Risk Management - KPMG


Risk Management – A Driver of Enterprise Value in the Emerging Environment

kpmg.com

© 2011 KPMG International. KPMG International is a Swiss cooperative. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm. All rights reserved.

Table of Contents

About the survey
Perceptions post the meltdown
Executive summary
Summarizing key challenges and the way forward
Current trends and practices
Risk governance
Imperative 1: Enhancing board governance of risk
Case study: Utilizing balanced scorecard to oversee risks
Risk identification/assessment
Risk aggregation/mitigation
Risk e 2 Linking risks to strategy through KRIs
Case study: Linking objectives, strategy and risks to key risk indicators
Imperative 3: Instilling a robust risk culture
Case study: Undertaking a risk culture survey as a precursor to ERM implementation
Imperative 4: Position the CRO as a strategic business advisor
Case study: CRO helping risk function add value by bringing in the “outside in” perspective
Imperative 5: Integrating risk management at an enterprise level
Case study: Developing a single view of risk by integrating governance, risk and compliance

Foreword

In the aftermath of the global financial crisis, increasing pressure from corporate boards and senior leadership, investors, shareholders and regulators has elevated Enterprise Risk Management (ERM) to a ‘corporate imperative’ status. The consequences of failing to see through systemic issues and test the long term viabilities of corporate strategies are now well understood. Also exposed were the inadequacies of regulatory structures, which previously may have proliferated a box ticking mindset to risk management. Regulators have taken some steps at ensuring that an integrated risk assessment and a proactive approach to risk oversight are central to sustainable growth.

Influenced by growing regulatory and governance requirements, many organizations have formed Board-level risk committees to take a formal enterprise-wide role in risk assessment, mitigation and oversight. Board members and corporate leaders see the value of linking risk to strategy and using risk information to make improved, risk-informed, strategic business decisions. Developing, deploying and maintaining a practical, holistic risk management approach can help them lead through immediate, long-term, and evolving risks and succeed in the new business environment.

The survey provides both timely and useful insights on where the challenges lie and what are the steps that organizations have taken towards improving their risk management practices. To keep you informed, over the next 12 to 24 months, it would be our endeavor to engage with CEOs, Board Members and risk practitioners to share better practices and facilitate ongoing thought leadership on emerging practices.

We would like to thank all the respondents for taking the time to participate in this important initiative.

Eric Holt
Global Leader
Internal Audit, Risk and Compliance Services
KPMG LLP

About this survey

It would probably be fair to state that the global financial crisis has brought the discipline of Risk Management into the limelight. The regulatory framework for Risk Management and oversight has undergone a major overhaul in several countries. As organizations around the world are coming to grips with specific guidelines such as the Board’s oversight of Risk Management practices, linkage of executive compensation with risk, additional disclosures on Risk Management, etc., it is important to step back and ask the simple but pertinent questions about Risk Management:

Are today’s Boards well equipped to deliver effective risk oversight?
Where are organizations most challenged in linking risk to strategy?
Is Risk Management considered as fundamental to the achievement of business objectives?
Is Risk Management about realizing the upside or is it only about minimizing the downside that businesses could be exposed to?
Will Risk Management continue to be equally important as ‘normalcy’ is restored in the developed markets?
What is it that organizations need to do to embed risk thinking into decision making?

KPMG’s survey on Enterprise Risk Management, launched across Europe, Middle East, Africa and India, is an attempt to get to the bottom of the above questions and figure out what organizations are doing to elevate risk oversight and management to a different level. In addition to providing a perspective on current trends and practices, this report also includes good practices that organizations are implementing which we hope would benefit the recipients of this report.

