Improving risk management maturity, strengthening decision-making
The Client: DUBAL
As a leading industrial company, Dubai Aluminium (DUBAL) faces many inherent risks, broadly classified as Financial Risk, Operational Risk, Market Risk, and Strategic / Reputational Risk. Some of these risks are mitigated and controlled internally. Others are shared with third-parties. Some risks are managed, while others are simply accepted.
As an example of a recent risk - in 2012-13, the Strait of Hormuz was expected to close due to escalating U.S.-Iran tensions. That meant that the supply of raw materials to DUBAL, as well as the export of finished products would have been blocked. It was a double logistics/ operational risk - one that could have seriously affected DUBAL’s production, sales, and revenue.
For over 30 years, the company has managed its risks well, as has been evident from incident reports. There have been, however, some challenges in terms of articulating and reporting enterprise risks; defining them in a common language; and quantifying those risks in metrics that would support decision-making. So, in 2011, the company decided to establish a more structured and systemic approach to risk management by implementing a new Enterprise Risk Management (ERM) framework. Their objective was to put in place effective risk management policies, strategies, and processes that would contribute to the existing strategies aimed at protecting and enhancing shareholder value
Keep your ERM program simple and logical: Don’t overcomplicate risk management. Keeping things simple can make your ERM framework implementation far more effective.
Be aware of risk misconceptions: Understand common risk misconceptions, and refrain from acting on them. For instance, try not to make your ERM program simply about complying with regulations such as SOX. DUBAL’s ERM program was more of an internal initiative, driven by the need to start being more professional about the way risks were managed, reported, and leveraged to make decisions.
Do your homework, establish a road map: Determine where you stand from a risk perspective. Identify your risk strategy and philosophy, and work towards it in a measured, transparent approach.
Don’t take shortcuts: Rolling out a successful ERM framework and philosophy is not a quick win - it’s not something you can achieve in 12 months. It’s a long-term investment in people, processes, and change.
Get the management team on board: In many companies, the C-suite team resists the need for a new ERM framework. Either they are not ready for it, or they feel that their company is not so heavily regulated that it requires a robust ERM program. In such cases, remind your CEOs that they are already managing risks whether they know it or not. It’s just that those risks are not being consolidated, articulated, or reported well enough. Ease your C-suite team into the ERM process by requesting them to spend a little time every week populating risk reports of what they are doing. Implement a system that is automated enough to (a) remind them when they need to review the risk (b) auto-populate the risk report for them.
Incorporate industry best practices and guidelines around risk management: Take the best of the regulations and frameworks out there, but adapt them to suit your business. Don’t just blindly follow ISO 31000 or COSO - fit those guidelines to your company’s purposes.
DUBAL’s new ERM framework is well-streamlined, structured, and unified with clear visibility into the top risks affecting each business unit. These risks are systematically and regularly assessed in qualitative and quantitative terms, and then consolidated and roll up to the enterprise level where they can be used to support strategic decision-making.
Below are the steps DUBAL took to implement its new ERM framework:
A baseline maturity assessment
DUBAL conducted a baseline ERM maturity assessment to determine where it stood from a risk perspective. The maturity level of the ERM processes were plotted on a graph where the lowest level of maturity - Level 1 - is characterized by fragmented risk processes and silos, while the highest level - Level 5 - is characterized by a holistic, integrated, and optimized risk framework. At the start of the ERM project, DUBAL found itself in the middle of the maturity assessment curve. The company’s goal for the next 5/ 7 years of the ERM program implementation is to end up at level 5.
Identification of business unit risks
DUBAL knew that attempting to collate and understanding every single risk across all its business units, would have taken several years. Instead, the company decided to focus on identifying and collating the top 50-60 risks in each business unit. The risks were than evaluated on a scale ranging from Very High, to High, Medium, Low, and Very Low.
Quantitative assessment of business unit risks
After identifying the top risks in each business unit, DUBAL transitioned to quantitatively assessing these risks to understand their impact on the business in terms of a 3-point estimate: Minimum Anticipated Financial Impact, Anticipated Financial Impact, and Maximum Anticipated Financial Impact. Eventually, the company combined the quantitative risk assessments with qualitative assessments.
Monte Carlo simulation exercise
As part of the quantitative risk assessment process, DUBAL began to run Monte Carlo simulations to determine its Value-at-Risk (VaR) would be if a particular risk were to occur. The company implemented specific tools to calculate the maximum VaR, minimum VaR, and anticipated risk. It was then possible to predict with 95% confidence, that if risk “x” were to occur, “y” would be the maximum VaR.
Over time, DUBAL hopes to run the Monte Carlo simulations on all identified risks. Yet the necessary understands that these simulations are merely one part of the risk assessment tool, and serve to validate what the risk managers already know and believe to be correct for the business. The biggest benefit of the Monte Carlo simulations is in helping DUBAL put a dollar value to risks by simulating the high, low, and expected losses.
Dubals Structured ERM Roll-out
However, there some risks like Environment, Health, and Safety risks (EHS) which can be difficult to put a monetary value on. In such instances, DUBAL often consults its insurers, most of whom have already quantified the risk of various physical injuries in monetary terms. The company also works closely with business analysts to quantify how a safety risk like an employee injury could affect the reputation of the company; or how a health risk like a flu pandemic, arising from so many employees living together in close quarters on the company facilities, could impact production. DUBAL analyzes these various scenarios, and then tries to determine what the financial impact of the scenarios would be.
Gradually, DUBAL started getting employees comfortable with idea of reporting on risks in an open and transparent manner. The company drafted policies and procedures, implemented an extensive training program, and began to integrate their risk and control processes. At every stage, its aim was to ensure that the ERM framework roll-out was structured and sustainable.
Towards the end of 2011, DUBAL began looking for an ERM software solution vendor to support and enable its new ERM framework. The company identified six vendors, and then shortlisted three after an evaluation of each vendor’s product presentations and demonstrations.
Eventually, DUBAL chose MetricStream as its ERM solution provider for the following reasons: (a) the flexibility and configurability of the MetricStream product (b) MetricStream’s highly integrated GRC platform which would help DUBAL leverage synergies between Risk, Internal Control, and Audit(c) MetricStream’s rich product functionality - especially data driven Key Risk Indicators (KRIs) and quantitative risk analytics (d) and MetricStream’s positioning in the Leaders Quadrant of Gartner’s Magic Quadrant for Enterprise GRC platforms.
MetricStream had just a few months to implement the ERM solution, as the DUBAL board required an enterprise-wide risk report to be presented by April 2012. Despite the tight deadline, MetricStream met the client requirements in time - the solution went live on March 31, 2012.