Holistic risk management Organisational measures to create a strategic view of risk Contents About this report Introduction3 Collaboration across functions Strategic planning Conclusion8 © The Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk About this report Holistic risk management, written by The Economist Intelligence Unit and sponsored by SAP, investigates the organisational measures companies must take to address the totality of the risks they face The report is based on interviews with the following executives and experts Patrick Abdullah, vice president of enterprise risk management, Astro Overseas Limited Mohammad Azam, vice president of corporate internal audit, compliance and ethics, UPS Michael Kearney, managing partner, strategic risk services, Deloitte Mark Newlands, head of risk management, Anglo American Brian Schwartz, US performance leader for governance, risk and compliance, PwC The Economist Intelligence Unit would like to thank these interviewees for their time and insight The report was written by Pamela Black and edited by Pete Swabey Carol Fox, director of strategic and risk management, the Risk Management Society © The Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk Introduction Businesses have always been exposed to risk, and the obligation to manage it is nothing new However, there is a growing concern among business leaders that they are exposed to strategic risks that threaten the very existence of their company “Every company in every industry in every country is at the risk of being disrupted or supplanted—like Blockbuster or BlackBerry,” says Michael Kearney, national managing partner of strategic risk services at Deloitte While it can be difficult to engage senior executives in conversations about individual risks such as succession planning, “there’s not a CEO in the world who doesn’t want to talk about disruption” They are right to be concerned According to the Corporate Executive Board (CEB), a memberbased advisory company, 86% of the most damaging risks to shareholder value over the past decade have been strategic risks, such as competitive incursions and falling demand for core products Most companies are not equipped to handle these strategic risks, the CEB reports They may not understand how to audit them, and responsibility for individual risks—such as legal, audit, cyber security and safety—is divided among separate divisions Even different functions within risk-management departments have their own separate duties As a result, there is confusion as to which department is accountable for which risks, and senior managers are forced to wade through numerous, often contradictory reports with no clear coherence or prioritisation This slows the process of making strategic decisions and creates a drag on growth, according to the CEB A survey it conducted in 2014 showed that 91% of organisations are therefore planning to reorganise their risk-management approach.1 There is evidence that a holistic and strategic approach to risk management pays off. A 2015 PwC survey “Risk in Review,” shows that over the past three years, 55% of companies deemed leaders in risk management recorded increased profit margins, and 41% achieved an annual profit margin of more than 10% “When companies focus on this, they have an edge,” says Brian Schwartz, who leads the US governance, risk and compliance practice at PwC “There is a strong linkage with aligning risk management and strategy to driving performance.”2 But achieving a holistic and strategic approach to risk management requires a number of organisational measures As this report explains, the aim of these measures is to improve crossorganisational communication and to link riskmanagement controls to the strategic objectives of the company © The Economist Intelligence Unit Limited 2015 http://www executiveboard.com/exbd/ executive-guidance/2014/ q3/index.page? http://www.pwc.com/us/ en/risk-assurance-services/ risk-in-review.jhtml Holistic risk management Organisational measures to create a strategic view of risk Collaboration across functions One of the first steps towards achieving a holistic view of risk is to get internal audit and compliance teams within individual departments to collaborate effectively with the riskmanagement function This means opening lines of communication between departments that might not otherwise interact At logistics company UPS, for example, Mohammad Azam, vice president of corporate internal audit, compliance and ethics, meets regularly with an enterprise risk council comprised of some 25 top representatives from every large function in the corporation, including treasury, insurance and HR, to discuss risks and assign the right experts to work on solutions This brings together disparate groups that would otherwise not collaborate “Right now, groups don’t have to talk to each other except through a risk forum,” says Mr Azam The council is not a replacement for the existing, formal channels of communication but rests on top of them as another, more open conduit “How many times will people from different silos talk about risk across geography and function?” asks Mr Azam “This process is a very healthy way of breaking down the barriers of who can talk to whom It makes the process much more transparent.” © The Economist Intelligence Unit Limited 2015 This transparency helps prevent risks from slipping through unnoticed According to Mr Azam, the concept of an enterprise-wide risk programme first gained currency at UPS about eight or nine years ago because of fears about a bird flu outbreak As a company that runs its own airline, UPS has to worry about such health epidemics, as well as terrorism The lines of communication the company established in response “capture such risks that don’t fall under the purview of any one person or