Building a Successful ERM Program

Iman H. Al-Gharabally has been responsible for the enterprise risk management program at Kuwait Petroleum Corporation (KPC) and its subsidiaries since 2004. She is the team leader, coordinator and project manager for the ERM program and its strategic implementation across the Kuwait oil sector. Al-Gharabally, a speaker at RIMS’ Middle East Risk Forum 2016, taking place Dec. 13 and 14 in Dubai, United Arab Emirates, discusses the implementation strategies and successes of KPC’s ERM program.

RIMS: How did you begin the process of building KPC’s ERM program?

Al-Gharabally: In 2002 the KPC managing directors at the time recognized there was a serious need to look into and have in place a consolidated view of potential risks and a consolidated risk management format of those risks facing the organization. Hence the ERM initiative was introduced as a way to instill this unified format of consolidated risk management mainly through the insurance section. In 2004 the ERM initiative was introduced and in 2006 the ISO 31000 was launched.

RIMS: How did you develop your ERM structure?

Al-Gharabally: Initially I had no prior knowledge of what ERM stood for. I was recruited in April 2004 from Kuwait Oil Company (a subsidiary to KPC) to project manage and lead this new ERM initiative. I studied the topic extensively and slowly had to lay down the foundation for a dynamic ERM program for KPC and its subsidiaries. We started at the very top, first in the corporate office looking at the strategy of the corporation and what the corporate objectives aimed to achieve in the coming five years from 2004 to 2009. We then looked at the potential risks that would prevent the corporation from achieving those objectives and started the communication lines across the subsidiaries to initiate awareness on these potential risks and put forth mitigation options to ensure the corporation was well prepared and to increase our abilities to deliver on our strategic objectives.

It was imperative at the very beginning to ensure that we worked hand-in-hand with the various planning, HSE and marketing units across the entire value chain. The idea was to start the conversations early and brainstorm unilaterally for solutions to be placed to counteract any potential risks emerging that would hinder our 2020 strategic business goals.

Over the first few months in 2004, we managed to convince CEOs across the group to create and assign a focal point to be internally responsible for ERM and coordinate and liaise with us at the corporate head office on all ERM related matters. It took 10-12 months before having each subsidiary assign a dedicated ERM focal point. Once there were dedicated individuals to communicate with and be internally responsible for monitoring and reporting on all risk-related matters, the next phase of setting up an ERM framework and governance structure was initiated. In 2007 the ISO 31000 framework was launched across the group for implementation.

KPC’s ERM structure is that of a hybrid matrix in which central ERM policies, procedures and key performance measures are set, while subsidiaries and ERM units across the group are free to implement according to their individual company’s needs and business model.

RIMS: How did you make ERM a success?

Al-Gharabally: It was not an easy task, to be honest. KPC is the corporate head office to eight other companies from upstream to downstream. The nature of their business is quite complex and diversified. So to lead ERM initiatives and have them fully incorporated and periodically monitor and report on the progress is a challenging full time task. The key is to be well integrated. From the very start of our initiative in 2004 we made certain that the corporate head office ERM unit was well integrated with each and every single subsidiary ERM unit. We put in place a platform establishing a community of ERM best practice and there are means to discuss, troubleshoot and share various topics to ensure the benefit is widely absorbed across the entire oil sector. We conduct periodic risk culture surveys and benchmark ourselves not only internally across the group, but also against international financial and oil corporations with advanced risk management programs.

RIMS: What is unique about KPC’s approach to ERM?

Al-Gharabally: Having an ERM program in place in an oil corporation is in itself unique. To take that further and have a single unified ERM strategy and shared initiatives across multi-discipline functions and across eight subsidiaries elevates the uniqueness. Having delivered a successful, fully functioning ERM program over the past 13 years in close collaboration with the corporation’s strategic planning, financial and marketing departments sets KPC’s ERM program apart.

RIMS: What tools/resources have been the most helpful on this journey?

Al-Gharabally: From a risk culture perspective, establishing a community of best practices for ERM individuals to have a platform to share and collaborate various ideas, trouble-shoot implementation issues or integrate objectives on unilateral ERM implementation plans is critical to the success of our program. Having a risk operating committee chaired by the CFO and reporting to the corporation’s risk and audit committee was also a critical success factor to KPC’s ERM initiative. Subsidiaries learned early on that having a dedicated ERM unit reporting directly to the CEO, with no conflicts of interest of shared ownership of risks in the reporting line, was a critical success factor to KPC’s ERM structure. From a technical perspective, establishing a clear ERM framework, policy and procedure as well as systematic reporting of risks in a unified ERM information system, and linking the reporting to the corporations was a critical success factor.

