

ERM and Strategic Risk Management for KKU 16 January 2021

Published by pomthong, 2021-09-20 03:18:32


Enterprise Risk Management and Strategic Risk Management
Khon Kaen University, Risk Advisory, 16 January 2021

Disclaimer: This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2021 Deloitte Touche Tohmatsu Jaiyos Advisory Co., Ltd.

Speaker Profile: Phansak Sethsathira, Partner, Risk Advisory ([email protected])

Phansak has extensive experience in both risk and management consulting. He has managed and executed various risk management services ranging from enterprise risk and strategic risk to fraud risk management. He also led a national-level strategic clinical research roadmap project to align with the national policy Thailand 4.0.

In management consulting, he is responsible for business process improvement to establish operational efficiencies with good internal controls, policy and procedure development/enhancement, standard costing review, and software evaluation and selection. He also worked with one of the largest commercial banks in Thailand, where he was responsible for bank-wide fraud risk management, including developing the anti-fraud strategy, designing the fraud management organization structure and job descriptions with the skillsets required, designing the fraud risk management framework, and assisting the bank with an enterprise fraud management system implementation.

Phansak is an active speaker on fraud and risk management at several events and institutions, including the Institute of Internal Auditors of Thailand (IIAT), the Federation of Accounting Professions (FAP), the Securities and Exchange Commission (SEC), and many listed companies. He has also written articles on comprehensive fraud management in high-risk countries, corporate governance, and family business that were published in the press.

Phansak holds an MBA with emphasis on Operations Quality and Technology Management, and Marketing. He is a Certified Fraud Examiner (CFE) and a member of the ACFE (Association of Certified Fraud Examiners) Advisory Council. At Deloitte, he is responsible for strategic risk management, business process and internal controls improvement, fraud risk management, crisis management, enterprise risk management, and family business advising.

Speaker Profile: Pilaivan Vorrawutwitchayawong, CPA, Manager, Risk Advisory ([email protected])

Pilaivan is a Manager in Risk Advisory. She has more than 15 years' experience in consulting, including internal audit, business risk advisory and external audit, covering enterprise risk management, compliance program review, quality assurance review of the internal audit function, J-SOX review, US-SOX review, process improvement, and regulatory consulting. She has a wide range of industry experience, including banking, telecommunications, automobile trading, manufacturing, retail and wholesale, and hospitality. Currently, she is active in providing consultancy to a diverse range of businesses in Thailand. Pilaivan is a special instructor on internal audit at Kasetsart University.

Key learning points and discussion
• Understand risk and the basic concepts of Enterprise Risk Management (ERM)
• Risk management framework
• What risks management should be concerned about
• How risk powers performance
• Growing expectations of risk management and transformation

Introduction to Risk Management

Let’s redefine risk and explore a different way of working and thinking in risk management:
• Let’s redefine risk management
• Build trust and confidence
• Risk powers performance
• Embrace technology and advanced analytics
• Set organizations free and make them agile
• Don’t let fear drive risk management; fear makes organizations rigid
• Minimize traditional controls
• Empower people
• Break through silos
• Risk management as a source of competitive advantage
• Strengthen resilience and embrace uncertainty

Introduction to Risk Management: Understanding the risk

The risks facing organizations continue to grow in number and complexity. With their 2013 update to the Internal Control – Integrated Framework, the Committee of Sponsoring Organizations (COSO) acknowledged that “business and operating environments have changed dramatically, becoming increasingly complex, technologically driven, and global.” The globalized business environment exposes organizations to increased fraud and corruption risks, which are further heightened when supply chains extend to countries that score poorly on the Corruption Perceptions Index (a low CPI score indicates a high perceived level of corruption).

Risk is the possibility of an event occurring that will have an impact on the achievement of objectives.* Hence, we need to manage risk. The four generic risk responses are:
• Mitigate
• Avoid
• Transfer
• Accept

* Source: https://na.theiia.org/standards-guidance/mandatory-guidance/Pages/Standards-Glossary.aspx

Introduction to Risk Management: Understanding the enterprise risk

• Risk can be categorized into various areas, for example strategic risk, operational risk, financial risk, legal & compliance risk, reputational risk or even fraud risk. All of these risks are connected, so the combination of key risks that impacts an organization’s ability to achieve its objectives constitutes its enterprise risks.
• Enterprise risk management (ERM) is therefore an end-to-end approach to risk management that includes identifying, assessing, measuring, monitoring, and responding to risks across an enterprise.
• An assessment result can be used as a baseline:
  – to provide assurance to the board and/or management in their oversight of strengthening the organization’s systematic risk management;
  – to augment both preventive and detective controls; and
  – to understand any changes in the external and internal business environment, and how to prepare for such incidents.

[Diagram: inherent risk is reduced by existing and effective controls to residual risk; where residual risk still exceeds the risk appetite / tolerance level, a mitigation plan is needed to bring residual risk within appetite.]

Introduction to Risk Management: Some risk category definitions

• Strategic Risk: a risk that attacks the basis for competitive advantage, challenges the logic of strategic choices, and undermines an organization’s ability to achieve or maintain exceptional performance.
• Operational Risk: a risk that mainly arises from daily operations or day-to-day activities. It is normally found in business processes.
• Reputation Risk: a risk that can lead to a change in the way an organization is perceived by relevant or selected key stakeholders.
• Legal & Compliance Risk: a risk that may enable or restrict the organization and may lead to litigation or punishment. This may include PDPA, AML, CTF and FCPA obligations.
• Market Risk: a risk of financial gain/loss resulting from movements in market prices, for example from interest rate or exchange rate movements.
• Credit Risk: the possibility of a loss resulting from a borrower’s failure to repay a loan or meet contractual obligations.
• Fraud Risk: a risk of intentionally deceiving others to gain unfair benefits.

Introduction to Risk Management: Understanding the enterprise risk

Not all risks result in significant impact. ERM should focus on key risks that could affect competitive advantage, market position and performance.

Introduction to Risk Management: What do leading ERM programs focus on?

• Have a single corporate set of key enterprise risks, limited to 10-15 risks
• Establish strong risk governance, such as a board risk committee, an executive-level management risk committee, and/or a standalone Chief Risk Officer
• Are focused on helping the company to develop strategic risk management capabilities, enabling focus on both value creation and value preservation
• Evaluate specific operational risks for changes; these risks are part of “business as usual” and managed by the appropriate business units / functions
• Have Internal Audit validate that the process is effective and achieves its intended result
• Use the strategic planning process and other existing processes to “embed” risk management vs. it being “bolted on”

Introduction to Risk Management: Typical groups involved in enterprise risk management [figure]

The Three Lines of Defense in effective risk management and controls [figure]

We are now living in a VUCA world

01 Volatility: the nature and dynamics of change, and the nature and speed of change forces and change catalysts
02 Uncertainty: the lack of predictability, the prospects for surprise, and the sense of awareness and understanding of issues and events
03 Complexity: the multiplex of forces, the confounding of issues and the chaos and confusion that surround an issue or an organisation
04 Ambiguity: the haziness of reality, the potential for misreads, and the mixed meanings of conditions; cause-and-effect confusion

The strong interconnections between the different causes explain most systemic crises: several potential fires are ready to ignite at the same time.

Trends to cope with economic downturn

Private companies are looking to gain a competitive edge. Global private company owners and Boards are asking themselves various questions:
• What changes to our business models should we consider in response to competitive disruption?
• Are we doing an effective job of communicating our strategy and values through all levels of the organization?
• What capabilities are we investing in to tap new markets?
• What processes do we have in place to prioritize spending and measure success or potential opportunity?
• Are we doing enough as an organization to develop future leaders and attract needed talent?
• What role is technology playing in our innovation processes, and are there other opportunities that we need to pursue?
• What values define us as a corporate citizen, and are they well understood inside and outside the organization?

Thailand’s growth momentum is slowing, driven by factors including the trade war, Thai Baht appreciation, government stability, and Covid-19.

[Figure: Covid-19 data as of 14 January 2021. Source: https://www.covidvisualizer.com/]

A holistic approach: Strategy-to-Operations in a VUCA world

[Diagram: Industry Analysis → Business Strategy → Organization → Competitive Advantage → Direction]

• Fast-cycle market
• Low-loyalty customers and employees
• Technological advances
• Rapidly evolving laws and regulations
• Business strategy may not be good enough to survive (e.g., assumption testing, trend analysis)
• A structure and functions that need to fully support the defined business strategy
• Not shielded from imitation
• What will we be doing in terms of governance, business processes, people, and technology?
• Increased spending does not guarantee that everything is under control
• Speed and flexibility are important

Point of view on risks

The world is becoming increasingly more Volatile, Uncertain, Complex, and Ambiguous. Strategic risks are both external and internal. Organizational blind spots and personal biases can prevent insight from becoming actionable.

Disruptions may come from unexpected places. Trends from outside your industry and non-traditional competitors are increasingly likely to cause disruption.

Data gathering and insight development must be active and ongoing. The nature and pace of change in today’s world demands a continual learning and discovery mode.

Connections amplify the potency of trends and their ability to disrupt. The world is too interconnected and changing too fast to keep your eye on only one ball at a time.

“Disruption may be a risk, but it is also a wonderful opportunity. It means customer needs are not being met, so that’s an opportunity.”
— Peter Harmer, Managing Director and CEO, IAG

Observations on traditional ERM

Many ERM practices emerged in the late 1990s and early 2000s for risk identification, assessment, mitigation, and reporting. However, many organizations modified their programs because of:

• Failure to prevent surprises: reputational and strategic risks continue to occur that were not on the ERM “radar”.
• “False precision”: over-emphasis on developing a heat map and quantifying risks vs. the order of magnitude of impact to the business.
• Lack of effectiveness: focused largely on internal “known” risks where developing partnerships with BUs was not top of mind; even with ERM in place, known risks such as compliance events and recalls cost companies billions of dollars.
• Value for the investment: programs evolved into “chasing down” the business for data vs. becoming risk management “centers of excellence”.
• Value for decision-making: information was largely retrospective and did not support future decision making or provide strategic risk insights.

What does risk management mean for management? The Risk Management Transformation

Increasingly, businesses have been arguing that Risk Management should contribute more to value creation instead of only preserving the existing value of the organisation. Some of the philosophies put across for the future state of Risk Management include:
• alignment of risk management objectives to the strategic directions
• preserving a healthy tension between value creation and value protection
• fitting risk management responsibilities cascading down all levels within the organisation

These philosophies propel businesses to look into a Risk Management Transformation journey to instill a value-creation risk management model, as exhibited below.

Value Protection Risk Management (focus on safeguarding the existing value of the organisation):
- Disconnected from strategic and operational decisions
- Focus on adverse and negative events
- Compliance focused
- Risk mitigation
- Usually functional
- Inside and backward looking

Value Creation Risk Management (rationalising the risks from both opportunity and risk perspectives):
- Embeds the strategic and operational directions from senior management
- Considering the risk tradeoffs, the positive outcomes from undertaking the risks
- Value driven
- Risk optimisation
- Entity-wide and coordinated efforts within the whole organisation
- External and forward looking

Business needs are transforming enterprise-wide risk management from a compliance-oriented focus to a more dynamic approach that drives strategy, builds resilience and delivers financial results.

What are the biggest drivers of value creation?
• Leading intelligence and foresight
• Top talent and operating model
• Superior product development
• Strong supply chain & distribution channels
• Superb resiliency
• Innovative culture and mindset
• Proactive brand and reputation management
• Sustained competitive advantage

What do senior executives want from risk management?
• Predictive capabilities (insight & foresight)
• Better decision making
• Better awareness and understanding of risk
• Better performance
• More value protection
• Assurance (a more confident business)
• Risk-based resource allocation
• More for less

Spotted early and handled well, strategic risks can point the way to game-changing moves that reorder the field.

“The reality is, unless you dedicate senior resources to the activity, the management of risk just isn’t going to develop the way that you probably intend for it to develop.”
— Dean Yoost, Board Member, Pacific Life Insurance Company and MUFG Union Bank; Advisory Committee Member, American Honda Finance Corporation

How strategic risks differ from operational risks

Primary area of focus
• Strategic risks: strategic positioning. Strategic risks arise from the organization’s strategic positioning.
• Operational risks: business operations. Operational risks refer to potential risks or losses arising from normal business operations.

Level of control
• Strategic risks: outside the direct control of the organization; shaped by external forces driving the business environment in which a company operates.
• Operational risks: affect the day-to-day running of operations and business systems; largely under the control of the organization itself.

Tools for identifying and managing risks
• Strategic risks: tools used to identify strategic risks aim to surface insights about the competitive landscape and the organization’s preparedness to address market shifts; strategic risks may require changes in strategy.
• Operational risks: tend to arise from failure to comply with existing procedures or plans; typically identified through an assessment process and managed through treatment plans.

Some ERM programs have not traditionally focused on the right risks

Even as strategic risks have proven to be the #1 “value killers”, ERM and compliance functions have traditionally focused on other risk categories.

[Charts: the proportion of significant losses in market value caused by each type of risk over the past decade (1); the proportion of time companies traditionally spend on each type of risk.]

Many factors contribute to a company’s failure, but three stand out:
• Failure to explicitly account for risk when formulating strategies
• Failure to monitor and manage assumed risks
• Failure to re-evaluate strategies in light of external change

(1) Source: Reducing Risk Management’s Organizational Drag, CEB, 2015, and “How To Live With Risks,” Harvard Business Review, July-August 2015

How does management spend its time today? Where should management spend more time in the future? [figure]


What does this risk mean to you? …Pace of innovation… [images; source: Blognone, BrandBuffet, Bangkokbiznews, and Internet]

What does this risk mean to you? …Pace of innovation… [images; source: ThaiQuote, TechSauce, SmartSME, Blognone, BrandBuffet]

Boards and management expect more from ERM given our VUCA world

Most leaders believe the risks they face are complex and numerous
• About 70% of organizations believe the volume and complexity of risks have increased in the past 5 years
• This has been the case for several years, indicating the risk environment continues to be challenging to manage
• Most companies indicated they dealt with significant operational surprises in the past 5 years

Opportunities exist to better integrate risk management and strategic planning
• One-quarter of respondents describe their processes as a key strategic tool
• 34% of companies indicated they do not complete formal assessments of emerging strategic, market, or industry risks
• Of the organizations that consider strategic risks, assessments of risk exposures are primarily qualitative

But… risk management processes are still less advanced
• 25% of companies describe their risk management processes as “mature” or “robust”
• Large organizations, public companies and financial services entities have more mature processes, yet less than 50% are “mature” or “robust”
• Most organizations do not believe their processes reflect “complete” or formal enterprise-wide risk management

More organizations are investing in strengthening their risk leadership
• 58% of companies have a risk committee, which has increased from 45% last year
• Almost 80% of large organizations, public companies and financial services entities had management-level risk committees, an increase of ~10 percentage points from last year
• The number of leaders designated as Chief Risk Officer or equivalent has increased from prior years

A strong majority of boards are asking for more involvement of senior executives in overseeing risks
• 67% of boards wanted to see more involvement, with an even higher percentage of boards asking for that at large organizations, public companies or financial services entities
• This trend is consistent with prior years, suggesting that boards continue to push their companies to focus on strengthening risk oversight

Source: The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, NC State ERM Initiative, 8th Edition (March 2017)

Optional activities: Deep dives to take ERM to the next level

Techniques for enterprise risk and strategic initiative risk assessment deep dives. These optional activities help to conduct deep dives into your top enterprise risks and strategic initiatives to gather additional insights and mitigation techniques, to identify the indicators with which to track them, and to gain the appropriate tools to monitor, identify, and manage your key risks.

• Root cause analysis on a top risk: an approach, such as bow-tie analysis, to understand the root causes, drivers, and consequences of a risk and to enable more targeted development of risk management strategies and Key Risk Indicators to monitor.
• War gaming: a process for improving decision-making under uncertainty, by providing opportunities to rehearse, refine, and test strategies by considering potential second- and third-tier effects of decisions.
• Assumptions testing: an approach to identifying the explicit and implicit assumptions underlying strategies in order to identify potential vulnerabilities and impacts should assumptions not turn out as planned.
• Scenario planning: a structured approach for exploring multiple plausible scenarios / futures for your business environment and how existing strategies may fare in alternative futures, in order to better understand key risks and opportunities and develop action plans / indicators to monitor.

Leading companies are now looking to take a more strategic approach to ERM

Many companies are beginning to transform their ERM programs into something more strategic, including linkage of risks to strategy and identification of strategic risks, and the use of advanced techniques such as sensing and scenario planning.

Risk Culture
• Traditional ERM: “check the box” compliance view of risk management; stand-alone activity.
• Strategic-risk-focused ERM: risk management is embedded in the operating rhythm of the business and integrated into strategic planning and other existing business processes.

Role of Function
• Traditional ERM: serves as the “scorekeeper” of risks; not well integrated with the rest of the business.
• Strategic-risk-focused ERM: the team acts as a Center of Excellence to advise the business, deploy tools, and provide insights to better identify, prepare for and manage risk.

Risk Management Process
• Traditional ERM: identifying and tracking known risks through look-back analysis.
• Strategic-risk-focused ERM: focus on uncovering emerging risks versus the known risk universe, while providing a process for managing and escalating “business as usual” risk. Plan for emerging risks and continuously monitor leading indicators to understand when you should change course or put actions into place.

Risk Focus
• Traditional ERM: focus on operational and compliance risks.
• Strategic-risk-focused ERM: provide a risk lens to the company’s strategy, business and reputation, and identify risks that can threaten or enhance competitive advantage, informing decisions around risk with “eyes wide open”.

Link to Strategy
• Traditional ERM: identifying and mitigating risks that could impact strategic execution.
• Strategic-risk-focused ERM: bringing outside-in perspectives and helping confront cognitive and institutional biases, in order to help identify and analyze emerging risks that may impact strategic assumptions or require changes to strategy/direction.

A framework for leading ERM capabilities

The ERM Framework has four quadrants: Alignment with Strategy, Governance & Culture, Business & Operating Model, and Reporting & Technology.

Alignment with Strategy
• Risk integrated into strategy setting, business planning and performance management
• Focus on both risks of the strategy and risks to strategy execution
• Deploy tools such as scenario planning, assumptions testing and war-gaming to better understand the impact of risks on strategies and plans
• Position risk as a strategic enabler

Governance & Culture
• Executive leadership / board establish a common risk culture
• Board oversight of top risks and the overall risk management program
• Management-level risk committee discusses strategic and emerging risks, and response strategies
• Defined risk tolerances

Business & Operating Model
• Roles, responsibilities, reporting lines, processes, policies, controls
• Processes and tools for identifying, assessing, managing, and monitoring known and emerging risks
• ERM linked with other areas (e.g. cybersecurity, crisis management, brand, compliance, internal audit)

Reporting & Technology
• Common risk reporting framework and criteria
• Continuous risk monitoring and prioritization
• Executive risk dashboard reporting and decision support systems
• Outside-in view combined with data (risk sensing, risk analytics) to help identify and monitor emerging risks


COSO 2017 Enterprise Risk Management — Integrating with Strategy and Performance

COSO, the Committee of Sponsoring Organizations of the Treadway Commission, is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management, internal control and fraud deterrence.

COSO 2017 Enterprise Risk Management — Integrating with Strategy and Performance

The COSO ERM framework consists of five interrelated components with 20 principles:
1) The supporting components: I. Governance and culture; II. Information, communication, and reporting.
2) The common process components: I. Strategy and objective-setting; II. Performance; III. Review & revision.

ISO 31000 – Principles, Framework, and Process

ISO 31000 is a principles-based approach to risk management. The principles communicate the characteristics, value and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management.

Deloitte Risk Governance Framework: Assessing the adequacy of the risk governance structure

[Figure: the nine principles: Transparency for Governing Bodies, Roles & Responsibilities, Common Definition of Risk, Common Risk Framework, Common Risk Infrastructure, Executive Management Responsibility, Objective Assurance and Monitoring, Business Unit Responsibility, Support of Pervasive Functions]

Deloitte Risk Governance Framework: Assessing the adequacy of the risk governance structure

The nine principles will help leverage current risk management processes and develop an enterprise perspective on risks and opportunities.

• Governing Bodies Responsibility: governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.
• Roles & Responsibilities: key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
• Common Definition of Risk: a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
• Common Risk Framework: a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
• Common Risk Infrastructure: a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
• Executive Management Responsibility: executive management is charged with designing, implementing and maintaining an effective risk program.
• Objective Assurance and Monitoring: other functions (e.g., internal audit, risk management, compliance) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.
• Business Unit Responsibility: business units are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
• Support of Pervasive Functions: certain functions have a pervasive impact on the business and not only provide support to the business units as it relates to the organization’s risk program, but also enhance and enable success when strategically aligned and considered as essential elements of the program.

Risk management process: Establish the Context → Identify → Analyze → Evaluate → Treat

Establish the Context

Establishing the context defines the environment, criteria, and processes necessary to manage risks. Key activities include:
1) Determine the levels of impact and vulnerability.
2) Define the criteria of impact (i.e., financial, which is the quantitative aspect, and non-financial, which is more the qualitative aspect) and of vulnerability.

Example impact criteria (for illustration only):
• Financial impact: asset damage; loss of revenues; loss of profits
• Non-financial impact: employee morale; operations / business disruption; reputation and brand damage; laws & regulation; customer; HSE

Risk management process: Establish the Context (continued)

3) Design the definition of both impact and vulnerability levels.
4) Define the risk appetite (i.e., how much risk an organization is willing to accept, or its ability to meet the set goals).
5) Define scoring, weighting and calculation methods, including agreement on decimal rounding (up/down) of the final score.

Example financial impact levels (thresholds X … X5 to be set by the organization):
Level      Estimated loss amount (Thai Baht)
Low        < X Baht
Medium     X – X1 Baht
High       X2 – X3 Baht
Very high  X4 – X5 Baht

Deloitte’s risk appetite concept

Risk Capacity: The maximum level of risk at which a firm can operate, while remaining within constraints implied by capital and funding needs and its obligations to stakeholders.
Risk Profile: The firm’s entire risk landscape, reflecting the nature and scale of its risk exposures aggregated within and across each relevant risk category.
Risk Appetite: The risk a firm is willing to take in the pursuit of its strategy.
Risk Appetite Limit: The level of risk which, if breached by the firm’s risk profile, would necessitate immediate escalation and corrective action.

Sample heat map and risk summary broken down by categories (figure)

Risk management process: Establish the Context > Identify > Analyze > Evaluate > Treat

Identifying risks, their triggers and their consequences is the first step in understanding the risks that may prevent an organization from achieving its objectives, its overall risk exposure, and how risks should be managed. Using a robust process is critical, because a risk not identified at this stage may be excluded from the Analyze phase. The following should be considered:
• What can happen, where and when? Generate a list of sources of risks and events.
• Why and how can it happen? Consider possible root causes and scenarios.
Risk identification should cover past, present and near-future events.

Key issues found include, but are not limited to:
• a poor understanding of risk management concepts;
• lack of supporting information; and
• root causes are not identified (the focus is on the consequence instead).

Root cause analysis on a top risk
Each root cause can be further drilled down to understand risk drivers

Risk: Failure to motivate and retain key talent may result in loss of important capabilities, knowledge and cultural concerns

Root Cause Level 1 (root cause factors):
• Employee turnover
• Challenges driven by external environment
• Employee engagement and performance

Root Cause Level 2:
• Ineffective communication procedures
• Ineffective career development plan and competitive training programs
• Other internal organization processes / methods

Root Cause Level 3:
• Lack of diversity and open culture
• Ineffective communication of department goals and growth plans in conjunction with corporate strategy
• Inability to define critical skills before they can recruit for them
• Poor or ineffective communication plan of outsourcing / downsizing plans
• Perceived bureaucratic influence on promotions / transfer decisions
• Lack of in-house Certified Trainers for technical programmes and safety aspects to enhance coverage
• Ineffective coaching / mentoring skills at middle management level hampering the cultural dynamics
• Lack of incentives such as intellectual property sharing or sales royalties upon product launch (from patent realization)
• Lack of industry competitive / cross-functional training opportunities
• Inconsistent execution / deployment of initiatives (e.g., internship / job-rotation policy, knowledge transfer)
• Ineffective design and operation of retirement plans and administration

Root cause analysis on a top risk
Heat maps allow for visualization of risks along multiple criteria and enable a quick snapshot of prioritization

Risk: Failure to motivate and retain key talent may result in loss of important capabilities, knowledge and cultural concerns
Root Cause Level 1 (root cause factors): Employee turnover; Challenges driven by external environment; Employee engagement and performance
(Heat map figure plotting the root cause factors against the rating criteria)

Root cause analysis on a top risk
Response plans should be developed based on the root cause

Risk: Failure to motivate and retain key talent may result in loss of important capabilities, knowledge and cultural concerns
Root Cause Level 1 (root cause factors): Employee turnover; Challenges driven by external environment; Employee engagement and performance

Existing controls:
• Town halls communication and senior management communication plan
• Job description and role description for every identified new position
• Internal mobility / promotions
• Job rotation policy
• Competitive training programs with industry accreditation
• Middle management leader skill development training programs
• Role and performance based compensation and incentive program
• Retirement benefits and accident cover benefits

Response plans:
AVOID
• Avoid scarcity of resources by aligning the expansion plans in the resource-rich locations
ACCEPT
• Introduce panel/committee based decision on internal transfer selection process
MITIGATE
• Ensure a certain percentage of women and differently abled candidates at each organizational level / during recruitment
• Conduct regular cross-department meetings and involve representatives from all divisions in the leadership meetings
• Document critical positions, competencies and succession planning strategies every 6 months
• Set up a counselling desk for redundant positions to explore internal transfer
• Framework to identify experts and further enhance their skillset through company-paid, industry-popular certification courses
• Implement a confidential listening post help desk number to address employee grievances
TRANSFER
• Renegotiate better cover terms with the insurer to enhance employee health & safety incident compensation

Risk management process: Establish the Context > Identify > Analyze > Evaluate > Treat

Analyzing risks helps us understand the magnitude of both the positive and the negative consequences of a risk event. This will enable an organization to prioritize risks, and therefore initiate its risk treatments effectively.

Risk category / Risk ID / Risk / Definition / Scenarios
Strategic risk / SR-001 / Corporate strategy and/or business model is probably outdated / • Organization’s industry is undergoing significant transformation due to industry/business environment, new and emerging technology or customer preference changes.
Strategic risk / SR-002 / Management transition / • Top management/C-Suite are in transition. • Unable to attract/retain top talents or successors.
Brand & Reputational risk / BR-001 / Negative publicity / • Customers, employees or relevant parties post a negative message on social media or a public website (e.g., Facebook, Pantip) which deteriorates the company’s public image.
Brand & Reputational risk / BR-002 / Lack of standard protocol to cope with unwelcome incidents / • No standard policy, procedures or protocols found in the company regarding potential fraud or serious misconduct. • Unable to maintain confidentiality during investigation.
Supplier and inventory risk / SI-001 / Supplier risk / • Key supplier is unable to deliver the orders as committed or on the expected date. • The delivery ordered is below expected quality and cannot be sold to customers.
Supplier and inventory risk / SI-002 / Inventory management / • Ineffective inventory management (overstock) that causes a high non-movement inventory level (or risk of having dead stock). • Ineffective inventory management (understock) that causes an inventory shortage which impacts both the company’s revenue and profit. • Lack of substitute products.
Fraud risk / FR-001 / Asset misappropriation / • Theft of company inventories including cash and non-cash. • Misuse of company assets (e.g., for personal use and not for business purposes).
Fraud risk / FR-002 / Bribery & Corruption / • Asking for or offering under-the-table money. • Conflict of interest.

Risk management process: Establish the Context > Identify > Analyze > Evaluate > Treat

Evaluating risks helps an organization to prioritize risks for treatment by comparing them to the pre-established risk appetite. This enables decisions about treatment to be made that optimize risk taking in a way that maximizes the likelihood of achieving objectives. A risk matrix (heat map) is useful for prioritizing risks for treatment by:
• Rating risks, considering both vulnerability and impact.
• Creating categories (e.g., Low, Medium, High, and Very High) that have predetermined treatment requirements.
• Enabling management to allocate resources based on priorities.

Risk management process: Establish the Context > Identify > Analyze > Evaluate > Treat

Treating risks involves identifying risk options, assessing them, and implementing treatment plans. A combination of response strategies is used to reduce the residual risk below a defined risk tolerance threshold. Once a risk treatment is implemented, the actual residual risk is measured and compared to the expected residual risk to determine if further action is required.

The four response strategies are AVOID, TRANSFER, MITIGATE and ACCEPT:
Avoid: the risk cannot be mitigated and must be eliminated.
Transfer or share: another party bears or shares part of the risk. NOTE: This does not mean the risk is no longer present or no longer the responsibility of the organization.
Mitigate or control: the risk must be borne and its threat cannot be avoided or transferred. Risks are reduced until the residual risk falls below the risk tolerance threshold.
Accept: the cost of implementing mitigation strategies outweighs the benefits.
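The scoring, evaluation and residual-risk steps described in the Establish the Context, Evaluate and Treat slides, as an added worked example (this code is not from the Deloitte deck): the loss bands standing in for the deck's "< X", "X – X1" ... thresholds, the 60/40 impact-to-vulnerability weighting, the category boundaries, the treatment requirement per category and the sample risks are all constructed placeholders.

```python
from decimal import Decimal, ROUND_HALF_UP

# Constructed placeholders for the deck's "< X", "X - X1" ... loss bands (Thai Baht); loss at or above the last bound is level 4.
LOSS_BANDS_THB = ((1_000_000, 1), (10_000_000, 2), (100_000_000, 3))
LEVELS = ("Low", "Medium", "High", "Very high")
CATEGORY_UPPER = ((Decimal("1.5"), "Low"), (Decimal("2.5"), "Medium"), (Decimal("3.5"), "High"))
TREATMENT = {"Low": "Accept", "Medium": "Mitigate", "High": "Mitigate or transfer", "Very high": "Avoid"}  # constructed

def financial_impact_level(loss_thb: int) -> int:
    """Steps 2/3: map an estimated financial loss (quantitative criterion) to impact level 1 (Low) .. 4 (Very high)."""
    for upper, level in LOSS_BANDS_THB:
        if loss_thb < upper:
            return level
    return 4

def weighted_score(impact: int, vulnerability: int, w_impact: str = "0.6", decimals: int = 1) -> Decimal:
    """Step 5: weighted score of the two 1..4 ratings, rounded half-up to the agreed number of decimals."""
    if not (1 <= impact <= 4 and 1 <= vulnerability <= 4):
        raise ValueError("impact and vulnerability must be levels 1..4")
    wi = Decimal(w_impact)  # Decimal rather than float so the agreed rounding rule is applied exactly
    raw = wi * impact + (1 - wi) * vulnerability
    return raw.quantize(Decimal(1).scaleb(-decimals), rounding=ROUND_HALF_UP)

def categorize(score: Decimal) -> str:
    """Evaluate: place a score into the heat map categories Low / Medium / High / Very high."""
    for upper, name in CATEGORY_UPPER:
        if score < upper:
            return name
    return "Very high"

def evaluate(risk_id: str, loss_thb: int, vulnerability: int, appetite: str = "Medium") -> dict:
    """Evaluate: rate the risk and compare its category with the risk appetite to decide the required treatment."""
    impact = financial_impact_level(loss_thb)
    score = weighted_score(impact, vulnerability)
    cat = categorize(score)
    exceeds = LEVELS.index(cat) > LEVELS.index(appetite)
    return {"risk_id": risk_id, "impact": impact, "vulnerability": vulnerability, "score": score,
            "category": cat, "exceeds_appetite": exceeds,
            "treatment": TREATMENT[cat] if exceeds else "Accept"}

def residual_check(expected, actual, tolerance) -> str:
    """Treat: after implementation, compare the actual residual risk with the expected residual and the tolerance threshold."""
    expected, actual, tolerance = (Decimal(str(v)) for v in (expected, actual, tolerance))
    if actual > tolerance:
        return "further action required"  # residual risk is still above the tolerance threshold
    if actual > expected:
        return "monitor"  # within tolerance, but worse than the treatment plan expected
    return "within tolerance"
```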

