Building a Successful ERM Program

Iman H. Al-Gharabally has been responsible for the enterprise risk management program at Kuwait Petroleum Corporation (KPC) and its subsidiaries since 2004. She is the team leader, coordinator and project manager for the ERM program and its strategic implementation across the Kuwait oil sector. Al-Gharabally, a speaker at RIMS’ Middle East Risk Forum 2016, taking place Dec. 13 and 14 in Dubai, United Arab Emirates, discusses the implementation strategies and successes of KPC’s ERM program.

RIMS: How did you begin the process of building KPC’s ERM program?

Al-Gharabally: In 2002 the KPC managing directors at the time recognized there was a serious need to look into and have in place a consolidated view of potential risks and a consolidated risk management format of those risks facing the organization. Hence the ERM initiative was introduced as a way to instill this unified format of consolidated risk management mainly through the insurance section. In 2004 the ERM initiative was introduced and in 2006 the ISO 31000 was launched.

RIMS: How did you develop your ERM structure?

Al-Gharabally: Initially I had no prior knowledge of what ERM stood for. I was recruited in April 2004 from Kuwait Oil Company (a subsidiary to KPC) to project manage and lead this new ERM initiative. I studied the topic extensively and slowly had to lay down the foundation for a dynamic ERM program for KPC and its subsidiaries. We started at the very top, first in the corporate office looking at the strategy of the corporation and what the corporate objectives aimed to achieve in the coming five years from 2004 to 2009. We then looked at the potential risks that would prevent the corporation from achieving those objectives and started the communication lines across the subsidiaries to initiate awareness on these potential risks and put forth mitigation options to ensure the corporation was well prepared and to increase our abilities to deliver on our strategic objectives.

It was imperative at the very beginning to ensure that we worked hand-in-hand with the various planning, HSE and marketing units across the entire value chain. The idea was to start the conversations early and brainstorm unilaterally for solutions to be placed to counteract any potential risks emerging that would hinder our 2020 strategic business goals.

Over the first few months in 2004, we managed to convince CEOs across the group to create and assign a focal point to be internally responsible for ERM and coordinate and liaise with us at the corporate head office on all ERM related matters. It took 10-12 months before having each subsidiary assign a dedicated ERM focal point. Once there were dedicated individuals to communicate with and be internally responsible for monitoring and reporting on all risk-related matters, the next phase of setting up an ERM framework and governance structure was initiated. In 2007 the ISO 31000 framework was launched across the group for implementation.

KPC’s ERM structure is that of a hybrid matrix in which central ERM policies, procedures and key performance measures are set, while subsidiaries and ERM units across the group are free to implement according to their individual company’s needs and business model.

RIMS: How did you make ERM a success?

Al-Gharabally: It was not an easy task, to be honest. KPC is the corporate head office to eight other companies from upstream to downstream. The nature of their business is quite complex and diversified. So to lead ERM initiatives and have them fully incorporated and periodically monitor and report on the progress is a challenging full time task. The key is to be well integrated.

From the very start of our initiative in 2004 we made certain that the corporate head office ERM unit was well integrated with each and every single subsidiary ERM unit. We put in place a platform establishing a community of ERM best practice and there are means to discuss, troubleshoot and share various topics to ensure the benefit is widely absorbed across the entire oil sector. We conduct periodic risk culture surveys and benchmark ourselves not only internally across the group, but also against international financial and oil corporations with advanced risk management programs.

RIMS: What is unique about KPC’s approach to ERM?

Al-Gharabally: Having an ERM program in place in an oil corporation is in itself unique. To take that further and have a single unified ERM strategy and shared initiatives across multi discipline functions and across eight subsidiaries elevates the uniqueness. Having delivered a successful fully functioning ERM program over the past 13 years in close collaboration with the corporation’s strategic planning, financial and marketing departments sets KPC’s ERM program apart.

RIMS: What tools/resources have been the most helpful on this journey?

Al-Gharabally: From a risk culture perspective, establishing a community of best practices for ERM individuals to have a platform to share and collaborate various ideas, trouble-shoot implementation issues or integrate objectives on unilateral ERM implementation plans is critical to the success of our program. Having a risk operating committee chaired by the CFO and reporting to the corporation’s risk and audit committee was also a critical success factor to KPC’s ERM initiative. Subsidiaries learned early on that having a dedicated ERM unit reporting directly to the CEO, with no conflicts of interest of shared ownership of risks in the reporting line, was a critical success factor to KPC’s ERM structure. From a technical perspective, establishing a clear ERM framework, policy and procedure as well as systematic reporting of risks in a unified ERM information system, and linking the reporting to the corporations was a critical success factor.

RIMS: How can ERM best inform strategy?

Al-Gharabally: KPC’s decision to maximize transparency and work closely with strategy marketing and finance was a key aspect in making our ERM program successful. To be able to look at leading risk indicators and have in place the appropriate mitigation options for improving the corporation’s performance in meeting its strategic objectives is an invaluable resource.

