Governance Of Risk - PwC


www.pwc.co.za

Governance of Risk

Written by Rob Newsome, Director of PwC
12 June 2011

Contents

Why the current focus on risk? 1
“Black Swans” 3
Risks vs. Risk Events 4
Risk Measurement 5
Risk Appetite 8
Risk management maturity/effectiveness 11
Loss events and remediation 15
Risk software 16
Role of the CRO 18
Risk assurance 20
Risk and Audit Committees 24
Risk Reporting 26
Key Risk Indicators 27

Why the current focus on risk?

Risk sound bites

Risk management is being acknowledged as an increasingly important discipline. These sound bites are aimed at providing the reader with succinct insight into some of the key issues impacting on risk management and governance.

Recent events have highlighted the need to move risk management up on the importance scale for Boards and executive management. These events include the Icelandic volcano, the Gulf oil spill, Japan’s tsunami and the Sishen mining rights. In the financial services industry, the continuing focus on risk through Basel II and III for banks and Solvency II (in SA Solvency Adequacy Management [SAM]) for insurance companies has created more regulatory pressure on ensuring the adequacy of risk management.

The global credit crunch has also destroyed the myth that business will continue as it always has; business now needs to be far more able to respond and react to changing conditions. Risk management is seen as one of the key disciplines needed to prosper and survive in the world economy today. Note that many commentators have cited poor risk management as one of the causes of the credit crunch.

‘Black Swans’

High impact, low probability events are called ‘Black Swans’. [In Europe, as legend has it, only white swans were known, so black swans were not possible.]

‘Black Swans’ are the events that wipe millions off the market capitalisation of corporations such as BP and Arcelor Mittal. CEOs and boards now want to know what potential Black Swans the corporations they are responsible for managing could face.

Black Swans typically can’t be prevented, but the responses to their consequences are significant. The approach now being followed is to consider events that will have specific consequences, e.g. collapse of distribution channels, loss of key suppliers, sudden significant exchange rate changes etc. The risk event itself becomes less important, as recent history has shown that these can be off the radar!

This has opened the debate about the quantification of risk. These events now need to be included in the risk considerations. Typically, risk management quantification identified only those risks that management considered not sufficiently managed.

Risks vs. Risk Events

Solvency II and ISO 31000 have focused on the identification of risks. In Solvency II the capital that needs to be allocated to risk has to establish what risk or risk event needs to be considered. A general risk of, say, loss of skills cannot be measured. Similarly, ‘underground fire’ in a mine is not sufficiently articulated to establish the possible extent of the event: it could be at the stopes, or on moveable machinery, or in the shaft etc.

Risk events need to be distinguished from the higher level risk names in order for the risk to be managed. ‘Competition risk’, for example, cannot be managed as a generic matter. The risk event will be a new market entrant in a region, specific product substitution, or product pricing; these potential or actual events can be managed. Similarly, ‘loss of skills’ needs to be unpacked to the events that have to be managed, such as what to do when the ageing engineers retire and no obvious replacements have been identified.

All risks that are evaluated as having a potentially substantial impact on the organisation/business should be unpacked to constituent risk events.

Risk Measurement

Risk measurement is an art and not a science. There are certain risks that the actuaries will model to come up with a very scientific assessment of the possible risk exposure. There are others that achieve a high, medium or low assessment [green, yellow or red, for us boring accountants].

The key elements that should be included in the measurement are as follows:

• There should be sufficient differentiation to allow a meaningful priority rating to be achieved. This can be on a 100 basis points scale, on a monetary scale, or on a numeric scale.
• The risk exposure before control, or maximum possible loss, should be evaluated to determine the extent to which existing mitigation/control is managing the risk; this is often referred to as inherent risk.
• The amount of risk that the organisation is willing to accept should also be determined; this is known as risk tolerance or desired residual risk.
• The residual risk gap should be determined to establish the extent to which remediation is required and to prioritise this remediation.
• The current risk position should be established, taking into consideration the current risk mitigation/controls. This is known as the residual risk.

Below is an example of applying the measurement scales: impact on a 100 basis points scale, inherent likelihood on a percentage scale, and control effectiveness on a percentage scale.

Impact                                                   100
Likelihood                                               60%
Inherent Risk = Impact x Likelihood                      60
Control Effectiveness                                    40%
Residual Risk = Inherent Risk x Control Effectiveness    36
Desired Control Effectiveness                            80%
Risk Tolerance = Inherent Risk x Control Effectiveness   12
Residual Risk Gap = Residual Risk - Risk Tolerance       24

(Control effectiveness is applied here as the share of the inherent risk that the controls remove: 60 less 40% of 60 gives the residual risk of 36, and 60 less 80% of 60 gives the risk tolerance of 12.)

Other developments in measurement include:

• Frequency of the risk exposure is receiving more attention now, to understand the risk better. For example, the risks associated with plant operations are a daily exposure, while contract risk is on an as-and-when basis.
• Risk controllability is the extent to which the risk can be managed or mitigated. For example, no organisation can control the Icelandic volcano that disrupted air travel to Europe, which in turn had a major impact on fresh fruit exports. The only mitigation then is to manage the consequence.
• Using Monte Carlo simulations to assess more scientifically the potential and residual exposures; these are often used for contingency funding assessments on projects. There are many other quantitative models that are used.

The graph below demonstrates the results of applying the measurement concepts discussed above. The residual risk gap provides the priority for addressing the risk exposures.

[Bar graph: Strategic Risk Assessment, Top 10 Residual Risk Gap. Series: Current Residual Risk, Desired Residual Risk and Residual Risk Gap, on a scale of 0 to 80. Risks shown: Critical skills attraction and retention, International Markets, Leadership, Project Delivery, Going Concern, Business Efficiency, Alternative Revenue, Organisational Support Structure.]

The results provide a basis for understanding the risk exposures without having to get a precise measurement.

Solvency II and Basel II have put the focus on measuring the incidence of risk and the extent to which capital has to be matched against identified risk. Interestingly, Basel II requires reserves to be kept based on the experience of residual risk without considering the other measurement criteria set out above.
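The scoring and ranking described above, as an added example that is not part of the PwC paper: a small Python register that reproduces the worked figures (60, 36, 12, 24) and ranks events by residual risk gap as the Top 10 chart does. It takes the paper's figures to mean that control effectiveness is the share of inherent risk the controls remove; the register rows other than the worked example are constructed, with names borrowed from the chart and invented figures.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskEvent:
    """One unpacked risk event scored on the paper's scales.

    impact is on the 100 basis points scale; likelihood,
    control_effectiveness and desired_control_effectiveness are
    percentages expressed as fractions in [0, 1].
    """
    name: str
    impact: float
    likelihood: float
    control_effectiveness: float
    desired_control_effectiveness: float

    def __post_init__(self) -> None:
        if not 0 <= self.impact <= 100:
            raise ValueError(f"{self.name}: impact must be on the 0-100 scale")
        for label in ("likelihood", "control_effectiveness",
                      "desired_control_effectiveness"):
            value = getattr(self, label)
            if not 0 <= value <= 1:
                raise ValueError(f"{self.name}: {label} must be a fraction in [0, 1]")


def score(event: RiskEvent) -> dict:
    """Inherent risk, residual risk, risk tolerance and residual risk gap."""
    inherent = event.impact * event.likelihood
    # Control effectiveness is the share of inherent risk the controls remove,
    # so the risk that remains is inherent less that share. This reproduces
    # the paper's figures: 60 less 40% of 60 = 36, 60 less 80% of 60 = 12.
    residual = inherent - inherent * event.control_effectiveness
    tolerance = inherent - inherent * event.desired_control_effectiveness
    # A gap of zero or less means the current controls already reach the
    # desired level, so this event needs no remediation.
    gap = residual - tolerance
    return {"inherent": inherent, "residual": residual,
            "tolerance": tolerance, "gap": gap}


def prioritise(events, top: int = 10) -> list:
    """Rank events by residual risk gap, largest first (the Top 10 chart)."""
    scored = [(event.name, score(event)) for event in events]
    scored.sort(key=lambda item: item[1]["gap"], reverse=True)
    return scored[:top]


# Constructed sample register: the first row is the paper's worked example,
# the others use names from the paper's chart with invented figures.
SAMPLE_REGISTER = [
    RiskEvent("Worked example", 100, 0.60, 0.40, 0.80),
    RiskEvent("Critical skills attraction and retention", 90, 0.70, 0.30, 0.75),
    RiskEvent("Project Delivery", 80, 0.50, 0.60, 0.70),
    RiskEvent("Going Concern", 100, 0.10, 0.50, 0.50),
]

if __name__ == "__main__":
    for name, result in prioritise(SAMPLE_REGISTER):
        print(f"{name:42s} inherent={result['inherent']:5.1f} "
              f"residual={result['residual']:5.1f} "
              f"tolerance={result['tolerance']:5.1f} gap={result['gap']:5.1f}")
```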

Risk Appetite

Risk appetite is the most misunderstood concept in risk management. How much risk is an organisation willing to accept? Or does the organisation have an appetite for risk? How does this tie back to performance management?

Risk appetite and tolerance are often misunderstood and are therefore often not applied in practice. Financial Services (FS) have a better practical feel for the concepts, with the value at risk and how much value can be risked, in total and per product/investment type. Non-FS companies have a more difficult time in making the concepts realistic.

Below is an example of a typical risk appetite statement, giving peer example risk appetite statements for each key element.

Capital
• Maintain an insurance insolvency ratio of at least 150%.
• Maintain a ratio of insurance risk economic capital to life insurance reserves below 10% at all times.
• Maintain a ratio of credit risk economic capital to total bank lending book exposure below 4% at all times.
• Hold as a minimum sufficient economic capital to withstand a one in 200 loss on a one year basis.
• On an economic basis, we seek to maintain an AFR/Ecap ratio of at least 100%.
• Hold sufficient capital to maintain the group’s published core financial strength ratings in the AA rating range.

Earnings
• Our earnings will not fall below budget by more than 10% more frequently than once every 5 years.
• No expected loss to a single customer within the loan portfolio will be greater than 10bps of our own funds.
• Achieve steady, sustainable growth in operating profits on an EEV and IFRS basis.
• No one exposure to a single financial institution counterparty, other than intercompany exposures, will be greater than 5% of Group Available Financial Resources, and exposure will only be to counterparties recognised in the relevant policy (e.g. above A for derivatives).

Liquidity/ALM
• Positive cashflows in extreme but plausible stress scenarios.
• No appetite for financing required cash-flows in a manner detrimental to its main external stakeholder.
• General Insurance liabilities are matched as closely as possible with assets of appropriate amount, type (fixed or real) and currency.

Reputation
• Our people will have the highest levels of competence and integrity.
• We will treat our customers fairly.
• We seek to continue to have top quartile customer satisfaction in all of our core markets.

Other
• We target an S&P rating of A on our senior debt.
• We seek to fully meet all regulatory expectations.
• We will have no tolerance for international regulatory breaches.

These high level statements provide parameters for risk consideration and intersect with strategic objectives and corporate value statements. The above risk appetite statement describes the parameters of strategic positioning as well as providing clarity on strategic intent. But it does not easily reach to the actual risks that need to be addressed. Some organisations are looking to the underlying risks.

Other appetite statements include, for example, a statement that risk appetite is described as an event that will impact 5% on EBITDA and will result in a 10% change in market capitalisation (share price). Potential risks are unpacked to risk event level and evaluated to provide a most likely value. This value is compared with the appetite.

We have taken a view that risks should be measured on their potential impact on the achievement of strategic objectives.

Risk levels and risk decisions (example):

Risk Category   Inherent Risk   Current Residual Risk   Risk Appetite   Risk Exposure above Appetite
Systems         22%             33%                     15%             18%

Legend: Risk Exposure Above Risk Appetite of less than 30%; greater than 30% but less than 60%; greater than 60%.

The inherent risk for each strategic objective is assessed for the risks allocated to the strategic objective. The current residual risks for all risks per objective are aggregated to be expressed as a percentage, and this is compared with a similar value achieved for risk tolerances, which in aggregation is termed ‘Appetite’. The difference highlights the extent to which the current position is outside of appetite. Ultimately, it identifies the risk exposures that need to be managed to achieve strategic objectives.

A similar view per executive risk owner provides another interesting oversight. The real buy-in happens when the appetite is expressed per risk owner: the C-Suite for enterprise wide risks!!

Risk management maturity/effectiveness

Standard & Poor’s (S&P) is the first rating agency to publish its criteria for assessing the effectiveness of risk management, which it includes in its credit and investment ratings. This direct linking of availability, duration and cost of funds to risk management has elevated the focus on risk management effectiveness.

Many organisations are now assessing the effectiveness or maturity of their risk management processes. This allows benchmarking and focus on specific areas for improvement.

Implications

S&P’s four-level scoring scale provides a public gauge as to a company’s risk management capabilities and practices.

Weak
• Firm has limited capabilities to consistently identify, measure, and comprehensively manage risk exposures and thus limit losses.
• Sporadic execution of its risk-management program.

Adequate
• Manages risk in separate silos, but maintains complete control processes.
• Firm loss-/risk-tolerance guidelines less developed, but risk and risk management often considered.

Strong
• Demonstrates an enterprise-wide view of risks, but still focused on loss control.
• Risk and risk management usually important considerations in the firm’s corporate judgement.

Excellent
• Demonstrates risk/reward optimisation.
• Well-developed capabilities to consistently identify, measure and manage risk exposure and losses.

How is Risk Management structured?

[Diagram: ERM evaluation components for financial institutions, drawn as a Parthenon. Pillars: Economic Capital, Operational Risk, Market Risk, Credit Risk, Funding and Liquidity. Components: Trading risk, Interest rate risk (ALM), Underwriting processes, Credit, Liquidity management, Stress testing. Base: Risk governance (culture, appetite, disclosure).]

The base of the Parthenon provides the framework for the actual management of risk. The assessment of the effectiveness of risk management for the ‘pillars’ or ‘rafter’ is a fundamental assessment of management effectiveness. The assessment of the base is where the focus of Risk Management effectiveness/maturity is positioned. Typically, the following elements are assessed:

• Risk Policies and Standards
• Organisation and Governance
• Strategic Planning and Risk Appetite
• Risk Identification and Representation
• Risk Measurement and Reporting
• Risk Communication and Escalation
• Infrastructure
• Stakeholder Disclosure

An assessment can produce the following result.

[Table: number of ERM elements (Organisation and Governance; Strategic Planning and Risk Appetite; Risk Policies and Standards; Risk Identification and Representation; Risk Measurement and Reporting; Risk Communication and Escalation; Infrastructure; Stakeholder Disclosure) assessed at each maturity level (Basic, Developing, Developed, Advanced), shown separately for (UK) and [SA]. The individual figures are not recoverable from the transcription.]

This is based on the details as set out below.

Key ERM element: Organisation & Governance

#1 Criteria: Senior management direction and oversight
Illustrative practices: The structures and policies have recently been introduced and established.
Basic: The governance structures do not identify the Enterprise Risk Management Framework.
Developing: An Enterprise Risk Management Framework has been prepared that defines the risk policy and procedures but does not fully establish roles and responsibilities.
Developed: The Enterprise Risk Management Framework clearly defines key roles and responsibilities.
Advanced: The ERM framework provides the structure and purpose of the risk management activities and its continual relevance is assessed at least on an annual basis.

#2 Criteria: Coherent Board and management committee structures to facilitate effective reporting and oversight
Illustrative practices: The Audit and Risk Committee has recently been constituted and an Audit and Risk Committee has been combined.
Basic: Audit and Risk committees have not been specifically established to consider risk. Risks are considered to be addressed through the performance review structures only.
Developing: Audit and Risk committees have been established. Mandates are not clearly established and there is substantial overlap of risk consideration at the various committees.
Developed: Audit and Risk committees have been established with approved mandates and reporting requirements. Formal reporting to the committees takes place with some overlap of risk considerations.
Advanced: The board committees set risk strategy, approve limits and policy, oversee risk profiles and validate risk appetite on a periodic basis. The management committees integrate all aspects of risks, including risk specific committees that address market, credit, operational and compliance risks. They review the enterprise risk profile, evaluate key risk drivers, approve detailed policies and escalate key relevant issues to the Board. The effectiveness of the committees is reviewed annually.

#3 Criteria: Centralised risk function led by a Chief Risk Officer (CRO) with credibility, stature and clear reporting relationship with CEO
Illustrative practices: The CRO position has been recently established and an appointment made. The CRO is supported by a department that oversees the assurance activities and the operational and bank risk functions.
Basic: No CRO is appointed. Risk management activities are completed by Compliance or Internal Audit.
Developing: The CRO function is incorporated into line managers’ responsibilities.
Developed: A dedicated CRO is appointed with reporting through to Chief Actuary or equivalent.
Advanced: The CRO is appointed at a senior management level with direct reporting to the CEO and he/she attends/is represented on Exco. The CRO has effective interaction with Corporate Group Risk Management.

#4 Criteria: Clear definition and allocation of company wide roles and responsibilities
Illustrative practices: The risk management responsibilities in the bank have not been fully implemented.
Basic: Risk management responsibilities are not specifically identified. Reliance is placed on the performance management and specialist risk processes (such as actuarial modelling, etc.) to manage risk exposures.
Developing: Risk management processes are established to consider market, credit, operational and fiduciary risks.
Developed: Risk management is clearly defined as a line management responsibility. A specialist risk function (such as actuarial modelling, etc.) provides input to the business unit for risk management considerations. Internal audit reviews the effectiveness of the ERM processes. Business units have allocated risk champions.
Advanced: The risk management function has adequate resources (people, support tools, etc.). Risk and control owners are established with specific responsibility to ensure that the risk/control information is accurate and frequently assessed and remedial action is completed. Accountability for risk is reflected in incentives and rewards.

These assessments are typically reported to the Board through the Audit or Risk Committees.

Loss events and remediation

• Loss events occur throughout the business/operations throughout the year.
• There are many audits/reviews conducted throughout the business that identify potential loss events.
• Self assessments and planning events also identify areas of business that need improvement.

All of the above inform on the effectiveness of the management of risk. The events etc. should be linked to the risk exposures to determine if the underlying risks have been identified or if the current risk evaluation is accurate. The challenge is to capture the events, near misses and improvement opportunities and to link them to the risks.

Some organisations have processes and systems to record loss events, usually through the health and safety efforts. Basel II enforces the recording of events for banks. Usually there are diverse practices in recording the events and improvement opportunities, and there is no attempt to link these to risk and to provide a centralised record of the events and improvement opportunities.

Following on from the loss events and improvement opportunities is the remediation effort required to address the loss event and improvement area. A centralised approach where loss events and improvement opportunities are linked to risks will provide effective remediation consideration, as priorities can be established. The tracking of remediation is then enabled and can be reported to management and governance levels. Targets can be set to address a priority percentage of identified remediation. Such an approach prevents a shopping list of actions that keep getting ca