function,” Mr Azam says Mark Newlands, head of risk management for Anglo American, a multinational mining company based in the UK, has also achieved a better insight into the organisation’s risk profile by improving communication When Mr Newlands joined the company eight years ago, one of the first things he did was to consolidate the channels of risk-related communication through him At that time each commodity division had its own audit managers, who could influence which risks were reported by frontline employees Workers in the platinum mine reported to their own internal audit managers, for example, as did iron ore workers “Now they report directly to me and not to their on-site managers,” Mr Newlands says Holistic risk management Organisational measures to create a strategic view of risk He, in turn, reports to an audit committee of independent, non-executive board directors, in addition to reporting separately to the CFO According to him, this structure preserves everyone’s independence Although internal audit managers still exist at each mine site, they can no longer filter information coming from below As Mr Newlands explains: “There’s no reporting line to that management team.” Those who disagreed with such new policies have left, he adds When Mr Newlands arrived, Anglo American also lacked other risk protection measures, such as a way to manage bribery “In mining, we work in some areas that have a high risk from a corruption point of view,” he says “Our competitor, BHP, was fined US$25m for paying for entertainment at the Beijing games.”3 Mr Newlands has therefore instituted policies to ensure that the company knows what level of entertainment is being provided, and that the people being entertained are not in current contract negotiations with Anglo American Encouraging disparate groups to work together and participate in a firm-wide risk-management programme requires board sponsorship and often monetary incentives At Astro Overseas Limited, a media company based in Malaysia, “the biggest challenge has been the need to convince employees—especially senior executives and key personnel from different countries—to take risk management seriously,” says Patrick Abdullah, vice president of enterprise risk management Mr Abdullah controls risk management at the both the Astro Overseas parent company and at numerous companies it has acquired in the region At many of the acquisitions, “C-level executives are predominantly driven by financial and operational targets, so risk management becomes secondary,” he says As a result, they tend to take risks for short-term gain, which may have an adverse impact on long-term goals and sustainability To manage this problem, the board first linked a small percentage of compensation to responsibility for risk management Now, says Mr Abdullah, the board is planning to introduce incentive plans and rewards for long-term riskmanagement responsibilities http://www.theguardian com/business/2015/ may/21/bhp-billitonfined-us25m-for-gift-tripsto-beijing-olympics-forforeign-officials © The Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk Strategic planning Beyond cross-functional collaboration and communication, another key component of holistic risk management is the ability to understand risks in the context of the organisation’s strategy This understanding allows business leaders to make decisions more effectively—which is, after all, the ultimate aim of risk management “At the end of the day, this is not about risk professionals, but about executive teams making sure that they understand risks,” says PwC’s Mr Schwartz The inability to tie a given risk to a company’s strategy makes it harder to take strategic decisions, according to the CEB, which in turn slows down its ability to respond to changes in the market http://www.imanet org/docs/default-source/ sf/02_2012_frigo_laessoe_ reduced-pdf.pdf?sfvrsn=0 It can also make companies unnecessarily risk-averse For example, an enterprise-wide risk assessment by the Danish toymaker Lego revealed that it was leaving money on the table by being too conservative According to Carol Fox, director of strategic and risk management at RIMS, the company took the decision to move beyond risk avoidance and create new opportunities, products and profits following this assessment.4 © The Economist Intelligence Unit Limited 2015 Building this understanding begins with risk assessment Most risk-management functions periodically survey departmental managers to identify risks, and then prioritise the 10 or 20 most pressing risks These are determined primarily by two factors: each risk’s potential impact on the performance of the firm, and the likelihood of its occurrence based on controls that are currently in place A newer factor, according to PwC’s Mr Schwartz, is velocity, or how quickly the impacts of a risk occurring are felt Of course, there are many risks beyond the top tier Some firms create integration maps to see how all their risks are interrelated, how a lowranked risk might affect a higher-ranked one, or the knock-on effect of one risk on others Each risk needs to be identified, prioritised, profiled, mitigated and monitored At Anglo American, Mr Newlands takes his strategic risk plan to the audit committee each year High-risk items are audited on a yearly basis, while lower-impact items are audited every five years “If something is given a poor reading, we’ll go back and fix it,” he says “Our process requires us to have local managers agree with what we’ve found and how to fix it by agreed dates.” Holistic risk management Organisational measures to create a strategic view of risk Assigning accountability for risk and ensuring that risk owners carry out their duties is a critical part of the process “While the risk management team works proactively with the various