OPERATIONAL RISK MANAGEMENT IMPLEMENTATION: Best practices and experience from EPF (PowerPoint presentation transcript)
1
OPERATIONAL RISK MANAGEMENT IMPLEMENTATION
Best practices and experience from EPF
  • Ong Hock Chye
  • Senior Manager (Operational Risk)
  • Risk Management Department
  • Employees Provident Fund
  • Malaysia.

2
Content
  • Risk Management and Its Benefits
  • Implementing Operational Risk Management (ORM)
  • Challenges
  • Standards and Best Practices
  • Approach and Methodology
  • Our Experience
  • Key Success Factors

3
Risk
  • The chance of something happening that will have
    an impact on objectives.
  • A risk is often specified in terms of an event or
    circumstance and the consequences that may flow
    from it.
  • Risk is measured in terms of a combination of the
    consequences of an event and their likelihood.
  • Risk may have a positive or negative impact.
  • (AS/NZS 4360:2004).

4
(No Transcript)
5
Why implement risk management?
  • Success: Vision, Achievement, Associated
    Strategic Objectives.
  • Ultimately, we must know the risks faced in
    achieving these goals, manage those risks
    effectively and ensure that effective risk
    treatments are, and continue to be, in place as
    the environment changes over time.
  • Risk management is important for EPF. The
    alternative is risky management, which will not
    ensure the desired outcomes.

6
Benefits of risk management to EPF
  • Increase risk awareness at all levels of staff so
    that they can effectively manage their risks.
    No unexpected surprises! Staff personal wellbeing.
  • Enable EPF's Board of Directors to comply with its
    organisational obligations and duties of care and
    diligence in accordance with the Malaysian Code
    on Corporate Governance (MCCG).
  • Accountability, assurance and governance:
    maintain integrity and confidence amongst EPF's
    stakeholders and the public in general.
  • Strengthening EPF's competitive, strategic and
    operational efficiency to increase long-term
    stakeholder value.
  • Safeguarding EPF's assets and resources.
  • Exploitation of opportunities.
  • Improved planning, performance and effectiveness.
  • Improved information for decision making.
  • Minimise unexpected impact on earnings and
    returns to Members.

7
Malaysian Code of Corporate Governance
  • Best Practices Provision AA I
  • The board should explicitly assume the following
    specific responsibilities, which facilitate the
    discharge of the board's stewardship
    responsibilities:
  • Identifying principal risks and ensuring the
    implementation of appropriate systems to manage
    these risks.
  • Reviewing the adequacy and the integrity of the
    company's internal control systems and management
    information systems, including systems for
    compliance with applicable laws, regulations,
    rules, directives and guidelines.

8
Enterprise Risk Framework
Strategic Risk
Market Risk
Investment Risk
Credit Risk
Liquidity Risk
Operational Risk
Regulatory Risk
Project Risk
Reputational Risk
9
Challenges in Implementing Risk Management
(adapted from draft BS 31100 document)
  • Limited commitment from the Board.
  • Risk Manager has limited/ambiguous/no mandate.
  • No risk management orientation/awareness program
    for senior management, executive and staff.
  • No uniform approach to risk management and
    reporting to ensure adoption of best practices.
  • No readily available formal risk management
    training and tools.
  • No buy-in from middle, junior managers and staff.
  • No regular assessment of risk management training
    needs.
  • No standard process/ procedure for addressing
    concerns about risk management tools or
    practices.
  • Inadequate budget for embedding and executing
    risk management.
  • No corporate process for identifying good
    practices or documenting them.
  • No sharing of good practices across the
    organization on a regular basis.

10
Risk Management Standards
  • Risk Management Standard (IRM, ALARM and AIRMIC)
    U.K.
  • AS/NZS 4360:2004 Risk Management Standard.
  • COSO Enterprise Risk Management, U.S.
  • Canadian Government Sector Standard.
  • Draft standards:
  • ISO 31000 Risk Management: Guidelines on
    principles and implementation of risk management.
  • ISO Guide 73 Risk Management: Vocabulary.
  • BS 31100 Code of practice for risk management.

11
Risk Management
  • Risk management is the culture, processes and
    structures that are directed towards the
    effective management of potential opportunities
    and adverse effects within the organisation
    environment.
  • It is an enterprise-wide process, multifaceted in
    its dimensions.
  • It is best achieved by a multidisciplinary team.
  • Risks must be appropriately communicated and
    shared.

12
Risk Management Process
  • Adopted the Corporate Risk Scorecard (CRS)
    methodology to implement Risk Management in EPF.
  • CRS methodology is consistent with Australian/New
    Zealand Standard AS/NZS 4360:2004 on Risk
    Management.
  • Spelt out in the Risk Management Framework.

13
Risk Management Process
  • Establish the Context: the strategic,
    organisational and risk management context, and the
    criteria against which business risks will be
    evaluated.
  • Identify Risks: those that could prevent, degrade,
    delay or enhance the achievement of an
    organisation's business and strategic objectives.
  • Analyse Risks: consider the range of potential
    consequences and the likelihood that those
    consequences could occur.
  • Evaluate Risks: compare risks against the firm's
    pre-established criteria and consider the balance
    between potential benefits and adverse outcomes.
  • Treat Risks: develop and implement plans for
    increasing potential benefits and reducing
    potential costs of those risks identified as
    requiring treatment.
  • Monitor and Review: the performance and cost
    effectiveness of the entire risk management
    system and the progress of risk treatment plans,
    with a view to continuous improvement through
    learning from performance failures and
    deficiencies.
  • Communicate and Consult: with internal and
    external stakeholders at each stage of the risk
    management process.

Note that Identify, Analyse and Evaluate
Risks are collectively grouped as Risk
Assessment.
14
Sample Risk Scorecard
Gross risk
Nett risk
Target risk
15
For every risk
  • Identify causes and consequences.
  • Rate gross risk in terms of possibility and impact
    (without controls, or with controls totally
    ineffective).
  • Identify primary controls (preventive, detective
    and corrective) and secondary controls.
  • Rate control effectiveness (to reduce possibility
    and impact).
  • The risk software calculates the Nett Risk Rating
    from the Gross Risk rating and the Control
    Effectiveness rating.
  • Set risk targets.
  • Identify management actions to mitigate the
    risks.
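The scorecard steps above, worked through in code as an added example (not EPF's risk software or its scoring rules). The 1-5 possibility/impact scale, the multiplicative combination of several controls and the formula nett = gross x (1 - control effectiveness) are assumptions made here, since the slide does not state how the software combines them; the scorecard rows are constructed sample data.

```python
from dataclasses import dataclass, field

SCALE_MAX = 5  # assumed rating scale: 1 (low) to 5 (high) for possibility and impact


@dataclass
class Control:
    name: str
    kind: str             # primary: "preventive" / "detective" / "corrective"; or "secondary"
    effectiveness: float  # 0.0 = totally ineffective, 1.0 = fully effective


@dataclass
class Risk:
    name: str
    causes: list
    consequences: list
    possibility: int  # gross rating, i.e. as if no control were in place
    impact: int
    target: int       # target risk rating set by management
    controls: list = field(default_factory=list)


def gross_rating(r: Risk) -> int:
    # Gross risk: possibility x impact, with controls absent or totally ineffective.
    assert 1 <= r.possibility <= SCALE_MAX and 1 <= r.impact <= SCALE_MAX
    return r.possibility * r.impact


def control_effectiveness(r: Risk) -> float:
    # Assumption: controls act independently, each removing its share of the remaining risk.
    remaining = 1.0
    for c in r.controls:
        remaining *= 1.0 - c.effectiveness
    return 1.0 - remaining


def nett_rating(r: Risk) -> int:
    # Assumed formula: nett = gross x (1 - control effectiveness), floored at 1.
    return max(1, round(gross_rating(r) * (1.0 - control_effectiveness(r))))


def needs_action(r: Risk) -> bool:
    # A management action plan is required while nett risk still exceeds the target.
    return nett_rating(r) > r.target


def top_nett_risks(risks, n=20):
    # The "top N nett risks" report: highest nett rating first.
    return sorted(risks, key=nett_rating, reverse=True)[:n]


SCORECARD = [  # constructed sample rows, not EPF data
    Risk("Unauthorised change to member records", ["weak access control"], ["wrong payouts"],
         4, 5, 6, [Control("role-based access", "preventive", 0.6),
                   Control("daily exception report", "detective", 0.5)]),
    Risk("Payment system outage", ["hardware failure"], ["delayed withdrawals"],
         3, 4, 4, [Control("hot standby site", "corrective", 0.5)]),
    Risk("Mis-keyed contribution amount", ["manual entry"], ["reconciliation effort"], 5, 2, 3),
]
```

Running `top_nett_risks(SCORECARD)` ranks the uncontrolled data-entry risk first (nett 10), even though its gross rating is the lowest of the three, which is the point of scoring nett rather than gross risk.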

16
Employees Provident Fund Assurance Framework
Ministry of Finance
Investment Panel
Board of Directors
Investment Panel Risk Committee
Board Risk Management Committee
Board Audit Committee
Management Risk Committee
Risk Management Department
Management Operations Risk Committee
Internal Audit
External Audit
Investment Risk Management Section
Operational Risk Management Section
17
Who manages risks?
18
Who manages risks in business units?
19
Development of ORM Framework Project.
20
Establish Context
  • Year 2005
  • Establishment of Operational Risk Section (May
    2005), Management Operations Risk Committee
    (MORC) and Board Risk Management Committee
    (BRMC).
  • Year 2006
  • Approval of ORM Policy and Framework by BRMC
    (4.4.06) and Board (12.6.06) and HoDs were
    informed (19.6.06).
  • ORM System and users training (March 2006).
  • Implementation of Digital Assurance (1.7.06).
  • Year 2007
  • ORM Policy and Framework and other risk documents
    uploaded to Knowledge Management portal.
  • Establishment of Risk Champions discussion
    forum.
  • Access to ORM system provided to all users.
  • Discussion on Single sign-on to ORM system and
    access anywhere through internet with IT
    Department.
  • ORM Satisfaction Service Survey.

21
Risk Process
  • Commencement of Project (1 August 2005).
  • Year 2005
  • Development of Corporate/Strategic, 5
    departments and one State Office Risk Scorecards
  • Year 2006
  • Development of 10 departments, 11 state offices
    and investment function risk scorecards.
  • Year 2007
  • Updating of 10 departments and 65
    branches/Service Advisory Outlets/Enforcement
    Offices risk scorecards to EPF new organisation
    structure.
  • Development of 102 risk scorecards completed by
    30 November 2007.
  • Year 2008
  • Key Risk Indicators
  • Loss Events Collection

22
Communication and Consult
  • Year 2005
  • Two risk awareness courses.
  • 7 risk facilitation workshops.
  • 1 Train the trainers course.
  • Year 2006
  • Two risk awareness courses.
  • 13 risk facilitation workshops.
  • 3 risk champion courses.
  • 4 ORM software users training.
  • Circulation of 3 risk articles.
  • Consultation service through e-mails, visitation
    and telephone.
  • Year 2007
  • Development of risk management portal under the
    Knowledge Management initiative and circulation
    of risk articles.
  • Help Desk and tutorial.
  • Risk awareness courses.
  • Risk Facilitation workshops.
  • Risk Champion trainings.
  • Discussion with departments/sections.

23
Monitor and Review
  • Year 2005
  • Establishment of ORM Section (May 2005),
    Management Operations Risk Committee (MORC) and
    Board Risk Management Committee (BRMC).
  • Year 2006
  • 6 MORC meetings, 5 BRMC meetings and 3
    Board meetings.
  • Setting of risk targets rating for 22 risk
    scorecards.
  • 3 digital assurance sessions.
  • Presentation of risk consolidation and scoring
    methodology.
  • Year 2007
  • 8th Digital Assurance.
  • Risk Consolidation and Scoring.
  • Risk Based Auditing by Internal Audit
    Department.
  • Year 2008
  • Key Risk Indicators.

24
SAMPLE REPORTS AND SCREENS
25
Sample top 20 nett risks report
26
Sample Management Action Plan Report Status
27
Digital Assurance
28
Digital Assurance
29
Statement of Internal Control
  • Assurance provided digitally every two months
    by all owners of risk scorecards, risks, controls
    and action plans.

30
Risk Based Auditing
31
Sample Risk Consolidation Analysis
32
Sample Report by Risk Theme
33
Key Risk Indicators (KRIs) (extracted from
"Operational Risk Management: Introduction, Status
and Requirements" by Christoph Sidler, EDS, Global
Risk Management Practice).
34
Example of Loss Event Recording
35
Sample Individual Dashboard
36
Risk Management Maturity Level (extracted from
draft BS 31100 document)
  • Risk management mandated by Board/senior
    management.
  • Established risk management organization.
  • Risk management policy.
  • Risk management process.
  • Defined method for embedding risk management.
  • Explicit reporting requirements.
  • Type of risk management tools used.
  • Risk management information captured in a
    consistent way.
  • Frequency of risk management carried out.
  • Organizational activities that include risk
    management.
  • Risk management being used to support opportunity
    seeking behaviour.
  • Risk management increased Board confidence in
    pursuing new opportunities.
  • Process of continual improvement.

37
Key Success Factors
  • Full support from the Board, Investment Panel,
    CEO and Management.
  • Committed Risk Champions.
  • Competent and committed consultant.
  • Effective Project Management.
  • Risk Awareness Training and Facilitation
    Workshops.
  • Computerised System.
  • Organisation culture.

38
Thank You