
What is Risk?

Risk
Risk can be defined as the threat or probability that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.
Source: Wikipedia

Risk Management
Risk management is a proactive approach to identifying, estimating, managing and mitigating foreseeable risk areas in a manner which protects organizational value and minimizes the potential for unpleasant surprises.

(C) 2009 KPMG Ford, Rhodes, Thornton & Co, a Sri Lankan Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.

Uncertainty vs. Risk

There is often ambiguity in distinguishing between the uncertainty faced by the business and the risk profile of the business. Let's clarify:

Uncertainty
Uncontrollable events which are rarely foreseen. We can only attempt to minimize the adverse impact when such an event occurs.

Risk
Risk differs from uncertainty for three primary reasons:

- Risk can be forecasted and estimated
- Risk can be managed or mitigated
- Risk is to a great extent within the control of the management


Types of Risk in Enterprise Risk Management

Source: KPMG International, 2009 (The Evolving Role of the Head of Risk Publication)


Types of Risk

A business enterprise faces many kinds of risks in its day-to-day operations. Some of the most common risk areas include:
- Operational & Process risks: productivity risk, quality risk, service risk, human resource risk and capacity risk.
- Financial & Investment risks: working capital adequacy risk, gearing risk and profitability risk.
- Environmental risk: political risk, economic risk, social risk, legislative risk and technological risk.
- Reputation risk: brand risk, clientele & market share risk and fraud risk.
- Industry & Sector specific risks: credit risk, claim risk.


Types of Risk

Process
- Breach of mandate
- Incorrect / untimely transaction execution
- Loss of client assets
- Mis-pricing
- Incorrect asset allocation
- Compliance issues
- Corporate action errors
- Stock lending errors
- Accounting and taxation errors
- Inadequate record-keeping
- Subscription and redemption errors

People
- Unauthorized trading
- Insider dealing
- Fraud
- Employee illness and injury
- Discrimination claims
- Compensation, benefit, and termination issues
- Problems recruiting or retaining staff
- Organized labour activity
- Other legal issues

External Events
- Operational failure at suppliers
- Fire or natural disaster
- Terrorism
- Vandalism, theft, robbery

Systems
- Hardware and/or software failure
- Unavailability and integrity of data
- Unauthorized access to information
- Telecommunications failure
- Utility outage
- Computer hacking or viruses

Source: KPMG International (Managing Operational Risk Publication)



Impacts of risk management failures in environments


Regulatory changes caused by financial crises, or coinciding in time with them (chosen examples):

Wall Street Crash (1929)
Establishment of the Securities and Exchange Commission (SEC), the Federal Deposit Insurance Corporation (FDIC), separation of commercial and retail banking through the Glass-Steagall Act.

Oil shock and stock market shock (1973/74)
Establishment of the Basel Committee on Banking Supervision (BCBS) 1974 and the G-10 Basle Concordat on the supervision of global banks 1975.

Black Monday (1987)
BCBS published the Basel Accord in 1988, setting minimal capital and credit risk requirements for banks, being enforced by the G-10.

Japanese Asset Price Bubble (1990)
Sweeping reform of bank regulation in Japan, establishment of a Financial Supervisory Agency.

Asian Financial Crisis (1997)
Far-reaching regulatory reforms of supervisory agencies in Korea, Malaysia, Thailand and Indonesia.

Russian Financial Crisis (1998)
Cautious banking reform after the Ruble crisis, including enhancement of transparency of financial reports.

Dot-com Bubble Crash (2000)
US: Sarbanes-Oxley Act of 2002 introduced strong requirements for privately held companies in the US, from auditor independence to enhanced financial disclosure. Europe: The implementation of Basel II (extending international standards for rigorous risk and capital management requirements).

Subprime and Credit Crunch Crisis (2007/08)
Regulation changes will have a strong impact on all market participants within the financial market and the real economy. It can be expected that the disclosure requirements will increase sharply (in control statements and risk management).

Source: KPMG (Risk Management in Turbulent Times)


Changing attitudes towards risk management


Risk takers and influencers: Investors, General Public, Customers, Suppliers, Employees, Regulators

Stakeholder interest in risk management:

- Is my investment secure?
- Is the company jeopardizing shareholder value?
- Is the company balancing its risk portfolio?
- Is the company stable?
- Is the company professional & ethical in its conduct?
- Is the company transparent about its risk profile?
- Is the company protecting its public image?


Consequences of Risk to a Business

There are several adverse consequences to a business which fails to adequately manage its risk environment.