Ashley Smith
EMA Leader, Internal Audit, Risk and Compliance Services
KPMG South Africa

Neville Dumasia
India Leader, Internal Audit, Risk and Compliance Services
KPMG in India


Respondent profile

[Chart: Respondents by region (India, Middle East, Europe, Africa). Source: KPMG Risk Management Survey 2011]

[Chart: Respondents by profile (CFO/Head of Finance; Head of Risk; CEO/Managing Director/Chairman; Head of Internal Audit; Executive Director; Audit Committee Member/Independent Director; Any other, e.g. President, Group President, Vice President, etc.). Source: KPMG Risk Management Survey 2011]

[Chart: Respondents by sector (Financial Services; Industrial Goods and Services; Technology (Software and technology hardware); Construction and Materials; Insurance; Health Care; Banks; Telecommunications; Oil and Gas; Chemicals; Retail; Food and Beverage; Automobile and parts; Utilities; Basic resources (paper, metals and mining); Conglomerate; Real Estate; Personal and Household Goods; Media; Travel and Leisure; Others). Source: KPMG Risk Management Survey 2011]

Executive summary

1. Risks have increased and become more complex, however, opinion is divided on the need for more regulation

Risks emanating from uncertainties in the global market place and growing complexity in the value chain are cited by most as the important factors contributing to increased risks. However, doubts still linger about the extent of commitment and sponsorship for good Risk Management practices at the CEO and Board-levels. Consequently, nearly half of the respondents consider regulations as being important to drive Risk Management forward.

2. CEO perceptions about Risk Management differ from that of the Board

Both CEOs and Board members consider Risk Management to be equally important. CEOs/business leaders would like to see more focus on reputation risk, political risk and the impact of corporate restructuring and M&A on business performance. CEOs view Risk Management through an opportunity lens whereas others view it with a “keep us out of trouble” lens.

3. Risk oversight responsibilities of Boards have become onerous, however there is a question mark over what Boards are doing to re-align their practices

The gist of the regulatory developments across various countries in Europe, Middle East, Asia and Africa is that the Boards have been tasked with the onerous responsibility of ensuring alignment between strategy, risks, rewards and executive compensation. However, clarity is lacking on how Boards are responding to these expectations. Only around a third of the respondents indicate that risk oversight is actually treated as a “full Board” responsibility. Boards express the view that companies lack definitive processes to share risk information with them and there is less confidence in the Board’s ability to monitor adherence to the established appetite.

4. Embedding a strong risk culture is still in its infancy

While attention is being given to improving existing Risk Management systems and processes, the softer and more fundamental issue of embedding risk into the organization’s culture and making it an integral part of the business is not getting the attention it deserves. Inadequate sponsorship at the top, inability to commit adequate resources and lack of adequate training in the use of Risk Management tools and techniques are proving to be impediments.

5. Current trends and practices indicate that there is still a long way to go in linking risks to strategy

Driven by regulatory requirements and demands from Boards, Audit and Risk Committees, a majority of respondents re-visit their risk profiles once a quarter. However, risk identification and assessment processes are not geared to provide an early indicator of likely risks or potential loss events that organizations could face in the future. Information sources are largely inward focused as compared to being forward looking and external focused. Detailed analysis of competitor strategies/benchmarking and scenario planning are not widely used. Over 80 percent of the organizations surveyed do not consider more than a three year horizon in their risk assessment and of these respondents, nearly 40 percent do not look beyond a year. Issues such as sustainability and climate change seldom feature in the risk assessments.

6. Organizations do not fully understand interdependencies between the various risks they face

Nearly two thirds of the respondents in our survey indicated that their organizations developed risk responses at an individual risk/process level rather than at a portfolio level.

This is partly fallout of the challenges that organizations are facing in risk aggregation/quantification at the organizational-level. Specifically, organizations have issues with ‘integration of risk, finance and business views’; ‘availability of data and data integrity’ and ‘utilization of appropriate tools to quantify and measure the impact of risks’. ‘Lack of adequate training on risk quantification/usage of quantification tools’ certainly adds to these challenges.

7. Chief Risk Officers (CROs) need to become strategic business advisors

Non-financial companies are beginning to embrace the concept of appointing Chief Risk Officers. Two-thirds of the respondents believe that having a CRO will bring about a perceptible change to the quality of Risk Management practices prevalent in their organizations.

