Transpacific Industries is a leading waste management company in Australia and New Zealand that manages risks across its many facilities and operations. The presentation discusses consolidating risk information across the organization to get a more comprehensive view of risks. It promotes implementing an enterprise risk management system with a common risk language and process to identify risks, encourage participation, and leverage lessons learned. The goals are to make hidden risks more visible, facilitate knowledge sharing across the organization, and provide insights to help manage risks and opportunities.
1. Managing Risk Registers – SOPAC® 2013
Getting hidden risks on the 3-6 March 2013 Brisbane
radar
Karen Tuesley
Group Internal Audit
Manager
Karl Davey
Chief Risk Officer
2. Agenda
1. Setting the Scene – Transpacific Industries
2. Consolidating the risk environment
3. Categorising risk
4. The Internal Audit perspective
5. ERM Consolidation
6. Business Benefits
Page 2
3. Australia and New Zealand’s leading
waste management provider
> Australian publicly listed company with
annual revenues of approximately $2b
> 380 locations across Australasia
> 45 major processing facilities
> More than 300 products and services
> More than 7,000 staff
> Australia‟s largest waste management
fleet with more than 3,600 vehicles
5. Behind the scenes processing ‘smarts’
> Australian-first hydrogenation facility
> Mineral oil processed and reused as fuel oil and
base oils
> Used cooking oil refined and reused to
enhance stock feed
> Liquid and hazardous treatment plants
> Wastes disposed of in an environmentally friendly
and safe way
> Material Recycling Facilities (MRFs)
> Co-mix, building and construction, green waste
> Convert harmful landfill gas into „green‟
electricity
7. The Problem: Silo’ed Risk Management
Board Risk
Register
Audit
BU Risk
Register BU Risk
Register
Risks BU Risk BU Risk
Register Register Risks
Risks Risks
8. The Solution: Enterprise Risk Management (ERM)
> A process owned and supported by
> The Board
> The organisation as a whole
> The solution, a risk process which provides
> An identification of the widest range of risks
> Allow a contribution from all
> This means including all stakeholders across our endeavour
> A one team approach
> Endeavour wide risk management
> Raising Risks and potential problems is GOOD.
> Culture change
> Supportive Management, No blame environment
> Management Actions Should be Accountable
> Measurable
> Auditable
9. Risk Management Process
> Common Integrated Process
Plan: Set The Context > Safety
> Environmental
Identify > Business & Strategic
Communicate
> Business Resilience
Govern
Assess > Emphasis on Management
> Elimination of Threats
> Realisation of Opportunities
Manage > Control
> Recovery
> Sharing Best Practice
Review & Monitor
10. Consolidating the Risk Envirnoment
> Look beyond the silo‟s
> Bigger picture
> Top down and Bottom up
> Business requirements V‟s Operational requirements
Business and Strategic Risks Mgt
Project / Operational Risks Mgt
11. Rollup of Information
Board Risk
Register
Audit
BU Risk BU Risk BU Risk BU Risk
Register Register Register Register
Risks Risks Risks Risks
12. Risk Assessment
Financial
Likelihood Consequence Safety & Health Environmental Business Interruption Reputational
(Set locally)
A significant outage that causes International impact - International
Threat is expected to
Permanent widespread damage inside irreversible damage to a large number public attention. Direct impact on share
Almost Certain occur Significant One or more fatalities (public or > AUD $ X M EBIT
or outside of site of customers (impacts viability of the price. Potential loss of long term core
75-99% workers)
business) client
A significant outage that causes National impact - National public
Threat could occur Widespread damage within or outside
Likely Major Permanent Injury or Disability widespread damage to customer concern. Leads to share price volatility. > AUD $ X M to <AUD $ X M AUD EBIT
50-74% of site, costly restoration
(public or workers) relationships (some permanent) Loss of client.
Threat
Threat could possibly
Recoverable damage with treatment Inconvenience to customers that cause Considerable impact - Regional public
Possible occur Moderate Lost Time Injury to worker >AUD $ X M to AUD <$ X M EBIT
inside or outside of site some harm to relationships concern. Client Unease
25-49% Injury to member of public
Threat is unlikely to occur Short to medium term damage Delay affecting customers but no
Unlikely
11-24%
Minor Minor Injury to worker medical
treatment required
requiring possible intervention Opportunity
damage to relationships
Limited impact - Local public concern
Threat $ X K to AUD <$ X M EBIT
>AUD
Threat may occur in Almost Certain -25 -21 -15 -10 -5 5 10 15 21 25 Almost Certain
Short term damage no intervention A temporary delay in servicing a small Slight impact - Public awareness may
Rare exceptional circumstances Insignificant AUD $0 - AUD < $ X K EBIT
Slight Injury to worker first aid required required number of customers exist but no public concern
0-10%
Likely -24 -20 -14 -9 -4 4 9 14 20 24 Likely
Nil Nil
Likelihood
Likelihood
-23 term solution-13 reduces
Short -18 -8 -3 3 8 13 18 23
International impact - International
The opportunity is very Enhancement leading to slight injury Possible Possible
which public attention. Direct positive impact
Rare unlikely to be realised Insignificant and first aid treatment incident Short term environment enhancement AUD $0 - AUD < $ X K EBIT
downtime on share price. Potential gain of
0-25% prevention
-22 -17 -12 -7 -2 2 7 12 17 22
competitors core client
Unlikely Unlikely
The opportunity is unlikely
Enhancement leading to medical Short to medium term environment A temporary solution or redundancy National impact - National public
