Holistic risk management

© The Economist Intelligence Unit Limited 2015

Contents

Introduction

Conclusion

About this report

Holistic risk management, written by The Economist Intelligence Unit and sponsored by SAP, investigates the organisational measures companies must take to address the totality of the risks they face. The report is based on interviews with the following executives and experts:

Patrick Abdullah, vice president of enterprise risk management, Astro Overseas Limited
Mohammad Azam, vice president of corporate internal audit, compliance and ethics, UPS
Carol Fox, director of strategic and risk management, the Risk Management Society
Michael Kearney, managing partner, strategic risk services, Deloitte
Mark Newlands, head of risk management, Anglo American
Brian Schwartz, US performance leader for governance, risk and compliance, PwC

The Economist Intelligence Unit would like to thank these interviewees for their time and insight. The report was written by Pamela Black and edited by Pete Swabey.

Introduction

Businesses have always been exposed to risk, and the obligation to manage it is nothing new. However, there is a growing concern among business leaders that they are exposed to strategic risks that threaten the very existence of their company.

“Every company in every industry in every country is at the risk of being disrupted or supplanted—like Blockbuster or BlackBerry,” says Michael Kearney, national managing partner of strategic risk services at Deloitte. While it can be difficult to engage senior executives in conversations about individual risks such as succession planning, “there’s not a CEO in the world who doesn’t want to talk about disruption.”

They are right to be concerned. According to the Corporate Executive Board (CEB), a member-based advisory company, 86% of the most damaging risks to shareholder value over the past decade have been strategic risks, such as competitive incursions and falling demand for core products.

Most companies are not equipped to handle these strategic risks, the CEB reports. They may not understand how to audit them, and responsibility for individual risks—such as legal, audit, cyber security and safety—is divided among separate divisions. Even different functions within risk-management departments have their own separate duties.

As a result, there is confusion as to which department is accountable for which risks, and senior managers are forced to wade through numerous, often contradictory reports with no clear coherence or prioritisation. This slows the process of making strategic decisions and creates a drag on growth, according to the CEB. A survey it conducted in 2014 showed that 91% of organisations are therefore planning to reorganise their risk-management approach.[1]

There is evidence that a holistic and strategic approach to risk management pays off. A 2015 PwC survey, “Risk in Review,” shows that over the past three years, 55% of companies deemed leaders in risk management recorded increased profit margins, and 41% achieved an annual profit margin of more than 10%. “When companies focus on this, they have an edge,” says Brian Schwartz, who leads the US governance, risk and compliance practice at PwC. “There is a strong linkage with aligning risk management and strategy to driving performance.”[2]

But achieving a holistic and strategic approach to risk management requires a number of organisational measures. As this report explains, the aim of these measures is to improve cross-organisational communication and to link risk-management controls to the strategic objectives of the company.

[1] http://www.executiveboard.com/exbd/executive-guidance/2014/q3/index.page?

[2] http://www.pwc.com/us/en/risk-assurance-services/risk-in-review.jhtml

1. Collaboration across functions

One of the first steps towards achieving a holistic view of risk is to get internal audit and compliance teams within individual departments to collaborate effectively with the risk-management function. This means opening lines of communication between departments that might not otherwise interact.

At logistics company UPS, for example, Mohammad Azam, vice president of corporate internal audit, compliance and ethics, meets regularly with an enterprise risk council comprised of some 25 top representatives from every large function in the corporation, including treasury, insurance and HR, to discuss risks and assign the right experts to work on solutions.

This brings together disparate groups that would otherwise not collaborate. “Right now, groups don’t have to talk to each other except through a risk forum,” says Mr Azam.

The council is not a replacement for the existing, formal channels of communication but rests on top of them as another, more open conduit. “How many times will people from different silos talk about risk across geography and function?” asks Mr Azam. “This process is a very healthy way of breaking down the barriers of who can talk to whom. It makes the process much more transparent.”

This transparency helps prevent risks from slipping through unnoticed. According to Mr Azam, the concept of an enterprise-wide risk programme first gained currency at UPS about eight or nine years ago because of fears about a bird flu outbreak. As a company that runs its own airline, UPS has to worry about such health epidemics, as well as terrorism. The lines of communication the company established in response “capture such risks that don’t fall under the purview of any one person or function,” Mr Azam says.

