Session Outline
- Corporate governance and risk management
- Enterprise Risk Management (ERM)
- Implementing ERM
- Core Reading
- Case Study: Lego

Learning Outcomes
- Fully comprehend the emergence and core features of ERM
- Understand how ERM can help both combat risk and enhance competitiveness
- Appreciate the range of difficulties that organizations face when trying to implement ERM structures

Part I: Corporate Governance & Risk Management

Corporate Governance <-> Risk Governance
Three key areas in which corporate governance and risk management intersect:
- Evaluation of business opportunities
- Management of stakeholder interests
- Monitoring of internal processes

Corporate Responsibilities

Principles-Based vs. Rules-Based Regulation

Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Formed in response to growing fears about the scale of fraud in the USA
- Dedicated to developing guidance and best practice on internal control procedures
- Joint initiative between:
  - American Institute of Certified Public Accountants (AICPA)
  - American Accounting Association (AAA)
  - Financial Executives International (FEI)
  - Institute of Internal Auditors (IIA)
  - Institute of Management Accountants (IMA)

COSO I (1992)
- Defined internal control as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives”
- Recommended that control systems should be embedded in the organization's infrastructure and not treated as separate …
- BUT positioned risk assessment as a sub-element of a broader internal control framework aimed at providing assurance to stakeholders

Original ERM ‘Pyramid’ (1992)

Turnbull Report (UK) (1999)
- Chaired by Nigel Turnbull
- Drawn up in collaboration with the London Stock Exchange
- States that the Board of Directors should:
  - Establish business objectives
  - Identify the associated key risks
  - Decide upon the controls to address the risks
  - Set up a system to implement the required controls

Turnbull Report (continued)
- Recommended that internal control systems should:
  - Be embedded in the operation and form part of its culture
  - Be flexible and capable of responding quickly to risks
  - Include routine procedures for immediate reporting of any risks that appear
- “The directors should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all controls, including financial, operational and compliance controls and risk management.”

Sarbanes-Oxley Act (SOX) (2002)
- Set enhanced corporate governance standards for all American companies
- Led to the creation of the Public Company Accounting Oversight Board (PCAOB)
- Enacted as a US Federal Law in 2002

SOX Requirements
- Introduced new statutory requirements (rather than guidelines)
- Section 404: Every company is required to submit an annual report to the SEC that should: “state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.”

SOX Requirements (continued)
- Required to maintain evidence to support assessments
- Required to disclose any material weaknesses in the internal control system
“The most far-reaching reforms of American business practices since the time of Franklin D. Roosevelt” [George Bush, 2002]

Criticisms of SOX
- Takes up valuable management time and resources
- Adds to the costs paid to external auditors
- Discourages foreign firms from listing their shares in the US
- Still reliant upon internal control frameworks
- Compliance-based

COSO Enterprise Risk Management-Integrated Framework (2004)
- Recognized the weakness of having risk assessment as a sub-element of the internal control framework
- Renamed risk management as ‘enterprise risk management’ (ERM) and incorporated “the internal control framework within it”
- ERM becomes the overarching framework for internal control

COSO ERM-Integrated Framework (continued)
Defines ERM as “…a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”

COSO ERM Cube (2004)
- Internal Environment: Risk Management Philosophy; Board of Directors; Ethical Values; Structure; Assignment of Authority
- Objective Setting: Strategic Objectives; Related Objectives; Risk Appetite; Risk Tolerances
- Event Identification: Event Identification Techniques; Event Categories; Interdependencies; Distinguishing Risks and Opportunities
- Risk Assessment: Establishing Likelihood and Impact; Data Sources; Assessment Techniques
- Risk Response: Evaluating Possible Responses; Selected Responses
- Control Activities: Integration with Risk Response; Policies and Procedures; Controls over Information Systems
- Information and Communication: Information; Communication
- Monitoring: Ongoing Monitoring Activities; Separate Evaluations; Reporting Deficiencies

ISO 31000 (2009)
- Set up to provide an international standard on the implementation of risk management
- Adopted around the world (UK, Canada, Australia, EU, etc.)
- Made up of three linked components:
  - Risk management principles
  - Risk management framework
  - Risk management process

