
IMPLEMENTING RISK MANAGEMENT PROGRAM

07/23/2020

COVERAGE
• Value creation proposal
• Benchmark Standards and Frameworks
• Existing Management Practices
• Set up Risk Management Function
• Awareness Training
• Framework Design
• Implement Risk Management Program
• Implementation Challenges
• Implementation Success Factors

What would be the reason for your organization to implement risk management?

VALUE CREATION PROPOSAL
• What value will the Risk Management Program create in your organization?
  – Improve overall management/Accountability
  – Better financial performance
  – Enhance reputation
  – Respect laws and regulations
  – Reduce losses
  – Improve governance and internal controls

BENCHMARK STANDARDS/FRAMEWORKS
• What standard and/or framework would you like to adopt?
  – Basel II Accord: 2004
  – Solvency II: EC 2009
  – COSO 2004: Enterprise Risk Management - Integrated Framework 2004
  – ISO 31000:2018 Risk Management - Principles and Guidelines

EXISTING MANAGEMENT SYSTEMS
• Consider the existing management practices
  – Compliance management
  – Business continuity management
  – Internal control systems
  – Quality assurance
  – Project management

EXISTING MANAGEMENT SYSTEMS
• Consider the existing management practices
  – Physical security management
  – Information security management
  – Document management
  – Records management
  – Financial management

SET UP RISK MANAGEMENT FUNCTION
• Set up an autonomous risk management department [this may depend on the type and size of the organization]
• Appoint the Chief Risk Officer [CRO] to head the risk management department
• The CRO should have the authority and responsibility to effectively manage the risk management program and to communicate its activities to the Senior Management [CEO]
• Recruit risk management specialists to help the CRO fulfill his/her obligations

AWARENESS TRAINING
• The Board, Management, and staff should be aware of risk management, including:
  – Risk management conceptual framework
  – Risk management challenges
  – Approaches to risk management
  – Risk management evolution
  – Benefits of risk management

SUPPORT AND HELP
• Release a statement of intent to support the project, signed by the Board Chairman/Chief Executive Officer
• Who best understands the inherent organizational risks
  – Identify C-suite members who best understand the inherent risks that the organization is facing
  – Form a team of Risk Champions representing all functional areas within the organization.
  – The Risk Champions should have the ability to coordinate, communicate, cooperate and contribute to the management system improvement

DESIGN THE FRAMEWORK
• Understanding the Organization
  – Evaluating the external environment
    • The social and cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment (international, national, regional, or local)
    • Key drivers and trends having impact on the objectives of the organization
    • Relationships with and perceptions and values of external stakeholders

DESIGN THE FRAMEWORK
• Understanding the Organization
  – Evaluating the internal environment
    • Governance, organizational structure, roles and accountabilities
    • Policies, objectives, and the strategies that are in place to achieve them
    • Capabilities understood in terms of resources and knowledge

DESIGN THE FRAMEWORK
• Understanding the Organization
  – Evaluating the internal environment
    • Relationship with and perceptions and values of internal stakeholders
    • The organization’s culture
    • Standards, guidelines and models adopted by the organization
    • The form and context of contractual relationship

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – The Policy should address the following:
    • Why risk management will be undertaken
    • Who within and outside the organization will undertake it
    • How it will be undertaken by reference to the framework and processes and internal functions
    • What those who are responsible will be required to undertake

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – The Policy should also address:
    • Interests of all stakeholders including shareholders, customers, suppliers, and employees
    • Where appropriate it should describe the relationship between risk and corporate governance and internal audit.
    • The way in which conflicting interests are dealt with

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – The Policy should also address:
    • Commitment to make the necessary resources available to assist those accountable and responsible for managing risk
    • The way in which risk management performance will be measured and reported
    • Commitment to review and improve the risk management policy and framework periodically and in response to an event or change in circumstances

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Possible Policy Statements:
    • Value Creation and Sustainability
    • Responsibility and Accountability
    • Risk Communication and Information

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Possible Policy Statements
    • Risk Management and Organizational Processes
    • Risk Management Process
    • Management of Conflict of Interest
    • Resource Availability

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Responsibility and Accountability
    • Process Owners and Business Units Management (first line of defense in risk oversight) - includes Risk Champions and all other staff
    • Risk Management Function (second line of defense in risk oversight)
    • Internal Audit Function (third line of defense in risk oversight)

