XYZ Pvt. Ltd.
ERM Study by Practus Advisors
Table of Contents
1. ERM: Definition and Applicability (slide 3)
2. ERM: Objectives (slide 4)
3. Risk Appetite (slide 5)
4. ERM: Framework (slides 6-25)
5. ERM: Governance Structure (slide 26)
6. Questions and Answers (slide 27)
ERM: Definition and Applicability
Enterprise Risk Management ("ERM") is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide a reasonable assurance regarding the achievement of entity objectives."
This framework is applicable to all business functions and units of an organization, as indicated below:
Customer Facing Organization - Sales & Marketing
Product Organization - Operations
Technical Organization - Quality Assurance & Technical Services, EDP & Engineering
Supply Chain - Procurement & Logistics
Support Functions - Finance, Legal, Secretarial & Corporate Affairs, and Human Resources
This framework is applicable only to enterprise-wide and high-level operational risks that have a strategic impact on the organization.
ERM: Objectives
The objective of embarking on the ERM journey is to strengthen and formalize risk management practices and to manage risk in a structured and consistent manner. The specific objectives include:
Enable organizational sustainability, taking cognizance of the impact of its products, services and operations on society and the environment
Reduce potential gaps in achieving the company's objectives
Align and integrate existing risk management practices in the organization
Build the confidence of stakeholders
Enhance corporate governance
Risk Appetite
Risk appetite is the amount of risk that an organization is willing to pursue or retain in pursuing its objectives. The understanding of risk appetite is based on the following key parameters:
Financial Parameters: Impact on annual revenue, cost and profit (actual vs. budgeted); impact on the asset base.
Regulatory Parameters: Non-compliance with company law matters and other Government of India regulations, with or without financial penalties.
Reputation Parameters: With respect to specific stakeholders such as investors, analysts, key customers and vendors, employees, media and the general public.
Non-Financial and other qualitative Parameters: Service disruption, delay in service/product launch, attrition at senior and executive levels.
The above risk appetite parameters are used as the basis of the ERM Framework.
ERM: Framework
The ERM framework is a systematic application of risk management procedures and practices for establishing ERM.
The ERM framework is a continuous process beginning with risk identification and followed sequentially by risk assessment, risk evaluation and risk response.
The framework also lays down activities for risk monitoring, review, control and managing materialized risks to support the entire ERM process across the organization.
[Framework diagram: Internal and External Environment -> Risk Identification -> Risk Assessment -> Risk Prioritization -> Risk Response -> Risk Escalation and Control -> Risk Monitoring and Review -> Managed / Materialized Risk]
Environmental Factors for Determining Risks: External Factors
Risks may arise from changes or developments in the internal and external environment of an organization. It is imperative to understand and identify signals of change in the external and internal context of the organization.
External Factors
These factors can be determined by:
Porter's Five Forces Model: Threat of New Entrants; Intensity of Competitive Rivalry; Bargaining Power of Customers; Bargaining Power of Suppliers; Threat of Substitute Products/Services.
PESTLE Analysis: Political, Economic, Social, Technological, Legal and Environmental Factors.
SWOT Analysis: Strengths, Weaknesses, Opportunities, Threats.
Indicative external signals of change:
New/ changes in government regulations and/or policies
Vendor group partners, alliances
Socio-economic conditions
Technological changes and advancements
Environmental Factors for Determining Risks:
Internal Factors
Internal Environment:
The following are indicative factors/ signals of change from an internal environment perspective:
Organizational strategy and objectives
Inherent strengths and weaknesses/ vulnerabilities of businesses
Organizational structure and roles & responsibilities
The organization values & belief system
Incentive and development mechanisms, and how they are expected to drive employee behavior
Internal Systems and processes
Internal control and monitoring mechanisms
Risk Identification - Risk Drivers
Risk Management begins with Risk Identification, which involves identifying any possible threat or vulnerability which may adversely affect the organization's vision or mission.
As a part of the risk identification process, it is also important to understand which of the business drivers are impacted by the materialization of a risk.
Risks identified can be segregated into two levels:
Enterprise-wide Risks - These are strategic risks that have a mid to long term impact on the organization, including operational risks that have a strategic impact on the organization. E.g. 'Reputational risk'.
Process level Risks - These are operational risks that have a current to short term impact on operational activities and tasks. These risks are faced by the operational teams on a periodic basis due to the ongoing operations of the company. E.g. 'duplicate invoices from vendors'.
Indicative risk drivers, by category and event:
Consumers: Change in customer needs; Standardization/ customization of product reducing company margin; Change in customer landscape
Suppliers and Alliances: Overdependence on a vendor / group of vendors; Change in bargaining power of suppliers
Competitors: Change in value offered - product / price / service; New competitors from other markets / adjacent industries; Aggressive competition from new entrants
Macro-Economic: Sudden regulatory changes
Suggestions for Risk Identification Process
I.
Risk Register : Risks for each business line of an organization shall be documented in a risk register. A risk register acts as a central
repository for risks. The purpose of the risk register is to identify and record risks and related information in a structured manner.
The ownership of the risk register shall lie with the chief risk officer while the ownership of individual risks will lie with individual
process owners within each function.
Risks identified and assessed can arise from multiple categories, termed under ‘Risk type/category’.
Effectiveness and efficiency of operations (Operational)
Reliability of financial reporting (Reporting)
Compliance with applicable laws and regulations (Compliance)
Sustenance/ Safeguarding of Assets (Strategic)
Format of the stipulated risk register is as follows:
Suggestions for Risk Identification Process
II. Chief Risk Officer: The Chief Risk Officer shall assist in risk identification and in creating and updating risk registers. However, it is the responsibility of each process owner to identify risks relevant to their department set-up and objectives.
Key Responsibilities of the Chief Risk Officer:
Providing overall leadership to the ERM process in line with the directions of the Board of Directors
Developing and assuming ownership of the risk management policy, framework and process
Program-managing the implementation of the ERM framework
Liaising with the Risk Steering Committee at various levels for deploying the ERM process
Maintaining the risk registers and the risk response plan tracker
Promoting a risk management culture through trainings, reporting and other internal communications
Risk Assessment
Risk assessment refers to the process followed for understanding the nature and level of risk.
The onus of risk assessment lies with the risk identifier/ owner, who may choose to consult the Chief Risk Officer for assistance.
Risk assessment provides the inputs required for evaluating the risk response.
Based on the results of the assessment, an appropriate action to be taken as the risk response is decided.
Risk assessment is based on the following parameters:
Time to manifest - how quickly the risk is likely to manifest
Likelihood of risk events
Potential impact of the identified risk scenarios
Risk Assessment
Time to Manifest: Time to manifest shall be considered only for external environment risks that are beyond the management's control. In order to assess the time to manifest, the identifier (/owner) of the risk should define the following: the time horizon within which the impact is likely to occur; the time horizon required to actively respond to the risk; the elapsed time before the next risk assessment.
Likelihood of Risk Events: It will be done in two stages: (1) considering the impact and the likelihood of the events without taking any mitigation actions (inherent risk); (2) considering the impact and the likelihood of the events if actions for mitigation are taken (residual risk).
Potential Impact of Identified Risk: It will also be calculated in the same manner as the likelihood of risk events.
Risk Assessment
In order to visually depict the risk assessment based on 'residual risk', a "heat map" (graphical representation of impact and likelihood) may be used based on the risk analysis (depicted in the next slide).
A five by five matrix shall be used for measuring likelihood and impact. The risk shall be evaluated as:
Risk Priority = Likelihood * Impact
Legend to the matrix (Likelihood*Impact range -> Risk zone):
Score less than 5 -> Low
Score greater than or equal to 5 but less than 12 -> Medium
Score greater than or equal to 12 -> High
Sample risks plotted on the matrix:
1 Shortage of skilled Manpower
2 Inadequate financial planning
3 Erosion of brand and reputation
4 Poor forecasting and MIS
5 Litigation due to regulatory violation
6 Time and cost overruns
7 Lack of innovation
8 Inconsistent quality of service
Risk Assessment: Matrix (cell value = Likelihood * Impact)

Likelihood \ Impact   Insignificant (1)  Minor (2)  Moderate (3)  Major (4)  Catastrophic (5)
Almost certain (5)            5              10          15           20            25
Likely (4)                    4               8          12           16            20
Possible (3)                  3               6           9           12            15
Unlikely (2)                  2               4           6            8            10
Rare (1)                      1               2           3            4             5

[The original slide plots sample risks 1-8 from the legend on this matrix; their cell positions are not recoverable from the extracted text.]
Risk Assessment - Parameters
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major

Ref. 1.1 Financial - Potential impact on Profitability and Cash flow
Calculation: % of yearly 'Total Revenue', or absolute value (whichever is lesser)
1 Insignificant: less than or equal to 2% of Total Revenue; absolute value < Rs.2 Cr
2 Minor: more than 2% but less than or equal to 3%; Rs.2 Cr - Rs.10 Cr
3 Moderate: more than 3% but less than or equal to 4%; Rs.11 Cr - Rs.50 Cr
4 Major: more than 4% but less than or equal to 5%; Rs.51 Cr - Rs.500 Cr

Ref. 1.2 Financial - Potential impact on asset base (Value at risk)
Calculation: % of yearly EBITDA, or absolute value (whichever is lesser)
1 Insignificant: less than or equal to 2% of EBITDA; absolute value < Rs.2 Cr
2 Minor: more than 2% but less than or equal to 3% of EBITDA; Rs.2 Cr - Rs.10 Cr
3 Moderate: more than 3% but less than or equal to 4% of EBITDA; Rs.11 Cr - Rs.50 Cr
4 Major: more than 4% but less than or equal to 5% of EBITDA; Rs.51 Cr - Rs.500 Cr
Risk Assessment - Parameters (continued)
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major

Ref. 1.3 Regulatory Impact - Potential impact on business owing to applicable regulations
Calculation: Potential financial penalties from the regulator
1 Insignificant: Regulatory and legal non-compliances resulting in a notice/ warning from the regulator
2 Minor: Regulatory and legal non-compliances with potential financial penalties up to Rs.5 Lacs
3 Moderate: Regulatory and legal non-compliances with potential financial penalties between Rs.6 Lacs and Rs.50 Lacs
4 Major: Regulatory and legal non-compliances with potential financial penalties between Rs.51 Lacs and Rs.1 Cr

Ref. 1.4 Reputational - Potential impact on brand image
Calculation: Qualitative impact
1 Insignificant: Impact on brand image, but can be prevented through immediate corrective action
2 Minor: Impact on brand image, but contained within the organization within a specific circle
3 Moderate: Reputational loss contained within the organization, but with a reach across multiple circles
4 Major: Reputational loss at circle level, with mass reach (i.e. media and public)
Risk Assessment - Parameters (continued)
Scale: 1 = Insignificant, 2 = Minor, 3 = Moderate, 4 = Major

Ref. 1.5 Non-Financial - Potential impact on the control environment and relationships (internal and external)
Calculation: Qualitative and Quantitative Impact
1 Insignificant: No risk of litigation. Disruption in relation with a non-strategic vendor. Attrition rate of skilled personnel lower than industry levels, or attrition of unskilled staff. Impacts 0.05% to 0.10% of the customer base.
2 Minor: Arbitration with financial penalty (as in 1.3 above). Disruption in relation with a non-strategic vendor. Attrition rate of skilled personnel higher than industry level. Impacts 0.10% to 0.15% of the customer base.
3 Moderate: Court litigation with possible penalty (as in 1.3 above). Disruption in relation with non-strategic vendors. Attrition of personnel at the Senior Management level (non-Executive Committee). Impacts 0.10% to 0.25% of the customer base.
4 Major: Court litigation with possible penalty (as in 1.3 above). Disruption in relation with a strategic vendor. Attrition of personnel at the Executive Committee level. Impacts 0.25% to 0.50% of the customer base.
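The scoring rules on the Risk Assessment slides (Risk Priority = Likelihood * Impact on the 5x5 matrix; Low, Medium and High zones at <5, 5-11 and >=12; financial impact taken as the lesser of the percentage-of-base band and the absolute Rs. Cr band) worked through in code. This is an added example written for this page, not code from the Practus deck. Assumptions not stated on the slides: the sample risk and its revenue figures are constructed; the gap between Rs.10 Cr and Rs.11 Cr is closed at Rs.10 Cr (Minor up to 10, Moderate above); and because the extracted parameter tables define only bands 1-4, anything beyond the Major band is scored 5 (Catastrophic).

```python
"""Risk scoring on the deck's 5x5 heat map (added example, not from the slides).

Assumptions (not in the extracted slides): losses beyond the 'Major' band
score 5 (Catastrophic); the Rs.10 Cr / Rs.11 Cr gap is closed at Rs.10 Cr;
the sample risk and its base figures are constructed.
"""
from dataclasses import dataclass

# Percentage-of-base bands (% of yearly Total Revenue for 1.1, % of EBITDA for 1.2):
# <=2% -> 1, >2-3% -> 2, >3-4% -> 3, >4-5% -> 4. Beyond 5% -> 5 (assumed).
PCT_BANDS = [(2.0, 1), (3.0, 2), (4.0, 3), (5.0, 4)]
# Absolute bands in Rs. Cr: <2 -> 1, 2-10 -> 2, >10-50 -> 3, >50-500 -> 4, beyond -> 5 (assumed).
ABS_BANDS_CR = [(10.0, 2), (50.0, 3), (500.0, 4)]


def pct_score(pct_of_base: float) -> int:
    """Impact score from a loss expressed as % of the base (revenue or EBITDA)."""
    for upper, score in PCT_BANDS:
        if pct_of_base <= upper:
            return score
    return 5  # assumed Catastrophic band


def abs_score(loss_cr: float) -> int:
    """Impact score from the absolute loss in Rs. Cr."""
    if loss_cr < 2.0:
        return 1
    for upper, score in ABS_BANDS_CR:
        if loss_cr <= upper:
            return score
    return 5  # assumed Catastrophic band


def financial_impact(loss_cr: float, base_cr: float) -> int:
    """Financial impact (1.1/1.2): the lesser of the % band and the absolute band."""
    if base_cr <= 0 or loss_cr < 0:
        raise ValueError("base must be positive and loss non-negative")
    return min(pct_score(100.0 * loss_cr / base_cr), abs_score(loss_cr))


def risk_priority(likelihood: int, impact: int) -> int:
    """Risk Priority = Likelihood * Impact on the 5x5 scale."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError("likelihood and impact must be 1..5")
    return likelihood * impact


def risk_zone(score: int) -> str:
    """Legend: <5 Low, 5..11 Medium, >=12 High."""
    if score < 5:
        return "Low"
    if score < 12:
        return "Medium"
    return "High"


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int            # stage 1: without mitigation actions
    impact: int
    residual_likelihood: int   # stage 2: with mitigation actions taken
    residual_impact: int


def assess(risk: Risk) -> dict:
    """Inherent and residual priority and zone for one risk register entry."""
    inherent = risk_priority(risk.likelihood, risk.impact)
    residual = risk_priority(risk.residual_likelihood, risk.residual_impact)
    return {
        "risk": risk.name,
        "inherent": inherent, "inherent_zone": risk_zone(inherent),
        "residual": residual, "residual_zone": risk_zone(residual),
    }


if __name__ == "__main__":
    # Constructed sample: a Rs.30 Cr overrun against Rs.500 Cr revenue (6%) scores
    # 5 on the % band but 3 on the absolute band; the lesser (3) applies.
    impact = financial_impact(loss_cr=30, base_cr=500)
    overrun = Risk("Time and cost overruns", likelihood=4, impact=impact,
                   residual_likelihood=2, residual_impact=impact)
    print(assess(overrun))
    # The same Rs.30 Cr loss against Rs.2000 Cr revenue is 1.5%: % band 1, so the
    # 'whichever is lesser' rule scores it Insignificant despite the absolute amount.
    print(financial_impact(loss_cr=30, base_cr=2000))
```

The second sample call shows the consequence of the "whichever is lesser" rule: the larger the revenue or EBITDA base, the lower the score a fixed absolute loss receives, so a Rs.30 Cr loss that is Moderate for a Rs.500 Cr company is Insignificant for a Rs.2000 Cr company. Whoever approves the risk appetite parameters (ERM calendar item 1) should confirm that this leniency is intended rather than a by-product of the scale.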
Risk Prioritization
Risk prioritization is the process of prioritizing risks that carry a residual risk, based on whether the risk and its magnitude are acceptable or tolerable within the organization's risk appetite.
The intent of risk prioritization is to:
Enable escalation to the appropriate level of management as per the risk measurement criteria
Prioritize the implementation of the risk response
Ensure appropriate resource allocation within an acceptable 'potential cost of risk mitigation' for the purpose of creating an ongoing risk response
Channel management focus towards risks of significant concern
Risk Response
Risk response is treatment of the risk identified post assessment and prioritization
This phase of the ERM process is intended to:
Understand and ensure existing controls/ mitigation mechanisms are in place for managing and treating risks
Generate a new risk response plan if the existing controls are ineffective and/ or need to be strengthened to respond to
the identified risk
Continuously assess the effectiveness of such response plans
A risk response falls into one of the following 4 categories:
Avoid - Exiting the activity giving rise to the risk
Reduce - Action is taken to reduce risk likelihood or impact, or both
Share - Reducing risk likelihood / impact by transferring / sharing a portion of the risk
Accept - No action is taken to affect risk likelihood or impact
The choice of an appropriate response option must consider the following:
Net effect of potential response on risk likelihood and impact
Cost versus benefit of potential response
Risk Response
High-level steps for risk response:
Evaluate the mitigations in place for key risks
Evaluate control requirements
Verify and evaluate the controls currently in place for key risks
Take decisions on the acceptability of identified risks and controls
Document action plans for risk mitigation
Use the outputs of risk assessments for budgeting and capital allocation processes
The chosen risk response plan has to be supported by a detailed implementation plan.
This implementation plan should clearly outline:
Activity plan with the various steps to be performed
Intended outcome of the activity plan
Resource requirements to achieve successful implementation
Accountability and responsibility for the activity plan
Implementation time schedule
Risk Escalation & Control
A critical element of ERM is an effective system of escalation which ensures that specific issues are promptly communicated
to relevant authorities.
Enterprise Risk organization structure establishes clear reporting lines and defines responsibilities of the various levels of
the ERM structure.
Risk escalation may stem from one or more of the following:
Identification of new risks at business line and entity level
Change in impact/ likelihood of identified risks causing a change in the risk evaluation
Unforeseen contingencies
Risk control refers to the policies and procedures that help ensure that the risk responses determined by the risk owners are carried out.
Risk Reviews
Periodic risk monitoring, review and reporting are critical components for the success of the ERM process.
The intent of monitoring and reviewing risks and their respective response plans is to:
Analyze and track events, changes and trends which affect identified risks
Assess the impact of such changes on risk assessment and evaluation
Assess the impact of such changes on response plans
Risk monitoring should be conducted on a periodic basis for the identified risks, in order to track the status of response plans and consequently update changes to risk profiles.
The risk profiles contain measurable indicators for proactively monitoring the performance of the mitigation plan. The indicators can be defined as:
Key Risk Indicator (KRI): Qualitative or quantitative indicators that proactively highlight the potential existence and magnitude of the risk
Key Control Indicator (KCI): Qualitative or quantitative indicators that indicate the effectiveness of the control implemented through the mitigation plan for the risk
Risk reviews involve re-examination of the risk register, risk assessment and risk response, including the risk profiles.
The risk reviews should be carried out on a quarterly basis (minimum) and updated in the risk report.
The Chief Risk Office function shall initiate and assist the risk monitoring and risk review process.
ERM Calendar (activities of the Chief Risk Officer, with frequency and timeline across months M1-M12)
1. Assessment and approval of Risk Appetite (including risk parameters) - Annual - once a year
2. Re-evaluate top enterprise risks - Annual - once a year
3. Review, update (where necessary) and communicate the ERM policy - Annual - once a year
4. Inputs on risk from the CRO in preparation of the AOP, risk validation and risk identification - Annual - once a year
5. Periodic self-certification - Quarterly - four times a year
6. Review and update the Risk Register - Ongoing - every month, M1 to M12
7. Monitor and update / create risk profiles including the mitigation plan - Ongoing - every month, M1 to M12
[The month in which each annual activity falls is marked on the original slide but is not recoverable from the extracted text.]
Managing Materialized Risk
It is necessary to have a crisis/ incident response plan in place for the timely and effective management of an event in which a risk materializes.
The crisis management plan should detail the following:
The situations for which action plans shall be invoked
The manner in which such plans shall be actioned
The individuals/ departments involved in such planning and execution
Tracking data pertaining to materialized risks is an essential input to the development and functioning of ERM and should be captured in a Loss Event Database.
Format of a Loss Event Database (one row per incident), with the following columns:
Incident description | Incident type | Incident owner | Incident cause | Reporting month | Total actual cost to date (INR) | Worst case potential loss (INR) | Realistic loss expected (INR) | Actions completed | Actions
ERM: Governance Structure
[Organization chart: Board of Directors -> Steering Committee (MD, CFO, Chief Legal Officer, All Functional Heads, Chief Risk Officer), with Internal Auditors -> Risk Champions in each Dept.]
Risk Champions:
Facilitator and coordinator w.r.t. risk management activities within the function.
Report to the Functional Head and the Chief Risk Officer.
Facilitate the implementation of ERM initiatives and mitigation plans within the function.
Role of the Steering Committee:
Review the decisions taken by the functional heads.
Responsible for strategic direction setting.
Report to the Board of Directors.
Work with the Internal Auditors, who will be responsible for review of the ERM process and for questioning non-compliance in the system.
Formulating and deploying risk management policies.
Questions and Answers