Mark Newlands, head of risk management for Anglo American, a multinational mining company based in the UK, has also achieved a better insight into the organisation’s risk profile by improving communication. When Mr Newlands joined the company eight years ago, one of the first things he did was to consolidate the channels of risk-related communication through him. At that time each commodity division had its own audit managers, who could influence which risks were reported by frontline employees. Workers in the platinum mine reported to their own internal audit managers, for example, as did iron ore workers.

“Now they report directly to me and not to their on-site managers,” Mr Newlands says.

He, in turn, reports to an audit committee of independent, non-executive board directors, in addition to reporting separately to the CFO. According to him, this structure preserves everyone’s independence.

Although internal audit managers still exist at each mine site, they can no longer filter information coming from below. As Mr Newlands explains: “There’s no reporting line to that management team.” Those who disagreed with such new policies have left, he adds.

When Mr Newlands arrived, Anglo American also lacked other risk protection measures, such as a way to manage bribery. “In mining, we work in some areas that have a high risk from a corruption point of view,” he says. “Our competitor, BHP, was fined US$25m for paying for entertainment at the Beijing games.”[3]

Mr Newlands has therefore instituted policies to ensure that the company knows what level of entertainment is being provided, and that the people being entertained are not in current contract negotiations with Anglo American.

Encouraging disparate groups to work together and participate in a firm-wide risk-management programme requires board sponsorship and often monetary incentives.

At Astro Overseas Limited, a media company based in Malaysia, “the biggest challenge has been the need to convince employees—especially senior executives and key personnel from different countries—to take risk management seriously,” says Patrick Abdullah, vice president of enterprise risk management.

Mr Abdullah controls risk management at both the Astro Overseas parent company and at numerous companies it has acquired in the region. At many of the acquisitions, “C-level executives are predominantly driven by financial and operational targets, so risk management becomes secondary,” he says. As a result, they tend to take risks for short-term gain, which may have an adverse impact on long-term goals and sustainability.

To manage this problem, the board first linked a small percentage of compensation to responsibility for risk management. Now, says Mr Abdullah, the board is planning to introduce incentive plans and rewards for long-term risk-management responsibilities.

[3] http://www.theguardian.com/business/2015/may/21/bhp-billiton-fined-us25m-for-gift-trips-to-beijing-olympics-for-foreign-officials

2. Strategic planning

Beyond cross-functional collaboration and communication, another key component of holistic risk management is the ability to understand risks in the context of the organisation’s strategy.

This understanding allows business leaders to make decisions more effectively—which is, after all, the ultimate aim of risk management. “At the end of the day, this is not about risk professionals, but about executive teams making sure that they understand risks,” says PwC’s Mr Schwartz.

The inability to tie a given risk to a company’s strategy makes it harder to take strategic decisions, according to the CEB, which in turn slows down its ability to respond to changes in the market.

It can also make companies unnecessarily risk-averse. For example, an enterprise-wide risk assessment by the Danish toymaker Lego revealed that it was leaving money on the table by being too conservative. According to Carol Fox, director of strategic and risk management at RIMS, the company took the decision to move beyond risk avoidance and create new opportunities, products and profits following this assessment.[4]

Building this understanding begins with risk assessment. Most risk-management functions periodically survey departmental managers to identify risks, and then prioritise the 10 or 20 most pressing risks. These are determined primarily by two factors: each risk’s potential impact on the performance of the firm, and the likelihood of its occurrence based on controls that are currently in place. A newer factor, according to PwC’s Mr Schwartz, is velocity, or how quickly the impacts of a risk occurring are felt.

Of course, there are many risks beyond the top tier. Some firms create integration maps to see how all their risks are interrelated, how a low-ranked risk might affect a higher-ranked one, or the knock-on effect of one risk on others. Each risk needs to be identified, prioritised, profiled, mitigated and monitored.

