Introduction to risk management. EBL, 3 June 2008. Deloitte AS
Agenda
- What is risk?
- Measuring and handling risk
- Risk as part of enterprise management
Surprisingly few have a conscious approach to risk management in their follow-up and planning

| Area | No plans to incorporate | Plan to incorporate in next 12 months | Partially Incorporated | Fully Incorporated |
|---|---|---|---|---|
| Strategic Planning | 19% | 19% | 37% | 24% |
| Capital Allocation | 30% | 14% | 33% | 23% |
| Transactions | 26% | 20% | 35% | 19% |
| Internal Audit | 6% | 13% | 27% | 55% |
| Mergers & Acquisitions | 18% | 20% | 38% | 24% |
| Treasury | 8% | 10% | 32% | 49% |
| Performance Management | 39% | 20% | 24% | 16% |
| Project Management | 20% | 19% | 31% | 30% |
| Ethics and Compliance | 18% | 16% | 33% | 33% |
| Legal | 7% | 16% | 41% | 36% |
| Sarbanes Oxley | 31% | 12% | 22% | 35% |
| External stakeholder communications | 20% | 16% | 35% | 29% |
| Delegation of Authority | 31% | 11% | 20% | 38% |
| Insurance | 6% | 15% | 35% | 44% |
| Treasury | 3% | 15% | 33% | 48% |
| Environment Health & Safety | 11% | 13% | 33% | 43% |
| Labor Relations | 27% | 20% | 25% | 27% |
| Other | 33% | 33% | 33% | 0% |

Definition of risk management
Risk management is a process that is to be initiated by the organisation's management and used as a tool for achieving the organisation's objectives and complying with regulations.
The process is to be carried out in such a way that management is able to identify possible events or conditions that may affect the organisation's performance of its tasks, internally or externally, and is thereby able to manage risk in line with the company's risk philosophy, so that management has reasonable assurance that the organisation achieves its objectives and complies with regulations.
Risk
Risk means the possibility that an event will occur and affect the achievement of objectives and compliance with regulations, negatively or positively.
[Diagram: Resources, Activities, Objectives and Value creation, with Plan and Execution; events can affect the execution of the plan.]
Risk can be seen from several perspectives
Navigation: risk perspectives
- finance
- regulatory compliance
- loss of productivity & efficiency
- irregularities
- administration & management
- change & reforms
- achievement of objectives and follow-up of decisions
- lack of collaboration & competence
The risk matrix - a starting point for defining events, risk and risk response
[Figure: risk matrix. Likelihood axis: Small, Minor, Large, Very large, Certain. Consequence axis: Low, Moderate, Large, Very large, Critical. Risk levels: Low, Moderate, High, Critical. Surrounding labels: Objectives, regulations & reporting; CSF/events; Causes; Effects; Risk response/measures.]
The risk matrix expresses criticality
[Figure: risk matrix. Likelihood axis: Small, Minor, Large, Very large, Certain. Consequence axis: Low, Moderate, Large, Very large, Critical. Risk levels: Low, Moderate, High, Critical.]
Measures
[Figure: 2x2 grid with axes running from Low to High.]
- Medium risk: share risk
- High risk: reduce and control risk
- Low risk: accept risk
- Medium risk: control risk
Opportunities & risk
But risk is not only dangerous
Risk is also opportunity.
[Diagram: RISK and VALUE CREATION, surrounded by the risk perspectives: finance; regulatory compliance; loss of productivity & efficiency; irregularities; administration & management; change & reforms; achievement of objectives and follow-up of decisions; lack of collaboration & competence.]
Risk management must be founded on a risk policy
A risk policy is the organisation's overarching governing document for strategy, assessment and measures related to risk.
The risk policy should define:
- The interpretation/definition of the concept of risk
- An understanding of how risk is linked to enterprise management and the achievement of results
- The policy for actively taking risk, and for reducing negative risk
- The process approach to continuous management, including the setting and follow-up of risk
Important elements of a risk policy are the definitions of scales and risk levels
Scales for likelihood and consequence:
- relevant consequence areas
- qualitative descriptions of the different levels
On this basis, the risk levels must be defined.
Risk management as part of the wider enterprise management
[Figure: Risk Framework cycle. Steps: Identify risk; Analyse risk; Measure and assess risks; Measures; Design & test the controls; Develop and implement strategy; Monitor and escalate; Maintenance and continuous improvement. Framework elements: Risk objective setting, Risk appetite, Risk tolerance, Risk Assessment (Identification, Prioritization, Analysis, Quantification), Risk Strategies, Risk management capabilities, Risk monitoring, Continuous improvement. Linked management processes: Strategy Planning, Intervention Planning, Forecasting, Budgeting, Operational Reporting, Management Reporting, External Reporting, Value Creation.]
The value map can help in understanding risk
[Figure: value map. Top level: Shareholder Value. Drivers: Revenue Growth (Volume, Price Realization); Operating Margin, after taxes (Selling, General & Administrative (SG&A), Cost of Goods Sold (COGS), Income Taxes); Asset Efficiency (Property, Plant & Equipment (PP&E), Inventory, Receivables & Payables); Expectations (Company Strengths, External Factors). Lower levels break these down into improvement levers and business areas. Legend: Strategic Objective, KPI, Initiative, Risk.]
A simplified risk management process
[Figure: process overview with the panels Risk mapping, Risk map, Risk groups, Risk profile, Control map, Action map, and Action plan and execution. Captions: "The risk profile is the company's inherent risk"; "The control map supports the process of establishing monitoring and measures"; "Insight".]