RIMS: What advice can you give those embarking on building a world-class ERM program?

Al-Gharabally: Communication, communication, communication! Had we not lobbied, or brainstormed across various business functions early in our journey in 2004, or not ensured that we had the full support of planning and finance on board for our ERM initiatives, our program most likely would have flopped!

Creating a Strong Defense and Offense in Your Risk Management Program

Stakeholders demand that companies grow, but at the same time, they expect growth to be managed to make sure the brand is not tarnished. That means enabling value as well as protecting value, which comes down to striking the appropriate balance between risk agility and risk resiliency.

For many years, risk management has focused on protecting the brand and keeping the company out of trouble. But if it’s done right, risk management is about playing not only defense but offense as well—it’s about value protection and value enablement.

Defensive Risk Management

Defensive risk management is mostly about risk resiliency, enabling a company to either prevent bad things from happening or recover more efficiently from disruption. Defensive tactics include setting up a risk appetite statement and framework that are approved by the board on down. Next, the risks should be aggregated across the enterprise and mapped against that appetite along with related risk tolerances and limits. Defensive risk management is also about developing a set of very specific key risk indicators (KRIs) to look for. This includes having a solid business continuity management strategy that will quickly get things back on track after a risk event. These activities keep the company out of harm’s way, and may be the easier part of risk management.

Offensive Risk Management

The more difficult part is thinking about risk management offensively—leveraging it for strategic advantage and growth. The first offensive tactic is to align your risk management process with strategic planning so you can drive those priorities forward in light of all the risks you are facing. That’s not an easy thing to do because even though companies may think they’re aligned, many of them actually run two very distinct and separate processes. Another offensive tactic involves giving some of the risk management activities back to the business units—so they can run faster and drive risk-adjusted decisions and revenue plans.

Risk agility lets a company flex and grow by making the risk management process adaptable to changes in the business model or to external changes affecting the company.

It is also something that has to be thought about more formally so that it does not become counterintuitive to the growth agenda, but actually supports it and even helps drive it.

If a company is being held accountable by its stakeholders to grow—and they all are—that growth has to be pursued in a controlled manner so the brand doesn’t become tarnished. That is about striking the appropriate balance between risk agility and risk resiliency—playing offense and defense.

The simple fact is that companies that use their risk management activities to play both sides are more likely to see sustainable growth and better performance patterns because they are balanced between moving the business forward and keeping the business in check.

PwC’s study 2016 Risk in review: Going the distance highlights how companies can achieve this important balance. For example, companies that structure their risk management programs to play both offense and defense are more likely to see sustainable growth and better performance patterns.

In addition, these companies are nearly as likely to report that they expect significant revenue and profit margin growth (greater than 5%) as companies that are focused only on growth—and they are better positioned for sustainable success. Such companies are balanced between having the agility to move their business forward and the resilience to prevent bad things from happening and/or recover more efficiently from disruption.

High-risk growth

Some companies with aggressive top-line growth targets decide not to invest at the appropriate levels in their risk management programs, which can allow their growth to outpace their infrastructure. Following this course can bring more risks—vulnerability peaks and risk events become more crippling to the brand. In the end, more capital is spent on investments to take risk management activities to the next level after something bad happens to the business.

The mindset across industries is that immediate growth is great, but longer term, sustainable growth is better. Companies are building up stronger and more relevant second-line (risk and compliance) functions, and holding the first line more accountable on risk because they see that will help them achieve sustainable growth.

Adapt or get left behind

As the business landscape continues to evolve, companies need to adapt or find themselves in deep distress. The key to creating an effective risk management program is to find the right balance that allows for growth at a comfortable pace relative to the risk appetite and risk tolerance levels set by management, and accepted by the board. When that is done, your risk management program truly becomes a strategic asset, supporting both offense and defense.

Captive Growth Increases Need for Insurance-Experienced Board

The current climate for captive insurers is gravitating toward encouraging captives—including single-parent, association and agent-owned—to appoint experienced, independent directors to their boards. Regulators (National Association of Insurance Commissioners and Bermuda Monetary Authority) and rating organizations (A.M. Best and Standard & Poor’s) have all come out in favor of the appointment of independent directors. They believe that independent directors add value by providing independent, experienced guidance to captive owners that is separate and distinct from a captive’s other advisers, including managers, lawyers and accountants.

Their appointment could also help a company avoid a lawsuit. Independent directors do not have conflicts of interest, can provide experience that is different from others on the board and usually have a broad captive insurance perspective.

Another point worth considering is that some captive managers may have other interests, such as brokerages, reinsurance brokerages, actuarial, claims, asset investments. Some may even provide leads for a possible fee for premium financing. Furthermore, captive owners can mistakenly believe they get all the advice they need from their current advisers.

Independents on the Horizon

In the coming months, expect to see captive owners reaching out to independent directors, both because of their value-added consulting expertise and because regulators and possibly rating agencies will require it. This practice already exists in some overseas jurisdictions, and with Solvency II, it could become more important as it may ultimately apply here in the U.S.

