CORPORATE RISK EXERCISE
Risk Management Information Gathering Exercise (January 2010 to June 2011)
MECO undertook an extensive risk management information gathering exercise in order to provide the Management Committee with the key corporate risks. The risk management team had requested a workshop approach to the meeting in order to share the risks and get involvement from the Management Committee. However, this was rejected and a one-hour presentation was scheduled instead.
The ERM team met with the administrative areas' representatives. The team:
• Went over the history of ERM and outlined the purpose and key definitions
• Clarified the data collection form
• Consolidated this input to business line level, as appropriate, once input was received from all administrative areas and their divisions
The team had further discussion with compliance functions and key organizations. This step was necessary to help consolidate and prioritize business line risks to arrive at corporate-level risks. The team also integrated corporate planning input, which included particulars of internal and external risks as well as risks gathered from various publications. All this information made up the content of the Corporate Risk Register, which was used to derive MECO's risk profile.
The template used can be seen in Exhibit 20.2.
This is the template that was designed to collect the administrative area's and its divisions' risks. To ensure consistency of understanding, the team clarified each data entry column in a two-page document.
The key was to have the administrative area provide a risk number and a risk description; probability (in percentage terms); a source of the risk (internal, external, or shared); whether or not controls exist, and how effective these are (highly, partially, barely); and the risk priority (listing from 1 being the top risk, followed by 2, 3, and 4 for subsequent risks).
Exhibit 20.3 provides an example of the information received by the ERM team from the business.
In this example, the risk, its cause, and its impact are all clear. Using the risk description and data in the remaining columns, the team analyzed the data in such a way that it helped them consolidate and prioritize the risks, to arrive at the relevant business line level and later at corporate level.