Unlikely to be realised
26-50%
Minor
treatment incident prevention enhancement Rare -19 which reduces-11
-16 downtime -6 -1 positive 1awareness.6 11 >AUD $16 to AUD <$ X M EBIT
XK
19 Rare
Significant
Significant
Insignificant
Insignificant
Major
Minor
Minor
Major
Moderate
Moderate
The opportunity will
Enhancement leading to lost time Medium term environment initiative that A temporary solution or redundancy Considerable impact - Regional public
Opportunity
Possible probably be realised Moderate >AUD $ X M to AUD <$ X M EBIT
incident prevention can be repeated which prevents downtime positive awareness. Client praise
51-75%
Consequence Consequence
The opportunity is
Enhancement leading to incident Permanent process improvement that Limited impact - Positive local public
Likely expected to be realised Major Permanent environment enhancement > AUD $ X M to <AUD $ X M AUD EBIT
prevention eliminates potential downtime be pursued and
Opportunity should awareness
76-90% Requires Immediate Management Response and
Extreme Contingency Plan developed if critical to Extreme Contingency Plan
objectives
The opportunity is almost A significant permanent process
Permanent widespread enhancement Requires Management Response and
Almost Certain certain to be released Significant Enhancement leading to Zero Harm improvement that eliminates potential be pursuedimpact - Positive local interest
High Opportunity should Slight High > AUD $ XContingency Plan
M EBIT
that can be replicated at other sites
91-99% downtime and improves efficiency
Opportunity should be pursued if cost
Medium effective
Medium Requires Management Response
Likelihood Consequence Safety & Health Environmental Business Interruption Reputational Financial
Low Monitor Low Monitor
13. Categorising information
> Key is the ability to develop a common risk environment
language
> Need to identify the common nature of risks, using business
specific terminology.
Risk Types
Technical Risk Operational Risk Programme Risk
>
Performance Safety Reliability Resources Information Communication Interfaces Complexity
> Phase/work stream/functional/operation/process
> Design
> Development
> etc
14. The Internal Audit Perspective…
> Maturity of Risk Management &
Controls frameworks
> Understanding the journey
> How to add value
Risk
Framework
and
Governance
Compliance
Process risk with policies
and control &
procedures
15. Example: Organisation with Mature ERM
Organisation wide control environment
Process risk & control
ERM a
Policies &
Proceduresa
Site Risk Management
Cross-
Value Divisional
Processes
Site 1 Site 2 Site 3 Site 4
r a a a a r
Value Value Value
16. Organisation with Immature ERM
Organisation wide control environment
Process risk & control
ERM r
Policies &
Proceduresr
Site Risk Management
Cross-
Value? Divisional
Processes Site 1 Site 2 Site 3 Site 4
r a a r a r
Value? Value?
17. Adding Value
> Risk & Control identification Risk
Registers
> What is working Shared knowledge
> Findings linked to real risk, not
compliance
18. Getting the risks on the risk register
> “The business unit does not have a risk
register”
> “The business unit does not have a risk
register which includes strategic, business,
finance and operational risk”
> “The business unit has not identified the
following risks in their risk register. (risks
listed).
> Opportunity to highlight Controls that are
working
20. TPI ERM Configuration
• System Aligned to the
organisation and reporting
structure.
• All TPI Staff see full structure
(subject to security)
• Allow limited access to Third
Parties
21. Regional Portfolio Analysis
Regional
Business &
Strategic Risks
Portfolio
Analysis
Risk Roll up:
Understanding and
consolidate exposure
across Operations.
Eg: Systemic Issues,
Significant Risks
Compound risks Knowledge Sharing
Risk Escalation of
common risks.
22. Business Stream Portfolio Analysis
Business Stream
Business &
Strategic Risks
Risk Roll up:
Understanding and
consolidate exposure
across streams.
Eg: Systemic Issues,
Significant Risks
Compound Risks Knowledge Sharing
Key Business Risks
Key Strategic Risks Risk Escalation of
common risks.
Key learning's
and Innovation
23. Divisional Consolidation
Business &
Strategic Risks
Risk Roll up:
Understanding and
consolidate exposure
across Regions.
Eg: Systemic Issues,
Significant Risks
Compound Risks Knowledge Sharing
Key Business Risks
Key Strategic Risks Risk Escalation of
common risks.
Key learning's
and Innovation
24. Corporate Consolidation
Business &
Strategic Risks
Risk Roll up:
Understanding and
consolidate exposure
across Divisions.
Eg: Systemic Issues,
Significant Risks
Compound Risks Knowledge Sharing
Key Business Risks
Key Strategic Risks Risk Escalation of
common risks.
Key learning's
and Innovation
25. Business Benefits
> Visibility
> Common proactive risk & opportunity built around enabling
consistent support and understanding
> Knowledge Database
> Retained risk and opportunity intelligence available across the
organisation
> Insight from Internal Audit
> Risk and control knowledge is shared across the organisation
> Value adding findings
> Puts organisation is on the path for assurance to be provided
26. Summary
> To Identify and understand the hidden risks.
> Develop a common process
> Implement consistent language
> Ensure risks are understandable
> Gain involvement from all
> Use history, lessons learnt and other perspectives
“There is only one thing more painful than learning from experience -
and that is not learning from experience.”
Archibald MacLeish
American Poet and Critic. 1892-1982
Page 26
27. Managing Risk Registers – SOPAC® 2013
Getting hidden risks on the 3-6 March 2013 Brisbane
radar
Karen Tuesley
Group Internal Audit
Manager
Karen.Tuesley@transpac.com.au
Karl Davey
Chief Risk Officer
Karl.Davey@transpac.com.au