Risk mapping (example risk register)

| No. | Risk Name | Risk description | Comments |
|---|---|---|---|
| | "Company A" Business Environment | | |
| 1 | Price Erosion | The risk that the market of the company continues to be characterized by a high level of price erosion, due to severe competition, leading to declining margins and loss of income. | Price reductions from 20 up to 40% in a year. Severe competition. |
| 2 | Laws and Regulations | The risk that the laws and regulations are altered and not identified on time by the company, thereby influencing the company's playground and product portfolio. | |
| 3 | Market Consolidation | The risk that there will be a consolidation phase in the market characterized by mergers and acquisitions in which the company is not capable of strengthening its position. | |
| | "Company A" Suppliers | | |
| 4 | Supplier Dependency | The risk that the company has a high level of dependency on a certain number of suppliers which might lead to operational discontinuity and financial losses if these suppliers fail to deliver their services to the company. | |
| | "Company A" Customer Service | | |
| 5 | Customer Service | The risk that the company does not have simplified processes to support the lower market segment, and does not focus adequately on smaller clients, thereby delivering services with insufficient customer care, leading to a very high churn rate. | |

Further comments from the register (their row assignment is not recoverable from the slide):
- The company does not have an operating profit. How long can we keep up with this?
- Ties with shareholder will prevent a hostile takeover, but can also inhibit an acquisition by the company
- This risk is especially relevant for system related services.
- High quality of service is necessary for both higher and lower segment, not only from a technical perspective, but also from an administrative perspective
- For smaller orders the company needs simple and quick process support to take flows right through

[Figure: risk map. Axes: Significance (Low to High) and Likelihood (Low to High). Risks plotted: Regulatory Reporting, Price - Commodity, Channel Effectiveness, Contract Commitment, Environmental, Financial Reporting Evaluation, Sovereign/Political, Trademark/Brand Name Erosion, Business Portfolio, Health and Safety, Compliance, Human Resources, Reputation, Industry, Product/Service Failure, Customer Satisfaction, Globalization, Investment Evaluation, Product Life Cycle, Technological Innovation, Regulatory, Competitor, Patent, Environmental Scan, Product Development.]
[Figure: control map. Axes: Significance of Risk (Less to More) and Control Effectiveness (Less to More). Quadrants: Get action, Monitor, Get assured, Evaluate.]
[Figure: action map. Cause tree for the risk "Competitor" (Definition: Loss of market share to competitors), with branches including lower price, better product and better delivery.]
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas, audit, tax, consulting and financial advisory services, and serves more than 80 percent of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu or other related names. Deloitte & Touche DA is the Norwegian member firm of Deloitte Touche Tohmatsu. In Norway, services are provided by the subsidiaries and affiliates of Deloitte & Touche DA (Deloitte AS, Deloitte Advokatfirma DA and its subsidiaries), and not by Deloitte & Touche DA. Copyright 2008 Deloitte AS. All rights reserved.