ERM - Prez


Enterprise Risk Management System

Agenda
• Why
• Risk, Risk Management and ERM
• How
• ERM Process
• Key Outcome
• ERM System Development Plan


Why?
Key Questions
• What are the significant risks?
• How are we managing risk?
• How much risk can we take?
• How much risk are we willing to take?
• What is our current risk level/exposure?
Corporate Governance
Listed Companies Corporate Governance Regulations 2017 (SECP)

BOD & its Members' Responsibilities:
• Maintain policies for governance of risks
• CEO shall report to BOD on governance, risk management and compliance issues. Risks to be
considered shall include reputational risk and shall address risk analysis, risk management
and risk communication
• May constitute the risk management committee to carry out a review of effectiveness of risk
management procedures and present a report to the Board. The terms of reference of the
committee may include the following:
a) Monitoring and review of all material controls (financial, operational, compliance);

b) Risk mitigation measures are robust and integrity of financial information is ensured; and

c) Appropriate extent of disclosure of company’s risk framework and internal control system
in Directors report.
Drivers
• BOD Responsibilities
• Objectives: aggressive
• Strategy: expansion, fast growth
• Environment: volatile, integrated
• Culture: goal-oriented, innovation, taking calculated business risk
• Industry Regulations: compliance issues
• Corporate Governance Laws: future impact
Risk, Risk Management & ERM
Definition of Risk

“effect of uncertainty on objectives”


(ISO 31000:2009, ISO Guide 73:2009)
The Essence of Risk
Threat: a risk that may HINDER the achievement of objectives
Opportunity: a risk that may HELP in the achievement of objectives

Examples of sources that can act either way:
• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
Objectives & Risk Levels
• Strategic Level (long term): markets, diversification, overseas expansion, competitive strategies
• Management / Tactical Level (medium term): projects, mergers, acquisitions and product developments
• Operational Level (short term): routine activities
Example
• Selection of a new IT system: Strategic Level Risk
• Implementation project on time, within budget and to specification: Tactical Level Risk
• Computer breakdown, loss of data, virus attacks and operator errors: Operational Level Risk
Risk Management
Risk management is the identification, evaluation, and
prioritization of risks followed by coordinated and
economical application of resources to minimize, monitor,
and control the probability or impact of unfortunate
events or to maximize the realization of opportunities.

Risk management's objective is to assure that uncertainty does not deflect the endeavor from the business goals.
Traditionally Risk Management: "silos"

Strategic Risk
• Who: Board of Directors, CEO
• How: Strategic planning

Business Risk
• Who: Business Managers, Project Managers
• How: Product plans, Project management

Financial Risk
• Who: CFO
• How: Credit limits, Insurance, Hedging

Operational Risk
• Who: Internal Audit, Compliance, IT
• How: SOPs, Audits
Risk Management Maturity Levels

Level 1: Ad Hoc - individual dependent.
Level 2: Initial - risk awareness but no precedence or structure for consistent application.
Level 3: Repeatable - risk management implemented into routine business processes; use of risk registers, real options etc.
Level 4: Managed - risk management standard and defined processes used across the organization; quantitative risk analysis.
Level 5: Comprehensive - risk management is used to base both individual decisions and strategic planning on quantified values.
Enterprise Risk Management
Enterprise risk management is a process
- implemented by an entity's board of directors, management and other personnel,
- applied in strategy setting and across the enterprise,
- designed to identify potential events that may affect the entity, and
- to manage risk to be within the entity's risk appetite to provide reasonable assurance regarding the achievement of entity objectives.
(ERM Integrated Framework, COSO, September 2004)
Purpose
• Develop a conceptually sound framework
• Common terminology
• Practical implementation guidance
• Systematic, Formal and Structured approach
• Defined Roles and Responsibilities
• Application across the entity
• Managing risk is to be within the entity’s risk appetite
• A portfolio view of risks at the entity-level is taken
• Monitoring the performance of ERM
Benefits of Enterprise Risk Management

• Increasing positive outcomes and advantage while reducing negative surprises
• Reducing performance variability
• Improving resource deployment
• Enhancing enterprise resilience
• Promote a “healthy” risk culture
ERM System Elements
Hard Elements
• Risk Policy
• Risk Standards
• Methods & Tools
• Rules & Guidelines
• Information Management

Motivation Elements
• Reporting Structures
• KPIs
• Performance Reviews
• Value Perception

Training Element
• Training & Skill Development
How?
Framework
Broad overview, outline, or skeleton of
interlinked items which supports a particular
approach to a specific objective, and serves as a
guide that can be modified as required by
adding or deleting items.
ERM Framework
• Casualty Actuarial Society framework (2003)

• Risk Management Standard, AS/NZS 4360 (2004)

• COSO (Committee of Sponsoring Organizations) ERM framework (2004)

• RIMS Risk Maturity Model (2006)

• ISO 31000 : International Risk Management Standard (2009)

• Control Objectives for Information and Related Technologies (COBIT)

• Project Risk Management (PMBOK® Guide and Standards PMI)

• Quality Risk Management (QRM) (FDA, WHO etc.)

• Central Bank Guidelines (SBP, Basel Accords)


COSO ERM Framework
Entity objectives can be viewed in the
context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
COSO ERM Framework
ERM considers activities at all levels
of the organization:
• Enterprise-level
• Division or
subsidiary
• Business unit
processes
COSO ERM Framework
The eight components
of the framework
are interrelated …
ISO 31000:2009
Framework
ERM Process
Process
ESTABLISH THE CONTEXT
Establishing the Context
“defining the external and internal parameters
to be taken into account when managing risk,
and setting the scope and risk criteria for the
risk management policy”
(ISO 31000:2009)
Establishing the Context
• External context can include:
– The culture, social, political, legal, regulatory,
financial, technological, economic, natural and
competitive environment, whether international,
national, regional or local;
– Key drivers and trends having impact on the
objectives of the organization; and
– Relationships with, and perceptions and values of
external stakeholders
Establishing the Context
• Internal context can include:
– Governance, organizational structure, roles and accountabilities
– Policies, objectives and the strategies that are in place to achieve them
– The capabilities, understood in terms of resources and knowledge (capital,
time, people, processes, systems and technologies)
– Information systems, information flows and decision-making processes (both
formal and informal)
– Relationships with, and perceptions and values of, internal stakeholders
– The organization’s culture
– Standards, guidelines and models adopted by the organization
RISK IDENTIFICATION
Identify the Risks
Areas to cover: IT systems; Health, Safety & Environment; Asset Integrity; Customers; Financial; Natural events; Reputation; People; Laws & Regulations; Research & Development; Partnering; Integrity
Risk Identification
“process of finding, recognizing and describing risks”
(ISO 31000:2009)
• Risk identification involves the identification of risk
sources, events, their causes and their potential
consequences
• Risk identification can involve historical data,
theoretical analysis, informed and expert opinions, and
stakeholder’s needs
Risk Identification
When identifying risks, it is important to consider the
following:
– Event: the factor, certainty or uncertainty that may have consequences for our objectives
» An event can be one or more occurrences, and can have several causes
» An event can consist of something not happening
– Cause: single or multiple reasons that precipitate the event
– Consequence: single or multiple effects that the event has on our objectives when it occurs (may be defined in terms of the worst case or the best case)
Risk Identification
• The organization should identify sources of risk, areas of impacts,
events (including changes in circumstances) and their causes and
their potential consequences.
• Generate a comprehensive list of risks (events that might create,
enhance, prevent, degrade, accelerate or delay the achievement of
objectives).
• It is important to identify the risks associated with not pursuing an
opportunity.
• Comprehensive identification is critical, because a risk that is not
identified at this stage will not be included in further analysis.
Risk Identification
• Choose suitable risk identification tools and
techniques.
• Select suitable people to identify your
organization’s risks.
• Use your tools and techniques to identify the
risks that could affect the achievement of your
organization’s objectives.
Risk Identification Tools &Techniques
• Questionnaires and Checklists
• Workshops and brainstorming
• Inspection and audits
• Flowcharts and dependency analysis
• HAZOP (Hazard and Operability Studies)
• FMEA (Failure Modes Effects Analysis)
• SWOT & PESTLE analysis
Risk Identification
When identifying risks, review of the following can help:
– Objectives
– Functional Responsibilities
– KPI’s
– Deliverables
– Stakeholder needs analysis
– Performance drivers
– Risk drivers
– Factors most likely to impact objectives
– Past Experiences
– Projects
– Industry Benchmarks
– Risk Categories/Groups
Risk Categories-Examples
– Political or Reputational Risk
– Financial Risk
– Service Delivery or Operational Risk
– People / HR Risk
– Information/Knowledge Risk
– Strategic / Policy Risk
– Stakeholder Satisfaction / Public Perception Risk
– Legal / Compliance Risk
– Technology Risk
– Governance / Organizational Risk
– Privacy Risk
– Security Risk
– Equity Risk
– Patient Safety
EXAMPLES OF RISK

Human resource
• Key employees leaving
• Turnover increasing
• Low employee engagement score

Information Technology
• Systems usage versus capacity
• IT Licensing
• Virus attacks
• Data leakage/Hacking

Finance
• Increase in Financial Cost
• Exchange rate hike
• Inaccurate reports
• Receivables default
• Regulatory Compliance Issues

Legal/compliance
• Outstanding litigation cases going against
• Compliance investigations

Quality
• Customer complaints
• Quality defects reported to MOH
• Successive batch rejections
• CMO Quality Issues

Supply Chain
• Short supply of Key Materials
• Sudden rise in prices
• Sudden fall/increase in RSF
• Inaccuracies in planning
Risk Identification Template
Columns: Ref#; Objective/Deliverable; Risk (Event Occurring / Not Occurring); Category; Source; Key Risk Driver/Cause; Consequences; Upside Risk / Downside Risk
RISK ANALYSIS
Risk Analysis
“process to comprehend the nature of risk and to
determine the level of risk”
(ISO 31000:2009)
• Risk analysis provides the basis for risk evaluation
and decisions about risk treatment
• Risk identification can involve historical data,
theoretical analysis, informed and expert
opinions, and stakeholder’s needs analysis.
Risk Analysis
When analyzing risks, it is important to consider the following:
– Consequence (Impact): outcome of an event affecting objectives
» An event can lead to a range of consequences
» A consequence can be certain or uncertain and can have positive or negative
effects on objectives
» Consequences can be expressed qualitatively or quantitatively
» Initial consequences can escalate through knock-on effects
– Likelihood (Probability): Chances of something happening
» Can be defined, measured or determined objectively or subjectively, qualitatively
or quantitatively
– Level of Risk: Magnitude of a risk or combination of risks, expressed
in terms of the combination of consequences and their likelihood
Risk Analysis
Risk Equation:

Risk Level = Impact x Probability
RISK EVALUATION
Risk Evaluation
“process of comparing the results of risk analysis with risk
criteria to determine whether the risk and/or its
magnitude is acceptable or tolerable”
(ISO 31000:2009)
• Risk evaluation assists in the decision about risk
treatment
– Risk criteria: terms of reference against which the
significance of a risk is evaluated
» Risk criteria are based on organizational objectives, and external and internal context
» Risk criteria can be derived from standards, laws, policies and other requirements
Risk Evaluation
• Base Level (Without referring to existing Controls)
• After Accounting for Existing controls
– Also involves evaluation on existing Controls in
terms of their quantity and effectiveness
Impact vs. Probability (risk rating by quadrant)
• High impact, low probability: Medium Risk - Share
• High impact, high probability: High Risk - Mitigate & Control
• Low impact, low probability: Low Risk - Accept
• Low impact, high probability: Medium Risk - Control
RISK PRIORITIZATION MATRIX
A grid with Likelihood (1 to 5) on the horizontal axis and Impact on the vertical axis; each cell holds the risk score I x L, so a risk with impact 4 scores 4 x L, impact 3 scores 3 x L, and impact 1 scores 1 x L.
RISK TREATMENT
Risk Treatment
“process to modify risk”
(ISO 31000:2009)
• Risk treatment can involve
– Avoiding the risk by deciding not to start or continue the activity that gives rise to the risk
– Taking risk in order to pursue an opportunity
– Removing the risk sources
– Changing the likelihood
– Changing the consequence
– Sharing the risk with another party or parties
• Risk treatment is also termed risk mitigation, risk elimination, risk prevention and risk reduction
Risk Treatment
Risk treatment is the process of developing, selecting and implementing controls. The purpose of risk
treatment is to modify the risk into an acceptable risk.

– Controls: measures that modify risk


– Controls include any process, policy, device, practice, or other actions that modify risk

In modifying risk, risk treatment involves the following activities:


• Assessing risk treatment options;
• Assessing cost benefit to choose option
• Implementing the risk treatment plan
• Deciding whether residual risk is acceptable; if not, generating new risk treatment;
• Monitoring and assessing the effectiveness of that treatment

– Residual Risk: risk remaining after risk treatment


– Residual risk can contain unidentified risk. It is also known as retained risk.
Risk Treatment: Four Principles
• Feasibility: constraints such as social acceptability and technical, organizational, legal or regulatory implementation difficulties
• Efficiency Gains: difference between current risk mitigation efficiency and expected risk mitigation efficiency after implementing the improvement plan
• Implementation Timelines: short term, medium term, long term
• Cost: implementation or adaptation cost of the new mitigation techniques; maintenance and operating cost
COMMUNICATION & CONSULTATION
Communication & Consultation
“continual and iterative processes that an organization conducts to
provide, share or obtain information and to engage in dialogue with
stakeholders regarding the management of risk”
(ISO 31000:2009)

• Communication and consultation with external and internal stakeholders should take place during all stages of the risk management process. It is necessary to:
– Help establish the context appropriately
– Ensure the interests of stakeholders are understood and considered
– Help ensure that risks are adequately identified
– Bring different areas of expertise together for analyzing risk
– Secure endorsement and support for a treatment plan
MONITOR & REVIEW
Monitor & Review
• Both monitoring and review should be a planned part of
the risk management process and involve regular checking
or surveillance.
• The organization’s monitoring and review processes should
encompass all aspects of the risk management process
• Responsibilities for monitoring and review should be
clearly defined.
• The results of monitoring and review should be recorded
and externally and internally reported as appropriate.
KEY OUTCOME
Key Outcome
• Risk Register
• Risk Action Plans
• ERM Culture
• Risk Reporting
• Performance Reviews
Risk Register
Log of risks of all kinds that threaten an organization’s success
in achieving declared aims and objectives.
• Dynamic living document
• Populated through the organization's risk assessment and evaluation process.
• Risk quantified and ranked.
• Structure for collating information about risks
• Analysis of risks and decisions about whether or how risks
should be treated.
Risk Register Contents
• Risk no.
• Risk description
• Related objective
• Risk category
• Risk owner
• Inherent risk level: Likelihood, Impact, Risk level
• Existing controls assessment: Preventive (P), Corrective (C)
• Control effectiveness assessment (high level): Preventive (P), Corrective (C)
• Residual risk level: Likelihood, Impact, Risk level
• Acceptable? Yes/No
• Further risk treatment plans to be implemented: Preventive (P), Corrective (C)
• Target risk level (high level)
• Timing: Start, End
• Progress: Q1, Q2, Q3, Q4
Risk reporting and communications

Risk Level: Action and Level of Involvement Required

Critical Risk
• Inform Chief Executive Officer and Board of Directors
• Immediate action required

High Risk
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks; provide report to Board as appropriate

Moderate Risk
• Management mitigation and ongoing monitoring required
• Inform relevant Strategy Team members

Low Risk
• Accept, but monitor risks
• Manage by routine procedures within the program and site
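The risk equation, the Impact vs. Probability quadrants, the inherent/residual columns of the register and the reporting thresholds above, worked through as an added example that is not part of the deck. The 1..5 scales and I x L come from the slides; the numeric rating bands, the "4-5 counts as High" cut on each axis, the acceptability criterion and the sample register rows are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed rating bands for the I x L score (the deck shows the 5x5 grid but not
# its cut-offs) and the escalation per band from the reporting slide.
RATING_BANDS = ((16, "Critical"), (10, "High"), (5, "Moderate"), (1, "Low"))
ESCALATION = {
    "Critical": "Inform CEO and Board; immediate action required",
    "High": "Inform CEO; Strategy Team attention; report to Board as appropriate",
    "Moderate": "Management mitigation and ongoing monitoring; inform Strategy Team",
    "Low": "Accept but monitor; manage by routine procedures",
}

def risk_level(impact: int, likelihood: int) -> int:
    """Risk Level = Impact x Probability, both on the deck's 1..5 scale."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be integers 1..5")
    return impact * likelihood

def risk_rating(score: int) -> str:
    """Map an I x L score to a band using the assumed RATING_BANDS."""
    return next(label for floor, label in RATING_BANDS if score >= floor)

def quadrant_response(impact: int, likelihood: int) -> str:
    """Quadrant of the Impact vs. Probability slide (assumed: 4-5 = High)."""
    high_i, high_l = impact >= 4, likelihood >= 4
    if high_i and high_l:
        return "Mitigate & Control"
    return "Share" if high_i else "Control" if high_l else "Accept"

@dataclass
class RiskEntry:
    ref: str
    description: str
    inherent: tuple    # (impact, likelihood) before controls
    residual: tuple    # (impact, likelihood) after existing controls
    acceptable_up_to: str = "Moderate"  # assumed risk criterion

def assess(entry: RiskEntry) -> dict:
    """One risk register row: inherent vs residual score, rating, action."""
    inh, res = risk_level(*entry.inherent), risk_level(*entry.residual)
    if res > inh:  # controls can only reduce risk; anything else is a data error
        raise ValueError(f"{entry.ref}: residual risk exceeds inherent risk")
    rating = risk_rating(res)
    order = [label for _, label in RATING_BANDS]  # Critical ... Low
    return {"ref": entry.ref, "inherent": inh, "residual": res, "rating": rating,
            "response": quadrant_response(*entry.residual),
            "acceptable": order.index(rating) >= order.index(entry.acceptable_up_to),
            "action": ESCALATION[rating]}

def prioritise(register: list) -> list:
    """Rank the register by residual score, highest first."""
    return sorted((assess(e) for e in register), key=lambda r: -r["residual"])

# Constructed sample register using risk examples named in the deck.
SAMPLE = [
    RiskEntry("R1", "Data leakage / hacking", (5, 3), (5, 2)),
    RiskEntry("R2", "Virus attacks", (3, 4), (2, 2)),
    RiskEntry("R3", "Key employees leaving", (3, 3), (3, 2)),
]
```

Running `prioritise(SAMPLE)` lists R1 first: its residual score of 10 is still High, so it is flagged as not acceptable and escalated to the CEO, while R2 drops to Low after controls.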
Key Players & Responsibilities

BOARD & CEO
• Determine strategic approach to risk and set risk appetite
• Establish the structure for risk management
• Understand the most significant risks
• Manage the organisation in a crisis

Risk Owner (Department/BU Head)
• Build risk aware culture within the unit
• Agree risk management performance targets
• Ensure implementation of risk improvement recommendations
• Identify and report changed circumstances / risks

Employees
• Understand, accept and implement RM processes
• Report inefficient, unnecessary or unworkable controls
• Report loss events and near miss incidents
• Co-operate with management on incident investigations

Risk Manager
• Develop the risk management policy and keep it up to date
• Document the internal risk policies and structures
• Co-ordinate the risk management (and internal control) activities
• Compile risk information and prepare reports for the Board

Internal Audit
• Develop a risk-based internal audit programme
• Audit the risk processes across the organisation
• Receive and provide assurance on the management of risk
• Report on the efficiency and effectiveness of internal controls
ERM DEVELOPMENT PLAN
1st Phase
• Risk Identification
– Input from BU/Departmental Heads [15th April]
– Concluding Consultation with Stakeholders for
understanding, refining and shortlisting [30th April]
Overall Plan
Key Tasks and Timelines:
• Risk Identification: April 2018
• Risk Analysis & Evaluation: May 2018
• Risk Treatment Alternatives: June 2018
• ERM Policy & Framework: June 2018
• Enterprise Risk Management Plan (Integrated Risk Treatment Plan, Business Continuity Plan, Disaster Recovery Plan): Jul-Sep 2019
Coordinating Team

Operational Risk Assessment
• Team Lead: Muhammad Waqas Siddiqui
• Input Areas/Stakeholders: Supply Chain, Production, Quality, Research & Development, Engineering, Corporate Communications, HR, IT, IntOps, PakOps

Commercial Risk Assessment
• Team Lead: Ahsan Saeed
• Input Areas/Stakeholders: Business Development, Marketing Services, Commercial Effectiveness, SFE, Sales Training, Medical Affairs

Financial Risk Assessment
• Team Lead: Usman Zafar
• Input Areas/Stakeholders: Finance, Internal Audit

Compliance Risk Assessment
• Team Lead: Syed Sabir Hussain Bukhari
• Input Areas/Stakeholders: Legal Affairs, Regulatory, Internal Audit, Finance

Strategic Risk Assessment
• Team Lead: Noor Ul Huda Ashraf
• Input Areas/Stakeholders: Board of Directors, Management Committee
Final Thoughts
The only alternative to risk management is crisis management --- and crisis
management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Risk management means more than preparing for the worst; it also means
taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada
