executive
levels. Identify one or two historic examples specific to
your company to show how sound risk management could
have prevented or minimised adverse impacts (do so with-
out attributing blame to anyone).
It may help to determine one or two existing business
processes within the organisation that could be significant-
ly improved by integrating an element of risk management
(for example, board reporting or investment decision-mak-
ing) and get support from the process owners before pre-
senting the business case for ERM.
Have a plan!
Risk management is a journey and, regardless whether
your company has an established risk management foun-
dation or is just starting out, having a plan is essential. The
plan should clearly highlight the staged approach, identify
quick and longer term wins, and show roles and responsi-
bilities and timeframes.
PricewaterhouseCoopers 3
02

Risk management The risk management approach should be unique

for every organisation – there is no “one size fits all”
Know the end game
Risk management has long been considered
solution. The complexity and maturity of the overall risk
is a journey – take it management effort should be directly linked to the board’s
willingness to accept risk, stakeholder expectations and
to be an integral part of the organisational framework
and one of the key elements of corporate governance.
one step at the time the external environment in which the company operates. Risk management should not be a “bolt on”
to the company’s existing processes; it should
Consider two extremes: A small speculative company be something management considers every day
operating in a high-risk environment will have a very as part of their job.
different ERM process from that of a large “pillar of society”
company owned by a large number of risk-averse
shareholders and operating in a highly regulated Take it one step at a time
environment. Clearly, the latter would need a much more
formal and integrated ERM system. Similarly, if a company While your longer term aim should be to change
has significant exposure to a particular risk type the way the company thinks about risk and operates,
(for example, currency risk), the company may choose don’t try to tackle changing all the processes at once –
to develop additional procedures to deal with that risk. take it one step at a time. Organisations that have been
successful at implementing ERM had a plan and shared
Whatever the required complexity, risk management the common end vision, but took a staged approach.
should be looked at in the context of the overall
organisational framework. Consider which of the organisational elements could
benefit most from integrating risk management.
Internal and For example, pick board reporting and expand the scope
Strategic
external a bit by adding information about significant emerging
planning
reporting
and existing risks and what is being done to mitigate
Effective
Integrating Change
Riskoversight organisational them. This will help to improve the reports and highlight
ERM management
framework the value of risk management.
Decision Project
making management

4 PricewaterhouseCoopers
03
Aim for quick wins Make risk management stick in the organisation by
sharing success stories and delivering quick wins.
and win people over Understanding the underlying values of sound risk man-
agement will help you to aim for quick wins first:
1. Transparency of information. Providing board
members and the executive team with adequate
information about key exposures (risks), their
significance to the company and what is currently
being done to prevent or mitigate them.
2. Informed decision-making. Decisions put before
executive management require a full appreciation
of the risks surrounding them and how these risks
might be controlled to ensure successful outcomes.
3. Dealing with uncertainty and surprises. Risk
management helps to minimise uncertainty
surrounding the achievement of organisational goals.
Having in place mechanisms for early risk detection
will help to reduce surprises.
4. Increase efficiency and reduce costs. Risk
management can also help to achieve significant
operational efficiencies and reduce costs. Consider
a procurement function where through upfront risk
identification, counterparty risk levels are recorded
and appropriate controls are implemented. This
could significantly reduce the level of bad debt.
Every organisation is different, and it is important
to focus your risk management efforts on the areas that
will be of the most benefit for you.
We will use a couple of case studies to show how quick
wins can be implemented:
Case study 1
Management at large international airport decided
to enhance the quality of their financial and operational
board reporting by including additional information about
significant emerging and existing risks and what
management is doing to mitigate them. This helped
to create a level of transparency and risk oversight
at the board level, thus building trust and confidence
in the management team and further strengthening
the risk management culture within the organisation.
Case study 2
A large real estate development company incorporated
risk assessment within their annual strategy and
planning cycle. This allowed senior management
to better understand the risks that may prevent
achieving the company’s strategy and strengthened
their responsibility and ownership over company risk
management.
PricewaterhouseCoopers 5
 Take action

Benefits of sound risk Integrating risk management into the organisational

framework provides numerous benefits, including: ERM checklist

management far • Improved strategic and operational planning

and budgeting
outweigh the costs • The ability to make critical business decisions with
better data, improving your chance of success
Do a stock take of existing risk management
practices
Research and select a risk management

involved. Inaction • Less time spent reacting to risk issues, and more
methodology to be consistently applied across
the organisation
time on using risk management to tell you more
can be a value killer about emerging risks Have a plan
• Improved ability to prevent, quickly detect, correct,
and escalate critical risk issues Get commitment and support

• The ability to provide a ‘comfort level’ to the board Pick a pilot/aim for quick wins
and other stakeholders that the full range of risks
are understood and managed Roll out the staged ERM programme

Analyse the results and share success stories

Organisations that focus their attention on understanding
risks and actively managing them are the ones to most
often reap the rewards. Take action!m

6 PricewaterhouseCoopers
How can PwC help Our governance, risk and compliance team can provide
your company with an independent assessment of your
John Wilkinson
Partner
risk management maturity and provide practical and
Governance, risk and compliance
objective advice to optimise your risk management
leader CEE, Russia and CIS
processes during this time of change.
Tel.: + 7 (495) 223-5046
john.d.wilkinson@ru.pwc.com

Alexei Sidorenko
Manager
Governance, risk and compliance
Tel.: + 7 (495) 967-6162
alexei.sidorenko@ru.pwc.com

PricewaterhouseCoopers 7
www.pwc.ru

© 2010 PricewaterhouseCoopers LLP. All rights reserved. “PricewaterhouseCoopers” refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which
is a separate and independent legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.