businesses to identify risks and mitigation plans with risk owners for implementation, our internal audit will test existing controls to ensure their effectiveness,” says Mr Abdullah The audit team will then make recommendations that are communicated via reports to the risk functions and top managers, and work with risk owners to determine the best method to implement them For risk management to be tied to company strategy, risks must be understood in relation to the objectives the departments are trying to pursue At Anglo American, risk assessments used to be done via a simple checklist of risks, with no discussion of a given unit’s particular objective The same checklist would be used across all geographical divisions, according to Mr Newlands Now the risk team works with mine managers to create a business plan and prioritise their goals to achieve certain production and safety objectives in a given timeframe “When we changed the system, we talked to the mine managers and said the starting point is to assess the risks to achieving your business plan objectives,” he says Whether it’s the C-suite or the mine operator, “the starting point is the objective,” Mr Newlands points out “It could be financial or not, it could be to produce 40m tonnes of iron ore this year, to deliver a new mine by the end of 2018, or to implement a new IT system The starting point is: what are we trying to achieve?” For example, if the price of iron ore falls off significantly, a strategic goal may be to reduce costs by cutting staff “But if you are reducing 10% of your headcount, you have to ask: what could prevent you from achieving it by that date?” asks Mr Newlands “What are the risks to the business of achieving that goal long-term? If you achieved it, could you respond to a sudden change in the market in a positive direction?” “If you’re going to have an internal audit deliver real value, you have to be looking at real risks and controls,” he adds “To that, you need an organisational view.” According to RIMS, the biggest challenge now facing risk managers is shifting an organisation’s risk focus from a “rear-window view” to a current and even predictive assessment of risk This may still be an elusive goal Mr Azam believes that UPS is ahead of its peers in terms of viewing risk holistically, but “we still can’t foresee which risks will be coming our way six months down the road” The need for this predictive view will only increase as the risk of disruption grows, Mr Azam says For example, Uber, the popular taxi-booking app, is now exploring the possibility of launching delivery services “Everyone is trying to get into the delivery business,” he says “I’m not sure they’ve figured it out, but we need to make sure we’re ahead of the curve.” © The Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk Conclusion The process of moving from siloed and fragmentary risk management to a more holistic approach is a journey that will be different for every organisation. As Mr Azam from UPS explains: “The whole journey is an evolutionary process, and it will take a different course and timeline depending on the nature of the business, the structure of the organisation and— very importantly—the culture of the company.” For Mr Newlands of Anglo American, the key to success it to ensure that risk-management practices are “part of the way business is conducted, and not a ‘bolt-on’ or separate activity”.  But there are some common characteristics that define success, Mr Azam believes These are: According to the CEB, engaging the whole organisation in risk management, not just the most senior executives, is something that the majority of companies could better: “Most organisations need to worry more about their middle managers and frontline employees than about their senior leaders,” the CEB writes.5 l Proactive identification and appropriate visibility of risks l Appropriate ownership assignment and effective monitoring of risk-mitigation efforts l Oversight of key risks and the remediation efforts by senior management and the board of directors l Standard terminology and measurement processes that are implemented throughout the organisation http://www executiveboard.com/exbd/ executive-guidance/2014/ q3/index.page? © The Economist Intelligence Unit Limited 2015 “That will need executive management buy-in and a demonstration to line management what benefits they can expect to see,” he adds Articulating the benefits of risk management to employees at every level of the organisation, not just the board, is therefore critical if the organisation is to achieve truly holistic risk management While every effort has been taken to verify the accuracy of this information, The Economist Intelligence Unit Ltd cannot accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in this report LONDON 20 Cabot Square London E14 4QW United Kingdom Tel: (44.20) 7576 8000 Fax: (44.20) 7576 8500 E-mail: london@eiu.com NEW YORK 750 Third Avenue 5th Floor New York, NY 10017 United States Tel: (1.212) 554 0600 Fax: (1.212) 586 1181/2 E-mail: newyork@eiu.com HONG KONG 1301 Cityplaza Four 12 Taikoo Wan Road Taikoo Shing Hong Kong Tel: (852) 2585 3888 Fax: (852) 2802 7638 E-mail: hongkong@eiu.com GENEVA Rue de l’Athénée 32 1206 Geneva Switzerland Tel: (41) 22 566 2470 Fax: (41) 22 346 93 47 E-mail: geneva@eiu.com ... strategic and risk management, the Risk Management Society © The Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk Introduction... Economist Intelligence Unit Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk About this report Holistic risk management, written by The Economist Intelligence... Limited 2015 Holistic risk management Organisational measures to create a strategic view of risk Conclusion The process of moving from siloed and fragmentary risk management to a more holistic approach