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Responsibility and Accountability
    • Executive Management (fourth line of defense in risk oversight) - includes the CEO and the EXCOM (RMC)
    • The Board of Directors (fifth and final line of defense in risk oversight) - includes the Board and the Board Risk Committee
    • Relationship between Risk Management Function and Internal Audit Function - avoid gaps and minimize overlaps in oversight activities

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of Business Unit Management
    • Maintaining effective internal controls and executing risk control procedures on a day-to-day basis.
    • Identifying, analysing, evaluating and mitigating key risks.
    • Guiding the development and implementation of internal policies and procedures.
    • Ensuring that Business Unit activities are consistent with corporate objectives.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of Risk Management Function
    • Establishes risk management framework and process.
    • Assists Management in developing processes and controls to manage risks and issues.
    • Provides guidance, training, and coaching on risk management process.
    • Alerts Process Owners and Business Unit Management to emerging issues and changing regulatory and risk scenarios.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of Risk Management Function
    • Identifies, analyses, evaluates, monitors, controls, and reports on the overall risk exposure.
    • Contributes risk perspectives to business decisions to ensure the alignment of business and risk strategies.
    • Ensures an in-depth understanding of all business activities and their implications to the organization’s risk profile.
    • Monitors the adequacy and effectiveness of internal control.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of Internal Audit Function
    • Reviewing the management of critical risks.
    • Evaluating the reporting of critical risks.
    • Evaluating Risk Management Process.
    • Giving assurance that risks are correctly evaluated.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of Management Committee
    • Reviews and makes recommendations to the Board for the approval of Risk Management Policies and the Risk Management Plan.
    • Deliberates on and approves the Risk Management Guide/Manual.
    • Deliberates on the risk management performance report.
    • Takes necessary actions on issues that affect the objectives of risk management.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of the Board Risk Committee
    • Understands the most significant risks and approves the risk appetite.
    • Ensures that Executive Management has established effective risk management.
    • Reviews the organization’s portfolio of risk against the approved risk appetite.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Role of the Board Risk Committee
    • Is apprised of the most significant risks and whether Executive Management is responding appropriately.
    • Approves Risk Management Policies and the Risk Management Plan.
    • Makes necessary disclosures on risk management activities in the annual financial statements.

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Relationship between Risk and Audit Function
    • Avoid gaps and minimize overlaps in oversight activities
    • Internal Audit reviews and makes recommendations but does not take action to implement them
    • The risk management function reviews controls, makes recommendations and takes an active role in the implementation

DESIGN THE FRAMEWORK
• Establish the Risk Management Policy
  – Relationship between Risk and Audit Function
    • The risk management function uses audit results to assess risks and design risk response strategies
    • Internal audit uses the results of risk assessment to prepare a risk-based audit plan
    • Internal audit uses the risk report to assess the effectiveness of risk management practice

DESIGN THE FRAMEWORK
• Establish the Risk Management Guide
  – Documented procedures to enforce policy statements
  – Documented details of the risk management process
  – Presents tools, techniques and methods applied in the execution of the risk management process
  – Provides tools, techniques, and methods for risk communication and reporting

IMPLEMENT RISK MANAGEMENT
• Implement awareness and implementation training to inculcate the corporate risk management culture:
  – Awareness and implementation training to familiarize participants with the components of the Risk Management Policy and Guide
  – 3–5 days of training for the Risk Champions to provide them with the depth and breadth of ERM, the Risk Management Policy and Guide

IMPLEMENT RISK MANAGEMENT
• Implement awareness and implementation training to inculcate the corporate risk management culture:
  – 1 day of training for the rest of the staff is adequate to highlight the components of the Risk Management Policy and Guide
  – Continuous training through risk management sessions slotted during in-house training, workshops, and departmental meetings

IMPLEMENT RISK MANAGEMENT
• Inculcate Corporate Risk Culture through tone from the Top demonstrated by the following key features:
  – Being approachable (i.e. availability of the Chief Executive Officer and the Board to discuss risk management issues and engage the CRO as much as possible)
  – Being consistent (i.e. consistency in taking actions against offenders)

IMPLEMENT RISK MANAGEMENT
• Inculcate Corporate Risk Culture through tone from the Top demonstrated by the following key features:
  – Make the risk management function a trusted adviser (i.e. any decision made should be supported by the opinion of the risk management function; the CEO and the Board should always ask "have you shared with risk department?")
  – Being constructive (i.e. constructive opinions for system improvement; avoid scapegoating and the blame game).

