ABC DEVELOPMENT ADVISORS PVT. LTD
ERM Study by Practus Advisors
Table of Contents
S.No.  Details                              Slide#
1      ERM: Definition and Applicability    3
2      ERM: Objectives                      4
3      Risk Appetite                        5
4      External & Internal Factors          6
5      ERM: Framework                       7-24
6      ERM: Governance Structure            25
7      Questions and Answers                26
ERM: Definition and Applicability
Enterprise Risk Management (“ERM”) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Applicable to all business functions and units of an organization, as indicated below:
Customer Facing Organization - Sales & Marketing
Product Organization - Operations, Consulting
Support Functions - Finance, Human Resources, Administration, Communications etc.
Applicable only to enterprise-wide risks and to high-level operational risks that have a strategic impact on the organization.
ERM: Objectives
The objective of embarking on the ERM journey is to strengthen and formalize risk management practices and to manage risk in a structured and consistent manner.
The specific objectives include:
To enable organizational sustainability, taking cognizance of the impact of its services & operations on society & the environment
Reduce potential gaps in achieving the company’s objectives
Align & integrate existing risk management practices in the organization
Build the confidence of stakeholders
Enhance corporate governance
Risk Appetite
Risk appetite is the amount of risk that an organization is willing to take or retain in pursuing its objectives. The understanding of risk appetite is based on the following key parameters:
Financial Parameters: Impact on annual revenue, cost and profit (actual vs. budgeted); impact on the asset base.
Regulatory Parameters: Non-compliance with company law matters and other Government of India regulations, with or without financial penalties.
Reputation Parameters: With respect to specific stakeholders such as investors, analysts, key customers & vendors, employees, media & the general public.
Non-Financial and Other Qualitative Parameters: Service disruption, delay in service, attrition at senior & executive levels.
Environmental Factors for Determining Risks
Internal Factors
Organizational strategy and objectives
Inherent strengths and weaknesses of the businesses
Organizational structure, roles & responsibilities
Values & belief system
Incentive and development mechanisms, and how they are expected to drive employee behaviour
Internal systems and processes
Internal control and monitoring mechanisms
External Factors
New/ changes in government regulations and/or policies
Vendor group partners, alliances
Socio-economic condition
Technological changes and advancements
ERM: Framework
The ERM framework is a systematic application of risk management procedures and practices for establishing ERM.
It is a continuous process beginning with risk identification and followed sequentially by risk assessment, risk evaluation and risk response.
It lays down activities for risk monitoring, review, control and managing materialized risks to support the entire ERM process.
The framework diagram on the slide shows these stages operating within the internal and external environment: Risk Identification, Risk Assessment, Risk Prioritization, Risk Response, Risk Escalation and Control, Risk Monitoring and Review, and Managed Materialized Risk.
Risk Identification & Risk Drivers
Risk identification involves identifying any possible threat or vulnerability which may adversely affect the organization’s vision or mission.
As part of the risk identification process, it is also important to understand which of the business drivers are impacted by the materialization of a risk.
Risks identified can be segregated into two levels:
Enterprise-wide Risks - These are strategic risks that have a mid- to long-term impact on the organization, including operational risks that have a strategic impact on the organization. E.g. ‘Reputational risk’.
Process-level Risks - These are operational risks that have a current to short-term impact on operational activities and tasks. These risks are faced by the operational teams on a periodic basis due to the ongoing operations of the company. E.g. ‘Duplicate invoices from vendors’, ‘Manual invoicing to customers/clients’.
Suggestions for Risk Identification Process
I. Risk Register: Risks for each business line of an organization shall be documented in a risk register.
A risk register acts as a central repository for risks.
The purpose of the risk register is to identify and record risks and related information in a structured manner.
Ownership of the risk register shall lie with the Chief Risk Officer.
Ownership of individual risks will lie with individual process owners within each function.
Risks identified and assessed can arise from multiple categories, termed ‘Risk type/ category’:
Effectiveness and efficiency of operations (Operational)
Reliability of financial reporting (Reporting)
Compliance with applicable laws and regulations (Compliance)
Sustenance/ Safeguarding of assets (Strategic)
The stipulated risk register format is a table; of its column headings, only Mitigation, Likelihood and Owner are legible in the slide text.
Suggestions for Risk Identification Process
II. Chief Risk Officer: The Chief Risk Office shall assist in risk identification and in creating and updating risk registers. However, it is the responsibility of each process owner to identify risks relevant to their department’s set-up and objectives.
Key Responsibilities of the Chief Risk Officer:
Providing overall leadership to the ERM process in line with the directions of the Board of Directors
Developing and assuming ownership of the risk management policy, framework and process
Program-managing the implementation of the ERM framework
Liaising with the Risk Steering Committee at various levels for deploying the ERM process
Maintaining the risk registers and the risk response plan tracker
Promoting a risk management culture through trainings, reporting and other internal communications
Risk Assessment
Risk assessment refers to the process followed for understanding the nature and level of risk.
The onus of risk assessment lies with the risk identifier/ owner, who may choose to consult the Chief Risk Officer for assistance.
Risk assessment provides the inputs required for evaluating the risk response.
Based on the results of the assessment, the appropriate action to be taken as the risk response is decided.
Risk assessment is based on the following parameters:
Time to manifest - How quickly the risk is likely to manifest
Likelihood of risk events
Potential impact of the identified risk scenarios
Risk Assessment
Time to Manifest
Time to manifest shall be considered only for external environment risks that are beyond the management’s control.
In order to assess the time to manifest, the identifier (/owner) of the risk should define the following:
The time horizon within which the impact is likely to occur
The time horizon required to actively respond to the risk
Elapsed time before the next risk assessment
Likelihood of Risk Events
It will be done in two stages:
Considering the impact and the likelihood of the events without taking any mitigation actions
Considering the impact and the likelihood of the events if actions for mitigation are taken
Potential Impact of Identified Risk
It will also be calculated in the same manner as the likelihood of risk events, i.e. in the same two stages.
Risk Assessment
In order to visually depict the risk assessment based on ‘residual risk’, a “heat map” (graphical representation of impact and likelihood) may be used based on the risk analysis (depicted in the next slide).
A five by five matrix shall be used for measuring likelihood and impact. The risk shall be evaluated as:
Risk Priority = Likelihood * Impact
Legends to the matrix
Risk  Description
1     Shortage of skilled manpower
2     Inadequate financial planning
3     Erosion of brand and reputation
4     Poor forecasting and MIS
5     Litigation due to regulatory violation
6     Time and cost overruns
7     Lack of innovation
8     Inconsistent quality of service
Likelihood*Impact (Range)                          Risk Zone
Score less than 5                                  Low
Score greater than or equal to 5 but less than 12  Medium
Score greater than or equal to 12                  High
Risk Assessment: Matrix
Rows: Likelihood; columns: Impact; cell value = Likelihood * Impact
                     Insignificant  Minor  Moderate  Major  Catastrophic
                     (1)            (2)    (3)       (4)    (5)
Almost certain (5)   5              10     15        20     25
Likely (4)           4              8      12        16     20
Possible (3)         3              6      9         12     15
Unlikely (2)         2              4      6         8      10
Rare (1)             1              2      3         4      5
Risks 1-8 from the legend are plotted on this matrix in the original slide.
Risk Assessment - Suggested Parameters
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major
Ref. 1.1 - Financial: Potential impact on profitability and cash flow
Calculation: % of yearly ‘Total Revenue’ or absolute value, whichever is lesser
  Insignificant (1): Less than or equal to 2%; < Rs.2 Cr
  Minor (2): More than 2% but less than or equal to 3%; Rs.2 Cr - Rs.10 Cr
  Moderate (3): More than 3% but less than or equal to 4%; Rs.11 Cr - Rs.50 Cr
  Major (4): More than 4% but less than or equal to 5%; Rs.51 Cr - Rs.500 Cr
Ref. 1.2 - Financial: Potential impact on asset base (Value at risk)
Calculation: % of yearly EBITDA or absolute value, whichever is lesser
  Insignificant (1): Less than or equal to 2% of EBITDA; < Rs.2 Cr
  Minor (2): More than 2% but less than or equal to 3% of EBITDA; Rs.2 Cr - Rs.10 Cr
  Moderate (3): More than 3% but less than or equal to 4% of EBITDA; Rs.11 Cr - Rs.50 Cr
  Major (4): More than 4% but less than or equal to 5% of EBITDA; Rs.51 Cr - Rs.500 Cr
Risk Assessment - Suggested Parameters
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major
Ref. 1.3 - Regulatory Impact: Potential impact on business owing to applicable regulations
Calculation: Potential financial penalties from the regulator
  Insignificant (1): Regulatory and legal non-compliances resulting in a notice/ warning from the regulator
  Minor (2): Regulatory and legal non-compliances with potential financial penalties up to Rs.5 Lacs
  Moderate (3): Regulatory and legal non-compliances with potential financial penalties between Rs.6 Lacs and Rs.50 Lacs
  Major (4): Regulatory and legal non-compliances with potential financial penalties from Rs.51 Lacs to Rs.1 Cr
Ref. 1.4 - Reputational: Potential impact on brand image
Calculation: Qualitative impact (Reputational)
  Insignificant (1): Impact on brand image, but can be prevented through immediate corrective action
  Minor (2): Impact on brand image, but contained within the organization within a specific circle
  Moderate (3): Reputational loss contained within the organization, but with a reach across multiple circles
  Major (4): Reputational loss at circle level, with mass reach (i.e. media and public)
Risk Assessment - Suggested Parameters
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major
Ref. 1.5 - Non-Financial: Potential impact on the control environment and relationships (internal and external)
Calculation: Qualitative and quantitative impact
  Insignificant (1): No risk of litigation. Disruption in relation with a non-strategic vendor. Attrition rate of skilled personnel lower than industry levels, or attrition of unskilled staff. Impacts 0.05% to 0.10% of the customer base.
  Minor (2): Arbitration with financial penalty as above. Disruption in relation with a non-strategic vendor. Attrition rate of skilled personnel higher than industry level. Impacts 0.10% to 0.15% of the customer base.
  Moderate (3): Court litigation with possible penalty as above. Disruption in relation with non-strategic vendors. Attrition of personnel at the Senior Management level (non-Executive Committee). Impacts 0.10% to 0.25% of the customer base.
  Major (4): Court litigation with possible penalty as above. Disruption in relation with a strategic vendor. Attrition of personnel at the Executive Committee level. Impacts 0.25% to 0.50% of the customer base.
(The four customer-base percentage ranges appear in the slide text out of column order; assigning them in ascending order across the scale is an assumption.)
Risk Prioritization
Risk prioritization is the process of prioritizing risks having a residual risk, based on whether the risk and its magnitude are acceptable or tolerable within the organization’s risk appetite.
The intent of risk prioritization is to:
Enable escalation to the appropriate level of management as per the risk measurement criteria
Prioritize the implementation of the risk response
Ensure appropriate resource allocation within the acceptable ‘potential cost of risk mitigation’ for the purpose of creating an ongoing risk response
Channel management focus towards risks of significant concern
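Worked example (added here; this is not code from the Practus deck or from ABC Development Advisors): a small Python risk register that applies the scoring rules from the preceding slides, namely the 5x5 Likelihood * Impact score, the zones (score < 5 Low, 5 to 11 Medium, 12 and above High), the two-stage inherent/residual assessment, and the parameter 1.1 financial impact bands. The function names, the sample risks and ratings, the treatment of the High zone as the escalation trigger, and the reading of ‘whichever is lesser’ as the lower of the two scores are all assumptions, not statements from the deck.

```python
# Added example (not from the Practus deck): risk scoring per the rules on the slides.
from dataclasses import dataclass
from typing import List, Optional, Tuple

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


def risk_zone(score: int) -> str:
    """Deck thresholds: score < 5 Low; 5 <= score < 12 Medium; score >= 12 High."""
    if score < 5:
        return "Low"
    if score < 12:
        return "Medium"
    return "High"


def _pct_band(pct: float) -> Optional[int]:
    """Parameter 1.1, % of yearly Total Revenue: <=2% ->1, (2,3] ->2, (3,4] ->3, (4,5] ->4."""
    for upper, score in ((2.0, 1), (3.0, 2), (4.0, 3), (5.0, 4)):
        if pct <= upper:
            return score
    return None  # beyond the Major band; the slide gives no Catastrophic column


def _abs_band(crore: float) -> Optional[int]:
    """Parameter 1.1, absolute value in Rs. crore: <2 ->1, 2-10 ->2, 11-50 ->3, 51-500 ->4.
    The slide leaves 10-11 and 50-51 undefined; values there fall into the higher band here."""
    if crore < 2:
        return 1
    if crore <= 10:
        return 2
    if crore <= 50:
        return 3
    if crore <= 500:
        return 4
    return None


def financial_impact(loss_crore: float, revenue_crore: float) -> Optional[int]:
    """Impact score (1-4) for parameter 1.1.
    'Whichever is lesser' is read here (assumption) as the lower of the two scores.
    Returns None when the loss is beyond every band printed on the slide."""
    pct = 100.0 * loss_crore / revenue_crore
    scores = [s for s in (_pct_band(pct), _abs_band(loss_crore)) if s is not None]
    return min(scores) if scores else None


@dataclass
class Risk:
    name: str
    category: str                 # Operational / Reporting / Compliance / Strategic
    owner: str                    # process owner, per the deck
    inherent: Tuple[str, str]     # (likelihood, impact) without mitigation actions
    residual: Tuple[str, str]     # (likelihood, impact) if mitigation actions are taken
    mitigation: str = ""

    def score(self, stage: str = "residual") -> int:
        likelihood, impact = getattr(self, stage)
        return LIKELIHOOD[likelihood] * IMPACT[impact]   # Risk Priority = Likelihood * Impact

    def zone(self, stage: str = "residual") -> str:
        return risk_zone(self.score(stage))


def prioritize(register: List[Risk]) -> List[Risk]:
    """Residual score first, inherent score as tie-breaker, highest first."""
    return sorted(register, key=lambda r: (r.score("residual"), r.score("inherent")), reverse=True)


def escalation_list(register: List[Risk], stage: str = "residual") -> List[str]:
    """Names of risks in the High zone; using High as the escalation trigger is an assumption."""
    return [r.name for r in register if r.zone(stage) == "High"]


# Constructed sample register; ratings and mitigations are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Risk("Shortage of skilled manpower", "Strategic", "Head of HR",
         inherent=("Likely", "Major"), residual=("Possible", "Moderate"),
         mitigation="Retention plan and bench hiring"),
    Risk("Litigation due to regulatory violation", "Compliance", "Chief Legal Officer",
         inherent=("Unlikely", "Major"), residual=("Unlikely", "Moderate"),
         mitigation="Quarterly compliance self-certification"),
    Risk("Duplicate invoices from vendors", "Operational", "AP process owner",
         inherent=("Possible", "Minor"), residual=("Unlikely", "Minor"),
         mitigation="Duplicate-invoice check in the AP workflow"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.name:40} inherent {r.score('inherent'):2} ({r.zone('inherent')})"
              f"  residual {r.score('residual'):2} ({r.zone('residual')})  owner: {r.owner}")
    print("Escalate on inherent risk:", escalation_list(SAMPLE_REGISTER, "inherent"))
    print("Financial impact, Rs.2.5 Cr loss on Rs.100 Cr revenue:", financial_impact(2.5, 100))
```

Run as-is, the sample register orders the manpower risk first (inherent 16, High; residual 9, Medium), then the litigation risk (8 / 6, both Medium), then duplicate invoices (6 Medium falling to 4 Low once the AP check is in place), and only the manpower risk reaches the High zone before mitigation. The inherent-versus-residual pair is what the two-stage assessment on the earlier slide produces, and the gap between the two numbers is the cheapest check of whether a recorded mitigation is actually doing anything.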
Risk Response
Risk response is the treatment of the risk identified, post assessment and prioritization.
This phase of the ERM process is intended to:
Understand and ensure existing controls/ mitigation mechanisms are in place for managing and treating risks
Generate a new risk response plan if the existing controls are ineffective and/ or need to be strengthened to respond to the identified risk
Continuously assess the effectiveness of such response plans
A risk response falls into one of the following 4 categories:
Avoid - Exiting the activity giving rise to the risk
Reduce - Action is taken to reduce risk likelihood or impact, or both
Share - Reducing risk likelihood/ impact by transferring/ sharing a portion of the risk
Accept - No action is taken to affect risk likelihood or impact
The choice of an appropriate response option must consider the following:
Net effect of the potential response on risk likelihood and impact
Cost versus benefit of the potential response
Risk Response
High-level steps for risk response:
Evaluate the mitigations in place for key risks
Evaluate control requirements
Verify and evaluate the controls currently in place for key risks
Take decisions on the acceptability of identified risks and controls
Document action plans for risk mitigation
Use the outputs of risk assessments for budgeting and capital allocation processes
The chosen risk response plan has to be supported by a detailed implementation plan.
This implementation plan should clearly outline:
Activity plan with the various steps to be performed
Intended outcome of the activity plan
Resource requirements to achieve successful implementation
Accountability and responsibility for the activity plan
Implementation time schedule
Risk Escalation & Control
A critical element of ERM is an effective system of escalation which ensures that specific issues are promptly communicated to the relevant authorities.
The Enterprise Risk organization structure establishes clear reporting lines and defines the responsibilities of the various levels of the ERM structure.
Risk escalation may stem from one or more of the following:
Identification of new risks at business line and entity level
Change in impact/ likelihood of identified risks causing a change in the risk evaluation
Unforeseen contingencies
Risk control refers to the policies and procedures that help ensure that the risk responses determined by the risk owners are carried out.
Risk Reviews
Periodic risk monitoring, review and reporting are critical components for the success of the ERM process. The intent of monitoring and reviewing risks and their respective response plans is to:
Analyze and track events, changes and trends which affect identified risks
Assess the impact of such changes on risk assessment and evaluation
Assess the impact of such changes on response plans
Risk monitoring should be conducted on a periodic basis for the identified risks, in order to track the status of response plans and consequently update changes to risk profiles.
The risk profiles contain measurable indicators for proactively monitoring the performance of the mitigation plans. The indicators can be defined as:
Key Risk Indicator (KRI): Qualitative or quantitative indicators that proactively highlight the potential existence and magnitude of the risk
Key Control Indicator (KCI): Qualitative or quantitative indicators that indicate the effectiveness of the control implemented through the mitigation plan for the risk
Risk reviews involve re-examination of the risk register, risk assessment and risk response, including the risk profiles. The risk reviews should be carried out on a quarterly basis (minimum) and updated in the risk report. The Chief Risk Office function shall initiate and assist the risk monitoring and risk review process.
ERM Calendar
#  Activities of the Chief Risk Officer                                                          Frequency  Timelines (M1-M12)
1  Assessment and approval of Risk Appetite (including risk parameters)                          Annual     once a year (month marked on the slide)
2  Re-evaluate top enterprise risks                                                              Annual     once a year (month marked on the slide)
3  Review, update (where necessary) and communicate ERM policy                                   Annual     once a year (month marked on the slide)
4  Inputs on risk from the CRO in preparation of the AOP, risk validation & risk identification  Annual     once a year (month marked on the slide)
5  Periodic self-certification                                                                   Quarterly  once per quarter (four months)
6  Review & update the Risk Register                                                             Ongoing    every month, M1 to M12
7  Monitor and update/ create risk profiles, including mitigation plan                           Ongoing    every month, M1 to M12
Managing Materialized Risk
It is necessary to have a crisis/ incident response plan for the timely and effective management of an event of risk materializing.
The crisis management plan should detail the following:
The situations for which action plans shall be invoked
The manner in which such plans shall be actioned
The individuals/ departments involved in such planning and execution
Tracking data pertaining to materialized risks is an essential input to the development and functioning of ERM and should be captured in a Loss Event Database.
Format of a Loss Event Database (column headings):
Incident description | Incident type | Incident owner | Incident cause | Reporting Month | Total actual cost to date (INR) | Worst case potential loss (INR) | Realistic loss expected (INR) | Actions | Actions completed
Ideal ERM Governance Structure
The organization chart on the slide shows: Board of Directors; MD; Steering Committee; Internal Auditors; CFO; Chief Legal Officer; Chief Risk Officer; All Functional Heads; Risk Champions in each Dept.
Risk Champions:
Facilitator and coordinator w.r.t. risk management activities within the function.
Report to the Functional Head and the Chief Risk Officer.
Facilitate the implementation of ERM initiatives and mitigation plans within the function.
Role of Steering Committee:
Review the decisions taken by the functional heads.
Responsible for strategic direction setting.
Report to the Board of Directors.
Work with Internal Auditors, who will be responsible for review of the ERM process and for questioning non-compliance in the system.
Formulating and deploying risk management policies.
Questions and Answers