Enterprise Risk Management - Introduction

Presentation

Uploaded by addisu beza

FREE Lifelong Learning Event for Fasset Members

Risk Management Workshop

Risk management workshop

Agenda for the day
• Why do we need risk management
• Governance and risk management
• COSO model
• Risk management policy
• Risk appetite and risk tolerance
• Risk categories
• Risk assessment process
• Risk and control matrix
• Risk reporting

Private companies and auditors

External audit firms

Banking and government

Steinhoff – value loss

Need for risk management
• Risk management creates and protects value
• Risk management is an integral part of all organizational processes
• Risk management is part of decision making
• Risk management explicitly addresses uncertainty
• Risk management is systematic, structured and timely
• Risk management facilitates continual improvement of the organization

Definition

Risk management is a
– systematic process
– to identify, evaluate and address risks pro-actively
– continuously
– before such risks can impact negatively
– on the organization’s achievement of objectives

The Risk Agenda

Link between Risk Management and Corporate Governance?

Diagram elements: Role of the Board; Risk Management Appetite; Business Strategy; Risk Management Framework; Risk Business Strategy and Operations; Challenge and Appraisal; Communication; Board Reporting; Measuring & monitoring (Management Reporting).

• The Board defines the business strategy and sets the risk appetite. This is reviewed on a regular basis (at least once a year).
• The risk management strategy is executed by management, who make regular reports to the Board for monitoring.

Risk management improves governance
• Establishing a reliable basis for strategic/operational decision making and planning;
• Efficiently allocating and using resources for risk treatment;
• Improving operational effectiveness and efficiency

Risk management
• Increases prospects of success through minimising negative outcomes and optimising opportunities
• Clear and realistic objectives, develop appropriate strategies aligned to objectives, understand intrinsic risks
• Effective, efficient and transparent systems of risk management and internal control
• Increase likelihood of achieving objectives
• Encourage proactive management
• Continuously identify and treat risk
• Identification of both opportunities and threats
• Comply with legislative requirements
• Improve stakeholder confidence/trust
• Enhance health and safety performance, environmental protection
• Improve controls/loss prevention/incident management
• Improve organizational learning


Best practice risk management frameworks

COSO model

What is ERM? (cont’d)

To help with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO I framework developed in 1992.

Refer page 20 of delegate handbook

What is ERM? (cont’d)

The cube’s four objective categories:

• Strategic: the high level goals that are aligned with and support the institution’s mission.
• Operations: relate to the ongoing management process and daily activities of the organization.
• Reporting: relates to the protection of the organization’s assets and quality of financial reporting.
• Compliance: relates to the organization’s adherence to applicable laws and regulations.

What is ERM? (cont’d)

The eight components of the framework:

• Internal Environment relates to the general culture, values and environment in which an organization or entity operates (e.g. tone at the top).
• Objective Setting relates to the process management uses to set its strategic goals and objectives. Establishes the organization’s risk appetite and risk tolerance.
• Event Identification is the process by which an organization identifies events that influence strategy and objectives, or could affect an organization’s ability to achieve its objectives.
• Risk Assessment relates to the organization’s process of evaluating the impact and likelihood of events, and prioritizing related risks.
• Risk Response relates to determining how management will respond to the risks an organization faces: will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?
• Control Activities represent policies and procedures that an institution implements to address the risks the organization chooses to accept.
• Information and Communication relate to those practices that ensure that the right information is communicated at the right time to the right people.
• Monitoring consists of ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.

ERM Life Cycle

Stages of the cycle, as drawn on the slide: Culture → Goal setting → Identify and prioritize risks → Evaluate options → Implement → Evaluate performance → Confirm next steps. Beneath them sit the eight components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.

Combined assurance

Responsibilities
• Board: steer and set strategic direction, approve policy and planning, oversee, monitor and ensure accountability
• Accounting Officer: executes strategic direction, policies and oversight responsibilities
• Risk Owners: manage risk and control (front line operating management)
• Risk Management: monitors risk and control in support of management (risk, control, and compliance functions put in place by management)
• Independent assurance by Internal and External Audit to the Board via Audit Committee and senior management on the effectiveness of the management of risk and control

COSO and the three lines of defense

Broad responsibilities of the Board
• Board provides direction to senior management by setting risk appetite. Assures itself on an ongoing basis that senior management is responding appropriately to these risks (oversight).
• Identify the principal (key) risks. Delegates to the CEO and senior management primary ownership and responsibility for operating risk management and control.
• Management provides leadership and direction re risk management, and controls overall risk-taking activities in relation to the agreed level of risk appetite. To ensure the effectiveness of risk management, rely on adequate line functions – including monitoring and assurance functions.

First line of defense

Second line of defense

Continuous risk management

Third line of defense

Continuous risk management: risk management and the assurance providers; continuous risk assessment; risk based audit plans

KPI’s and KRI’s

Key Performance Indicators (KPIs) help a firm see how it is performing in relation to its strategic goals and objectives.

Key Risk Indicators (KRIs) are leading indicators of risk to business performance, giving early warning about potential risk events.

Use KRIs to monitor risks in areas such as:
• natural catastrophe risks (as % of group shareholder equity)
• asset-liability matching (duration mismatch)
• strategic asset allocation (% allowed in investment category)
• credit risk (weighted average credit rating)
• other risks specific to business or functional areas


Objectives - risk management policy
• Alignment of risk-taking behaviour with strategic business objectives
• Promote a risk management culture across the organization and improve risk transparency to the stakeholders
• Maximise stakeholders’ value and net worth by managing risks that may impact the defined financial and performance drivers

Objectives - risk management policy (cont)
• The way in which conflicts of interest regarding risk management roles are dealt with
• The way in which risk management performance will be measured and reported
• A commitment to review and improve the risk management system periodically
• Assist the Organization in enhancing and protecting those opportunities that represent the greatest service delivery benefits

Content of a risk management policy
• Risk management and internal control objectives (governance)
• Statement of the attitude of the organization to risk (risk philosophy and strategy)
• Description of the risk culture or the control environment
• Level and nature of risk that is acceptable (risk appetite)
• Risk management structure and arrangements (risk architecture)
• Details of procedures for risk recognition and ranking (risk assessment)
• List of documentation for analysing and reporting risk (risk protocols)

Content of a risk management policy (cont)
• Risk mitigation requirements and control mechanisms (risk response)
• Allocation of risk management roles and responsibilities
• Risk management training topics and priorities
• Criteria for monitoring and benchmarking of risks
• Allocation of appropriate resources to risk management
• Risk activities and risk priorities for the coming year


Risk universe
Risk categories

Strategic
• Governance: Board Structure & Performance; Corporate Monitoring; Organisational Structure
• Planning and Resource Allocation: Business Continuity; Strategic Planning; Budgeting; Acquisition and Divestiture
• Stakeholders: Shareholder; Business Partner; Customer / Supplier
• Market Dynamics: Competition; Socio-Political; Economic Factors

Operations
• Value Chain: Design and Development; Supply Chain and Logistics; Production; Marketing and Sales; Service; Support Processes
• Physical Assets: Real Estate; Plant and Equipment; Inventory
• People: Culture; Recruitment & Retention; Development & Performance; Health and Safety
• Information Technology: IT Security and Access; IT Availability and Continuity; IT Integrity; IT Infrastructure

Compliance
• Standards of Business Conduct: Corporate Social Responsibility; Ethics; Fraud
• Regulatory: Trade; Labor; Environmental; Privacy; Product Integrity
• Legal: Contract; Liability

Financial
• Market: Interest Rate; Foreign Currency; Commodity
• Liquidity and Credit: Cash Management; Funding; Hedging; Credit and Collectables; Insurance
• Accounting and Reporting: Reporting and Disclosure; Internal Control; Tax
• Capital Structure: Debt; Equity

Risk Management
• Identifying areas of threat to the business
• Assessing the potential impacts and managing these
• Growth and continued existence of the business

Risk versus opportunity

Internal risk categories

Human resources
• Integrity & Honesty
• Recruitment
• Skills & competence
• Employee wellness
• Employee relations
• Retention
• Occupational health & safety

Knowledge and information management
• Availability of information
• Stability of the information
• Reliability and integrity of information data
• Relevance of the information
• Retention
• Safeguarding of data and information

Litigation
• Claims by employees, public, service providers, third parties
• Failure to exercise a certain right that is to its advantage

Financial
• Cash flow adequacy
• Liquidity and solvency
• Financial losses
• Fruitless and wasteful expenditure
• Budget allocations
• Financial statement integrity
• Revenue collection
• Increasing operational expenditure

Material resources (procurement risk)
• Availability of material
• Costs and means of acquiring / procuring resources
• The wastage of material resources

Information Technology
• Security concerns
• Technology availability (uptime)
• Applicability of IT infrastructure
• Integration / interface of the systems
• Effectiveness of technology
• Obsolescence of technology

Third party performance
• Outright failure to perform
• Not rendering the required service in time
• Not rendering the correct service
• Inadequate / poor quality of performance

Disaster recovery and business continuity
• Disaster management procedures
• Contingency planning

Cultural
• Communication channels and their effectiveness
• Cultural integration
• Entrenchment of ethics and values
• Goal alignment
• Management operating style

Compliance / Regulatory
• Failure to monitor or enforce compliance
• Monitoring and enforcement mechanisms
• Consequences of non-compliance
• Fines and penalties paid

External risk categories

Economic Environment
• Credit downgrade
• Inflation, interest rates, forex
• Oil prices
• US/China trade war/Brexit

Political Environment
• Political unrest
• Local, Provincial and National elections
• Changes in key office bearers

Social environment
• Unemployment
• Migration of workers

Natural environment
• Depletion of natural resources
• Environmental degradation
• Spillage
• Pollution

Technological environment
• Advancements and changes in technology

Legislative environment
• Changes in legislation, conflicting legislation

Enterprise Risk Management (ERM) Approach

The structured ERM approach defines the key risks to business objectives across the organization and evaluates the level of management preparedness to clearly define opportunities to improve and/or monitor risks.

Diagram: Define Inherent Business Risks (identify significant inherent risks; link risks to strategic objectives – Strategic, Operations, Financial, Compliance – and to strategies and business objectives) → Evaluate the Level of Management Preparedness (management and control activities) → Define Recommended Course of Action (IMPROVE: action plan; MONITOR: risk and control plan).
Risk by organisational level

Entity
• Description: exposures which impact the entire organisation and are broader in nature. Upper management assumes responsibility for remediation.
• Examples: lack of long-term business strategy; insufficient oversight by Audit Committee or Board of Directors

Process
• Description: exposures which are specific to the processing of particular transactions. Process owners usually assume responsibility for remediation.
• Examples: high transaction volumes; complexity of transactions processed; degree of subjectivity in the valuation

Activity
• Description: exposures which result from the execution of particular work steps, tasks, and/or activities. Process owners usually assume responsibility for remediation.
• Examples: lack of training; lack of policies and procedures; poorly implemented IT functions

Process universe

Process risk assessment

Mega, major, minor process analysis
How do we assess risks?

• Risk is assessed first on an inherent basis at the entity-level
– That is, without consideration of the effect of controls
• Risk has two elements:
– Impact
– Likelihood
• Impact and Likelihood determine the overall risk rating
• The mitigating control strategies applied to key risks are identified, in order to obtain the residual risk
• Residual risk: represents the risk the business remains exposed to after factoring in the perceived effectiveness of existing controls

Assess the risk

Likelihood x Impact: plot on the heatmap

Likelihood

Almost certain: The risk is almost certain to occur more than once within the next 12 months. (Probability = 100% p.a.)
Likely: The risk is almost certain to occur once within the next 12 months. (Probability = 50 – 100% p.a.)
Moderate: The risk could occur at least once in the next 2 – 10 years. (Probability = 10 – 50% p.a.)
Unlikely: The risk could occur at least once in the next 10 - 100 years.
Rare: The risk will probably not occur, i.e. less than once in 100 years. (Probability = 0 – 1% p.a.)

Refer page 47 of delegate handbook

Impact

Catastrophic: Loss of ability to sustain ongoing operations. A situation that would cause a standalone business to cease operation.
Major: Significant impact on achievement of strategic objectives and targets relating to the IDP of the organization.
Moderate: Disruption of normal operations with a limited effect on the achievement of strategic objectives or targets relating to the IDP.
Minor: No material impact on achievement of the organization’s strategy or objectives.
Insignificant: Negligible impact.

Refer page 46 of delegate handbook

Plotting the risks

Heatmap value = likelihood score x impact score (rows: likelihood; columns: impact)

Likelihood \ Impact | Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)
Almost certain (5)  |  5 | 10 | 15 | 20 | 25
Likely (4)          |  4 |  8 | 12 | 16 | 20
Moderate (3)        |  3 |  6 |  9 | 12 | 15
Unlikely (2)        |  2 |  4 |  6 |  8 | 10
Rare (1)            |  1 |  2 |  3 |  4 |  5
Assessing Risk – Likelihood cont…

Score | Rating | Probability | Frequency
5 | Expected | > 90% | Yearly
4 | Highly Likely | < 90% | Every 1-2 Years
3 | Likely | < 60% | Every 3-5 Years
2 | Not Likely | < 30% | Every 6-9 Years
1 | Slight | < 10% | Every 10 Years and Beyond
Assessing risk – Impact cont …

Criteria columns: Financial (EBIT / EPS; Value; Disclosure), Operations (Scope), Compliance (Legal/Regulatory; Reputational), Strategic (Market Share; Strategy).

Score 5 – Critical
• Financial: > 25% EBIT / EPS; > 25% loss of market value; fiscal year restatement
• Operations: enterprise-wide; inability to continue normal business operations across all business units
• Compliance: management indictments, large scale class actions, regulatory sanctions; loss of confidence in all stakeholder groups
• Strategic: market share potentially irrecoverable (i.e., 24-36 months); potential acquisition or bankruptcy

Score 4 – Significant
• Financial: > 20% EBIT / EPS; > 20% loss of market value; fiscal quarter restatement
• Operations: 3 business units; significant interruptions to business operations within 3 or more business units
• Compliance: management challenged, large legal liabilities, regulatory fines / DPAs; loss of confidence by 3 or more stakeholder groups
• Strategic: long term recovery (i.e., 12-24 months); 2 or more changes in senior leadership, financial restructuring, significant changes to strategic plan

Score 3 – High
• Financial: > 15% EBIT / EPS; > 15% loss of market value; significant deficiency
• Operations: 2 business unit(s); moderate interruptions within 2 or more business unit(s)
• Compliance: management reviewed, legal reserve established, regulatory investigation; loss of confidence by 2 or more stakeholder groups
• Strategic: mid-term recovery (i.e., 6-12 months); 1 or more changes in senior leadership, significant changes to operating plans and execution

Score 2 – Moderate
• Financial: > 10% EBIT / EPS; > 10% loss of market value; control weakness
• Operations: 1 business unit; interruptions restricted to 1 business unit
• Compliance: management unaffected, minimal liabilities, regulatory attention; loss of confidence limited to 1 stakeholder group
• Strategic: short-term recovery (i.e., less than 6 months); refinements or adjustments to operating plans and execution

Score 1 – Low
• Financial: > 5% EBIT / EPS; > 5% loss of market value; additional risk disclosure
• Operations: limited interruptions within 1 business unit
• Compliance: limited liabilities or regulatory impact; limited impact to 1 stakeholder group
• Strategic: limited recovery (i.e., less than 3 months); limited adjustment necessary
Risk Assessment Criteria (“RAC”)

• Defines likelihood and consequence ratings
• Maps the likelihood and impact ratings to determine the overall risk rating
• Is used to consistently evaluate risk and help guide the prioritization and focus of Improve and Monitor activities

Assessing Risk – Impact (overall rating grid; rows are impact, columns are likelihood)

Impact \ Likelihood | L | M | H
H | M | H | H
M | L | M | H
L | L | L | M
Risk map profile

IMPACT: the degree of potential loss or harm to the financial or operational capabilities within the business process.
LIKELIHOOD: the likelihood and duration of a threat or vulnerability impacting a key business process.

Quadrants of the map (impact against likelihood) and the guidance attached to each:
1. Strategic Imperatives (high impact, high likelihood): all options apply; must manage effectively over the long term
2. Extraordinary Events (high impact, low likelihood): all options apply; however, risk controls are limited
3. Irrelevant or Insignificant (low impact, low likelihood): accept at present level and monitor over time
4. Operating and Compliance Issues (low impact, high likelihood): apply preventive and detective risk controls

Minimum tools in the toolbox
• Lean six sigma
• Root cause expert
• Data mining
• IT auditing skills
• Boardroom presence
• Fishbone diagram
• Pareto analysis
Lean Six Sigma - Integration of Two Powerful Business Improvement Approaches...

Lean (Speed + Waste Elimination)
• Goal – Reduce waste and increase process speed
• Focus – Implementing waste reduction tools
• Method – Improvement events, Value Stream Mapping

Six Sigma (Quality, Cost)
• Goal – Improve performance on items Critical to Customer Quality (CTQs)
• Focus – Use DMAIC with (TQM) tools to eliminate variation
• Method – Management engagement, dedicated team effort

Lean Speed Enables Six Sigma Quality (faster cycles of experimentation/learning) – Efficiency
Six Sigma Quality Enables Lean Speed (fewer defects means less time spent on rework) – Effectiveness
Fishbone Diagram (Root Cause Analysis)

Effect: Too many price adjustments at check-out

Cause categories on the diagram: Material, Machine, Methods, Mother Nature, Measurements, Manpower.

Causes noted on the diagram:
• Discovery of different discount rates occurs too late in process
• Computer screens – too many “jumps”
• Updates
• Billing process not accurate
• Product shortages
• Master customer discount table not up-to-date
• Power failures
• Incomplete training on management policies
• Common complaints
• Not enough staffing during peak times
• Marketing metrics counterproductive
• Unfamiliarity with procedures for vacation notification
• Notification of absence

Pareto Chart of Processing Errors

Category | Count | Percent | Cum %
Exception | 73 | 58.9 | 58.9
HHG | 18 | 14.5 | 73.4
TQ/TA | 13 | 10.5 | 83.9
GHS | 8 | 6.5 | 90.3
AT New Res | 7 | 5.6 | 96.0
Other | 5 | 4.0 | 100.0

(Chart axes: Count 0–140 on the left, Percent 0–100 on the right.)

2019/11/11
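As an added worked example (not code from the workshop deck), the Pareto analysis behind the chart above: the counts are transcribed from the slide, the percent and cumulative-percent columns are recomputed, and the "vital few" categories that account for 80% of the errors are picked out. The 80% cut-off and the rule that an "Other" bucket always sorts last are this example's assumptions.

```python
"""Worked example, added here and not from the workshop deck: Pareto analysis
of a count table. It reproduces the percent and cumulative-percent figures on
the deck's processing-error chart and picks out the 'vital few' categories
that account for 80% of the total."""
from typing import Dict, List, Tuple

# Counts transcribed from the deck's Pareto chart of processing errors.
PROCESSING_ERRORS: Dict[str, int] = {
    "Exception": 73, "HHG": 18, "TQ/TA": 13, "GHS": 8, "AT New Res": 7, "Other": 5,
}

Row = Tuple[str, int, float, float]  # (category, count, percent, cumulative %)


def pareto_table(counts: Dict[str, int]) -> List[Row]:
    """Sort categories by count, descending, and compute percent and
    cumulative percent. ASSUMPTION: an 'Other' bucket always stays last,
    as on the chart, whatever its size."""
    total = sum(counts.values())
    if total <= 0:
        raise ValueError("no observations to analyse")
    ordered = sorted(counts.items(), key=lambda kv: (kv[0] == "Other", -kv[1]))
    rows: List[Row] = []
    running = 0
    for category, count in ordered:
        running += count
        rows.append((category, count,
                     round(100 * count / total, 1),
                     round(100 * running / total, 1)))
    return rows


def vital_few(counts: Dict[str, int], threshold: float = 80.0) -> List[str]:
    """Categories needed, in Pareto order, to reach the cumulative threshold;
    these are where root cause work is focused first."""
    chosen: List[str] = []
    for category, _, _, cumulative in pareto_table(counts):
        chosen.append(category)
        if cumulative >= threshold:
            break
    return chosen


def render(counts: Dict[str, int]) -> str:
    """Plain-text version of the chart's data table."""
    lines = [f"{'Category':<12}{'Count':>6}{'Percent':>9}{'Cum %':>8}"]
    for category, count, pct, cum in pareto_table(counts):
        lines.append(f"{category:<12}{count:>6}{pct:>9.1f}{cum:>8.1f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROCESSING_ERRORS))
    print("Vital few:", ", ".join(vital_few(PROCESSING_ERRORS)))
```

Run as a script it prints the same six rows as the slide and names Exception, HHG and TQ/TA as the categories to take into the fishbone analysis first, since together they pass the 80% line.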


Process overview flowchart

Design of RCM

Populating the risk and control matrix

Input and access controls

Processing controls

Output controls

Risk management strategy
• Avoid
• Accept
• Transfer
• Mitigate

Typical risk response strategies - Accept
• Cannot be avoided / fully accepted
• Intentionally pursue
• Set reward/loss targets and tolerance levels
• Develop recovery plans
• Develop fall-back arrangements
• Investigate and take follow-up action
• Finance the consequences
• Residual risk: explicitly stated, understood, monitored and approved

Typical risk response strategies - Transfer
• Insure
• Share (joint ventures, alliances, partnerships)
• Contract out (outsource, assign)
• Diversify/spread
• Hedge

Typical risk response strategies - Mitigate

Risk management requires companies to be proactive rather than passive.

Some degree of mitigation in response to most significant risks.

Options for risk mitigation are:
• Organisation
• People & Relationships
• Direction
• Operational
• Monitoring

Typical risk response strategies - Avoid
• Cease activity
• Pull out of market
• Divest
• Change or recalibrate objective
• Redesign (e.g. business processes, systems, tools)
• Reduce scale
How do I choose the right mix of
responses?
Previous slides provide a ‘menu’ of choices. However, given that the
desired result is a structured and integrated portfolio of risk responses,
the choices must be carefully considered; intentional rather than ad
hoc, and linked together.

Design decisions are influenced by factors such as:
• The business environment and constraints
• The level and relative importance of the business objective (e.g. strategic vs. operational)
• The nature of the risk, and whether it has an ‘upside’ or ‘downside’ potential
• The perceived significance of the risks (impact and likelihood)
• The ‘risk appetite’ (level of acceptable risk)
• The cost and desirability of applying various risk responses
• The ability to directly or indirectly influence outcomes
• What has been done in the past, how well it has (or has not) worked, lessons learned
Assessing response to risks – Management preparedness

Score | Rating | Action | Description
5 | Very High | Effective | Controls and/or Management Activities properly designed and operating as intended
4 | High | Limited Improvement Opportunity | Controls and/or Management Activities properly designed and operating, with opportunities for improvement identified
3 | Moderate | Moderate Improvement Opportunity | Key controls and/or Management Activities in place, with significant opportunities for improvement identified
2 | Low | Significant Improvement Opportunity | Limited controls and/or Management Activities in place, high level of risk remains
1 | Very Low | Critical Improvement Opportunity | Controls and/or Management Activities are non-existent or have major deficiencies and don’t operate as intended
Entity level residual risk profile

Representative Example. The chart plots risk exposure (Impact x likelihood, 0.0 to 25.0, Low to High) against management preparedness (1.0 to 5.0, Low to High). Its quadrants: Improve Controls (high exposure, low preparedness); Monitor (high exposure, high preparedness); Monitor Risks (low exposure, low preparedness); Accept / Optimize (low exposure, high preparedness).

Tier 1 residual risks plotted:
1. Credit Risk – Customer default
2. Liquidity – Cash Management
3. Access to capital to finance expansion
4. Inability to reach some niche markets (local or overseas)
5. Failing to plan for LT
6. Inability to recruit and retain talent
7. High dependency on few decision-makers / owners
8. Increased demand for more timely and comprehensive reporting and disclosure
9. Greater vulnerability re. changes in economic factors

Residual risk = ((impact x likelihood) x (1 - (management and control level / 5)) + (0.2 x (impact x likelihood)))

NOTE: The quadrants on this chart are intended to provide directional guidance for potential mitigation activities for each risk, based on the risk impact and likelihood rating, and level of management/control activities. Desired risk mitigation actions for each risk will vary based on the risk appetite of the organization and the desired level of management/control activities.
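As an added worked example (not code from the workshop deck), the assessment procedure from "How do we assess risks?" and "Plotting the risks" through to the residual risk formula above, carried through in Python: impact and likelihood on the deck's 1-5 scales give the inherent exposure (the 5x5 heatmap value), the management preparedness rating feeds the deck's residual risk formula, and the result is placed in one of the four quadrants of the residual risk profile. The quadrant thresholds (12.5 on exposure, 3.0 on preparedness) and the third register entry are this example's assumptions; the other two score sets are the figures from the deck's action plan example.

```python
"""Worked example, added here and not from the workshop deck: score a risk on
the deck's 1-5 likelihood and impact scales, take inherent exposure as
impact x likelihood (the 5x5 heatmap value), apply the deck's residual risk
formula using the management preparedness rating, and place the result in
a quadrant of the residual risk profile."""
from dataclasses import dataclass
from typing import Dict, List

# Rating scales as the deck defines them (1 = lowest, 5 = highest).
LIKELIHOOD: Dict[int, str] = {1: "Rare", 2: "Unlikely", 3: "Moderate",
                              4: "Likely", 5: "Almost certain"}
IMPACT: Dict[int, str] = {1: "Insignificant", 2: "Minor", 3: "Moderate",
                          4: "Major", 5: "Catastrophic"}
PREPAREDNESS: Dict[int, str] = {1: "Very Low", 2: "Low", 3: "Moderate",
                                4: "High", 5: "Very High"}

# ASSUMPTION: the deck's chart runs 0-25 on exposure and 1-5 on preparedness
# but does not say where the quadrant boundaries sit; midpoints are used here.
EXPOSURE_SPLIT = 12.5
PREPAREDNESS_SPLIT = 3.0


def _rating(value: float, what: str) -> float:
    """Reject ratings outside the 1-5 scale before they reach the formula."""
    if not 1 <= value <= 5:
        raise ValueError(f"{what} must be between 1 and 5, got {value!r}")
    return float(value)


@dataclass
class Risk:
    name: str
    impact: float        # 1-5; fractional values are averages across assessors
    likelihood: float    # 1-5
    preparedness: float  # 1-5 management and control level

    def __post_init__(self) -> None:
        self.impact = _rating(self.impact, "impact")
        self.likelihood = _rating(self.likelihood, "likelihood")
        self.preparedness = _rating(self.preparedness, "preparedness")

    def inherent(self) -> float:
        """Inherent exposure: impact x likelihood, before considering controls."""
        return self.impact * self.likelihood

    def residual(self) -> float:
        """The deck's formula: (I x L) x (1 - M/5) + 0.2 x (I x L).
        The 0.2 term keeps a floor of 20% of inherent exposure even when
        preparedness is rated 5, i.e. controls never remove all risk."""
        inherent = self.inherent()
        return inherent * (1 - self.preparedness / 5) + 0.2 * inherent

    def quadrant(self) -> str:
        """Directional guidance from the residual risk profile chart."""
        high_exposure = self.residual() >= EXPOSURE_SPLIT
        well_prepared = self.preparedness >= PREPAREDNESS_SPLIT
        if high_exposure and not well_prepared:
            return "Improve Controls"
        if high_exposure:
            return "Monitor"
        if not well_prepared:
            return "Monitor Risks"
        return "Accept / Optimize"


def rating_label(scale: Dict[int, str], value: float) -> str:
    """Snap a (possibly fractional) score to the nearest whole rating label."""
    return scale[max(1, min(5, round(value)))]


def describe(risk: Risk) -> str:
    return (f"{risk.name}: {rating_label(IMPACT, risk.impact)} impact x "
            f"{rating_label(LIKELIHOOD, risk.likelihood)} likelihood = "
            f"{risk.inherent():.1f} inherent; preparedness "
            f"{rating_label(PREPAREDNESS, risk.preparedness)} -> "
            f"{risk.residual():.1f} residual -> {risk.quadrant()}")


def rank(risks: List[Risk]) -> List[Risk]:
    """Tier 1 ordering: highest residual exposure first."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


# Sample register. The first two score sets are the deck's own action plan
# figures; the third entry is constructed for this example.
REGISTER = [
    Risk("Raw Material Pricing", impact=4.8, likelihood=4.3, preparedness=1.6),
    Risk("Integration of Acquired Businesses", impact=4.6, likelihood=2.8,
         preparedness=2.0),
    Risk("IT Security and Access (constructed)", impact=5, likelihood=2,
         preparedness=4),
]

if __name__ == "__main__":
    for risk in rank(REGISTER):
        print(describe(risk))
```

The deck's first action plan entry (impact 4.8, likelihood 4.3, preparedness 1.6) gives an inherent exposure of 20.6 and a residual of about 18.2, which the thresholds above put in "Improve Controls"; the constructed IT entry has the same catastrophic impact but strong controls and lands in "Accept / Optimize", which is the point of scoring residual rather than inherent exposure when deciding where to spend effort.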
Management action plans for key risks
Representative Example – Risk Action Plan Tracking

Columns of the tracking sheet: Key Business Risks (risk description, risk classification); Assess (inherent impact, likelihood, risk exposure, management effectiveness); Improve (existing management and control activities, enhancement opportunities, action owner); Monitor (audit coverage, other monitoring activity, key metrics).

Tier 1 Risk Profile

Raw Material Pricing (Operations – Value Chain): impact 4.8, likelihood 4.3, exposure 20.6, management effectiveness 1.6
Purchases of raw materials, and energy represent a large portion of the Company’s costs. Increases in the costs of these inputs may increase the Company’s costs, and the Company may not be able to pass these costs on to customers through higher prices. Increases in the costs of materials may adversely impact our customers’ demand for printing and related services.

Vehicle Inventories / Sales Incentives (Strategic – Customer): impact 4.1, likelihood 4.8, exposure 19.7, management effectiveness 1.9
Slower-than-expected sales in the first two months of 2004 have nudged inventories slightly above the industry’s “normal” level of 60-day supply, increasing dealer carrying costs and the prospect of production cuts later this year if the trend continues. Sales incentives will remain high as a result, at least through the first quarter of 2004, to mitigate a further rise in inventories that would be even more expensive to clear out once new GM/Ford/DaimlerChrysler car models start arriving later this year.

Warranty Costs and Liabilities (Operations – Value Chain): impact 4.8, likelihood 3.4, exposure 16.3, management effectiveness 2.2
As manufacturers look to push warranty exposure down the supply chain, the risks for suppliers are potentially catastrophic: the liability for a single component defect, spread over a large number of vehicles, especially if the defect is determined to be safety related, could jeopardize the future of a company. The number of vehicle recalls is rising, and TREAD Act compliance (a result of the Firestone/Ford debacle) in particular is increasing costs for tire makers and vehicle manufacturers.

Integration of Acquired Businesses (Strategic – Acquisition & Divestiture): impact 4.6, likelihood 2.8, exposure 12.9, management effectiveness 2.0
Achieving the anticipated benefits of acquisitions, including the recent acquisitions, will depend in part upon the Company’s ability to integrate these businesses in an efficient and effective manner. The integration of companies that have previously operated independently may result in significant challenges, and the Company may be unable to accomplish the integration

Supply Chain Sustainability (Operational – Value Chain): impact 3.4, likelihood 4.0, exposure 13.6, management effectiveness 2.4
Many vehicle component suppliers have been pushed to the financial brink by years of cost-cutting by their customers. Many suppliers have high debt levels, cash flow deficiencies, and marginal businesses. In addition, Tier 1 suppliers face an increasing risk that their production will be disrupted because troubled second- and third-tier suppliers won’t be able to deliver parts.

Intellectual Property Protection (Operational – Knowledge): impact 3.4, likelihood 3.7, exposure 12.6, management effectiveness 2.4
The problem of counterfeit aftermarket parts being sold in the US market continues to increase, with most of the fraudulent parts coming from China. The Chinese government has taken only token steps to shore up the legal framework around intellectual property rights in that country, and automakers and suppliers remain under threat of having their IP rights subverted and having little recourse against the proliferation of potential dangerous fakes by enterprises that are difficult to bring to
Design, build and implementation of Key Risk Indicators

Design
▪ Establish extent of existing management information and other data flows – indicators in place if applicable
▪ Identify committees, forums, management meetings etc currently in place that can be used to discuss risk and control issues on an ongoing basis
▪ Define and document roles and responsibilities of risk and control owners

Build Process
▪ Assign ownership for risks and controls
▪ Communication with risk and control owners relating to their ongoing responsibilities
▪ Carry out workshops with all risk and control owners to design indicators to be put in place
▪ Define how existing information flows and committees etc are to be used to minimise additional workload
▪ Risk and control owners refine the indicator monitoring process
▪ Overall analysis of indicators for gaps and dual coverage
▪ Design reporting protocols

Ongoing Operation of Process
▪ Design review mechanism (i.e. Corporate Risk department or Internal Audit, etc.)
▪ Create storage mechanism for information
▪ Perform ongoing consistency checks of indicators set up across the organisation

Example KPI, KCI and KRIs

Risk: Clients default on deals
Control: Daily monitoring, Point of entry procedures, Collateral cover
KPI: Number of deals executed for clients who have defaulted in the past
KCI: Number of clients identified with insufficient collateral cover
KRI: Number of deals executed for clients who have defaulted in the past who do not have sufficient collateral cover

Risk: Loss of key personnel
Control: Adequate remuneration & motivation packages allied to communication. Bonus Pool
KPI: Number of staff leaving without a planned successor
KCI: Number of employees kept as a result of remuneration change / bonus payment
KRI: Number of staff leaving without a planned successor due to remuneration / bonuses not being sufficient

97
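The first example above (clients defaulting on deals) worked through in code, as an added illustration that is not part of the workshop material: the KPI counts exposure, the KCI counts control failures, and the KRI is the intersection of the two, compared against a tolerance before escalation. The client book, deal list, minimum cover ratio and tolerance are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not from the workshop): each executed
# deal names a client; the client book records whether that client has
# defaulted in the past and its collateral cover ratio (collateral / exposure).
@dataclass(frozen=True)
class Deal:
    deal_id: str
    client: str

CLIENTS = {  # client -> (defaulted_in_past, collateral_cover_ratio)
    "ACME": (True, 0.80),
    "BETA": (True, 1.25),
    "GAMMA": (False, 0.50),
    "DELTA": (False, 1.10),
}
DEALS = [Deal("D1", "ACME"), Deal("D2", "ACME"), Deal("D3", "BETA"),
         Deal("D4", "GAMMA"), Deal("D5", "DELTA")]
MIN_COVER = 1.0  # assumed: cover below 100% of exposure is "insufficient"

def past_defaulter(clients, client):
    return clients[client][0]

def insufficient_cover(clients, client):
    return clients[client][1] < MIN_COVER

def kpi_deals_with_past_defaulters(deals, clients=CLIENTS):
    """KPI: number of deals executed for clients who have defaulted in the past."""
    return sum(1 for d in deals if past_defaulter(clients, d.client))

def kci_clients_with_insufficient_cover(clients=CLIENTS):
    """KCI: number of clients identified with insufficient collateral cover,
    i.e. clients for which the collateral control is not effective."""
    return sum(1 for c in clients if insufficient_cover(clients, c))

def kri_uncovered_defaulter_deals(deals, clients=CLIENTS):
    """KRI: deals executed for past defaulters who do NOT have sufficient
    cover. It is the intersection of the KPI population (exposure) and the
    KCI population (control failure), which is what makes it a leading
    indicator rather than a plain activity count."""
    return [d.deal_id for d in deals
            if past_defaulter(clients, d.client) and insufficient_cover(clients, d.client)]

def kri_status(deals, tolerance, clients=CLIENTS):
    """Compare the KRI with an agreed tolerance and say whether it must be
    escalated to the risk committee (the tolerance value is an assumption)."""
    value = len(kri_uncovered_defaulter_deals(deals, clients))
    return {"kri": value, "tolerance": tolerance, "escalate": value > tolerance}
```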

Residual risk versus risk appetite
Reporting and disclosures

Risk Committee of the Board meets at least twice a year


The typical template report pack submitted to the Risk Committee for
review:
• Updated Risk Map Profile
• Updated Risk & Control Register as an attachment
• Comments to be escalated
• Exception reports to be attached (List of failed controls, List of controls not yet implemented)

Typical comments to be escalated are as follows:


• New risks identified and associated controls
• Suggested changes to the ratings of existing risks and controls, with
rationale behind suggested changes
• Status on implementation actions (Actions implemented/ Actions not yet
implemented as per agreed timeframe/Actions in progress)
• Movement in risk trend: Worsening / Improving
101
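An added example, not part of the workshop pack, of how the comments to be escalated and the exception lists can be derived from two snapshots of the risk & control register rather than retyped by hand. The two register snapshots, the numeric ratings and the "Unchanged" trend value are constructed assumptions.

```python
# Constructed sample snapshots of a risk & control register (assumption, not
# the workshop's own data): risk name -> rating and control statuses. Status
# values follow the report pack: "implemented", "failed", "not yet implemented".
PREVIOUS_REGISTER = {
    "Clients default on deals": {"rating": 12.0, "controls": {
        "Collateral cover": "implemented", "Daily monitoring": "implemented"}},
    "Loss of key personnel": {"rating": 9.0, "controls": {
        "Bonus pool": "not yet implemented"}},
}
CURRENT_REGISTER = {
    "Clients default on deals": {"rating": 16.0, "controls": {
        "Collateral cover": "failed", "Daily monitoring": "implemented"}},
    "Loss of key personnel": {"rating": 6.0, "controls": {
        "Bonus pool": "implemented"}},
    "Supply chain disruption": {"rating": 14.0, "controls": {
        "Dual sourcing": "not yet implemented"}},
}

def risk_trend(old_rating, new_rating):
    """Movement in risk trend; "Unchanged" is an assumed value for equal ratings."""
    if new_rating > old_rating:
        return "Worsening"
    if new_rating < old_rating:
        return "Improving"
    return "Unchanged"

def build_escalation_comments(previous, current):
    """Derive new risks, rating changes (with the old and new values as the
    rationale), risk trend and the two exception lists from two snapshots."""
    comments = {"new_risks": [], "trend": {}, "rating_changes": [],
                "failed_controls": [], "controls_not_implemented": []}
    for name, risk in current.items():
        if name not in previous:
            # New risk identified, together with its associated controls
            comments["new_risks"].append((name, sorted(risk["controls"])))
        else:
            old = previous[name]["rating"]
            comments["trend"][name] = risk_trend(old, risk["rating"])
            if old != risk["rating"]:
                comments["rating_changes"].append((name, old, risk["rating"]))
        for control, status in risk["controls"].items():
            if status == "failed":
                comments["failed_controls"].append((name, control))
            elif status == "not yet implemented":
                comments["controls_not_implemented"].append((name, control))
    return comments
```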

Example: Risk Coverage Plan



Integrated LOD (Lines of Defense) Model


Source: Maximising Value from your lines of defense – EY, December 2013

Example: Risk Status Report


Thank you

105