IMPLEMENT RISK MANAGEMENT
• Create the enterprise-wide risk management organization:
  – Establish a risk management group of specialists to support the CRO. The group should possess the following features amongst others:
    • The group should be more active in monitoring events as well as initiating programs of corrective actions
    • Cover all aspects of the enterprise in terms of specialities and business lines or locations. Must have people with an understanding of different specialities in the organization, or work together with specialists.

IMPLEMENT RISK MANAGEMENT
• Create the enterprise-wide risk management organization:
  – Establish a risk management group of specialists to support the CRO. The group should possess the following features amongst others:
    • Some specialists may not be able to work under the risk management function; these can be assigned the role of risk champions or co-opted during the risk assessment exercises.
    • Must have a good understanding of the risks impacting the organization in any given area
  – Establish corporate risk management guidance to communicate risk-related objectives and plans to the top management

IMPLEMENT RISK MANAGEMENT
• Policies, Standards, Processes, and Procedures:
  – Policies, standards, processes, and procedures form part of the internal control system necessary to respond to significant risks
  – Policies, standards, processes, and procedures should be developed and communicated. They should enable members of staff taking decisions to consider organizational concerns and considerations
  – Implement the risk management process as an integral part of organizational processes

IMPLEMENT RISK MANAGEMENT
• Internal Risk Communication and Reporting
  – Risk Management Policy, and Risk Management Guide
  – Risk Management Plan
  – Risk Management Report
  – Risk Management Reporting Responsibilities
  – Risk Escalation

IMPLEMENT RISK MANAGEMENT
• Internal Risk Communication and Reporting
  – Risk Communication and Awareness Programs
    • Risk Management Workshops
    • Risk Management Committee Meetings
    • Risk Management Feedback Meetings
    • In-house Seminars and Trainings
    • Risk Management Newsletter
    • Internal Emails

IMPLEMENT RISK MANAGEMENT
• External Risk Communication and Reporting
  – Disclosure - Risk Management Report
  – Risk Communication and Awareness Programs
    • Risk Management Newsletter
    • Annual General Meeting (AGM)
    • Crisis Communication
    • Risk Management Information System (RMIS)

ERM IMPLEMENTATION CHALLENGES
• Resistance from people
  – Departmental competition, egoism and rivalries
  – Information filtering, conflict avoidance
  – Sticking to familiar routines (changes are BAD)
  – Blame Game: Finding a SCAPEGOAT
  – Avoiding taking responsibility for Risk Management: ‘Hiding’ behind the ‘specialist’

ERM IMPLEMENTATION CHALLENGES
• Lack of power for the Risk Manager
  – Formal Power
  – Expert Power
  – Network Power

ERM SUCCESS FACTORS
• Key Risk Management implementation success factors
  – Implement within the Risk Maturity level of the organization
  – Gain support of leadership and develop a clear vision
  – Build a strong Risk Aware Corporate Culture
  – Acquire Strong Project Management Capabilities
  – Ensure Adequate Resource Allocation and Team Involvement

ERM SUCCESS FACTORS
• Key Risk Management implementation success factors
  – Build Organization Network
  – Provide the Right RM knowledge, Skills & Training
  – Link Reward System to RM objectives
  – Go for Quick Wins, Communicate about RM success and share knowledge
  – Use External Consultants Effectively

ERM SUCCESS FACTORS
• RM Implementation Principles and Practices – Dos and Don’ts
  – Do not jump to Solutions, DIAGNOSTIC FIRST
  – Do not do it alone, build a STRONG NETWORK first
  – RESISTANCE is NORMAL, anticipate and engage proactively
  – Don’t force, CONVINCE AND EMPOWER

ERM SUCCESS FACTORS
• RM Implementation Principles and Practices – Dos and Don’ts
  – People are SELF-INTERESTED, give them a value proposal: pay peanuts, get monkeys
  – Start small and where you can gather resources and support. CHOOSE YOUR TERRAIN AND YOUR BATTLE
  – Go Top-down and Bottom-up
  – Be opportunistic, GO FOR QUICK WINS and publicize results to create momentum.

Thank You
