
A. N. Bhagat – Risk Officer
C.M. Chugh, AGM (Civil) – Resource Person
Anand Trivedi, Mgr (U&S) – Resource Person

Outline of Presentation
• Background

• Risk Management Concepts

• ERM in SAIL

• Risk Class and Categories in SAIL

• Risk Management Templates


Background
Clause 49 of Listing Agreement

• Clause 49 deals with Corporate Governance norms

• These norms pertain to:
– Board of Directors
– Audit Committee
– Subsidiary Companies (unlisted)
– Disclosures
– CEO/CFO Certification
– Report on Corporate Governance


Disclosures – Risk Management (under Clause 49)
• Procedures to inform Board about the risk assessment and minimization
procedures

• Periodic review of procedures to ensure that executive management controls risk
through a properly defined framework

• Risk Assessment Report to be placed before the Board for review and approval
Risk Management Concepts
Basic risk example

TSUNAMI – Impact: High; Likelihood: Low
THEFT OF OFFICE STATIONERY – Impact: Low; Likelihood: High
Risk Management Concepts

Risk: Potential for loss or harm - or the diminished opportunity for gain -
that can adversely affect the achievement of an organization’s
objectives

Example: Shortage of manpower and high age mix leading to adverse impact
on productivity
Risk Management Concepts

Contributing Factor: factors that contribute to the creation of the risks.
Lack of appropriate action to address these will further amplify the risk

Example: No fresh recruitment, absence of effective succession planning,
superannuation in key posts / areas

Risk Example: Shortage of manpower and high age mix leading to adverse
impact on productivity
Risk Management Concepts

Impact: the outcome of an event expressed qualitatively or quantitatively,
being a loss, injury, vulnerability, disadvantage or gain

Example: Loss of productivity and dilution of skills

Contributing Factor Example: No fresh recruitments, absence of effective
succession planning, superannuation in key posts / areas

Risk Example: Shortage of manpower and high age mix leading to adverse
impact on productivity
Risk Management Concepts

Control: any action or activity that increases the likelihood of achieving
your business objectives

Example: Re-deployment of manpower, fresh recruitments in key areas

Contributing Factor Example: No fresh recruitments, absence of effective
succession planning, superannuation in key posts / areas

Risk Example: Shortage of manpower and high age mix leading to adverse
impact on productivity

Impact Example: Loss of productivity and dilution of skills
Risk Management Concepts (Contd.)

The Risk Formula

Risk(Objectives) - Control = Acceptable Residual Risk

Risks are everything that gets in the way of the sustainable achievement of your
objectives.

Objectives are what your organization aims to accomplish.

Controls are any action or activity that increases the likelihood of achieving your
business objectives.
Inherent Risk to Acceptable Residual Risk
To develop action plans, the organization should consider the effectiveness of the
existing control environment to mitigate risk exposures.

[Figure labels: Inherent risk; Controls; Effective controls; Residual Risk;
Treatment Plan(s); Desired level of "residual risk"; ACCEPTABLE Residual Risk]
The Risk Management Process Overview

[Figure: process stages]
Establish the context
Identify risks
Analyze risks
Evaluate risks
Treat risks and design controls

[Figure: other labels]
Assess risks
Communicate and consult
Monitor and review

Risk management overview (AS/NZS 4360:1999)


Process Explained
Establish the context
• Establish the strategic, organizational and risk management context in which the rest of
the process will take place. Criteria against which risk is to be evaluated should be
established and the structure of the analysis defined

Identify Risks
• Identify risks through a) workshops, b) brainstorming sessions, c) past data or
experience, d) customer feedback or e) by analysis

Analyze Risks
• Analyze risks by determining the existing control measures and examining the likelihood
and impact. Likelihood and impact may be combined to arrive at an estimated level of risk

Evaluate Risks
• Evaluate risk on the basis of prioritization. This enables risks to be ranked so as to identify
management priorities
Process Explained (Contd.)
Treat Risks and design controls
• Select and implement appropriate options for dealing with risk, i.e.
– Avoid – exit that activity that entails the particular risk (e.g. where potential of loss outweighs that of
gain, buying / entering a new business, eliminate potential hazards)
– Accept – choose to accept the risk (e.g. changing policies, self insurance for small risks, wars,
where potential for gain outweighs that for loss)
– Share – share loss or gain (e.g. joint venture for a new business)
– Transfer – transfer risk of loss, not the event (e.g. insurance)
– Reduce – reduce severity or likelihood of loss (e.g. incremental software development,
outsourcing, hedging for foreign currency exposure)
– Control – control the consequence (e.g. install safety equipment for safety related risks)
– Diversify – spread to new markets or move into new businesses

• Implement action plans and validate mitigation of risks

Communicate & Consult


• Communicate and consult with internal and external stakeholders as appropriate at each
stage of the risk management process concerning the process as a whole

Monitor & Review


• Review and monitor the action plans
Risk Assessment Parameters

The risks should be assessed on the following two-fold qualitative criteria:

– The likelihood of occurrence of the risk event, and
– The magnitude of impact if the risk event occurs

Level | Likelihood Descriptor | Impact Descriptor
5 | Very High Likelihood | Very High Impact
4 | High Likelihood | High Impact
3 | Moderate Likelihood | Moderate Impact
2 | Low Likelihood | Low Impact
1 | Very Low Likelihood | Very Low Impact


Process Explained - Risk Prioritization

LIKELIHOOD (rows) x IMPACT (columns)

  5 |  5  10  15  20  25
  4 |  4   8  12  16  20
  3 |  3   6   9  12  15
  2 |  2   4   6   8  10
  1 |  1   2   3   4   5
    +--------------------
       1   2   3   4   5   IMPACT

Legend:
Most Critical – Need active monitoring
High Impact/Likelihood – Need periodic monitoring
Low likelihood & Impact – Need Annual Review
Process Explained - Risk Prioritization

• The output of a risk evaluation is a prioritized list of risks for further action

• Risk ratings are the combined scores of likelihood and impact

• Risks are prioritized in three categories:

– High (Red zone or critical – Average score more than 11.5)

– Medium (Yellow zone or cautionary – Average score between 6.5 and 11.5)

– Low (Green zone or acceptable – Average score up to 6.5)


Risk Intelligence enables the enterprise to create and preserve value

Creating shareholder value (+): New product development, Increased revenue,
Increased market share

Preserving shareholder value: Penalties and fines, Fraud, Lawsuits

Companies make money by taking intelligent risks, and lose by failing
to manage them intelligently
ERM IN SAIL
SAIL ERM

• SAIL established an ERM framework at locations namely Bokaro Steel Plant,
Bhilai Steel Plant, Durgapur Steel Plant, Rourkela Steel Plant, IISCO Steel Plant,
Salem Steel Plant, Central Marketing Organization, VISL, RDCIS, CET, MTI, SSO
and Corporate Office

• Risk Registers were formulated for each location

• Key deliverables :
- ERM Framework
- Risk Categories
- ERM Governance Structure
- Org structure for CRO office and extended team
- Risk Management Process Workflow
- Risk Management Policy
ERM Governance Structure
Roadmap for SAIL to build a risk intelligent program

Maximum value from Risk Intelligence is achieved when all aspects of the
Risk Management Roadmap have been implemented.

SAIL's roadmap to a Risk Intelligent Program leverages the existing risk
management activities and infrastructure at the enterprises and integrates
these activities into the overall risk management objective

[Figure: roadmap steps plotted as Value Derived against Complexity of Approach / Time]
– Agree on Business Objectives
– Map risks to achieving the objectives
– Develop Policies
– Develop a Risk Framework
– Create a Governance Model
– Develop Risk Processes
– Undertake enterprise wide Risk & Control Self Assessment
– Monitor key risks
– Manage issues
– Establish Risk Mitigation Plans / Baselines
– Monitor risk responses
– Create an Integrated Reporting / Scorecard
– Optimize risk management processes

Legend: Green – Completed; Red – Not yet planned
SAIL Risk Management Policy
Policy Statement:

To develop organization wide capabilities in Risk Management by defining and
implementing robust processes so as to ensure efficient and effective
assessment and management of risk in the achievement of SAIL's objectives on
an ongoing basis. Risk Management should strike an optimal balance between
growth objectives and related risks which should consider contingent or
unforeseen risks, in all its manifestations.

Compliance:

– Compliance with SAIL Risk Management Policy is mandatory. Failure to comply
may result in disciplinary action taken by the management.
– For all exceptions to, or deviations from the Policy, prior approval must be
obtained from the SAIL Risk Office.
SAIL ERM Framework

[Figure: SAIL ERM Framework]

Levels: Board of Directors; Corporate Risk Office; Unit / Plant level Risk Management

Framework labels: Sustain and Continuously Improve; Develop and Establish Strategies;
Review and Guidance; Communicate and Report; Governance, Organization, Roles &
Responsibilities; Industry & Regulatory requirement; Standards; Risk Management;
Compliance Monitoring; Reporting; Training & Awareness; Tools & Technology;
Program Management

Corporate Risk Office: Risk Portfolio; Business Objectives; Performance Measurement;
Enterprise Wide Risk Integration

Unit / Plant: Identify Risks; Assess & Evaluate Risks; Respond to Risks;
Design, implement & test controls; Monitor, Assure & Escalate

FUNCTIONAL RISK CATEGORIES: Finance; Corporate Governance; Ethics; CR&S; External factors;
Planning; Strategy; HR; IT; Corporate Assets; Legal; Product Development;
Sales, Market & Comm; Compliance; Reporting
Risk Class and Categories - SAIL
SAIL Risk Categories

Risk Class: Governance; Strategy and Planning; Operations / Infrastructure;
Compliance; Reporting

Risk Category: Corporate Governance; CSR; Corporate Asset; Compliance; Reporting;
Ethics; External factors; Finance; Planning; Human Resource; Strategy;
Information Technology; Project Management; Legal; Product Development;
Sales, Marketing and Communications
RM process and templates
SAIL RM Documentation templates

ERM Process stage: ERM documentation

Identify and analyze risks: Risk Identification Forms and Risk Register
Evaluate risks: Risk Assessment
Treat risks and design controls: Risk Profile
Monitor and Review: Quarterly Risk Management Report


1. Risk Identification Form

Employee name:
Functional head name:
Risk Category:
Risk Description:
Contributing Factors:

Description of issues :

Likelihood Rating (A) – (To be provided by employee based on individual perception)
Impact Rating (B) – (To be provided by employee based on individual perception)
Overall Inherent Risk Rating (A*B):
Risk Identification Form (contd.)

Risk Assessment by Functional Head :


- Is it a pre-identified risk, documented in Risk Register?

- If the answer to above question is NO, please document if the risk requires immediate escalation to Risk
Officer.

Signature of Functional Head


Risk Assessment by Risk Officer:
- Does the risk require immediate escalation to Chief Risk Officer?

- If the answer to above question is YES, it will follow the Risk Identification and Escalation process.

- If the answer to above question is NO, the risk will be evaluated in quarterly risk assessment.

Signature of Risk Officer


Risk Identification Form (contd.)

Risk Assessment by Chief Risk Officer:


- Does the risk require immediate updation to Risk Register?

- If the answer to above question is YES, identify Risk Owner (in consultation with concerned Risk Officer)
and ensure Risk Profile is prepared.

- If the answer to above question is NO, the risk will be evaluated in quarterly risk assessment.

Signature of Chief Risk Officer


2. Risk Register

Risk register is a categorized and prioritized repository of risks and controls.

SAIL - XYZ Risk Register - Prioritized


Risk ID no. | Risk Category | Risk Statement | Contributing Factors | Date Identified | Likelihood Score | Impact Score | Combined Score | Risk Owner | Remarks
Risk Register (contd.)
Identification Of Risk


Risk Categories are designed to assist in risk identification:


• These are broad ‘baskets’ in which we can classify the risks
• Grouping of risks is critical for determining the primary drivers of each risk category and to
assist in the development of common risk mitigation solutions
• Classification helps better management and control over risks
Risk Register (contd.)
Risk Statement


• Risk Statements are used to define risk in a clear and concise manner.
• Risk Statements should clearly highlight the cause and effect.
• Risk Statements are defined by the risk owner and further evaluated and
validated by the risk management organization of the unit / plant.
Risk Register (contd.)
Contributing Factor


• These are the factors that contribute to the creation of the risk
• Lack of management decision or appropriate action to address
these contributing factors will further amplify the risk
Risk Register
Contributing Factor – Examples
SAIL - XYZ Risk Register – Prioritized

Risk ID no.: 1
Risk Category: Human Resource
Risk Statement: Inability to retain skilled manpower leading to adverse impact on operations
Contributing Factors:
- Compensation package
- Selection method (selection of appropriate talent)
- Low motivation
- Lower industry attractiveness
- Inadequate reward and recognition system
- Inadequate policy for job rotations
3. Risk Assessment Template
What is Risk Assessment Template?

Risk Assessment Template: Individual template:

Risk No. | Risk Statement | Likelihood (1 2 3 4 5) | Impact (1 2 3 4 5)

The person assessing the risk should give his perception of likelihood and impact in
the above template. Group's average score should be used as risk assessment
score for rating.
Risk Assessment Parameters

The risks are assessed on the following two-fold qualitative criteria:

– The likelihood of occurrence of the risk event, and
– The magnitude of impact if the risk event occurs

Level | Likelihood Descriptor | Impact Descriptor
5 | Very High Likelihood | Very High Impact
4 | High Likelihood | High Impact
3 | Moderate Likelihood | Moderate Impact
2 | Low Likelihood | Low Impact
1 | Very Low Likelihood | Very Low Impact


Risk Assessment template - Aggregate Scorecard
Example

Risk Ref. No.: Risk 2
Risk Category: Project Management
Risk Statement: Delays in project implementation leading to time and cost overruns

Individual Ratings | Likelihood Rating (1 2 3 4 5) | Impact Rating (1 2 3 4 5)
Person 1 | P | P
Person 2 | P | P
Person 3 | P | P
Group's Average Rating | 3 | 5
Combined Risk Rating | 15
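
The aggregate scorecard and the High / Medium / Low zones from the Risk Prioritization slide can be worked through in code. The following is an added example, not part of the original presentation: the function names and the individual ratings are constructed (the slide shows only the group averages 3 and 5), and it assumes the combined rating is the product of the two group averages, as in the 3 x 5 = 15 example.

```python
from dataclasses import dataclass
from statistics import mean

LEVELS = range(1, 6)   # 1 = Very Low ... 5 = Very High, as on the parameter slide
MEDIUM_ABOVE = 6.5     # Low zone: average score up to 6.5
HIGH_ABOVE = 11.5      # High zone: average score more than 11.5


@dataclass
class ScoredRisk:
    ref: str
    statement: str
    likelihood: float  # group's average likelihood rating
    impact: float      # group's average impact rating
    combined: float    # likelihood * impact
    zone: str


def zone_for(combined):
    """Map a combined score to the slide's three zones (boundaries inclusive below)."""
    if combined > HIGH_ABOVE:
        return "High"
    if combined > MEDIUM_ABOVE:
        return "Medium"
    return "Low"


def score_risk(ref, statement, ratings):
    """ratings: one (likelihood, impact) pair per assessor, each a level 1..5."""
    if not ratings:
        raise ValueError(f"{ref}: no individual ratings supplied")
    for likelihood, impact in ratings:
        if likelihood not in LEVELS or impact not in LEVELS:
            raise ValueError(f"{ref}: rating outside 1..5: {(likelihood, impact)}")
    avg_l = mean([l for l, _ in ratings])
    avg_i = mean([i for _, i in ratings])
    combined = avg_l * avg_i  # product of the group averages, as in 3 x 5 = 15
    return ScoredRisk(ref, statement, avg_l, avg_i, combined, zone_for(combined))


def prioritize(risks):
    """Prioritized register: highest combined score first."""
    return sorted(risks, key=lambda r: r.combined, reverse=True)


# Constructed individual ratings; only the statements of Risk 1 and Risk 2
# come from the slides. Risk 3 is a placeholder chosen to land on the 6.5 boundary.
SAMPLE = [
    ("Risk 1", "Inability to retain skilled manpower", [(3, 3), (4, 3), (2, 3)]),
    ("Risk 2", "Delays in project implementation", [(2, 5), (3, 5), (4, 5)]),
    ("Risk 3", "Constructed placeholder risk", [(3, 2), (3, 2), (3, 2), (4, 2)]),
]


def build_register():
    return prioritize([score_risk(*row) for row in SAMPLE])


if __name__ == "__main__":
    for r in build_register():
        print(f"{r.ref}: L={r.likelihood} I={r.impact} combined={r.combined} zone={r.zone}")
```
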
Risk Register – Prioritized (An example)
SAIL - XYZ Risk Register – Prioritized

Risk ID no.: 2
Risk Category: Project Management
Risk Statement: Delays in project implementation leading to time and cost overruns
Contributing Factors:
- Delays in the planning process
- Socio-political environment
- Government regulations / restrictions
- Limited specialized technology vendors
- Payment terms
- Rigid selection process of vendors
- Inflation
- Shortage of supervisory executives and staff
- Land acquisition for future projects
- Non availability of raw material (e.g. coal)
- Non closure of projects in time
- Losing quality contractors / increase in cost
- Inadequate detailing by consultants before project implementation
Date Identified: 18/03/09
Likelihood Score: 3.0
Impact Score: 5.0
Combined Score: 15.0
Risk Owner: Mr. XYZ (e.g. ED (Projects))
Remarks:
4. Risk Profile Template

Risk Ref. No:


Risk Category:
Risk Description:
Risk Owner
Date of validation: dd/mm/yy
Date of next review: dd/mm/yy
Contributing Factors:

Description of issues :

Risk Profile Template contd.

Likelihood Rating (A) -
Impact Rating (B) -
Overall Inherent Risk Rating (A*B) -
Financial Exposure (in the event of Risk occurrence) (C) – (Refer Calculation and Assumptions attached)
Insurance (Yes / No) (D)
Net Exposure (C) – (D)
Description of controls:

Do the controls address the risk effectively? Yes/No
Are the controls documented and communicated? Yes/No
Risk Profile Template contd.
RISK TREATMENT PLAN
Proposed Risk Treatment Actions:
Sr. No. | Description | Target date | Status | Responsibility
1.
2.

Sr. No. | Resource Requirements | Responsibility | Budgeted Amount

Signature of Risk Owner Signature of Risk Officer


Note: For completion of Risk treatment actions, the overall responsibility lies with respective Risk owner.
In addition to the risk requirement part, where responsibility for particular activity or job is mentioned,
following details also need to be provided:

Calculations:
Assumptions:
5 (a). Risk Management Report (from Units to CRO)

Quarterly Risk Management Report


[Date]

I, the Risk Officer of the __ Unit / Corporate function, certify that we have conducted
a quarterly review of the __ Unit's / Corporate function's risks in the month of
[Month, Year] as laid out in SAIL's Risk Management Policy. Risk identification,
assessment and evaluation for the current risks have been completed. The RMC
has reviewed the risks profiled and agreed with the actions planned for mitigation.
The details of the key risks, the status of actions planned to mitigate and the
resource requirement for mitigation of the same are annexed in section 1 and 2
below.

________________________
(Signature of Risk Officer)
5 (a). Risk Management Report (from Units to CRO)
contd.
Quarterly Risk Management Report
[Date]

Section 1 : List of Key Risks


Risk Ref. No. | Risk Categories | Risk Statements | Risk ratings: Likelihood | Risk ratings: Impact | Risk ratings: Overall average score | Risk Owner

Section 2 : Status report on Actions Planned

Risk Ref. No. | Risk Statement | Action Description | Resource Requirement | Person Responsible | Planned Completion Date | Status
5 (b). Risk Management Report (from RMSC to Board)

Quarterly Risk Management Report


[Date]
Certificate of Compliance

I, the Chief Risk Officer, member of SAIL's ‘Risk Management Steering Committee',
certify that we have conducted a quarterly review of the Company risks in the month
of [Month, Year] as laid out in SAIL's Risk Management Policy. Risk identification,
assessment and evaluation for the current risks have been completed. The details
of the key risks and the status of actions planned to mitigate the same are annexed
in section 1 and 2 below.

________________________

(Signature of Chief Risk Officer)


5 (b). Risk Management Report (from RMSC to Board)
contd.
Quarterly Risk Management Report
[Date]

Section 1 : List of Key Risks


Risk Ref. No. | Risk Categories | Risk Statements | Risk ratings: Likelihood | Risk ratings: Impact | Risk ratings: Overall average score | Risk Owner

Section 2 : Status report on Actions Planned

Risk Ref. No. | Risk Statement | Action Description | Person Responsible | Planned Completion Date | Status
6. Loss Database

Sr. No. | Date on which event occurred | Risk Category | Details of Event that Occurred | Financial Impact | Non Financial Impact | Changed Overall Risk Score | Sign Off Risk Owner

For every loss that occurs, the loss database needs to be updated.


Risk reviews
• A risk review involves re-examination of all risks recorded in the risk register and
risk profiles to ensure that the current assessments remain valid.

• Review also aims at assessing the progress of risk treatment action plans.

• Risk reviews should form part of agenda for every RMC and RMSC meeting. The
risk register should be reviewed, assessed and updated on a quarterly basis.

• The Chief Risk Officer is responsible for ensuring that the Risk Register is
reviewed and updated at least quarterly.
Review and reporting cycle

Function | Frequency | Date
Establishment of Risk Management Process | Once | As approved
Risk register | As and when risks are identified and assessed, at least once in a quarter | March, June, September, December
Risk assessment | As and when risks are identified, at least once in a quarter | March, June, September, December
Risk profile | As and when risks are identified, at least once in a quarter | March, June, September, December
Risk Management Report | Quarterly | March, June, September, December
THANK YOU !