Unpleasant Surprises
Unforeseen events can have a detrimental impact if the organization is not prepared to respond to them.

Destabilization
Risk impacts tend to have a shock effect on entities causing them to be less stable than they previously were. In recent times many finance companies experienced destabilization due to failures in credit risk management.

Cost of Recovery
Once a risk impact has taken place, the recovery process is painful and time consuming. The company would have to invest increased effort and funds towards rebuilding its reputation and correcting failed processes. Sometimes the patient may become too ill to recover.


Importance of Risk Management

Could effective risk management have averted the global financial crisis? How risk management could have helped:

- Early detection of management malpractices
- Prevented uncontrolled lending
- Provided for more cautious investments
- Better balance of risk and return appetite
- Reduced overdependence between entities
- Provided for contingent strategies


Steps in Establishing a Risk Management Process

Process flow (roles shown in the diagram: Board of Directors, CRO, RM Team, External Advisors, Divisional Teams):

1. Establish Risk Management Initiative
2. Risk Identification & Estimation
3. Develop Risk Response Strategy
4. Establish Risk Control & Mitigation Systems
5. Implement Risk Control & Mitigation Systems
6. Appraise Effectiveness of Risk Controls


Tools used in Risk Management

The control matrix attempts to:

Identify required controls, of which identify:
- Existing controls (e.g. segregation of duties)
- Estimated controls (e.g. risk management policy)
- Newly implemented controls

Identify control mechanisms, of which identify:
- Automated controls (e.g. systems usage monitoring)
- Manual controls (e.g. employee reference checks)

Identify control response, of which identify:
- Detective controls (e.g. forensic audits)
- Preventive controls (e.g. confidentiality contracts)

Source: KPMG (Risk Management in Turbulent Times)


Tools used in Risk Management

The scorecard approach to risk management

Assists in the development of a risk response strategy through:

Identification of (x axis):
- Total cost of risk mitigation measures
- Cost estimates of anticipated losses
- Extent of exposure

Identification of (y axis):
- Define business unit risk management target
- Identify risk movement
- Assess present status of risk response measures

The process is repeated for each risk area.

Source: KPMG International (Managing Operational Risk Publication)

The risk scorecard enables an entity to prioritize risk response initiatives.


Tools used in Risk Management

Choice of risk management tools often depends on:

- The contextual scenario and nature of the organization
- Availability of management know-how in implementing such risk management tools
- Extent of risk exposure faced by the business and foreseeable impacts
- Financial viability (affordability) of the risk management tools


Changing approaches to risk management

From manual to preventive approach, from ad-hoc to continuous approach:

1. Manual detective approach
- Manual reviews, performed on an ad-hoc basis.
- Mainly requires (costly) human involvement.
- The costs are not reduced when the verification is repeated.

2. Automated detective approach
- Automated reviews, embedded in a process (attestation / reporting).
- The periodicity and scope of the reviews are based on a risk assessment.
- Significant cost reductions as human involvement is reduced; lower total costs of assurance.

3. Automated preventive approach
- IAM processes are designed, implemented and proven to be effective, on business (access request processes) as well as on IT (provisioning).
- Significant cost reductions as operational excellence is improved by automation.

What maturity level does your organisation require?

Source: KPMG (Risk Management in Turbulent Times)


Enterprise Risk Management

Key considerations in developing ERM processes:

- Focus on the future and take a proactive approach to identifying risk
- Place the greatest investment into change management and empowering people
- Don't depend entirely on subjective risk perspectives; collect real data
- Work with management to solve risk-related challenges
- Make sure that assurance processes permeate through the organization


Strengthening Risk Oversight

- Be clear about the board's oversight objectives.
- Work with management to agree on the types of risk information the board requires.
- Ensure that the culture encourages directors to question, challenge, and test management.
- Invite the right people to the board's conversations about risk.
- Focus on tone at the top, culture, and incentives.
- Enlist the CRO to support the board in its oversight of risk.
- Ensure that risk oversight responsibilities of the full board and its committees are clear.


Emerging risk practices

Emerging risk practices at leading organizations:

- Provides credible risk governance
- Inputs to strategy formulation
- Integrates risk management and strategy execution
- Aggregates information to identify operational control weaknesses
- Addresses operational risks early
- Incorporates risk in programme management
- Focuses on risks to reputation
- Builds a risk management dashboard
- Uses behavioral change management techniques to maintain risk awareness capabilities
- Coordinates with assurance providers to provide an opinion on the control environment

Source: KPMG International, 2009 (The Evolving Role of the Head of Risk Publication)
