Risk
Risk can be defined as the threat or probability that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives
Source: Wikipedia
Risk Management
Risk management is essentially considered as a proactive approach to identification, estimation, management and mitigation of foreseeable risk areas in a manner which protects organizational value and minimizes the potential for unpleasant surprises.
(C) 2009 KPMG Ford, Rhodes, Thornton & Co, a Sri Lankan Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International, a Swiss cooperative. All rights reserved.
There is often ambiguity in distinguishing between the uncertainty faced by the business and the risk profile of the business. Let's clarify:
Uncertainty
Uncontrollable events which are rarely foreseen. We can only attempt to minimize the adverse impact when such an event occurs.
Risk
Risk differs from uncertainty due to three primary reasons:
Risk can be forecasted and estimated
Risk can be managed or mitigated
Risk is to a great extent within the control of the management
Source: KPMG International, 2009 (The Evolving Role of the Head of Risk Publication)
Types of Risk
A business enterprise faces many kinds of risks in its day-to-day operations. Some of the most common risk areas include:
Operational & Process risks: productivity risk, quality risk, service risk, human resource risk and capacity risk.
Financial & Investment risks: working capital adequacy risk, gearing risk and profitability risk.
Environmental risks: political risk, economic risk, social risk, legislative risk and technological risk.
Reputation risks: brand risk, clientele & market share risk and fraud risk.
Types of Risk
Process
Breach of mandate
Incorrect / untimely transaction execution
Loss of client assets
Mis-pricing
Incorrect asset allocation
Compliance issues
Corporate action errors
Stock lending errors
Accounting and taxation errors
Inadequate record-keeping
Subscription and redemption errors
People
Unauthorized trading
Insider dealing
Fraud
Employee illness and injury
Discrimination claims
Compensation, benefit, and termination issues
Problems recruiting or retaining staff
Organized labour activity
Other legal issues
External Events
Operational failure at suppliers
Fire or natural disaster
Terrorism
Vandalism, theft, robbery
Systems
Hardware and/or software failure
Unavailability and integrity of data
Unauthorized access to information
Telecommunications failure
Utility outage
Computer hacking or viruses
Far-reaching regulatory reforms of supervisory agencies in Korea, Malaysia, Thailand and Indonesia.
Cautious banking reform after the Ruble crisis, including enhancement of transparency of financial reports.
US: Sarbanes-Oxley Act of 2002 introduced strong requirements for privately held companies in the US, from auditor independence to enhanced financial disclosure.
Europe: The implementation of Basel II (extending international standards for rigorous risk and capital management requirements).
Regulation changes will have a strong impact on all market participants within the financial market and the real economy. It can be expected that the disclosure requirements will increase sharply (in control statements and risk management).
Source: KPMG (Risk Management in Turbulent Times)
Is my investment secure?
Is the company jeopardizing shareholder value?
Is the company balancing its risk portfolio?
Is the company stable?
Is the company professional & ethical in its conduct?
Is the company transparent about its risk profile?
Is the company protecting its public image?
Stakeholders asking these questions: General Public, Customers, Suppliers, Employees, Regulators
There are several adverse consequences to a business which fails to adequately manage its risk environment.
Unpleasant Surprises
The impact of unforeseen events can have a detrimental impact if the organization is not prepared to respond to these challenges.
Destabilization
Risk impacts tend to have a shock effect on entities causing them to be less stable than they previously were. In recent times many finance companies experienced destabilization due to failures in credit risk management.
Cost of Recovery
Once a risk impact has taken place, the recovery process is painful and time consuming. The company would have to invest increased effort and funds towards rebuilding its reputation and correcting failed processes. Sometimes the patient may become too ill to recover.
Could effective risk management have averted the global financial crisis? How risk management could have helped:
Early detection of management malpractices
Prevented uncontrolled lending
Provided for more cautious investments
Better balance of risk and return appetite
Reduced overdependence between entities
Provided for contingent strategies
Risk management organization structure: Board of Directors, CRO, RM Team, External Advisors, Divisional Teams (each with its own RM Team)
Identify required controls, of which identify:
Existing controls (eg: segregation of duties)
Estimated controls (eg: risk management policy)
Newly implemented controls
Identify control mechanisms, of which identify:
Automated controls (eg: systems usage monitoring)
Manual controls (eg: employee reference checks)
Identify control response, of which identify:
Detective controls (eg: forensic audits)
Preventive controls (eg: confidentiality contracts)
Identification of (x axis):
Total cost of risk mitigation measures
Cost estimates of anticipated losses
Extent of exposure
Identification of (y axis):
Define business unit risk management target
Identify risk movement
Assess present status of risk response measures
The risk score card enables an entity to prioritize risk response initiatives.
From ad-hoc to continuous approach
1. Manual detective approach: Manual reviews, performed on an ad-hoc basis. Mainly requires (costly) human involvement. The costs are not reduced when the verification is repeated.
2. Automated detective approach: Automated reviews, embedded in a process (attestation / reporting). The periodicity and scope of the reviews are based on a risk assessment. Significant cost reductions as human involvement is reduced. Lower total costs of assurance.
3. Automated preventive approach: IAM processes are designed, implemented and proven to be effective. Significant cost reductions as operational excellence is improved by automation, on business (access request processes) as well as on IT (provisioning).
Focus on the future and take a proactive approach to identify risk
Place the greatest investment into change management and empowering people
Don't depend entirely on subjective risk perspectives; collect real data
Work with management to solve risk-related challenges
Make sure that assurance processes permeate through the organization
Be clear about the board's oversight objectives.
Work with management to agree on the types of risk information the board requires.
Ensure that the culture encourages directors to question, challenge, and test management.
Invite the right people to the board's conversations about risk.
Focus on tone at the top, culture, and incentives.
Enlist the CRO to support the board in its oversight of risk.
Ensure that risk oversight responsibilities of the full board and its committees are clear.
Provides credible risk governance
Inputs to strategy formulation
Integrates risk management and strategy execution
Aggregates information to identify operational control weaknesses
Addresses operational risks early
Incorporates risk in programme management
Focuses on risks to reputation
Builds a risk management dashboard
Uses behavioral change management techniques to maintain risk awareness
capabilities