RIMS: How can ERM best inform strategy?

Al-Gharabally: KPC’s decision to maximize transparency and work closely with strategy, marketing and finance was a key aspect in making our ERM program successful. To be able to look at leading risk indicators and have in place the appropriate mitigation options for improving the corporation’s performance in meeting its strategic objectives is an invaluable resource.

RIMS: What advice can you give those embarking on building a world-class ERM program?

Al-Gharabally: Communication, communication, communication! Had we not lobbied, or brainstormed across various business functions early in our journey in 2004, or not ensured that we had the full support of planning and finance on board for our ERM initiatives, our program most likely would have flopped!

How to Influence Risk Management Standards, Frameworks and Guidelines

What do you want risk management standards, frameworks and guidelines to do for your success? Many people depend on these documents to provide needed guidance.

Yet, you have heard the reasons people give for not wanting to deal with risk management standards and frameworks. Perhaps you have even voiced these yourself, at one time or another:

  • Our organization is so unique, no one standard or framework could possibly apply.
  • Standards are the same as regulations—we don’t need more regulations.
  • We know what we are doing—we don’t need any guidance. Those things don’t apply to us anyway.

Whether we like it or not, standards are a part of life and our daily language. We refer to a gold standard as a measure of excellence. There are standard breeds of dogs, horses and even chickens. We have internet standards. And what would we do without standards of care, and food safety standards?

Standards have been around a long time, and actually have benefited society. When time was standardized along the prime meridian, commerce flourished. When the United States decided to build the transcontinental railroad using a standard gauge, deliveries of passengers and goods were made more efficiently. Anyone who has traveled internationally can attest to at least one outcome when there is a lack of standards: the proliferation of power adapters that are needed when representatives from different nations gather.

Standards and guidelines—which typically are voluntary—are not regulations. Standards are created through consensus, public comment and acceptance. Regulations, on the other hand, are mandated through legislation. A primary standard (or “recognized” standard) is an established norm or collection of “best practices” that evolve over time under the jurisdiction of an international, regional or national standards development body. Standards are published as a formal document that can establish criteria, methods, processes and practices. In contrast, a guidance document, company product, corporate standard, etc., that may be developed outside of a recognized standards setting body—but which becomes generally accepted—is often called a de facto standard.

Ultimately, standards provide value when they foster common understanding reflecting collective wisdom, while creating efficiencies and better results for the organizations using them. In benefiting organizations, risk management standards generally recommend, but do not require, risk management criteria, methods, processes and practices. Therefore, they boost risk management’s value—one of the reasons you should care about risk management standards, frameworks and guidelines. And shouldn’t you be involved in developing guidance about your daily work? That is another reason to care.

The problem is not a shortage of risk management standards and frameworks, but the proliferation of standards and frameworks that, at times, seem to contradict each other. The result is confusion, even about how terms and concepts are used. Sorting through these contradictions is challenging, particularly when others in the organization may be advocating a different risk management approach. These differences lead respective proponents to argue about which one is “right” or “better,” rather than focusing on the value that risk management can deliver. Creating a new risk management standard does not necessarily help the situation, as it usually just becomes one more competing standard.

There is an unmistakable need for understanding how to apply various risk management standards.

Another reason for you to care: how complementary—or contradictory—risk management standards and frameworks may be can either help or hurt your efforts.

ACT NOW

We all have a unique opportunity right now to influence two of the major risk management guidance documents: ISO 31000:2009 developed by the International Organization for Standardization and the COSO ERM Framework 2004 under the auspices of the Committee of Sponsoring Organizations. Both are undergoing revision reviews at this time.

To influence the ISO 31000 revision: Seek to join the national mirror committee of your country. In the United States, the Technical Advisory Group for the American National Standards Institute (ANSI) is administered by the Association of Safety Engineers (ASSE) and chaired by Carol Fox, RIMS vice president of strategic initiatives. If you are interested in joining the US TAG, contact Ovidiu Munteanu for information and an application (omunteanu@asse.org).

To influence the COSO revision: The revision is open for public comment June 15 through September 30, 2016. COSO has expanded its website, www.COSO.org, with a section on the Framework update that includes the proposed Framework, survey and comment tools, and FAQs about the project, details of the most significant updates and how to respond to the survey. Written comments on the exposure draft will become part of the public record and will be available on the COSO website through Dec. 31, 2016.