CROs have tended to focus on known risks and on the process and operational aspects of the business. Going forward, CROs are expected to validate the assumptions underlying strategy with benchmarking data, competitive trends and sector analysis and use this to advise the business on risk taking.

Perceptions post the meltdown

In the immediate aftermath of the global meltdown, two separate research projects sponsored by KPMG* and undertaken by the Economist revealed the following:

1. Fearful of both business failure and the penalties of non-compliance, many organizations have reacted by swelling their governance, Risk Management and compliance departments (GRC). This has led to a costly and complex web of often uncomplicated structures, policies, committees and reports creating duplication of effort. Worse still, GRC has lost sight of its prime objective; to improve efficiency and performance. In essence, the solution has become part of the problem.

2. Risk Managers are spending a disproportionate amount of their time on controls, compliance and monitoring activities although their real priorities lie elsewhere.

The above aptly summarize the key challenges confronting the discipline of Risk Management - it is yet to make the leap to a strategic level.

Over the past 18 months, a number of changes have been made to regulations particularly aimed at strengthening risk oversight processes at the Board level across several countries. A brief illustrative snapshot of these changes across select countries such as the UK, South Africa, India and Nigeria is set out in the following table.

* KPMG - EIU Report titled “The convergence challenge”, February 2010
KPMG - EIU Report titled “Beyond box-ticking: A new era of Risk Governance”, 2009

UK (Revised Corporate Governance Code)

The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives. The Board should maintain sound Risk Management and internal control systems.

The Board’s role is to provide entrepreneurial leadership of the company within a framework of prudent and effective controls which enables risk to be assessed and managed.

Non-Executive Directors (NEDs) should satisfy themselves on the integrity of financial information and that financial controls and systems of Risk Management are robust and defensible. They are also responsible for determining appropriate levels of remuneration of executive directors.

South Africa (King III)

The Board should comment in the integrated report on the effectiveness of the system and process of Risk Management.

The Board’s responsibility for risk governance should be expressed in the Board charter.

The induction and ongoing training programs of the Board should incorporate risk governance.

The Board should review the implementation of the Risk Management plan at least once a year.

The Board should ensure that the implementation of the Risk Management plan is monitored continually.

The Board should set the levels of risk tolerance once a year.

The Board may set limits for the risk appetite.

The Board should monitor that risks taken are within the tolerance and appetite levels.

India (Draft Companies Bill)

The Board to affirm and disclose in its report to members about critical Risk Management policy for the company.

Board of Directors report should include a statement indicating development and implementation of a Risk Management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.

Nigeria (Guidelines on Risk Management)

The Board should:

Oversee the establishment of a management framework that defines the company’s risk policy, risk appetite and risk limits. The framework should be formally approved by the Board.

Ensure that the Risk Management framework is integrated into the day-to-day operations of the business.

Undertake at least annually, a thorough risk assessment covering all aspects of the company’s business.

Obtain and review periodically relevant reports to ensure the ongoing effectiveness of the company’s Risk Management framework.

Ensure that the company’s Risk Management policies and practices are disclosed in the annual report.

Source: KPMG Risk Management Survey 2011

50% of the respondents overall still believe that regulations will influence Risk Management positively. This view perhaps stems from the belief that stringent regulations are required to make the top management, viz., the CEO and the Board, more committed to effective Risk Management.

View from Non-Executive Independent directors

We interviewed a select group of independent directors to gather their views on the slew of new regulatory developments and what it means for Board oversight of risk. A majority agree that Boards need to play a more pro-active role in oversight of Risk Management, however there is also an apprehension that regulatory developments will result in an excessive focus on the processes of risk oversight with lesser attention being given to risk content and the quality of risk mitigation actions. When we queried independent directors on the areas where they are most challenged in providing effective risk oversight, they cited the lack of adequate involvement in strategy and the quality of risk information as being the most important challenges.

View
