Presented by Kevin King, Executive Vice President and Head of Risk Management, Hong Kong Exchanges and Clearing Limited at the Premier Business Leadership Series 2010. http://www.sas.com/theserieshk
Through its ownership of the Hong Kong Stock Exchange, Hong Kong Futures Exchange and their associated clearing houses, Hong Kong Exchanges and Clearing Ltd. brings together the market organisations that have transformed Hong Kong's financial services industry from a domestically focused market to a central marketplace in Asia. King is in charge of implementing an enterprise risk management framework to protect investment funds from all over the world. He will discuss the comforts and hidden dangers of corporate silos and the never-ending process of enhancing management decision making.
Meeting the Challenges of Enterprise Risk Management
1. The Premier Business Leadership Series Hong Kong
11 August 2010
“Meeting the Challenges of Enterprise Risk Management”
Kevin King
EVP Head of Risk Management
Hong Kong Exchanges and Clearing Ltd.
2. Agenda
Enterprise Risk Management (ERM) defined
Key benefits
The evolution of ERM and several leading models
Key components
Heat mapping as a tool for enhanced decision making
The “D Risks” and how ERM helps to manage them
Closing comments
3. Enterprise Risk Management
The process whereby all material risks faced by an organization are identified, assessed and effectively managed within a coordinated and strategic framework.
4. Key Benefits of an Effective ERM Framework
Provides a systematic way to identify all material risks.
Enhances the ability to manage risks on an aggregate level.
Reduces the risk of major risk events interfering with the priority objectives of the organization.
Enables the organization to better manage emergent risks.
Promotes greater operational efficiency.
Contributes to informed decision making.
5. ERM Evolution and Related Key Publications
Timeline (1990s - 2000, 2001, 2002, 2003, 2004, 2005, 2006 - 2008), key publications:
Continued focus on internal control, risk management and responsibilities
Sarbanes Oxley Act of 2002
Risk Management Standard - AIRMIC/ALARM/IRM
A Risk Management Standard - Federation of European Risk Management Associations [largely based on AIRMIC/ALARM/IRM Risk Management Standard]
Overview of ERM - Casualty Actuarial Society [largely based on the AS/NZS 4360 Risk Management Standard]
ERM Integrated Framework - COSO
AS/NZS 4360 Risk Management Standard (revised version) - Standards Australia/Standards New Zealand
ERM Specialty Guide - Society of Actuaries
ERM Assessment Framework - Standard & Poor's [for including the evaluation of ERM into its corporate credit rating process]
6. The AIRMIC/ALARM/IRM Risk Management Standard (2002)
Diagram (risk management process):
The Organisation's Strategic Objectives
Risk Assessment
– Risk Analysis: Risk Identification, Risk Description, Risk Estimation
– Risk Evaluation
Risk Reporting: Threats & Opportunities
Decision
Risk Treatment
Residual Risk Reporting
Monitoring
Side elements: Modification; Formal Audit
Some personal views:
Emphasizes the understanding of the external and internal drivers of key risks faced by the organization.
Stresses the importance of relating risk management to the strategic objectives of the firm.
Easy to understand the risk management process but provides limited guidance on the implementation of each step.
Source for diagram: A Risk Management Standard published in 2002 by the Association of Insurance and Risk Managers (AIRMIC); ALARM, the Public Risk Management Association; and the Institute of Risk Management (IRM)
7. COSO ERM – Integrated Framework (2004)
Diagram (ERM components):
Internal Environment
- Risk management philosophy
- Risk appetite
Objective Setting
- Objectives
- Units of
- Inventory of opportunities
- Risk tolerances
Event Identification
- Inventory of risks
Risk Assessment
- Inherent risks
- Risk responses
- Residual risks
Risk Response
- Risk responses
Control Activities
- Outputs
- Indicators
- Reports
Monitoring
Some personal views:
It provides a comprehensive vision of ERM.
