Enterprise Risk Management Training.

This course aims to equip staff with basic knowledge of enterprise risk management, develop a risk culture among staff and, lastly, educate learners on their role in managing risks.

Enterprise Risk Management (ERM) Modules 2018

So, what exactly is meant by “enterprise risk management?”

Enterprise risk management (ERM) can be viewed as a natural evolution of the process of risk management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management as:

 “... a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

ISO 31000 defines risk as uncertainty on objectives. In this regard, we define a risk as anything that might impact achievement of the strategic objectives for our company.

Comparison Between Traditional Risk Management and Enterprise Risk Management

There are many names that describe the approach used when looking at all risks across a company, organization or entity. Such an approach can be referred to as enterprise-wide, the whole of the entity, organization-wide, holistic, integrated, etc.

Organization-wide risk management is a holistic approach to managing and prioritizing responses to critical risks across the organization in a manner that will support business strategy and plans. Effective risk assessment essentially consists of risk identification and evaluation across all areas of the organization, followed by a process to ensure that critical risks are treated and managed in accordance with the organization’s risk appetite.

Organisation-wide risk management seeks to provide a consolidated view of risk across the organisation. The scope of organisation-wide risk management, therefore, encompasses the use of common risk language, risk assessment techniques and response strategies across all functional and risk/assurance functions within the organisation. Below are major differences between the traditional risk management and the enterprise-wide risk management.

Traditional vs modern ERM

Enterprise Risk Management (ERM) Process

Risk Treatment Options

Avoidance.

You can choose not to take on the risk by avoiding the actions that cause the risk. For example, if you feel that implementing a new strategy will be quite expensive, you avoid the risk by doing away with the strategy.

Reduction.

You can take mitigation actions that reduce the risk. For example, coming up with a credit control policy to manage debtors.

Transfer.

You can transfer all or part of the risk to a third party. The two main types of transfer are insurance and outsourcing. For example, a company may choose to transfer a collection of project risks by outsourcing the project.

Acceptance.

Risk acceptance, also known as risk retention, is choosing to face a risk. In general, it is impossible to profit in business or enjoy an active life without choosing to take on risk.

How are risks classified at Pacis? At Pacis, we have classified our risks into the following categories

Risk Aware Culture

Defining Culture

Culture is a way of doing things. It is a habit. The key to culture, in the context of ERM, is the impact it has on business decisions. A strong culture is one in which decisions are made in a disciplined way, taking into account considerations of risk and reward on an informed basis. This decision-making culture extends throughout the organization, from the largest strategic decisions to the most routine day-to-day business decisions.

As employees of Pacis, we must make decisions that optimize the company benefits and minimize the exposures.

The Goals of Culture

The goal of a risk-aware culture is to ensure that all business decision makers understand and behave, recognizing:

  • The importance of identifying and assessing risks in current and potential business activities.
  • The importance of communicating current and potential risks.
  • The importance of taking risk and reward into account in business decisions.

Again, it is worth stating that the goal is to ensure that decisions taken throughout the organization are taken with these goals in mind. That means that the risk-aware culture must extend throughout the organization, and not be limited to a group either outside of or even senior to the individuals responsible for making business decisions for the organization.

The Importance of Culture

If we agree that the goal of ERM is to ensure that business decisions are made to optimize stakeholder value through optimizing risk and reward, then a strong risk-aware culture is a necessary condition for success in ERM. If any elements are missing, then:

  • Not all relevant risks may be identified and assessed.
  • Decision makers may not be aware of some risks as decisions are being made.
  • Decisions may be made ignoring certain risks.

Clearly, if these circumstances were to occur, then we cannot be sure that good risk-adjusted business decisions were consistently being made and therefore, our company cannot have a strong ERM framework.

Setting a Risk-aware culture at Pacis

  • All staff are accountable for their decisions.
  • Our Clients come first.
  • We have the right tone at the top. Management, Executive and the BOD commitment to risk management is guaranteed.
  • We have devolved risk management to all employees. We are all risk managers in our line of duties. Every decision we make should be in the interest of the Company whereby reward is maximized and the risk exposures minimized.
  • Incentives and rewards have been aligned to performance.
  • Identification, assessment, analysis and treatment of risks is done across all the departments.
  • Our integrity should be unquestionable.

