Post on 23-May-2020
Enterprise risk management for Corporates
September 14, 2012
Sven Heiligtag
CONFIDENTIAL AND PROPRIETARY. Any use of this material without specific permission of McKinsey & Company is strictly prohibited.
Abstract
Enterprise risk management (ERM) is not about trying to manage every single risk centrally. It is more about identifying the 10-20 key risks and defining the right management approach and set-up for these. Finding the best model to manage these risks successfully will depend largely on a company’s business model and risk exposure. This is one of the CFO’s central management tasks. The challenge here is that qualitative elements such as risk culture, organization, and governance play a key role alongside more traditional quantitative analysis. In this breakout, we will present the core elements of a successful ERM system and show some best practice examples. We will also draw on case studies of how CFOs can use quantitative solutions, such as cash-flow-at-risk models and mega-risk assessments, to identify the right focus for their ERM solution.
McKinsey & Company |
Why does Enterprise Risk Management create value?
▪ Achieving compliance/satisfying regulatory requirements
▪ Ensuring value protection (“Downside”)
▪ Driving profitability and growth ("Upside")
▪ Providing stability, continuity and "ease of mind" for stakeholders
Corporates mean different things when they talk about “Enterprise Risk Management”
Figure: Ranking of importance of goals of ERM (1 = Low, 4 = High) for four goals (1. Regulation/compliance, 2. Value protection, 3. Capturing the upside, 4. Stability), shown for SUM, EPNG, O&G and AI.
▪ EPNG with focus on value protection as significant bulk risks (e.g., regulatory)
▪ O&G focuses on stability of revenues
▪ AI with focus on compliance regarding quality and regulatory issues, engrained in business model
▪ Overall, value protection the most important goal of risk management
▪ Value generation via risk management with lowest priority among respondents
SOURCE: McKinsey
SOURCE: McKinsey
Effective risk management comprises five elements
Integrated enterprise risk management
1. Risk insight and transparency: Risks that affect our future performance are well understood
2. Natural ownership, risk appetite, and strategy: We keep only risks that we are competitively advantaged to own; other risks are transferred or mitigated; and our strategy is aligned with our risk capacity
3. Risk-related decisions and processes: All critical business decisions are made with a clear view of how they change our company’s risk profile
4. Risk organization and governance: Structures, systems, controls, capabilities, and infrastructure are in place for us to manage risk
5. Risk culture and performance transformation: Our culture reinforces risk management principles; formal and informal mechanisms support the right mindsets and behaviors
SOURCE: McKinsey Risk Practice
Conventional ERM approaches are often ineffective across all of these elements
Insight and risk transparency
Typical compliance-focused ERM:
▪ Hundreds of risks
▪ Data reporting without insights
Best-practice ERM focused on improving decision-making:
▪ Clarity on top 5-10 mega risks
▪ Deep insight into root causes, indirect effects, early warning signals

Risk appetite and strategy
Typical compliance-focused ERM:
▪ No explicit decisions on risk ownership and desired overall risk level
Best-practice ERM focused on improving decision-making:
▪ Deliberate choices on risk ownership and risk level, based on risk capacity and strategic aspirations

Risk organization and governance
Typical compliance-focused ERM:
▪ ERM is primarily a board priority that management executes on
▪ ERM team struggles to have traction with line management
▪ ERM perceived as a “bureaucratic exercise”
Best-practice ERM focused on improving decision-making:
▪ ERM is a board and top management priority
▪ Line takes explicit ownership of key risks, with ERM support
▪ ERM perceived as core to managing the business

Risk-related decisions and processes
Typical compliance-focused ERM:
▪ No link between risk analysis and key decision processes
▪ Risk assessment lags major corporate decisions
Best-practice ERM focused on improving decision-making:
▪ Risk analysis done in conjunction with – and supports – key strategic and operational decisions

Risk culture
Typical compliance-focused ERM:
▪ Risk culture is a “fuzzy” concept
Best-practice ERM focused on improving decision-making:
▪ Clarity on specific risk culture vulnerabilities and action plan in place to strengthen risk culture
Four archetypes of Risk DNA for Corporations
Decentral risk ownership
Description:
▪ Line management owns risks
▪ Light touch central support as needed
▪ Risk optimization “ensured” by a strong business and risk culture
Examples1:
▪ “We do not believe in a separate risk organization. Risk management is a line management direct responsibility” – SVP & Treasurer

Central risk ownership
Description:
▪ Risk function owns and actively manages certain key risks centrally (e.g., FX hedging)
▪ Business heads get approval on other risk strategies from CRO
Examples1:
▪ “The risk function hedges or takes out insurance as they see fit” – CFO

Checks and balances
Description:
▪ Line management owns risks
▪ Strong central risk team led by “Chief Risk Officer” with a seat at the table, acting as counterweight for important strategic decisions
▪ CRO acts as thought partner (blend of collaboration and challenge) to business heads
Examples1:
▪ “I spend my time talking with others. My main role is to discuss and challenge their thinking” – CRO