Emphasizes the need for understanding the internal environment and the objectives of the organization. “Objective setting” is one of the key steps of the risk management process and is a precondition to event identification.
Worth studying from a theoretical standpoint but falls short in terms of guidance on how to apply the principles from a practical standpoint.
Source for diagram: Enterprise Risk Management – Integrated Framework: Application Techniques, published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission
8. The COSO Cube
(The Committee of Sponsoring Organizations of the Treadway Commission)
Source: http://www.sox-online.com/coso_cobit_coso_cube-new.html
10. The Australian/New Zealand Risk Management Standard AS/NZS 4360 (2004)
Diagram (risk management process):
ESTABLISH THE CONTEXT
- The Internal Context
- The External Context
- The Risk Management Context
- Develop Criteria
- Define the Structure
IDENTIFY RISKS
- What can happen?
- When and where?
- How and why?
ANALYSE RISKS
- Identify existing controls
- Determine consequences
- Determine likelihood
- Determine Level of Risk
EVALUATE RISKS
- Compare against criteria
- Set priorities
Treat Risks? (No / Yes)
TREAT RISKS
- Identify options
- Assess options
- Prepare and implement treatment plans
- Analyse and evaluate
Side elements spanning all stages: COMMUNICATE AND CONSULT; MONITOR AND REVIEW
Some personal views:
Emphasizes the understanding of the external and internal environment of the firm in which the objectives are pursued.
Offers a flexible approach which in my view makes the key stages of the risk management process relatively easy to understand.
Provides more detailed guidance for implementation across the organization.
Source for diagram: The Australian/New Zealand Risk Management Standard AS/NZS 4360 (2004) published in 2004 by Standards Australia and Standards New Zealand.
11. Key components of an effective ERM Framework
Establish the risk context
Establish the frame of reference for how risks will be evaluated through the process
Design a risk register for capturing the key details
Design risk reference tables for the key scoring and triggered action
– Likelihood
– Impact
– Combined risk scoring / Heat mapping
– Risk Acceptance (establishing triggers for mandatory actions)
Risk Identification
Workshop the resident experts and front line risk owners to identify all significant risks
Define each risk
Risk Assessment
Score the likelihood & impact based on the risk context that has already been established
Assess whether the risk level of each risk is to be accepted or not
Risk Treatment
Identify the appropriate options and design specific risk treatment plans with owners
Higher level review and sign-off on approved risk treatment plans
Risk Reporting & Monitoring
Establish formal procedures and routines for reporting and monitoring of action plans
Heat mapping of the most significant risks for stakeholder assessments and review
12. Heat Mapping as a Tool for Enhanced Decision Making
3X3 heat map
Impact scale: Low -1, Medium -2, High -3
Likelihood High -3: R5, R1
Likelihood Medium -2: R7, R3, R2
Likelihood Low -1: R8, R9, R6, R4, R10
5X5 heat map
Impact scale: Negligible -1, Minor -2, Moderate -3, High -4, Extreme -5
Likelihood Almost certain -5:
Likelihood Likely -4: R5, R1
Likelihood Medium -3: R7, R3, R2
Likelihood Unlikely -2: R10, R8, R9, R6
Likelihood Rare -1: R4
13. The “D” Risks (particularly relevant to ERM)
Deficient Expertise Risk
Deliberation Risk (actually over-deliberation risk)
Difficulty Risk
Disastrous Risk (Catastrophic)
Disconnect Risk (Silo and/or absence of ownership)
Distraction Risk
Don’t Dare to Say Risk
14. Closing comments
“Risk is all about uncertainty or, more importantly, the effect of uncertainty on the achievement of objectives. The really successful organizations, work on understanding the uncertainty involved in achieving their objectives and ensuring they manage their risks so as to ensure a successful outcome.” - Kevin Knight, ISO
“If you do not actively attack the risks, they will actively attack you.” - Tom Gib
“Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis.” - Dr. Michael Ong