What is often overlooked is the value-added experience independents offer. Here is a partial list of services normally expected of experienced independent directors:

  • Help in selecting the reinsurance intermediary. They provide an independent perspective separate from the reinsurance broker or risk manager.
  • Advise on acquisition opportunities of the captive, if any, such as buying a third-party administrator, a licensed admitted insurance company, or an investment in a new start-up retail brokerage firm. These sophisticated ideas are an expansion of most captives’ business plans and need to be considered carefully given the risks they present. Keep in mind, however, that the captive landscape from the 1970s is littered with the carcasses of captives that ventured ill-advised into such businesses.
  • Help in evaluating a reinsurance program’s structure and economics.
  • Attend and advise on the rating process with outside rating agencies, such as A.M. Best.
  • Attend meetings with insurance regulators, especially if there is a regulatory concern.

Independent directors are also asked to vote on many issues, including:

  • Should the captive change fronting companies?
  • Should the captive make a large dividend payment to the parent corporation, or should it return capital to its owners?
  • Should the captive write direct procurement policies for the parent corporation?
  • What law firm should handle uncollectible reinsurance?
  • Should the captive litigate or arbitrate certain claims?
  • Should it change asset investment managers?
  • Should the captive expand into other lines of business, such as writing third-party reinsurance business?
  • Should it move from an offshore domicile to a domestic domicile?
  • How can the captive reduce the cost of its reinsurance program?
  • How does a captive evaluate its various service providers?
  • What are the consequences of executing reinsurance or fronting agreements?

How Cybersecure is Your Company?

It should come as no surprise that security has moved from an afterthought at global organizations to a front-and-center consideration, often involving the CEO and board of directors. Headlines of the world’s largest companies involved in breaches are rampant, and will only increase as organizations accelerate their digital transformation plans and in doing so create lucrative opportunities for bad actors to steal valuable assets. Businesses are inherently interested in making money, and cybersecurity crimes have a significant impact on their bottom line. In fact, it is estimated that cybercrime will cost $2.1 trillion by 2019, according to Juniper Research.

For C-level execs and board members alike, their real understanding of cyber-exposure is too often binary: Are we on the front page of the Wall St. Journal or not? While this may be an unfair over-generalization for tech-savvy board members, it is clear that cybersecurity is now included in their “fiduciary duties.” With increasing investments going to security software, consultants, and now cyber-insurance, executives and officers must know the risk profile of their digital systems and security service level agreements (SSLAs).

Organizations looking to maintain their competitive edge will take a new approach to security from the first line defenders in the IT department to the boardroom. The quickest and simplest step in moving in the right direction must be to answer “How secure are we as an organization?”

The Best Defense is a Good Offense

Forward-thinking organizations are appointing board members who have recognized this security paradigm shift and are moving from a defensive to an offensive mindset when it comes to protecting their assets. Some companies, like AIG, Blackberry, General Motors and Wells Fargo, are even going so far as to appoint board members with cybersecurity expertise. While it isn’t mandatory that organizations have cybersecurity experts on their boards, the reality is that no board can escape responsibility, and digital threats will only become more a part of daily business life.

Ask the Right Questions

Beyond asking “How secure are we?” board members should ask their CISOs and security professionals whether their resources and budgets are appropriate. While CISOs will likely always ask for more, they need to be able to demonstrate specific holes and needs or anticipate pending regulatory changes specific to their industries. It would also be wise to regularly ask what internal changes have been made in light of developments in the industry. Additional questions that should be asked include:

  • How are you designing a security posture that does not slow down business operations?
  • How do we know that data/IP systems not in our control are safe and secure, such as internet of things (IoT) and cloud?
  • How do we ensure that we are ahead of new regulatory requirements coming down the pike?
  • Who is responsible for security—CISO, CIO or risk & compliance officer?
  • What is our risk score matrix?

Establish a Seat at the Table

For CISOs, this new attention can be a double-edged sword; while the increased visibility of their position could be beneficial to their own importance to the company, their performance will be scrutinized by the highest levels of management.

CISOs and their security equivalents presenting to the board require a persistent seat at the table. Bringing them in just for an annual report will leave many questions unanswered and does not paint an accurate picture of the organization’s risk profile. Continual updates should include both positive and negative developments, which will make budget increase requests more likely when needed.

These experts should also be expected to provide detailed analytics and a tailored executive dashboard that demonstrates the progress made against goals and benchmarks. The sophistication of these dashboards will depend on the board’s expertise but educating these members should be included in any presentation.

Put a Price on it

When taking these steps and bringing security to the forefront of business planning, each board presentation will allow organizations to make security a marketable attribute. Consumers are becoming increasingly fickle about doing business with organizations that have been breached and as a result are looking for assurance that they and their data will be secured. Promoting your organization’s commitment to security can be a valuable asset to the company’s bottom line. Board members can play a significant role in shifting perception and reality in the marketplace and would be wise to ask more questions to get closer to answering “How secure are we?”