10Minutes

Organisations of all types and sizes face internal and external factors that create uncertainty. The effect this uncertainty has on an organisation's objectives is risk1.

on building Enterprise Risk Management in companies in Russia, the CIS and CEE

What you need to know about emerging topics essential to your business. Brought to you by PricewaterhouseCoopers
Companies around the world must today deal with risks that are much more interconnected and therefore more challenging to manage than those they were dealing with under more favourable economic conditions2. Never before has sound risk management been so important for company profitability and, in some cases, survival. Risk management is by no means a new initiative; it has been around since the 1980s. Indeed, companies inherently have always been managing risks. Active discussion at the executive level around investment decisions and successful change management activities are all examples of risk management in action, even though sometimes applied informally. The investment community, credit rating agencies and regulators are putting pressure on company management and boards within Russia, the CIS and CEE to further raise the bar in terms of formalisation and consistency of risk management approach. There is a general industry push to make risk management a continuous process that supports internal changes and decisions and allows the organisation to respond well to external changes. Regardless whether your company has already established a risk management foundation or is only starting out the process, this document will be a useful resource.
1 ISO31000:2009 Risk management Principles and guidelines 2 Global Risks 2010, A Global Risk Network Report, World Economic Forum

Many organisations across the CEE region are re-evaluating the need to develop robust Enterprise Risk Management (ERM). Some are at the start of the journey, with unintegrated or no framework in place; others are looking to move from small, established risk management functions at the group level to a function that extends deeper within the organisation. Whatever the case may be, establishing ERM is not an overnight process and companies should take a staged approach: 1. Prepare for the mind shift. Building ERM will require changes to the organisations culture and processes. Before you embark on the journey, prepare: read the available literature, familiarise yourself with the available standards, be ready for tough questions and have a plan. 2. Take it one step at the time. Obtain the commitment and support of senior management. Know the end game, but change the company mindset one step at a time. 3. Achieve quick wins and win people over. Show management results to prove that risk management can significantly improve the way the company operates. Dont wait a year until ERM is fully implemented share the success stories as you go.

pwc

At a glance

Risk management is the systematic application of management policies, procedures and practices to the activities of communicating, consulting, identifying, analysing, evaluating, treating, monitoring and reviewing risks3.

The global perspective on risk management Responses to this years 13th Annual Global CEO Survey signal that risk management is becoming a permanent element of the organisational strategic planning process. More CEOs intend to change their risk management process than any other element of their strategy, organisation or business model. And more boards are increasing their engagement with strategic risk assessment than any other item on the boardroom agenda. Risk is not only moving up the corporate agenda in response to the crisis, but is seen as something that needs to be embraced by the organisation as a whole. Clearly, Global CEOs are becoming more risk aware: 41% anticipate a major change to their risk management approach4.

Strategy and governance People and organisation Processes Technology Vision and strategy Culture and risk appetite Communications Policies and procedures Organisation and responsibilities Trainind and HR development Risk management, compliance and business processes Technology support

Risk management is not a stand-alone activity. It is part managements responsibilities and an integral part of all organisational processes, including strategic planning and the project and change management processes. It is what great companies do every day.

3 PricewaterhouseCoopers: Management Barometer, 2007

4 13th Annual Global CEO Survey, PricewaterhouseCoopers, 2009

PricewaterhouseCoopers

01
Introducing sound risk management will require changes to the organisations culture and processes be prepared
Before you embark on the journey, make sure you are prepared to answer some tough questions along the way. The good news is, you are not alone. There is a wealth of literature on the subject, and many recognised international organisations have published risk management standards and best practice guides that will help you. ISO 31000:2009 Risk management Principles and guidelines and FERMA Risk Management Standard, 2002 are just some of the examples. Attending risk management forums to listen to new ideas, share experiences and get to know your peers is also effective.

Get support and buy in

Risk management must start at the top, so before you begin, identify key stakeholders at the board and executive levels. Identify one or two historic examples specific to your company to show how sound risk management could have prevented or minimised adverse impacts (do so without attributing blame to anyone). It may help to determine one or two existing business processes within the organisation that could be significantly improved by integrating an element of risk management (for example, board reporting or investment decision-making) and get support from the process owners before presenting the business case for ERM.

Build a business case for ERM

Integrating risk management requires making changes, and you should prepare a business case to justify these proposed changes. The business case should not only highlight the benefits of ERM, but also clearly articulate the need for change, key roles and responsibilities, timeframes and expected short-, medium- and long-term deliverables. Information provided in this 10 minutes brochure will help you put together a business case.

Have a plan!
Risk management is a journey and, regardless whether your company has an established risk management foundation or is just starting out, having a plan is essential. The plan should clearly highlight the staged approach, identify quick and longer term wins, and show roles and responsibilities and timeframes.

