Enterprise Risk Management

Bringing it to life

Enterprise Risk Management:
bringing it to life

Enterprise Risk Management is a term that has been around now for decades. But how many mining companies really understand it? What are the benefits? And why is now the time to take a fresh look at what it can do for the mining sector? Let’s start from the top…1 What is ERM?
Enterprise Risk Management (ERM) has been defined as:“The culture, capabilities, and practices, integrated with strategy-setting and its execution, that organisations rely on to manage risk in creating, preserving, and realising value”¹.In plain English…Risk may be a cause of uncertainty, a driver of strategic decisions or it may simply be embedded in the day to day business of organisations. ERM should be a systematic process to identify, assess, prioritise and manage the potential impact of all types of current and emerging risks (both on an individual and an aggregate level) on all processes, activities, stakeholders, products and services, taking into account organisations’ implicit or explicit risk appetites and various internal/external stakeholders.

Sounds simple and straightforward? Not really…

2 Why should mining companies bother with ERM?
Let’s start with the basics by considering the lifecycle that mining companies have to exploit to achieve their goals. It is important to do so, because the successful management of the lifecycle as a whole is detrimental to their long
term viability.To be able to manage the above lifecycle successfully, companies are assessing the threats and the opportunities that are linked to the lifecycle, and its phases, and are actively trying to achieve an optimal risk and reward balance which is unique to their structure and their attitude to risk, by simultaneously taking into account external and internal drivers.How easy is it to do the above and why is the amount of time and money that organisations spend on ERM is significant?The drivers that mining companies consider, or should consider, when they are formulating key strategic, financial, and operational decisions are numerous. Some of them are external in nature and some of them internal. Some of them cover the lifecycle of a mine as a whole and some of them target specific phases, taking into account any potential dependencies. But which ones really matter and are at the forefront of the risk professionals and top CEOs’ agendas? You raised them with us, we listened and below we provide the industry’s aggregated view.

¹Source: COSO ERM Aligning Risk with Strategy and Performance, June 2016 edition.

Figure 1 - a typical lifecycle of a mine

Source: Willis Towers Watson

Key external drivers (applicable to the whole lifecycle)Increasing corporate regulation requires boards to demonstrate they have carried out a robust assessment of the principal risks their companies are facing. In the UK, boards of listed companies are now required to:

monitor the company’s ERM framework – including its risk appetites

at least annually, carry out an effectiveness review of the holistic ERM framework

at least annually, carry out an effectiveness review of the controls that are linked to the principal risks

report the outcomes of these reviews in their Annual Report

This is now regarded as good market practice across the globe.

Rating agencies assess companies’ ERM frameworks thoroughly, which significantly impact the overall rating process and the development of capital requirements

Increased activism from the shareholders’ demands for greater transparency into board’s decision making process, including the assessment and financing of business risks.

Key internal drivers (applicable either to the whole lifecycle or to targeted phases)

Reduced financial volatility, by managing risk at an enterprise level and by strengthening the internal control framework.

Higher business resilience, by putting together rigorous and well tested contingency plans that cover all the plausible risk classes that organisations are facing.

Lower operational losses, by implementing a robust and proactive monitoring process throughout the organisation.

A risk adjusted decision making process, which enables organisations make more informative and risk balanced decisions.

Increased visibility of the ERM function to the board of directors, by demonstrating the value that the ERM function adds to the organisation as a whole.

Better allocation of risk management resources, by targeting them on areas of risk over or under exposure.

3 All right, but what does good ERM look like?
Over the past year we have seen several mining companies, of different sizes and in different geographies, trying to establish and embed robust risk management frameworks with clearly articulated organisational structures and well defined and documented responsibilities across the enterprise. This is necessary, but challenging too, because it enables organisations to:

satisfy their external and internal key drivers

achieve segregation of duties comply with general accepted risk management standards such as the updated COSO II and the new ISO 31000 which are well regarded by their stakeholders.

In Figure 2 we provide an example of a well- articulated ERM framework, and its elements, that mining companies frequently use.

Over the past year we have seen several mining companies, of different sizes and in different geographies, trying to establish and embed robust risk management frameworks.

As mentioned earlier, establishing a resilient ERM framework can be a challenging process and it requires a clear action plan with specific improvement points and defined timelines. To do that, an assessment of the current status of each ERM element against the desired “fit for purpose” one and the global risk management standards is required. A widely used framework from mining companies that achieves the above objectives is demonstrated in Figure 3.

Fig 2 - a robust ERM Framework

Source: Willis Towers Watson

Fig 3 - a common output from an ERM maturity assessment

Source: Willis Towers Watson

4 Got it, but how do ERM and strategy link together?
This is one of the key questions that we almost always get asked when we are interacting with C-suites from different industries. Although the industries are different, the answer is always the same: risk appetite and tolerances.Risk appetiteAn organisation’s risk appetite describes the amount of risk that it is willing to seek or accept in the pursuit of its long term objectives. It influences strategic parameters, such as the types of activities a business engages in and the time horizon for investment activities, and is a contributing factor to the overall business strategy.

Establishing a resilient ERM framework can be a challenging process and it requires a clear action plan with specific improvement points and defined timelines.

Tolerances and limitsMining companies around the globe are trying to set appropriate risk appetites and tolerances that reflect their strategy, their business model and the environment in which they operate. In doing so, they are establishing financial and non-financial limits against which their
exposure to the major categories of risk can be controlled, measured, communicated and reported. The major categories of risk typically include Strategic, Financial, Operational and Regulatory, but these categories should be tailored to fit the needs of different organisations.Cascading Group Risk Appetite to a Business Unit and a Risk Type levelCascading a high level risk appetite to a more granular level and allocating it to the different business units and risk types is a challenging process - the effort and time commitment that is required to complete this should not be underestimated. The outcome of this process, as shown in Figure 4 below, enables organisations to link strategy directly to risk, improve their tactical and operational risk adjusted decision making process and assess which business decisions could breach their appetite and/or tolerance. If a business decision breaches an organisation’s appetite, then either the business decision should be amended or the risk appetite should be reassessed and revised accordingly.

Mining companies around the globe are trying to set appropriate risk appetites and tolerances that reflect their strategy, their business model and the environment in which they operate.

Fig 4 - Defining and allocating a group risk appetite to business units and risk classes

Source: Willis Towers Watson

Conclusion
Changes in regulations, business environment, political agendas and technology create new emerging risks and opportunities, driving organisations to adapt. The mining sector will of course continue to grow and flourish, with companies winning and losing along the way. The role of ERM is to enable companies in the sector to become knowledgeable risk takers, maximise the value that they create for their various stakeholders and empower key decision makers to build bolder business visions and resilient organisations.

Ioannis Michos is an economist, a chartered accountant, a CFA charterholder and a Partner in the Strategic Risk Consulting team at Willis Towers Watson.

Changes in regulations, business environment, political agendas and technology create new emerging risks and opportunities, driving organisations to adapt.