As a form of crisis management, business continuity management (BCM) has evolved since the 1970s in response to the technical and operational risks that threaten an organisation’s recovery from hazards and interruptions. All business ventures have hazards and disruptive factors with which to contend. All manner of disasters can and do happen, which can lead to loss of confidence by clients and customers, further compounded by the fact that competitors may take advantage of your misfortunes. Often production and even data systems would have been disrupted, leading to huge losses for stakeholders, employees and even the community.
We jumpstarted 2019 with our first tea talk of the year by Mr. Allan Lee, Director of Consulting Services at Friday Concepts (International) as well as Head of the BCM Faculty at IERP, who spoke on the value of business continuity management (BCM) through the lens of Value on Investment (VOI). VOI helps measure the total value of ‘soft’ or intangible benefits derived from continuity initiatives in addition to those ‘hard’ benefits measured by ROI. This approach is critical in allowing funding for continuity planning efforts that provide the competitive differentiation necessary in today’s dynamic business landscape.
Business continuity is defined as getting your business up and running in the quickest time possible, with minimal losses to your business. Mr. Allan highlighted current perceptions concerning BCM. According to The Resilience Gap Report 2017, even though 96% of those surveyed believed that business resilience should be a core element of their company’s overall business strategy, only 54% claim that business resilience is a focus. This statistic proves that although BCM is recognized among businesses, it is not comprehensively integrated and practiced by organisations as intended because BCM does not support a strong ROI.
As risk management is a relatively young discipline without an identifiable career path, those who forge a path in their respective industries can provide both their career and organization with a competitive advantage. Some wonder whether going through a certification program is worth the time and effort, but here are five reasons to consider:
The high demand for talent in the field
Though every organization can benefit from a robust risk function, it’s often only regulated sectors such as banking and insurance that will have established one. At the same time, risk management is increasingly becoming formalised and integrated. Organizations see the need for risk management in order to keep up with changing economic and market needs, but leaders are finding it hard to find the right talent to take up the challenge of implementing risk management best practices. Thus, being certified as having a set of skills and knowledge will help you stand out to prospective employers.
Corporate fraud is a tale as old as time. The total costs of a fraud attempt and the complete set of risks facing a financial institution in the aftermath of a fraud attack often go far beyond the fraud losses themselves. That is, organizations must also account for legal costs, investigation costs, reputational risks, as well as eroded confidence and customer loss. An effective fraud framework will include prevention, detection, and deterrence. Organizations often focus on prevention and detection and neglect fraud deterrence, which involves proactive rather than reactive measures. Given the high occurrence and costs of fraud, both financial and reputational, organizations with successful fraud management frameworks in place could have an edge over competitors.
With billions of dollars that can be lost due to fraud, organizations are increasingly concerned with fraud risk management, looking towards a more proactive approach rather than a compliance-driven one. Read on for four important considerations in fraud risk management:
Last week, the IERP held a Chief Risk Officer Networking Group (CRONG), where Mr. Khairul Azwa, director of risk and compliance at a prominent GLIC, spoke on his experiences developing the risk culture in his organization. With a background in banking, he had started as a treasury dealer, eventually going on to become a risk manager at one of the GLICs in Malaysia. One of the challenges that he faced was setting up a new risk management department from scratch, a task that he gave himself three to five years to develop. At the company, he noticed two traits that were ingrained in their DNA: firstly, they have a strong culture of service, and secondly, they cannot afford to make mistakes, as that will have repercussions not only on the company, but also on careers, stakeholders and the country.
Many have the impression that risk managers just focus on the technical aspects of risk. While the technical is important, it is just one of the aspects in Enterprise Risk Management (ERM). There are many skills needed to succeed in ERM but it is not just about number crunching, ‘challenging’ others, validating internal controls, any form of internal or external auditing, or EHS specialism. ERM is not all about identifying risk either. During our Tea Talk on 16 October, Mr. Ramesh Pillai, IERP® Chairman of the Board of Governors, spoke on the importance of EQ and soft skills in ERM. EQ and soft skills, while often vastly underrated, are what will differentiate the experienced, effective risk managers from the average ones.
These are the top 10 EQ and soft skills a Risk Manager or Risk Practitioner needs in order to succeed in Risk Management:
The World Economic Forum has named climate and other environmental risks as a top global risk for seven consecutive years. At the same time, leaders at both state and business levels have generally failed to build the sustainability, resilience, and agility needed to handle environmental threats.
According to a 2016 report by ClimateWise, there is a widening gap between insured losses and total economic losses from climate-related natural catastrophes. In 2015, this gap was more than USD 100 billion. Both countries and businesses do not completely understand their risk exposures and thus are inadequately prepared for adverse events.
In response to a changing global economy as well as to regulatory and customer demands, risk management has evolved from a reactive and independent function, to one that is increasingly connected to strategic decision-making, with its own developing standards and best practices. In short, risk management has undergone considerable development: broadening its scope from just credit, market, and operational issues. Enterprise Risk Management (ERM) is currently the most advanced iteration of risk management, and seeks to improve on conventional approaches while taking into account current and future needs.
