Stephen Vink Senior Vice President Group Risk Management and Internal Audit Lessons learned from ERM

Agenda –Overview  Setting the context  What is ERM  What is “not” ERM  Visible impact of ERM –ERM in the region  Prior to global financial crisis  Post global financial crisis –Lessons learned from ERM implementations  Key issues that obstruct ERM implementations  How to overcome the key implementation issues 2

Overview 3 Setting the context What is ERM What is not ERM Visible impact of ERM

Setting the context 4 –ERM in corporate world can be compared with making money in share market over a period of time  Everyone wants to do it  Many falsely claim to do it - it is just losses that they have made  Those few who have done it, did it accidently and not over a period of time  Only a handful knows how to do it and have done it well over a period of time  People love to hear stories of it –Quite often discussed topic in many board rooms and various conferences “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004

What is Enterprise Risk Management 5 –A process, ongoing and flowing through an entity –Effected by people at every level of an organization –Applied in strategy setting –Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk –Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite –Able to provide reasonable assurance to an entity’s management and board of directors –Geared to achievement of objectives in one or more separate but overlapping categories Important COSO’s integrated framework is a guiding post and not the only approach to implement ERM, you can have your own approach customized to your requirements.

What is “NOT” Enterprise Risk Management 6 –NOT a one time activity –NOT the responsibility of your Risk Management Department / CEO / Board –NOT independent of business strategy / business –NOT to be run in silo –NOT applied to only part of the business –NOT about preparing heat map / bubble chart, a heat map is just the beginning. –NOT a system to prevent the potential events –NOT something that can be implemented in days –NOT something that gives immediate results after implementation

Visible impact of ERM (1/2) 7 The impact comes over a period of time and is not a matter of overnight success The impact comes in to phases depending on approach

Visible impact of ERM (2/2) 8 Kick-StartAccelerateSteady State Compliance with controls Risk driven decisions Improved communications on risk Initiative to create awareness of integrated risk approach Better utilization of capital External communications on risk management Safeguard shareholder value Improving shareholder value Improving governance

ERM in Middle East 9 Prior to global financial crisis Post global financial crisis

ERM in Middle East - Prior to global financial crisis 10 –ERM as an integrated framework was issued by COSO in September 2004 –Risk management was existing before COSO issued the framework  Mainly operated in silos  Not viewed as enterprise wide  Not linked with strategy  Viewed as control function only –The early adapters of ERM  Companies having parents in US / Europe / Australia  Public sector organizations more particularly in the energy sector  A handful private sector organizations –Key reasons for lower penetration of ERM in Middle East  Excess liquidity available in the system  Global boom - boom in real estate - boom in local businesses  Absence of shareholder activism / stakeholder activism  Family owned businesses - Corporate governance is nothing but as governed by families

ERM in Middle East – The financial crisis 11

ERM in Middle East - Post global financial crisis 12 –Impact of global financial crisis that created need for ERM  Liquidity constraints in the system  Global recession – local real estate and local business – you know better  Resulted in questions from shareholders / stakeholders regarding management of various risks at the enterprise level, regarding good corporate governance –Many private sector organizations have, either willingly or forced by regulator or forced by lenders, started taking various risk management initiatives –New awakening amongst regional central banks and other regulators

Lessons learned from ERM implementations 13 Key issues that impede ERM implementations How to overcome key implementation issues

Key issues that impede ERM implementation 14 –ERM objectives not aligned to corporate objectives –Creates friction / jeopardize the initiatives among groups / individuals –No insight / Insufficient commitment from the top management –Failure to set clear risk appetite –Delays the implementation / Failed implementation, i.e., no benefit –Inadequate conceptualization of ERM model / approach –Inadequate / Inappropriate model will not yield desired benefits suitable to “your” business needs –Managerial decisions does not embed risk in the process –Insufficient/inadequate risk management resources –Adequately knowledgeable resources needed for special jobs –Poor systems / Stone age tools will make implementation sub - optimal –Cultural mismatch –ERM brings in change management –Your organizational culture will be changed –Change management is not easy and not at all in Middle East –Organization’s culture not aligned with risk strategy

How to overcome key implementation issues 15 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices * for ERM implementations *Source: McKinsey

How to overcome key implementation issues 16 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices for ERM implementations 1.Prioritize risk heat map 2.Board to provide insight on big bets that really matter 3.Share information with risk management

How to overcome key implementation issues 17 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices for ERM implementations 1.Clear definition of risk appetite approved by board, with matching operational levers 2.Risk strategy linked with insights provided by the Board

How to overcome key implementation issues 18 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices for ERM implementations 1.Managerial decisions optimized by embedding risk considerations in the process 2.Strong links between RM function, key business units and other areas

How to overcome key implementation issues 19 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices for ERM implementations 1.Adequate changes in governance to fit in the risk management process 2.Adequate knowledgeable resources 3.Adequate Technology

How to overcome key implementation issues 20 Risk transparency and insight Risk appetite and strategy Risk related business processes and decisions Risk organization and governance Risk culture Best Practices for ERM implementations 1.Clear understanding of organization’s risk culture gaps 2.Alignment of culture with risk strategy

Ultimate Lesson Learnt 21 Enterprise risk management is a journey where you need to follow the direction provided by adequate knowledgeable resources and technology or else you could end up on the rocks