ISO 31000: Risk Management Principles
According to ISO 31000, risk management should:
- Create and protect value
- Be an integral part of all organizational processes
- Be part of decision-making
- Address uncertainty explicitly
- Be systematic, structured and timely
- Be based on the best available information
- Be tailored to meet the needs of the organization
- Take into account human and cultural factors
- Promote transparency and inclusiveness
- Be dynamic and responsive to change
- Facilitate continual improvement
‘Three Lines of Defence Model’ (2013)

COSO ERM Cube (2013)
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies

Criticisms of COSO Frameworks
- The framework is relatively broad in scope and lacks a significant amount of prescriptive guidance
- It is broken into a series of rigid categories – organizations often find that there are certain processes that could conceivably fall into multiple categories, or that do not align well with any of the categories
- It begins with the internal and not the external environment. Critics claim that it does not sufficiently reflect the impact of the competitive environment, regulation and external stakeholders on risk appetite, management and culture
- An excessive focus on internal factors, for which the model has been criticised, could result in a concentration on operational risks and a failure to analyse strategic dangers sufficiently
- Discusses risks primarily in terms of events, particularly sudden events with major consequences. Critics claim that the guidance insufficiently emphasises slow changes that can give rise to important risks

COSO ERM Framework (2017)
Key Updates
- Provides greater insight into the value of enterprise risk management when setting and carrying out strategy
- Enhances alignment between performance and enterprise risk management to improve the setting of performance targets and the understanding of the impact of risk on performance
- Recognizes the globalization of markets and operations and the need to apply a common, albeit tailored, approach across geographies
- Presents new ways to view risk in setting and achieving objectives in the context of greater business complexity
- Expands reporting to address expectations for greater stakeholder transparency

ISO 31000 (2018 Update)

Part II: Enterprise Risk Management (ERM)

What is ERM?
“ERM recognizes that risk management occurs throughout the company and either explicitly or implicitly is part of virtually every decision. The goal of ERM is to ensure that structures, processes, and communications are in place to promote the achievement of the following three critical elements of ERM: Risk governance oversight and leadership; risk identification, assessment, mitigation and monitoring; and risk quantification and reporting.” [Todd Perkin, 2008]

Risk Management Silos
In business, a silo is a function of the organization that is structurally, physically or culturally isolated from the rest of the organization. This generally means it is not fully involved in the strategic decision-making process of the organization.
Risk Management Silos
Silos occur because of:
- Lack of communication between different groups within an organization
- Neglect of the risk management function
- Unintegrated risk management functions
Why are they potentially dangerous?
- Leave senior management ill-informed about risk
- Strategic planning takes place independently of risk management
- No comprehensive view of an organization’s risk exposure
- Risks get ignored

Unintegrated vs. Integrated Risk Management
[Diagram labels: ERM; Finance; Legal Department; Human Resources; Compliance; Audit Committee; Security; Board of Directors; Line Managers; IT]

Integrating ERM

ERM and Culture
“In some sense, ERM is a mind-set, a culture that permeates your entire organization. With the goal ultimately of having your employees, your managers, your executives, your board of directors, all risk aware, risk intelligent, looking for both opportunities and threats that add greater value to the enterprise.” [Bruce Branson, 2008]

General Benefits of ERM
“When ERM is implemented successfully then you have: fewer surprises, a common understanding and alignment of goals, risks and mitigants, …reduced cost of capital due to meeting rating agency expectations, better comfort for shareholders and the investment community that the business is well managed, and better morale among staff in knowing that resources are allocated fairly across the organization based on agreed risk tolerances.” [John R. S. Fraser, 2008]

General Benefits of ERM

Part III: Implementing ERM
Implementing ERM: Common Challenges

The Rise of the Chief Risk Officer

The Role of the Chief Risk Officer
Responsibilities can include:
- Advising senior management on risk management topics
- Assisting senior management in developing risk management strategies
- Facilitating risk assessment procedures
- Promoting a risk-aware culture
- Implementing risk reporting systems
- Communicating risks to stakeholders
- Helping develop overall business strategy

Are CROs Useful?

