1 of 37

Enterprise Risk Management (ERM)

The Human Resource Management Association of Jamaica (HRMAJ) Conference 31: "Innovating Through the Downturn…Creating Value for the Upturn"

Presenter: Bruce L Scott, FCA, FCCA, CISA, MBA, CISM, CBCP, CPA, CIA, CFE, CRISC
Partner – Risk & Internal Audit Services
PwC Jamaica

16 – 18 November 2011

www.pwc.com

bruce.scott@jm.pwc.com / 876-932-8335

ERM

Contents

  • Introduction
  • Risk management in the news
  • State of risk management in the Region versus the Globe
  • Risk management defined and key concepts
  • Embedding and implementing enterprise risk management in your company

PwC

2

Risk Management in the News

UBS trader Kweku Adoboli 'sorry' for bank's $2.3B loss, lawyer says

New York Post – 22 September 2011

Risk Management in the News

The Event:

  • City rogue trader Kweku Adoboli arrested over $2bn UBS loss

  • Kweku Adoboli, a 31-year-old trader at UBS, has been arrested by City of London police in connection with rogue trading that has cost the Swiss banking giant an estimated $2bn (£1.3bn).

The Telegraph – September 2011

Risk Management in the News

The Impact

  • The bank said that it may also be forced to report a loss for the third quarter due to the unauthorised trade. (FINANCIAL)

  • Credit ratings agency Moody's on Thursday night put UBS on review for downgrade, saying the revelations could harm the bank's reputation. (REPUTATIONAL)

  • The announcement is a major blow for UBS, which had started to see client confidence return this year after it had to be rescued by the Swiss state in 2008. (REPUTATIONAL)

The Telegraph – September 2011

Risk Management in the News

Root Cause:

Mr Adoboli's potential involvement revived memories of rogue trader Jérôme Kerviel, who lost £4bn for French bank Société Générale in 2008. Like Mr Kerviel, the UBS trader started out in back office operations, building an understanding of trading systems ... (SEGREGATION OF DUTIES / FAMILIARITY)

Duration:

The prosecution said some of the unauthorized trades dated back to 2008.

The Telegraph – September 2011

Are you exposed?

Could your department or entity have been losing millions over the last few years (as UBS did), a loss that later crystallises into a newspaper headline?

Are you exposed?

Question:

Can anything be done to prevent or mitigate these types of massive operational exposures?

Answer:

Yes / Maybe / No

What is Risk?

“Risk is anything that could thwart the accomplishment of desired objectives.” (PwC)

What is Operational Risk?

"Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events."

Basel Committee on Banking Supervision

Other Key Risk Concepts - Risk as Opportunity

[Diagram showing three views of risk: A) Hazard: compliance and prevention; B) Uncertainty / variance: operating performance; C) Opportunity: strategic initiatives]

Risk as: 1) Hazard, 2) Uncertainty and 3) Opportunity

CEO Survey Overview

      • Nearly 1,400 CEOs surveyed world-wide
      • Conducted in late 2003
      • Survey objectives
        • CEOs' perception of risks
        • ERM embedded in the organization
        • Companies demonstrating exceptional skill in ERM

The key driver of risk management is value creation : THE DNA OF BUSINESS SUCCESS

When ERM is integrated in strategic planning

Percentage of CEOs reporting a strong or considerable positive impact (bar chart, 0% to 100% axis). Values are paired in the order the chart's data labels appear, "All others" versus "ERM is a priority":

  • Profitability: 23% vs 43%
  • Meeting strategic goals: 22% vs 45%
  • CEO's ability to think entrepreneurially and innovatively: 22% vs 51%
  • Reporting to regulators: 38% vs 51%
  • Communicating to stakeholders/shareholders: 33% vs 55%
  • Reputation: 32% vs 56%
  • Clarity of organisation-wide decision making and chain of command: 21% vs 59%
  • Creating smooth governance procedures: 42% vs 59%
  • Monitoring performance: 38% vs 62%
  • CEO confidence in business operations: 37% vs 66%
  • CEO's ability to take appropriate risks to help create value: 35% vs 68%

Source: Exhibit 22, Benefits of ERM (from the CEO survey described above)

What Then is Enterprise Risk Management?

Enterprise Risk Management is a process that includes:

      • Identification of potential events that may impact key business objectives
      • Risk assessment and response
      • Application across the entity
      • Managing risk within the entity's risk appetite
      • Linking risk to the strategic planning process
      • Monitoring the performance of ERM
      • The goal of ERM is ultimately to improve the likelihood that your organisation will perform as planned

ERM Around the World

When would you expect your organisation to have effective and efficient ERM in place?

7th Annual Global CEO Survey US Findings

ERM in the Region

    • How many regional companies have comprehensive ERM programs?

      • Less than 15% of large Caribbean companies have formal and comprehensive risk management programs

    • Many have pieces of what are required in a solid risk management program

    • Financial institutions tend to have strong financial and compliance risk management programs

ERM in the Region

    • Operational risks, however, are not usually formally identified and monitored to the levels required by the Australian/New Zealand Risk Management Standard (AS/NZS 4360, now ISO 31000) or the COSO ERM Integrated Framework

    • Operational risks (e.g. quality issues in a manufacturing plant, recruiting errors, IT failures, rogue trading) can be just as destructive as financial and other types of risk

How to Embed ERM as a Process in Your Company: Summary

    • Increase ERM awareness and its benefits
    • Develop a risk management policy and framework
    • Establish a risk management governance structure
    • Develop the risk universe (company and dept. level)
    • Do a risk analysis (H,M,L) and identify risk treatments
    • Assign risks to categories (e.g. technological, social)
    • Provide risk management training, tools and templates (e.g. risk and controls self assessment)
    • Monitor compliance with the risk policy (e.g. internal audit)

How to Embed ERM as a Process in Your Company

    • Increase ERM awareness and its benefits to senior management and the Board
      • Do a risk awareness presentation and let the CEO do the opening remarks
    • Develop a Risk Management Policy and Framework
      • Sets out the Board’s commitment to the policy
      • Sets out how risk management will work and what is expected of all stakeholders
      • States that all stakeholders must comply with the requirements of the policy
      • Communicate the policy and related sanctions

How to Embed ERM as a Process in Your Company

    • Establish a Risk Management Governance Structure
      • Board
      • Executive Risk Management Committee
      • Risk Manager
      • Risk Owners (Departmental Heads, Executives)
      • Treatment Owners
      • Departmental Risk Champions
      • Internal Audit

How to Embed ERM as a Process in Your Company

Establish a Risk Management Governance Structure:

[Organisation chart: Board (gets key risk reports/updates); Executive Risk Management Committee; VP / Risk Manager; Department Heads / Risk Owners; Risk Champions; Internal Audit]

How to Embed ERM as a Process in Your Company

    • Develop the risk universe
      • Start with business objectives (company, department or business processes)
      • Risk identification and inventory
        • Risk evaluation criteria (what determines the ranking of a risk)
          • Impact & Frequency
          • High impact and low frequency risks – special attention
        • Inherent risks vs. residual risks
        • Risk workshops vs. questionnaires and interviews
        • Loss experiences and losses in similar industries

How to Embed ERM as a Process in Your Company

    • Do a risk analysis (assessment) and identify the current control activities and treatments
      • Risk ratings: High, Medium or Low Risks
      • Risk response and treatments
        • Prevent
        • Mitigate
        • Avoid
        • Transfer
        • Accept

How to Embed ERM as a Process in Your Company

Risk Assessment

[Heat map: LIKELIHOOD (Low, Moderate, High) on one axis against IMPACT (Low, Moderate, High) on the other; each cell is rated High Priority, Moderate Priority or Low Priority]

How to Embed ERM as a Process in Your Company

    • Prepare and distribute the risk register and categorise the risks affecting the company
      • Risk Register
        • Lists all risks and their rank for all departments

      • Risk Categories: shows the categories of risk affecting the co. and the categories that are most pervasive across the company
        • Technology
        • People
        • Financial
        • Fraud
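The risk analysis and register steps above (impact and frequency as evaluation criteria, inherent versus residual risk, the likelihood/impact matrix, special attention for high-impact low-frequency risks, and risk categories ranked by how pervasive they are across departments) as a small working risk register. This is an added example, not code from the deck or from PwC; the 3x3 priority matrix, the rule that each effective control level steps the priority down one notch, the 0..2 control scale and the sample risks are assumptions chosen for illustration.

```python
"""Minimal ERM risk register: rate, prioritise and categorise risks.

Added example; not from the PwC deck. Assumed conventions:
  - likelihood and impact are scored Low / Moderate / High;
  - PRIORITY is one plausible 3x3 likelihood-by-impact matrix;
  - each effective control level lowers the priority one notch (floor: Low),
    which is how inherent priority becomes residual priority here;
  - High impact + Low likelihood risks are flagged for special attention,
    as the deck recommends.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")

# (likelihood, impact) -> priority. Assumed mapping, not taken from the deck.
PRIORITY = {
    ("Low", "Low"): "Low",
    ("Low", "Moderate"): "Low",
    ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low",
    ("Moderate", "Moderate"): "Moderate",
    ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate",
    ("High", "Moderate"): "High",
    ("High", "High"): "High",
}


@dataclass(frozen=True)
class Risk:
    dept: str
    description: str
    category: str       # e.g. Technology, People, Financial, Fraud
    likelihood: str     # inherent likelihood: Low / Moderate / High
    impact: str         # inherent impact: Low / Moderate / High
    controls: int = 0   # effective control levels in place, 0..2 (assumed scale)
    treatment: str = "Accept"  # Prevent / Mitigate / Avoid / Transfer / Accept


def rank(level: str) -> int:
    """Numeric rank of a Low/Moderate/High label; rejects anything else."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def inherent_priority(risk: Risk) -> str:
    """Priority before considering controls, straight from the matrix."""
    return PRIORITY[(risk.likelihood, risk.impact)]


def residual_priority(risk: Risk) -> str:
    """Priority after controls: one notch down per effective control level."""
    if not 0 <= risk.controls <= 2:
        raise ValueError("controls must be 0, 1 or 2")
    return LEVELS[max(0, rank(inherent_priority(risk)) - risk.controls)]


def needs_special_attention(risk: Risk) -> bool:
    """High-impact, low-frequency risks get special attention."""
    return risk.impact == "High" and risk.likelihood == "Low"


def build_register(risks):
    """Rows for the company-wide register, highest residual priority first."""
    rows = [{
        "dept": r.dept,
        "risk": r.description,
        "category": r.category,
        "inherent": inherent_priority(r),
        "residual": residual_priority(r),
        "special_attention": needs_special_attention(r),
        "treatment": r.treatment,
    } for r in risks]
    rows.sort(key=lambda row: (-rank(row["residual"]), -rank(row["inherent"]),
                               row["dept"], row["risk"]))
    return rows


def pervasive_categories(risks):
    """Categories ordered by how many departments they appear in."""
    depts = {}
    for r in risks:
        depts.setdefault(r.category, set()).add(r.dept)
    return sorted(((cat, len(d)) for cat, d in depts.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample risks, loosely modelled on the cases in the deck.
SAMPLE_RISKS = [
    Risk("Treasury", "Unauthorised trading positions outside limits", "Fraud",
         "Low", "High", 0, "Prevent"),
    Risk("HR", "Unauthorised changes to payroll rates", "Fraud",
         "Moderate", "High", 1, "Mitigate"),
    Risk("IT", "No disaster recovery plan for personnel records", "Technology",
         "Moderate", "Moderate", 0, "Mitigate"),
    Risk("HR", "Poor succession planning", "People", "High", "Moderate", 2, "Mitigate"),
    Risk("Operations", "Fraudulent expense claims", "Fraud", "High", "Low", 1, "Mitigate"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        flag = "  <- special attention" if row["special_attention"] else ""
        print(f'{row["residual"]:<9}{row["dept"]:<12}{row["risk"]}{flag}')
    print(pervasive_categories(SAMPLE_RISKS))
```

Note that the Treasury risk keeps its "special attention" flag even though its matrix priority is only Moderate: a rating scheme driven by likelihood alone would bury exactly the rogue-trading kind of exposure the deck opens with.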

How to Embed ERM as a Process in Your Company

    • Provide risk management training, tools and templates to all concerned parties
        • Risk and Control Self Assessment Templates
        • Risk Treatment Templates

    • Risk Monitoring
        • Role of the Internal Auditors
        • Role of Self Assessments
          • Risk Owners, Risk Manager, Executive Risk Committee, Board
        • Role of KPIs

Summary : COSO ERM Integrated Framework

The 8 steps above can be summarised using the COSO cube

This Process of Embedding Risk Management seems Long and Expensive – Any Short Cuts?

    • Technically “No”

    • Practically “Yes”
        • Employing a rigorous internal audit program, including follow-up audits, can help to reduce your company's risk exposures

        • However – the use of internal auditors alone – without the full ERM process will still leave exposures

        • Why is this the case?

How to Embed ERM as a Process in Your Company: Summary

    • Increase ERM awareness and its benefits
    • Develop a risk management policy and framework
    • Establish a risk management governance structure
    • Develop the risk universe (company and dept. level)
    • Do a risk analysis (H,M,L) and identify risk treatments
    • Assign risks to categories (e.g. technological, social)
    • Provide risk management training, tools and templates (e.g. risk and controls self assessment)
    • Monitor compliance with the risk policy (e.g. internal audit)

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

1. Risk: Poor work/life balance among staff (Operational / Strategic)
   Treatment: Flexitime and telecommuting. Telecommuting requires a greater investment in technology, triggers its own administrative requirements and may not suit all industries.

2. Risk: Absence of "issue intake and escalation procedures" for situations where staff notice suspicious activities such as fraud or sexual harassment (Fraud)
   Treatment: Develop an independent hotline and a clear fraud policy. Fraud prevention (the fire safety expert) is better than fraud investigation (the fire fighter).

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

3. Risk: Absence of a Code of Ethics and of company leadership that "walks the walk" (People)
   Treatment: Implement a Code of Ethics and apply sanctions where breaches occur. Companies with a Code of Ethics that works experience less fraud (PwC 2007 Economic Crime Survey).

4. Risk: Absence of an IT disaster recovery plan for recovering critical personnel information, or for recovering personnel information kept in hard copy, in the event of data loss (Technology)
   Treatment: Work with IT to develop an IT disaster recovery plan and a document management system.

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

5. Risk: Unauthorised changes to payroll rates on the IT systems (fraud); also inaccurate calculation of incentive payments, redundancies and net pay, which can be embarrassing (Fraud / Operational)
   Treatment: Strong password controls and a system of independent review of other people's work. Work with internal audit to assist with the monitoring of these issues.

6. Risk: Fraudulent expense claims and overtime being charged to the company; also the risk of fraudulent credentials being submitted (Fraud / People)
   Treatment: Do a fraud risk assessment and develop anti-fraud controls. Work with internal audit to assist with the monitoring of these fraud risks.
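The treatment for item 5, a system of independent review of other people's work with internal audit monitoring the result, as a detection check run over a payroll-rate change log. This is an added example, not code from the deck or from PwC; the CSV log format, the authorised maintainer and reviewer lists, the 20% threshold and the log lines themselves are constructed assumptions for illustration.

```python
"""Review payroll-rate changes for unauthorised actors and non-independent approval.

Added example, not from the PwC deck. Assumed log format (CSV, one line per
change): timestamp, employee, field, old_value, new_value, changed_by, approved_by.
The authorised user lists and the 20% threshold are illustrative assumptions.
"""
import csv
import io

PAYROLL_MAINTAINERS = {"payroll_clerk_a", "payroll_clerk_b"}   # assumed role list
PAYROLL_REVIEWERS = {"payroll_supervisor", "hr_manager"}       # assumed role list
MAX_RATE_CHANGE_PCT = 20.0                                     # assumed threshold


def review_payroll_changes(log_text: str,
                           maintainers=PAYROLL_MAINTAINERS,
                           reviewers=PAYROLL_REVIEWERS,
                           max_pct=MAX_RATE_CHANGE_PCT):
    """Return one finding per rule breached: {"employee", "issue", "detail"}."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        emp = row["employee"]
        actor = row["changed_by"].strip()
        reviewer = row["approved_by"].strip()

        # Rule 1: only designated payroll staff may change rates at all.
        if actor not in maintainers:
            findings.append({"employee": emp, "issue": "unauthorised_actor", "detail": actor})

        # Rules 2-4: every change needs an independent, designated reviewer.
        if not reviewer:
            findings.append({"employee": emp, "issue": "no_independent_review", "detail": actor})
        elif reviewer == actor:
            findings.append({"employee": emp, "issue": "self_approved", "detail": actor})
        elif reviewer not in reviewers:
            findings.append({"employee": emp, "issue": "unauthorised_reviewer", "detail": reviewer})

        # Rule 5: large rate jumps go to internal audit even when properly approved.
        if row["field"] == "hourly_rate":
            old, new = float(row["old_value"]), float(row["new_value"])
            if old <= 0:
                findings.append({"employee": emp, "issue": "no_baseline_rate",
                                 "detail": row["old_value"]})
            elif abs(new - old) / old * 100 > max_pct:
                findings.append({"employee": emp, "issue": "large_change",
                                 "detail": f"{old:.2f} -> {new:.2f}"})
    return findings


# Constructed sample log (not real data).
SAMPLE_LOG = """\
timestamp,employee,field,old_value,new_value,changed_by,approved_by
2011-10-03T09:12:00,E1001,hourly_rate,450.00,470.00,payroll_clerk_a,payroll_supervisor
2011-10-03T09:40:00,E1002,hourly_rate,500.00,900.00,payroll_clerk_a,payroll_supervisor
2011-10-04T17:55:00,E1003,hourly_rate,380.00,400.00,payroll_clerk_b,payroll_clerk_b
2011-10-05T08:05:00,E1004,hourly_rate,600.00,620.00,it_admin,payroll_supervisor
2011-10-05T08:30:00,E1005,hourly_rate,420.00,430.00,payroll_clerk_b,
"""

if __name__ == "__main__":
    for f in review_payroll_changes(SAMPLE_LOG):
        print(f'{f["employee"]}: {f["issue"]} ({f["detail"]})')
```

Of the five sample changes only the first is clean: the others show, in turn, an approved but outsized increase, a clerk approving their own change, an IT administrator editing rates outside the payroll role, and a change nobody reviewed. A check like this is what internal audit would run on a schedule; it does not replace the access controls that should have prevented the it_admin change in the first place.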

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

7. Risk: Screening of new staff not being done, or HR not asking specifically whether new entrants have a history of fraud. Be careful of new rules about privacy and what can be said about a staff member who has left your company (Recruiting / Fraud)
   Treatment: Do proper fraud screening of new staff and check the privacy rules with your attorney.

8. Risk: Fire-related hazards and controls not functioning properly; also staff not trained to challenge strangers and suspicious persons (Occupational Safety)
   Treatment: Train staff in physical security awareness and implement emergency response planning.

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

9. Risk: Staff members are sometimes under the false impression that their compensation is not competitive (People / Financial)
   Treatment: Educate your staff by "showing off" all that your company is doing and let them see the total value, for both the monetary and the non-monetary things your company does. Also "show off" the accomplishments of your company's alumni.

Top Ten HR Risks from a Recent Study of Two Large Jamaican Companies

10. Risk: Poor succession planning and premature loss of talented staff (People)
    Treatment: Greater investment in recruiting, and early communication to staff with executive-level potential about their future prospects in the company.

Conclusion & Questions

Presenter Profile: Bruce Scott, FCA, FCCA, CISA, MBA, CISM, CBCP, CPA, CIA, CFE, CRISC

Bruce L. Scott is the Partner responsible for Risk and Internal Audit Services at PwC Jamaica. He has many years of internal audit and operational risk management experience within the firm, and spent six months in the Risk and Controls practice of the PwC office in Toronto, Canada.

Bruce is Certified in Risk and Information Systems Control (CRISC), among several other certifications, and holds an MBA from Manchester Business School. He has extensive experience in helping companies build out their enterprise and operational risk management infrastructures. He is the regional ERM subject matter expert for the PwC Caribbean Region.