PricewaterhouseCoopers

02
Risk management is a journey take it one step at the time
The risk management approach should be unique for every organisation there is no one size fits all solution. The complexity and maturity of the overall risk management effort should be directly linked to the boards willingness to accept risk, stakeholder expectations and the external environment in which the company operates. Consider two extremes: A small speculative company operating in a high-risk environment will have a very different ERM process from that of a large pillar of society company owned by a large number of risk-averse shareholders and operating in a highly regulated environment. Clearly, the latter would need a much more formal and integrated ERM system. Similarly, if a company has significant exposure to a particular risk type (for example, currency risk), the company may choose to develop additional procedures to deal with that risk. Whatever the required complexity, risk management should be looked at in the context of the overall organisational framework.
Strategic planning Internal and external reporting Riskoversight

Know the end game

Risk management has long been considered to be an integral part of the organisational framework and one of the key elements of corporate governance. Risk management should not be a bolt on to the companys existing processes; it should be something management considers every day as part of their job.

Take it one step at a time

While your longer term aim should be to change the way the company thinks about risk and operates, dont try to tackle changing all the processes at once take it one step at a time. Organisations that have been successful at implementing ERM had a plan and shared the common end vision, but took a staged approach. Consider which of the organisational elements could benefit most from integrating risk management. For example, pick board reporting and expand the scope a bit by adding information about significant emerging and existing risks and what is being done to mitigate them. This will help to improve the reports and highlight the value of risk management.

Integrating ERM

Change management Decision making

Effective organisational framework

Project management

PricewaterhouseCoopers

03
Aim for quick wins and win people over
Make risk management stick in the organisation by sharing success stories and delivering quick wins. Understanding the underlying values of sound risk management will help you to aim for quick wins first: 1. Transparency of information. Providing board members and the executive team with adequate information about key exposures (risks), their significance to the company and what is currently being done to prevent or mitigate them. 2. Informed decision-making. Decisions put before executive management require a full appreciation of the risks surrounding them and how these risks might be controlled to ensure successful outcomes. 3. Dealing with uncertainty and surprises. Risk management helps to minimise uncertainty surrounding the achievement of organisational goals. Having in place mechanisms for early risk detection will help to reduce surprises. 4. Increase efficiency and reduce costs. Risk management can also help to achieve significant operational efficiencies and reduce costs. Consider a procurement function where through upfront risk identification, counterparty risk levels are recorded and appropriate controls are implemented. This could significantly reduce the level of bad debt. Every organisation is different, and it is important to focus your risk management efforts on the areas that will be of the most benefit for you. We will use a couple of case studies to show how quick wins can be implemented: Case study 1 Management at large international airport decided to enhance the quality of their financial and operational board reporting by including additional information about significant emerging and existing risks and what management is doing to mitigate them. This helped to create a level of transparency and risk oversight at the board level, thus building trust and confidence in the management team and further strengthening the risk management culture within the organisation.

Case study 2 A large real estate development company incorporated risk assessment within their annual strategy and planning cycle. This allowed senior management to better understand the risks that may prevent achieving the companys strategy and strengthened their responsibility and ownership over company risk management.

PricewaterhouseCoopers

Take action

Benefits of sound risk management far outweigh the costs involved. Inaction can be a value killer

Integrating risk management into the organisational framework provides numerous benefits, including: Improved strategic and operational planning and budgeting The ability to make critical business decisions with better data, improving your chance of success Less time spent reacting to risk issues, and more time on using risk management to tell you more about emerging risks Improved ability to prevent, quickly detect, correct, and escalate critical risk issues The ability to provide a comfort level to the board and other stakeholders that the full range of risks are understood and managed

ERM checklist
Do a stock take of existing risk management practices Research and select a risk management methodology to be consistently applied across the organisation Have a plan Get commitment and support Pick a pilot/aim for quick wins Roll out the staged ERM programme Analyse the results and share success stories

Organisations that focus their attention on understanding risks and actively managing them are the ones to most often reap the rewards. Take action!m

PricewaterhouseCoopers

How can PwC help

Our governance, risk and compliance team can provide your company with an independent assessment of your risk management maturity and provide practical and objective advice to optimise your risk management processes during this time of change.

Lyubov Nissenboim Director Governance, risk and compliance Tel.: + 7 (495) 223-5002 lyubov.nissenboim@ru.pwc.com

Alexei Sidorenko Senior Manager Governance, risk and compliance Tel.: + 7 (495) 223-5002 alexei.sidorenko@ru.pwc.com

PricewaterhouseCoopers

www.pwc.ru

2010 PricewaterhouseCoopers LLP. All rights reserved. PricewaterhouseCoopers refers to PricewaterhouseCoopers LLP, a Delaware limited liability partnership, or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity. This document is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.