CROs: The Evidence
The evidence is inconclusive as to whether CROs significantly increase the quality of risk management. However, research does suggest:
- Firms that hire a CRO tend to be more committed to establishing an effective ERM framework
- Firms in industries with high levels of litigation threats tend to benefit more from CRO appointments
- CROs can be useful in reducing internal conflict related to the implementation of an ERM framework
- Firms with CROs tend to be able to produce a clearer articulation of their overall risk management ethos

Percentage of firms with ERM in place* (Source: Deloitte, ‘Global Risk Management Survey, 11th Edition’ (2019))

Summary
- ERM differs from other risk management frameworks in that it promotes embedded risk management and aligns risk management with strategic decision-making
- Many organizations have yet to introduce effective ERM frameworks
- Successfully implementing ERM is challenging for many organizations

Part IV: Core Reading

Core Reading Exercise
Based on your reading of the Bromiley et al. (2015) text, please consider the following questions:
- Based on the article, what are some of the key gaps in our current understanding of the effectiveness of ERM?
- What do Bromiley et al. suggest are some of the main challenges related to the implementation of ERM?
- What do you think would be the most challenging aspect for a firm that wants to introduce ERM?

Part V: Lego Case Study

Size and Scale
- On average, every person on earth owns 94 Lego bricks
- If Lego figurines were real people, they would be the world's largest population
- Lego is the world's largest manufacturer of tyres

1. Background & History

Origins
- Founded in 1932 by Ole Kirk Kristiansen
- Name changed to ‘Lego’ in 1934
- Initially built small wooden toys
- Acquired a plastic injection-moulding machine in 1946
- Released the ‘Lego Automatic Binding Brick’ in 1949
- The current stud-and-tube Lego brick was patented in 1958

Expansion
- Godtfred Kirk Christiansen became head of the firm in 1958
- Lego began operations in the UK, Germany, Sweden, Italy, France, Belgium, Singapore, Australia and the USA
- Legoland opened in Billund in 1968
- First minifigure introduced in 1978
- Kjeld Kirk Kristiansen was appointed CEO in 1979
- By 1990, Lego was one of the world’s top ten toy manufacturers

Lego’s Core Values
- ‘Lego’ = “play well”
- “Only the best is good enough”
- “To nurture the child in each of us”
- “To inspire and develop the builders of tomorrow”
Lego DNA

2. Expansion & Diversification

Evolution of the Toy Industry (Source: R. D. Ireland et al., Understanding Business Strategy: Concepts and Cases (2008))

Seeking Outside Help
- Turned to Poul Ploughmann to help revive Lego
- Known as the ‘miracle man’ for his work in reviving Bang & Olufsen
- Kristiansen ceded full control to Ploughmann
- Brought in ‘brand expert’ Francesco Ciccolella to ‘reinvent’ Lego’s image

A New Strategy for a New Generation
- 30 new designers were hired from Europe’s best design colleges
- Signed licensing deals with major film studios (e.g. Star Wars)
- Expanded into new markets (e.g. clothes, books)
- Tripled its product offerings

Product Diversification

Lack of Group-Wide Strategic Vision
… the company's management team, which consisted of 12 senior vice presidents who oversaw 6 market regions as well as such traditional functions as the direct-to-consumer business and the global supply chain, was “highly dysfunctional,” recalled Knudstorp. “They didn't work together. They operated in silos.” [Robertson, 2013]

Example: The Lego Technic Fibre Optic Multi Set

Crisis
“We are on a burning platform, losing money with negative cash flow and a real risk of debt default which could lead to the breakup of the company” [J. V. Knudstorp, 2003]
- Ballooning production costs
- Lost $300 million in 2003
- Net sales fell by 26%

Case Study
As you are reading/watching through the material provided below, please consider the following questions:
- What were the main issues with Lego's ERM approach prior to 2007?
- How did Læssøe try to align Lego's risk management and strategy-setting processes?
- Do you think other companies would benefit from using similar risk management tools?
- How ‘mature’ do you think Lego's ERM framework sounds?

Return to Profitability

Conclusions
- When the risk management and strategic decision-making processes are not aligned, a business can get into trouble
- ERM frameworks need to be tailored to the specific needs of the organization
- Risk management is not just about preventing losses