Aggregated insight
Description:
▪ Line management owns risks
▪ Small central risk team aggregates risk insight, integrates across enterprise, and shares across the organization
▪ Risk optimization achieved by line with support from central risk team
Examples1:
▪ “The risk function provides analytics, reporting, advice and process support to management and Board committees” – Head of ERM

1. Based on filed public reports, speeches, and press articles
SOURCE: McKinsey Risk Practice
Priority
Typical for financials (banks, asset mgmt…)
Overall trend, nonfinancial institutions
The archetypes of different industries’ Risk DNA differ among risk types
Figure: positioning of AI, O&G and EPNG across the four archetypes (Decentral risk ownership, Central risk ownership, Checks and balances, Aggregated insight) for three risk types: Financial risk (Commodity, FX, Credit); Operational/technical and project risk; Political/regulatory and portfolio/enterprise risk.
▪ Financial risk: AI more independent1, rest more centralized
▪ Operational/technical: O&G majors with stronger centralization than rest
▪ Political/regulatory: Dependent on reliance on politics (EPNG and O&G) and geographical operations
1 In particular commodity risk
SOURCE: McKinsey Risk Practice
We believe an integrated approach to risk matters
Improve transparency and measure
Manage and decide on improvement levers
Enhance processes to facilitate risk mitigation
Empower skilled risk organization
Build a risk conscious mitigation culture
Enterprise Risk Leadership
Focus of today
Ensure early warnings are monitored and facilitate ongoing risk management
Embed risk optimization in each major strategic decision before launch/positive decision
Redistribute risk to other market participants and seek to improve flexibility to act
Proactively manage the cycle and price risk
Translate into risk tolerances, limits and triggers
Build insights into all relevant risk and their interdependencies
Develop early-warning "KPIs" to identify issues faster than others
Establish information system that facilitates proactive actions for top management
Identifying the key risks across your drivers of cash flow…
Time horizon: 2012, 2013, 2014, 2015, …

Revenues
– Cost of goods sold
Gross margin
– Operative costs
EBITDA
– Amortizations
– Adjustments on receivables
EBIT
+ Net financial expenses
Net profit
+ Amortizations
– CAPEX
Operating cash flow

Commodity risks
▪ Commodity volatility (impacting both revenues and costs)
Operations risk
▪ Operative costs volatility
▪ Plant underperformance
▪ Accidents
▪ Completion investments delay
▪ CAPEX overrun
▪ …
Credit risk
▪ Counterparties’ defaults
Exchange rate risk
▪ Exchange rate volatility
Regulatory risk
▪ Changes on the regulation of fuels in Europe
▪ Changes on drilling regulation in major countries
▪ …
Interest rate risk
▪ Interest rates volatility
Macro-economic
▪ GDP volatility affecting production volumes and prices
… will allow you to understand your cash flow distribution and how it can be affected
Oil and gas example
Figure: operating cash flow probability distribution (Monte Carlo; inputs: commodity price scenarios, business outcomes) set against the prioritization of cash needs: interest & principal payments, dividends, ongoing maintenance capex, sustaining capex, growth capex, strategic capex. Label: Potential stress.
Pre-CFAR operating cash flow distribution: lower probability of funding strategic capex
Revised operating cash flow distribution: higher probability of funding strategic capex. Levers include (e.g.):
▪ Commodity hedging
▪ Capital structure changes
▪ Portfolio changes
▪ Others (e.g., contracting, etc.)
A tailored overall risk report is a key part of risk transparency
Mega risks identified and assigned executive ownership
Mega risks – update and action plans
Financial risk update
Leading indicators
Sensitivity analysis
Liquidity
Market scenarios
Stakeholders risk update
Resource tax – stakeholder summary
Project #1 – stakeholder summary
Project risk update
Project-specific deep dive
Operation risk update
Asset overview
Country risk overview
HSE update
Key project summary
Understand your credit rating exposure based on your cash flow distribution
Figure: Probability FFO/debt below target (percent) by year; Debt/EBITDA (percent) against target.
SOURCE: McKinsey Risk Practice
Risk management can provide different types of support to key corporate decisions
Potential specific risk contribution
▪ Mitigate new risks: Coordinate sufficient lock-in of fuel purchases, power sales, and fx rates to satisfy funding covenants
▪ Customize tools: Pricing tool for valuing risk sharing options in project contract negotiations
▪ Share best practices: Aid project leaders to systematically incorporate risk assessment and mitigation into overall project management process
▪ Challenge assumptions: Sit down with business case preparers and challenge every assumption for reasonableness prior to decision
▪ Independent review: Review and form independent view from BU management on risk and return tradeoff in entering Asian market
▪ Centralize information: Provide agreed upon assumptions for scenarios used by each BU for its business plan
SOURCE: McKinsey Risk Practice
Closing remarks
Do you have a full understanding of the biggest risks for your company and a warning system for detecting them early?
Can you improve the way you are managing and addressing risks?
How important is mitigating these risks for your company (e.g. through cash flow, rating / funding, reputation, etc.)?
What do you think is missing the most to better address your risks?