Faisal Ahmad Al Maghribi - The 3rd Kuwait Enterprise Risk

Transcription

Enterprise Risk Management
3rd Kuwait ERM Conference
29th March 2015
“Enhancing ERM Performance Through
Developing Key Risk Indicators”
3rd Kuwait ERM Conference
McKinsey & Company
Speaker's Background
Faisal Ahmad AlMaghribi
Risk Analyst, ERM.
Joined KNPC in June 2012.
Nearly 3 years in the ERM / Risk Management Dept.
With previous exposure to RM in the financial industry.
MBA, thesis in Financial Risk Management (2011).
Chartered Operational Risk Management Specialist certificate from "IABFM", USA (2013).
CPRM Certificate from ARiMI, Singapore (2014).
ERM- Risk Management
Mar. - 2015
3
Abstract
The objective of this paper is to present an effective "risk tool" that is
capable of assisting management in tracking the risk behavior of highly
ranked organizational risks. This presentation aims at sharing the
importance of setting Key Risk Indicators (KRIs) for monitoring risk behavior
effectively.
The presentation covers various areas: the definition of KRIs, types of KRIs, linking
KRIs to strategy, the "RCA" technique, methods for identifying KRIs, the
process of setting KRIs in KNPC, advantages & limitations of KRIs, and,
finally, the risk reporting stage.
In conclusion, developing Key Risk Indicators is a pro-active, value-adding
tool for driving business performance in KNPC that accounts for risks and
risk behaviors in compliance with the Risk Appetite.
Agenda (Time: 30 minutes)
Introduction
Risk definition
Key Risk Indicators definition
Types of KRIs
Linking KRIs to strategy
Root Cause Analysis techniques
Thresholds & limits
Example: Cyber Risk
Methods for identifying KRIs
The process for setting KRIs in KNPC
Advantages & limitations of KRIs
What happens if limits are crossed?
Risk Reporting
References
Risk Definition
• It is about "uncertainty of return"!
Risk is defined as:
"an uncertain event or condition that, if it occurs, has a
positive or negative effect on objectives" (KNPC ERM Manual).
Key Risk Indicators Definition
• KRIs "relate to a specific risk and demonstrate a change in the
likelihood or impact of the risk event occurring" (ARiMI, 2009).
• KRIs are metrics used by organizations to provide an early signal of
increasing risk exposures in various areas of the enterprise (COSO,
2010).
• KRIs can be regarded as "early-warning systems" for managers
(ARiMI, 2009).
Key Indicators – Definitions
1) Key Management Indicators (KMIs) – monitor the evolution of
achievement of specific business objectives (e.g. volumes of
business, share price, revenue, earnings, etc.).
2) Key Performance Indicators (KPIs) – monitor changes in the
performance of business/operational activities/processes that
have an impact on specific business objectives.
3) Key Risk Indicators (KRIs) – relate to a specific risk and demonstrate
a change in the likelihood or impact of the risk event occurring.
4) Key Control Indicators (KCIs) – relate to monitoring a control's
application and effectiveness.
Note: KPIs or Key Performance Measures (KPMs) drive KRIs in the
following sense: KRIs include many of the metrics used by KPMs (ARiMI, 2009).
Types of KRIs
1) Leading indicators
Description: A metric that changes before the occurrence of the
risk (investopedia.com). It is used to predict risk behavior.
Examples: On-the-job training; No. of HSE near misses; Re-order
point for inventory.
2) Lagging indicators
Description: A metric that changes after the occurrence of the
risk (investopedia.com). It is used to confirm a long-term trend.
Examples: Employee attendance; No. of HSE incidents; No. of power
failures at the refinery/factory.
Linking KRIs to Strategy
• Why are KRIs applied in organizations?
• Why are KRIs being implemented in KNPC?
Linking KRIs to Strategy
• Developing KRIs will provide early warning signals of increasing risk
exposures in various areas of the enterprise, and allow the
monitoring of risk behavior.
• Setting Key Risk Indicators (KRIs) is one of the primary activities as
per the KPC ERM 2030 strategy and the KNPC ERM strategic initiative
"Quick Hit Enhancements": identify KRIs, develop monitoring plans,
and implement them in the ERM IS software
(AVANON) across KNPC departments.
• Defining and using appropriate KRIs & measures typically comes
with the maturity of an organization's ERM capability (Deloitte's
ERM Capability Maturity Model).
Elements of Risk & KRIs
• A typical risk description includes the following
elements:
Cause → Event → Impact
• Identifying all risk elements enables better
understanding of the risk & helps determine the relevant
indicators to be used for measuring changing risk levels
(ARiMI).
Root Cause Analysis (RCA) Techniques
"Understanding the root causes of key risks is at the heart of
preventive KRI identification" (Dr. Chapelle, 2015).
1) Risk Tree Map:
A diagram that maps out the causes and consequences of a risk
event from an analytical approach.
Note: This is the technique utilized by the KNPC ERM Team.
2) Fishbone Diagram (also called a fish diagram).
3) Bow Tie: It resembles the shape of a bow tie.
Defining Risk Elements: Risk Tree Map (figure)
Causes (roots) → Event (key process or asset) → Consequences (disruption, crisis).
Focus on the causes to prevent the crisis; focus on the consequences to manage the crisis.
A Subsidiary of Kuwait Petroleum Corporation
Thresholds & Limits
• In order to monitor risks effectively, it is important to
measure them to determine the quantitative amounts
of risk the company is exposed to.
• "KRI thresholds are one way of expressing Risk Appetite
throughout the organization's operations, with lower
thresholds typically linked to lower risk appetite" (Dr.
Chapelle, 2015).
Threshold Value (Alarm Point #1): the minimal value a certain risk
indicator may have before attention is required (keyword: Monitor).
Limit Value (Alarm Point #2): the maximum tolerable value a certain
risk indicator may have (keyword: Act).
Example: Cyber Risk
The Risk of Insufficient Security – IT Online Threat:
Risk #: KNPC195
Risk ID: KNPC195
Risk Name: SS IT Inefficient Security Online Threats
Risk Description: The risk of online threats (e.g. viruses, intruders) due to
inadequacy of technology-centric security of the IT environment,
potentially affecting data integrity and/or business continuity.
KRIs:
1) No. of critical incidents
KRI description: Monitor the number of critical IT security incidents.
Threshold value: 4 per day, (4*30*3) = 360/qtr.
Limit value: 7 per day, (7*30*3) = 630/qtr.
2) No. of emergency incidents
KRI description: Monitor the number of emergency IT security incidents.
Threshold value: 2 in a month, (2*3) = 6/qtr.
Limit value: 3 in a month, (3*3) = 9/qtr.
3) No. of open vulnerabilities
KRI description: Monitor the number and severity of vulnerabilities.
Threshold value: 2 per IP address per qtr.
Limit value: 4 per IP address per qtr.
[Chart: No. of Actual Incidents by quarter, 2013 (Q4), 2014 (Q1), 2014 (Q2), 2014 (Q3), 2014 (Q4)]
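The thresholds-and-limits scheme and the cyber-risk KRIs above (KNPC195) can be turned into a small monitoring routine. The following is an added example written for this transcription, not code from the presentation or from KNPC; it keeps the slide's threshold and limit values (including the 4 per day * 30 days * 3 months = 360 per quarter scaling) and applies the slide's two alarm points, Monitor and Act, to per-quarter counts. The incident records, quarter labels, IP addresses and vulnerability IDs in the sample data are constructed for illustration.

```python
"""KRI threshold/limit evaluation for the cyber-risk example (KNPC195).

Added example, not from the presentation. KRI names, threshold and limit
values come from the slide; all incident, quarter and vulnerability data
below are constructed sample input.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date

# Keywords of the two alarm points on the slide, plus a below-threshold state.
OK, MONITOR, ACT = "OK", "MONITOR", "ACT"


@dataclass(frozen=True)
class KRI:
    name: str
    threshold: float  # alarm point 1: start monitoring
    limit: float      # alarm point 2: act, the risk appetite is breached


def quarterly(rate: float, periods_per_quarter: int) -> float:
    """Scale a per-day or per-month rate to a quarter the way the slide does
    (a 30-day month, three months per quarter)."""
    return rate * periods_per_quarter


# KRIs 1 and 2 from the slide, expressed per quarter (360/630 and 6/9).
CRITICAL = KRI("critical incidents / qtr", quarterly(4, 30 * 3), quarterly(7, 30 * 3))
EMERGENCY = KRI("emergency incidents / qtr", quarterly(2, 3), quarterly(3, 3))
# KRI 3 from the slide: open vulnerabilities per IP address per quarter.
VULN_PER_IP = KRI("open vulnerabilities / IP / qtr", 2, 4)


def status(kri: KRI, value: float) -> str:
    """Map an observed KRI value to OK / MONITOR / ACT (limit wins over threshold)."""
    if value >= kri.limit:
        return ACT
    if value >= kri.threshold:
        return MONITOR
    return OK


def quarter_of(d: date) -> str:
    """Calendar quarter label in the form used on the slide's chart, e.g. '2014 (Q1)'."""
    return f"{d.year} (Q{(d.month - 1) // 3 + 1})"


def evaluate_incidents(incidents):
    """incidents: iterable of (date, severity), severity 'critical' or 'emergency'.
    Returns {quarter: {kri_name: (count, status)}} for KRIs 1 and 2."""
    counts = Counter((quarter_of(d), sev) for d, sev in incidents)
    report = {}
    for q in sorted({q for q, _ in counts}):
        report[q] = {}
        for sev, kri in (("critical", CRITICAL), ("emergency", EMERGENCY)):
            n = counts[(q, sev)]
            report[q][kri.name] = (n, status(kri, n))
    return report


def evaluate_vulnerabilities(open_vulns):
    """open_vulns: iterable of (quarter, ip, vuln_id). The slide sets KRI 3 per IP
    address, so each host is graded on its own; duplicate findings for the same
    host and ID are counted once. Returns {quarter: {ip: (count, status)}}."""
    per_ip = defaultdict(set)
    for q, ip, vid in open_vulns:
        per_ip[(q, ip)].add(vid)
    report = defaultdict(dict)
    for (q, ip), vids in per_ip.items():
        report[q][ip] = (len(vids), status(VULN_PER_IP, len(vids)))
    return dict(report)


def worst(statuses):
    """Roll several statuses up to the most severe one (what a quarter reports)."""
    order = {OK: 0, MONITOR: 1, ACT: 2}
    return max(statuses, key=order.__getitem__, default=OK)


def sample_incidents():
    """Constructed incident log: one (date, severity) record per incident."""
    out = []
    for n, d, sev in [(400, date(2014, 1, 15), "critical"), (7, date(2014, 2, 3), "emergency"),
                      (650, date(2014, 5, 10), "critical"), (10, date(2014, 6, 1), "emergency"),
                      (100, date(2014, 8, 20), "critical"), (3, date(2014, 9, 9), "emergency")]:
        out.extend([(d, sev)] * n)
    return out


def sample_vulnerabilities():
    """Constructed scan results: (quarter, ip, vuln_id); hypothetical hosts and IDs."""
    q = "2014 (Q2)"
    return [(q, "10.0.0.5", "V-101"), (q, "10.0.0.5", "V-102"), (q, "10.0.0.5", "V-103"),
            (q, "10.0.0.5", "V-103"),  # duplicate finding, counted once
            (q, "10.0.0.9", "V-201"), (q, "10.0.0.9", "V-202"), (q, "10.0.0.9", "V-203"),
            (q, "10.0.0.9", "V-204"), (q, "10.0.0.12", "V-301")]


if __name__ == "__main__":
    for q, row in evaluate_incidents(sample_incidents()).items():
        print(q, row, "->", worst(s for _, s in row.values()))
    for q, hosts in evaluate_vulnerabilities(sample_vulnerabilities()).items():
        print(q, hosts, "->", worst(s for _, s in hosts.values()))
```

Two design points worth noting. First, the quarterly figures are derived from the slide's own rule (a 30-day month times three), so a real 92-day quarter is held to the same 360/630 line; if the indicator is meant as a rate rather than a count, scale by the actual number of days instead. Second, KRI 3 is defined per IP address, so the routine grades each host separately and only then rolls the quarter up to its worst host; summing vulnerabilities across all hosts would hide a single badly exposed server behind many clean ones.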
Methods for identifying KRIs
What is the source of information when developing KRIs?
• Workshops (KNPC)
• Focus groups
• Interviews
• Surveys
• Courtesy visits
• Other sources (e.g., market/industry reports such as the "Solomon Studies").
The Process of Setting KRIs in KNPC
• Extract Very High & High risks from the department's Risk Register.
• Develop proposed KRIs for the corresponding risks (by ERM analysts).
• Repeat the same process for departments with similar activity & conduct a workshop for "aggregation" purposes.
• Circulate for consultation within the ERM Team.
• Issue a memo to the responsible department to confirm the KRIs & request data uploading into the ERM IS software "Avanon".
• Send the proposed KRIs to the WTM for review/modification & approval from the department.
• Monitor the updating of KRIs periodically during the year.
Advantages of KRIs
• Effective KRIs can provide value to the company in various ways:
1) Risk Appetite
2) Risk and Opportunity Identification
3) Risk Treatment
4) Risk Reporting
5) Compliance Efforts
6) Improved Performance
7) Improved Processes
8) Improved Workplace Environment
Advantages of KRIs
1) Risk Appetite:
“By mapping KRI measures to identified risk appetite and tolerance
levels, KRIs can be a useful tool for better articulating the risk
appetite that best represents the organizational mindset” (COSO).
2) Risk and Opportunity Identification:
“KRIs can be designed to alert management to trends that may
adversely affect the achievement of organizational objectives or may
indicate the presence of new opportunities”.
3) Risk Treatment:
KRIs can initiate action to mitigate developing risks by serving as
“triggering mechanisms” for organizations.
Advantages of KRIs
4) Risk Reporting:
KRIs can provide measurable data conducive to aggregation and
useful to management after reporting.
5) Compliance Efforts:
KRIs may be useful in demonstrating compliance with established
requirements in areas such as reserve levels, environmental
regulations (K-EPA), and the requirements of other stakeholders.
6) Improved Performance:
The use of KRIs to anticipate emerging risks and changes in risks over
time can decrease losses, identify opportunities for strategic
adjustments, and potentially reduce the cost of capital by
mitigating the perceptions of risk that lending parties may have.
Advantages of KRIs
7) Improved Processes:
KRIs can help reduce service disruptions, improve supply chain
management, and enhance customer satisfaction by potentially
avoiding certain decisions that may unknowingly create risks affiliated
with these processes (e.g., the risk of a long project life cycle).
8) Improved Workplace Environment:
The use of KRIs can lead to less reliance on crisis management, and
possibly faster business recovery when dealing with critical or emergency
incidents (e.g., the risk of HSE events, or the risk of a labor strike).
Limitations of KRIs
The following are some of the shortfalls of KRIs:
• Can be costly to implement and to update (frequently).
• Can be hard to measure in some cases.
• Require a good understanding of the risk cause (for
likelihood drivers) and consequence (for impact
drivers).
• The level of usefulness varies from risk to risk.
• Depend on organizational maturity and risk culture.
What happens if limits are crossed?
• Crossing the Limit means that the Risk Appetite has been
breached!
• Senior Management monitors the activity of risks by
monitoring the changing levels of thresholds & limits. Once
the limit is crossed, top management would: 1) analyze the
new situation, and 2) determine the best ways to deal with it.
• The company is expected to take corrective actions (to
decrease the likelihood and/or impact of the event).
What happens if limits are crossed?
Potential solutions vary based on management's
assessment of the intensity of the emerging risk. They include:
• Modifying the risk category (elevating from High to Very
High).
• Reviewing controls (MCSs).
• Treating risks immediately by implementing risk
mitigation plans.
Risk Reporting
• You can’t manage what you cannot measure &
monitor!
Why is Risk Reporting Important?
Code of Corporate Governance:
• "Key Principle: Organizations should implement a process to
regularly monitor their risk profiles, and material exposures to
losses. There should be regular reporting of pertinent
information to senior management, and the board of
directors that supports the proactive management of risk"
(ARiMI).
• The main elements that should be in any executive risk report:
(1) Losses, (2) Incidents, (3) Management assessments, and (4)
KRIs.
Reporting to KPC
• KNPC reports to KPC annually as part of the ERM Cycle.
• This is achieved by updating the ERM IS software, Avanon, periodically.
• KNPC ERM utilizes the "Avanon" system for monitoring & reporting KRIs for management purposes.
References
• KNPC ERM Manual (2015).
• McKinsey (2013).
• Deloitte (2013).
• COSO (2010).
• ARiMI training material for the CPRM Certificate (2009).
• Investopedia.com (2015), viewed 10 January 2015, <Investopedia.com>.
• "Root cause analysis" training material by Bureau Veritas (2013).
• Dr. Chapelle, A. (2015), "Six Steps for Preventive KRIs", viewed 10 March 2015, <Risk.net>.
Thank You