At Anglo American, Mr Newlands takes his strategic risk plan to the audit committee each year. High-risk items are audited on a yearly basis, while lower-impact items are audited every five years. “If something is given a poor reading, we’ll go back and fix it,” he says. “Our process requires us to have local managers agree with what we’ve found and how to fix it by agreed dates.”

[4] http://www.imanet.org/docs/default-source/sf/02_2012_frigo_laessoe_reduced-pdf.pdf?sfvrsn=0

Assigning accountability for risk and ensuring that risk owners carry out their duties is a critical part of the process. “While the risk management team works proactively with the various businesses to identify risks and mitigation plans with risk owners for implementation, our internal audit will test existing controls to ensure their effectiveness,” says Mr Abdullah.

The audit team will then make recommendations that are communicated via reports to the risk functions and top managers, and work with risk owners to determine the best method to implement them.

For risk management to be tied to company strategy, risks must be understood in relation to the objectives the departments are trying to pursue.

At Anglo American, risk assessments used to be done via a simple checklist of risks, with no discussion of a given unit’s particular objective. The same checklist would be used across all geographical divisions, according to Mr Newlands.

Now the risk team works with mine managers to create a business plan and prioritise their goals to achieve certain production and safety objectives in a given timeframe. “When we changed the system, we talked to the mine managers and said the starting point is to assess the risks to achieving your business plan objectives,” he says.

Whether it’s the C-suite or the mine operator, “the starting point is the objective,” Mr Newlands points out. “It could be financial or not, it could be to produce 40m tonnes of iron ore this year, to deliver a new mine by the end of 2018, or to implement a new IT system. The starting point is: what are we trying to achieve?”

For example, if the price of iron ore falls off significantly, a strategic goal may be to reduce costs by cutting staff. “But if you are reducing 10% of your headcount, you have to ask: what could prevent you from achieving it by that date?” asks Mr Newlands. “What are the risks to the business of achieving that goal long-term? If you achieved it, could you respond to a sudden change in the market in a positive direction?”

“If you’re going to have an internal audit deliver real value, you have to be looking at real risks and controls,” he adds. “To do that, you need an organisational view.”

According to RIMS, the biggest challenge now facing risk managers is shifting an organisation’s risk focus from a “rear-window view” to a current and even predictive assessment of risk.

This may still be an elusive goal. Mr Azam believes that UPS is ahead of its peers in terms of viewing risk holistically, but “we still can’t foresee which risks will be coming our way six months down the road.”

The need for this predictive view will only increase as the risk of disruption grows, Mr Azam says. For example, Uber, the popular taxi-booking app, is now exploring the possibility of launching delivery services.

“Everyone is trying to get into the delivery business,” he says. “I’m not sure they’ve figured it out, but we need to make sure we’re ahead of the curve.”

Conclusion

The process of moving from siloed and fragmentary risk management to a more holistic approach is a journey that will be different for every organisation. As Mr Azam from UPS explains: “The whole journey is an evolutionary process, and it will take a different course and timeline depending on the nature of the business, the structure of the organisation and—very importantly—the culture of the company.”

But there are some common characteristics that define success, Mr Azam believes. These are:

• Proactive identification and appropriate visibility of risks
• Appropriate ownership assignment and effective monitoring of risk-mitigation efforts
• Oversight of key risks and the remediation efforts by senior management and the board of directors
• Standard terminology and measurement processes that are implemented throughout the organisation

For Mr Newlands of Anglo American, the key to success is to ensure that risk-management practices are “part of the way business is conducted, and not a ‘bolt-on’ or separate activity.”

“That will need executive management buy-in and a demonstration to line management what benefits they can expect to see,” he adds. According to the CEB, engaging the whole organisation in risk management, not just the most senior executives, is something that the majority of companies could do better: “Most organisations need to worry more about their middle managers and frontline employees than about their senior leaders,” the CEB writes.[5]

Articulating the benefits of risk management to employees at every level of the organisation, not just the board, is therefore critical if the organisation is to achieve truly holistic risk management.

[5] http://www.executiveboard.com/exbd/executive-guidance/2014/q3/index.page?

Ltd cannot accept any responsibility or liability for reliance by any person on this report or any of the information, opinions or conclusions set out in this report.

Date posted: 30/11/2015, 21:11