At our Tea Talk session on 12th September, IERP® faculty member Zaffarin Zanal gave a featured talk on Creating Value out of ERM. Zaff started off by stating that—to strong murmurs of agreement across the room of risk practitioners—implementing ERM is hard. The typical difficulty with implementing ERM is that while risk professionals understand the value of ERM, the top management (as well as the rest of the organization) might not readily see its value. Zaff noted that when something has perceived value, psychologically there is a ‘pull factor’ to it. It doesn’t require much forceful selling (the ‘push factor’).
He shared results from a 2017 ERM Benchmark Survey, which showed that whilst enterprise risk management is a ‘popular’ framework being implemented in organizations, management and line managers are still quite resistant to it. The challenge lies in establishing that pull factor when risk management is so often seen as tedious, bureaucratic, and expensive. To treat this particular ‘acceptance risk’, it is important to understand the potential causes.
In implementing enterprise risk management in your organisation, people will be your most important resource. It doesn’t matter whether you are seeking to establish or support enterprise risk management in your organisation, making strategic decisions for your company, or managing the talent. Establishing a good network of working relationships is essential to your success as a risk practitioner, and developing your emotional intelligence is what will enable you to influence top decisions and culture in your organisation – without using overly aggressive, fear-based tactics.
Emotional intelligence is more than just being a decent human being (though some have trouble with that, too). It is the ability to understand emotions, both yours and others’, so that you can manage your behaviour and have healthy connections with others. Some are predisposed to having more emotional intelligence than others. However, it is a set of skills that can be developed and improved upon to the benefit of your career growth as well as your job effectiveness.
A little more than a year ago, Equifax disclosed to the public that it had experienced a cyberattack, during which hackers stole the names, Social Security numbers, birthdates, and addresses of 147.7 million Americans – more than half the US population. Since then, other major data breach incidents have been reported worldwide, involving—among many other entities—Facebook, fitness tracking app Strava, Adidas, Under Armour, and identification authority Aadhaar (compromising the personal information of all 1.1 billion Indian citizens registered under its service).
By now, it should go without saying that cybersecurity is not just an IT issue. Cybersecurity requires enterprise-wide awareness and effort. Cyberattacks hurt a company’s reputation and can cost you your customers’ and suppliers’ trust: it can be difficult to shake off the public view that your organization is unreliable or inefficient.
A Business Impact Analysis is a critical component of a Business Continuity Management framework – required to understand the organization’s interdependencies and full range of operational complexities.
The goal of a Business Impact Analysis (BIA) is to identify the crucial business functions that will be affected in the event of a natural or man-made disaster. BIA findings allow leaders to set up recovery priorities, plan out recovery strategies, allocate the appropriate resources, and determine important metrics such as Recovery Time Objectives (RTO), a measure of the maximum time within which business functions should recover as close to normal during disaster recovery.
In Malaysia, the Statement on Risk Management and Internal Control (SORMIC) is a requirement from the Securities Commission, in accordance with the Malaysian Code of Corporate Governance (MCCG) 2017. On 14th September 2018, a Tea Talk was held at the IERP® International Secretariat, featuring a presentation on crafting an effective and practical SORMIC by Mr. Ramesh Pillai, Group Managing Director of Friday Concepts Risk Consulting.
The MCCG and Defining “Risk Management”
Speaking on the MCCG 2017 as a guidance document for the SORMIC, Pillai notes that its main contributors/authors were auditing/accounting bodies; there were no contributions by risk practitioners. He drew attention to Principle B in the MCCG, where the Intended Outcome of a Risk Management and Internal Control Framework is that:
“Companies make informed decisions about the level of risk they want to take and implement necessary controls to pursue their objectives.
The board is provided with reasonable assurance that adverse impact arising from a foreseeable future event or situation on the company’s objectives is mitigated and managed.”
A common excuse given by those who are not convinced of the use of risk management is that there is ‘no time’ for it, especially if management often has to make quick decisions. However, Leonard Ariff Abdul Shatar, Group Managing Director of CCM Duopharma Biotech, notes that many mistakes (and the subsequent costs) could have been avoided if additional thought and effort had been put in. As a public-listed company, it’s a requirement for CCM to have a risk management function. For CCM Duopharma Biotech, risk management was split up as it was thought that the audit function was overshadowing it.
At CCM Duopharma Biotech, Leonard Ariff faced the monumental task of reshaping the business to resolve issues relating to ageing products as well as ageing assets. A key part of the strategy was to move into biosimilar medicine, which is medicine that is highly similar to their reference product (distinct from generics, which are exactly identical to their reference product). In order to build the capabilities required of this endeavor, the company needed to establish partnerships with companies already in the field — CCM had concluded that building in-house capabilities would take 8-9 years.