Roles of the employees will include:

  • Risk culture: For every decision that we make in our line of duty, we must ensure that the company reaps maximum benefits.
  • Risk identification and reporting to the risk Manager.
  • Risk control.
  • Compliance with company policies and procedures.
  • Implementation of agreed upon improvement action plans.

Conclusion and way forward

In the recent past, the IRA (Insurance Regulatory Authority) moved from compliance-based supervision to risk-based supervision. In compliance-based supervision, insurance companies were supposed to hold an equal amount of capital, i.e. Kshs 600,000 for general business and Kshs 150,000 for life business. In risk-based supervision, all insurers are expected to hold capital commensurate with their level of risk exposure. This implies that the more the risks, the higher the amount of capital an insurer is expected to have, and vice versa.

The risk exposures used to compute the risk-based capital are as shown below:

  • Insurance risks: Being a charge on all insurance liabilities (claims and premium reserves).
  • Market risks: Being a charge on the type of investment vehicles that we choose.
  • Counterparty risks: Being a charge on credit from receivables and reinsurers.
  • Operational risks: These are risks arising from failure of people, systems and processes. The capital charge is calculated as a percentage of the above risks.

For example:

  • If our debt is outstanding for 30 days, we are supposed to increase our capital by 30% of the outstanding amount, and if the debt has been outstanding for more than 30 days, the expectation is that we increase the capital by 100% of the outstanding debt.

This therefore calls for all of us to be good risk managers in our line of duty.

1. What is the definition of risk?

  • Anything that occurs only in exceptional circumstances.
  • An activity that would pose if no controls are in place.
  • Anything that will prevent you from achieving your goals and objectives.
  • All of the options

2. What is the third step in risk management process?

  • Establishing the context.
  • Evaluating the risk.
  • Risk treatment.
  • Analyzing the risks.

3. What is the definition of residual risks?

  • The risk that an activity would pose if there are no controls in place.
  • The risk that an activity would pose in a maximized control environment.
  • The risk that remains after all controls are taken into account.
  • The risk that remains before controls are taken into account.

4. Who falls under the scope of risk management?

  • The Managing Director.
  • The Board
  • All stakeholders.
  • The Risk Manager

5. You can completely eliminate all risks if you think you have planned everything

  • True
  • False

6. Operational risks are risks as a result of failure arising from people, systems and processes.

  • True
  • False

7. All the following are risk categories except:

  • Liquidity risks
  • Marketing risks
  • Residual risks
  • Contagion and related party risks

8. A large organisation is assessing a risk using a typical risk management process and has just established and identified the risks to which it is exposed. What is likely to be the next stage in the process?

  • Analysing risks
  • Eliminating risks.
  • Evaluating risks
  • Treating risks.

9. Uncollected premium, poor customer service, mis selling, unresolved client complaints, fraud; ii. Inadequate pricing, over reserving/under reserving, poor product design, High claims ratios, & iii. Unpaid bills, disruptions to business operations (T/F)

  • True
  • False

10. Enterprise risk management (ERM) is considered to have a significant difference compared with the traditional risk management approaches because ERM:

  • Ensures that an organization’s objectives are met.
  • Takes an integrated or holistic approach.
  • Addresses strategic, tactical and operational risk management.
  • Identifies an organization’s goals.

11. To ensure that we manage our capital well, ALL of us must ensure that we manage the risks within our area of operations.

  • True
  • False

12. True or False - The key to culture, in the context of ERM, is the impact it has on business decisions. A strong culture is one in which decisions are made in a disciplined way, taking into account considerations of risk and reward on an informed basis.

  • True
  • False

13. True or False - The goal of a risk-aware culture is to ensure that all business decision makers understand and behave, recognizing the importance of taking risk and reward into account in business decisions.

  • True
  • False

14. True or False - Incentives and rewards should not be aligned to performance in a risk-aware culture.

  • True
  • False

15. True or False - We have devolved risk management to all employees. We are all risk managers in our line of duties. Every decision we make should be in the interest of the Company whereby reward is maximized and the risk exposures minimized.

  • True
  • False