4. Strategic pillars (figure). Vision: To be the market leader in the provision of reliable, safe, quality and competitively priced electric energy in the Eastern Africa region. Target: +3000MW by 2018.
Capital Planning and Execution (CP1, CP2, CP3): effective delivery of current projects; geothermal expansion; capital planning and execution processes.
Regulatory Management (RG1, RG2, RG3): improve single buyer model; steer deregulation process; build a regulatory structure in KenGen's organisation.
Operational Excellence (OP1, OP2, OP3): reduce operational and overhead costs; optimise maintenance practices; improve operational processes and structure.
Organisational Health (organisational effectiveness from improved processes, structure and culture): OG1 Performance management; OG2 Promotion and succession planning; OG3 Structure and Governance; OG4 Annual planning and budget; OG5 Innovation and continuous improvement; OG6 Information Technology.
5. Specific expected objectives:
• Clarity of risk and the risk management process;
• Clarity on the role of audit and the audit process;
• Link between audit and risk management;
• Auditors' role in the risk management process; and
• Commitment towards a consistent risk consciousness.
10. Risk is the aggregate effect of uncertain events and outcomes on the achievement of objectives.
11. Objectives: A goal or end result that is to be achieved;
Uncertainty: Unknown, indefinite or unclear;
Events: A happening, inside or outside KenGen (natural or man-made);
Outcomes: Results of, and contingent upon, events (financial or not, tangible or not); and
Effects: Consequences of outcomes on the achievement of objectives (favourable or not).
14. Key elements of ERM include:
Adopting consistent and effective risk governance;
Standardizing the risk management process;
Aggregating and integrating a view of all risks; and
Relating risks to business objectives.
15. Enterprise: A purposeful undertaking that requires boldness.
Risk: The potential for loss, harm or sub-optimization of gain.
Management: Directing and controlling people, entities and resources for the purpose of coordinating and harmonizing them towards accomplishing a goal, i.e., protecting existing assets and creating future growth.
17. Introduction:
Before the Three Lines: Risk Management Oversight and Strategy-Setting
The First Line of Defense: Operational/Process Management
The Second Line of Defense: Risk Management and Compliance Functions
The Third Line of Defense: Internal Audit, External Auditors, Regulators, and Other External Bodies
Coordinating the Three Lines of Defense
18. In twenty-first century businesses, it's not uncommon to find diverse teams of internal auditors, enterprise risk management specialists, compliance officers, internal control specialists, quality inspectors/assessors, fraud investigators, and other risk and control professionals working together to help their organizations manage risk.
The Three Lines of Defense model distinguishes among three groups (or lines) involved in effective risk management:
• Functions that own and manage risks (1st Line);
• Functions that oversee risks (2nd Line); and
• Functions that provide independent assurance (3rd Line).
19. Operational managers own and manage risks. They implement corrective actions to address process and control deficiencies.
They maintain effective internal controls and execute risk and control procedures on a day-to-day basis.
They identify, assess, control and mitigate risks, guiding the development and implementation of internal policies and procedures.
They design and implement detailed procedures that serve as controls and supervise execution of those procedures by their employees.
Operational management serves as the first line of defense because controls are designed into systems and processes under its guidance.
There should be adequate managerial and supervisory controls in place to ensure compliance and to highlight control breakdowns, inadequate processes, and unexpected events.
20. In a perfect world, only one line of defense would be needed to assure effective risk management. In the real world, however, a single line of defense can often prove inadequate. Management establishes various risk management and compliance functions to help build and/or monitor the first-line-of-defense controls.
The responsibilities of these functions vary with their specific nature, but can include:
• Supporting management policies, defining roles and responsibilities, and setting goals for implementation.
• Providing risk management frameworks; identifying known and emerging issues.
• Identifying shifts in the organization's implicit risk appetite.
21. • Assisting management in developing processes and controls to manage risks and issues.
• Providing guidance and training on risk management processes.
• Facilitating and monitoring implementation of effective risk management practices by operational management.
• Alerting operational management to emerging issues and changing regulatory and risk scenarios.
• Monitoring the adequacy and effectiveness of internal control, accuracy and completeness of reporting, compliance with laws and regulations, and timely remediation of deficiencies.
22. Internal auditors provide the governing body and senior management with comprehensive assurance based on the highest level of independence and objectivity within the organization. This high level of independence is not available in the second line of defense.
Internal audit provides assurance on the effectiveness of governance, risk management, and internal controls, including the manner in which the first and second lines of defense achieve risk management and control objectives.
The scope of this assurance, which is reported to senior management and to the governing body, usually covers:
23. Comparison of the three lines of defense (table):
FIRST LINE OF DEFENSE: Risk owners/managers; operating management.
SECOND LINE OF DEFENSE: Risk control/compliance; limited independence; reports primarily to management.
THIRD LINE OF DEFENSE: Risk assurance; internal audit; greater independence; reports to the governing body.
28. At the end of the session the participant will understand how to:
Identify risk;
Measure risk;
Select a risk response;
Develop mitigating strategies;
Report on risk; and
Sustain the risk management process.
30. Governance: Board roles and responsibilities, internal audit and risk management functions, tone at the top, risk management policies such as risk appetite and tolerance, the code of ethics, and delegation of authority.
People: This pillar focuses on management capabilities and related risks, such as having the right number of people with the right training and awareness.
Process: Includes core operational and infrastructure business processes necessary to run the business in an efficient manner, and to create and protect value.
Technology: This pillar establishes capable systems to analyze and communicate risk information throughout the organization and enable risk-intelligent decision-making and timely response.
Figure (risk intelligence cycle): risk sources such as competition, security and attacks feed a cycle of Identify risks; Assess and measure risks; Respond to risks; Design and test controls; Sustain and continuously improve; Develop and deploy strategies; Monitor, assure and escalate. The cycle rests on the four pillars Governance, Process, Technology and People, with the aim of risk intelligence to create and preserve value.
32. Strategies to ensure:
Revenue growth sustained;
Asset efficiency maximised;
Operating margins managed; and
Stakeholder expectations met.
Strategic objectives need to be cascaded throughout the organization.
How is this being done at KenGen?
How does it tie in to the G2G Transformation Strategy?
37. Define the risk factors to be used as a basis for risk ranking:
Impact factors: financial, stakeholders, reputation, legal/regulatory, speed of onset;
Vulnerability factors: control effectiveness, speed of response, complexity, rate of change and external factors.
Impact and vulnerability can be assessed in terms of high, medium/moderate, and low.
38. Risk is a function of impact and vulnerability, and the consideration of controls in place.
RISK = Impact x likelihood
Consider the existing controls to mitigate the identified risks. Controls do not always completely eliminate the risks; therefore, the remaining risk after considering controls is referred to as Residual Risk:
Residual Risk = Impact x Vulnerability, or Impact x (likelihood – Controls)
Vulnerability: The extent to which an event is likely to occur considering the existing controls.
Impact: The effect that a risk will have on the organisation should it materialise.
Example
Inherent Risk: Lack of understanding of the system functionality resulting in inaccurate and incomplete reporting information.
Existing Controls:
• System training
• Qualified personnel
• User reference guide
• Helpdesk support
Residual Risk: Considering the controls, the likelihood of the risk occurring becomes low, thus the residual risk (vulnerability) rating is low.
40. Avoid risk: Divest, prohibit, stop, screen or eliminate the risk event. Certain project activities may have too much associated risk, and as such a decision is taken not to enter into or continue with the activities.
Manage risk: Reduce the risk impact, risk vulnerability or both in a cost-effective manner, so that the risk exposure is reduced.
Transfer risk: Reduce risk likelihood or impact by transferring or otherwise sharing a portion of the risk.
Accept risk: Risk mitigation or risk management resources are not allocated to the risk.
41. Risk Category / Risk Response (table):
Very High: Manage/Avoid/Enhance Risk Mitigation
High: Manage/Avoid/Enhance Risk Mitigation
Medium: Transfer/Monitor/Measure for Cumulative Impact
Low: Accept/Retain/Redeploy Resources
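The residual-risk calculation of slide 38 and the response table of slide 41 can be carried through as one small scoring routine. The following Python is an added example and not material from the KenGen deck: it rates impact and vulnerability on the slides' high/medium/low scale, lets existing controls lower the likelihood (the slide's "likelihood – Controls"), multiplies to get an inherent and a residual score, bands the score into the four categories of the response table, and returns the response. The numeric scale, the control-effectiveness adjustment rule, the banding thresholds and both sample risks are assumptions constructed for the illustration; the slide's own example (lack of system-functionality understanding, mitigated by training, qualified personnel, a user guide and helpdesk support) is the first sample.

```python
"""Residual risk rating and response lookup (illustrative, not the slides' tool).

Assumptions made here, not stated in the slides:
  * high / medium / low map to 3 / 2 / 1;
  * the strongest control lowers inherent likelihood by (effectiveness - 1) steps;
  * score bands: 9 -> very high, 6-8 -> high, 3-5 -> medium, else low.
"""
from dataclasses import dataclass, field

# Ordinal scale for the slides' high / medium / low ratings (assumed).
LEVEL = {"low": 1, "medium": 2, "high": 3}

# Response table from slide 41, keyed by residual risk category.
RESPONSE = {
    "very high": "Manage/Avoid/Enhance Risk Mitigation",
    "high": "Manage/Avoid/Enhance Risk Mitigation",
    "medium": "Transfer/Monitor/Measure for Cumulative Impact",
    "low": "Accept/Retain/Redeploy Resources",
}


@dataclass
class Control:
    name: str
    effectiveness: str  # "low" | "medium" | "high" (assumed scale)


@dataclass
class Risk:
    description: str
    impact: str                  # "low" | "medium" | "high"
    inherent_vulnerability: str  # likelihood before considering controls
    controls: list[Control] = field(default_factory=list)


def score(impact: int, vulnerability: int) -> int:
    """Slide 38: RISK = Impact x likelihood (vulnerability)."""
    return impact * vulnerability


def residual_vulnerability(risk: Risk) -> int:
    """Likelihood after controls: the strongest control reduces the inherent
    level by (effectiveness - 1) steps, never below 1 (assumed rule standing
    in for the slide's 'likelihood - Controls')."""
    base = LEVEL[risk.inherent_vulnerability]
    best = max((LEVEL[c.effectiveness] for c in risk.controls), default=1)
    return max(1, base - (best - 1))


def category(s: int) -> str:
    """Band a 1..9 product onto the four categories of the response table (assumed)."""
    if s >= 9:
        return "very high"
    if s >= 6:
        return "high"
    if s >= 3:
        return "medium"
    return "low"


def assess(risk: Risk) -> dict:
    """Inherent and residual rating plus the response the table prescribes."""
    inherent = score(LEVEL[risk.impact], LEVEL[risk.inherent_vulnerability])
    rv = residual_vulnerability(risk)
    residual = score(LEVEL[risk.impact], rv)
    cat = category(residual)
    return {
        "inherent_score": inherent,
        "inherent_category": category(inherent),
        "residual_vulnerability": rv,
        "residual_score": residual,
        "residual_category": cat,
        "response": RESPONSE[cat],
    }


# Constructed sample 1: the slide 38 example, with assumed ratings.
REPORTING_RISK = Risk(
    description="Lack of understanding of system functionality -> inaccurate reporting",
    impact="medium",
    inherent_vulnerability="high",
    controls=[
        Control("System training", "high"),
        Control("Qualified personnel", "high"),
        Control("User reference guide", "medium"),
        Control("Helpdesk support", "medium"),
    ],
)

# Constructed sample 2: a high-impact, high-likelihood risk with no controls yet.
UNMITIGATED_RISK = Risk(
    description="Project schedule overrun with no mitigation plan (hypothetical)",
    impact="high",
    inherent_vulnerability="high",
)

if __name__ == "__main__":
    for r in (REPORTING_RISK, UNMITIGATED_RISK):
        print(r.description)
        for k, v in assess(r).items():
            print(f"  {k}: {v}")
```

The first sample reproduces the slide's conclusion: inherent risk is high, but the controls bring the likelihood down to low, so the residual rating is low and the table says accept/retain. The second sample has nothing to lower its likelihood, lands in the very-high band and is steered to manage/avoid/enhance mitigation.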