With Enterprise Risk Management becoming increasingly institutionalized, global best practices are continually under revision as international standards-setting bodies such as ISO or COSO seek to improve on ERM methods and guidelines. A core development in recent years has been the recognition that an objective-centric approach to ERM yields greater outcomes compared to the traditional taxonomy approach. At the same time, the constant evolution of ERM practices means that there is often a gap where organizations are slow to correct outdated methodologies – due to the complexity and resources required to change existing processes, structures, and culture.
Conventional risk management is based on taxonomies, which create an often inductive process for risk assessment. Risk is identified and aggregated into a static and ‘stable’ set of categories, then prioritized according to likelihood and impact. The limitation to this approach is that risk is not stable. While taxonomies allow for a certain level of customization across different business units, their success and efficiency are predicated on the use of a standard and somewhat rigid set of categories and shared language – ultimately ineffective for large corporations facing wide-ranging risk complexities.
On May 4, over 20 professionals from across industries attended a Tea Talk session at the IERP® International Secretariat. Our keynote speaker for this session was Mr. Ramesh Pillai, Chairman of the Board of Governors of the IERP® and Group Managing Director of Friday Concepts, an ERM, GRC, and BCM boutique consultancy. Speaking on distinguishing between Enterprise Risk Management (ERM) and Operational Risk Management (ORM) approaches, he aimed to dispel common misconceptions of the two related but different approaches.
He noted that more attention has been placed on Operational Risk as of late as a result of geopolitical volatility and technological disruptions. The possible escalation of conflict and the deterioration of interstate ties, for example, are genuine concerns that would have far-reaching effects across the interconnected global economy. With a large range of risk factors to consider, an organization can face up to thousands of risks at a time, most of which are constantly changing and need to be re-evaluated as such. In such an environment, it is essential that risk management moves from a siloed approach towards a more integrated and dynamic one.
As originally printed in The Star on August 27, 2017: In collaboration with the Institute of Enterprise Risk Practitioners (IERP) based in London, KDU University College unveils a new revolution to the business industry by introducing the world’s first Master of Business Administration (MBA) programme specialising in Enterprise Risk Management (ERM).
Given how extensively technology has shifted our world today, being tech-savvy is no longer reserved for the younger generation, but a crucial requirement for today’s enterprise risk managers, said Bank Negara Malaysia (BNM) assistant governor Donald Joshua Jaganathan.
For technological advancements are able to not just shape the world and business environment, but also render its users or institutions vulnerable to online threats.
As such, Jaganathan said there is a greater need for savviness for two main reasons: to harness operational efficiency and to quickly identify and respond to new sources of risks arising from these advancements.
Jaganathan, who is responsible for BNM’s supervisory function, said this in his keynote address at the 4th Institute of Enterprise Risk Practitioners (IERP) Global Conference 2017 in Kuala Lumpur yesterday.
While working for a Kuala Lumpur-based international banking organisation, Ramesh Pillai found himself and his management team in a dire situation when the bank’s employees were caught in the 1998 riots in Jakarta, Indonesia.
“We had to evacuate our staff in Jakarta and relocate them to Kuala Lumpur, which we did successfully. We turned the Renaissance Hotel into our ‘Jakarta office’, which meant whatever calls that were made to Jakarta were answered in Kuala Lumpur,” Pillai recalls.
However, the staff eventually moved back to Jakarta despite the dangerous circumstances — a bold decision that made the front page of The Jakarta Post. Later, when normalcy returned, the bank was given additional licences by the Indonesian government to expand its business in the country.
PETALING JAYA: RAM Holdings Bhd has teamed up with Friday Concepts (Asia), an expert in risk management and strategy, to set up the Institute of Enterprise Risk Practitioners.
The institute will design a certification programme titled Professional Certification in Enterprise Risk Management (ERM).
RAM said in a statement yesterday the primary goal of the programme was to foster a pool of well-qualified management experts and ERM specialists as well as to facilitate better networking among such professionals.
A comprehensive 12-day professional module had been specially created to equip participants with the requisite tools and knowledge.
The inaugural programme, to be launched next month, will produce its first batch of graduates in February.
As originally printed in The Star
The current financial crisis has highlighted that companies with effective and holistic Enterprise Risk Management (“ERM”) practices are better equipped to weather the turbulence and to exploit the resultant business opportunities. Such companies, which span myriad industries and geographical locations, can fully appreciate the importance of ERM and how to link it to their performance. They use ERM as an effective strategic, management and decision-making tool to create and hone strategic as well as competitive advantages over their competitors.
Acknowledging the increasing importance of ERM, RAM Holdings Berhad (“RAM”) has teamed up with Friday Concepts (Asia) (“FCA”) – experts in risk management and strategy – to set up the Institute of Enterprise Risk Professionals (IERP) and design an ERM certification programme entitled Professional Certification in Enterprise Risk Management. The primary goal of this programme is to foster a pool of well-qualified management experts and ERM specialists, not to mention business leaders and entrepreneurs who are also savvy in this arena. The programme also aims to facilitate better networking among such professionals, complemented by shared business knowledge and experience.