risk management
Enterprise risk management (ERM) conceptually encompasses all manageable or potentially mitigatable risks that can impact personnel or business continuity, from travel and expatriates to assets such as facilities, the supply chain, and more. Some of the methods for mitigation may be based upon regulatory requirements, ethical or environmental guidelines, credit or investment considerations, cyber risks, reputational risk, or compliance with safety standards. When approached on its own, ERM is often discussed in the context of finance-related decisions, but whether it is travel risk management (TRM) or any other aspect of risk management, safeguarding against these potential risks has value to the company and requires advance planning and systems to effectively reduce the potential for incidents or loss. From business travelers and the contributions they make, to a risk assessment in consideration of investing in an acquisition, at the end of the day there is a financial value to approaching risk. However, in the case of TRM, there is also a human value, a personal impact on company travelers: not just the value of their lives by keeping them safe, but the value of their morale and stress levels as they relate to how well they perform for their employers.
Putting enterprise risk into more context with TRM, consider all of the different ways that employee and contractor mobility touches most aspects of a company’s operations, including a company’s approach to risk management. For example:
● Travel to assess the risks associated with expanding operations into a new market.
● Travel to meet with parties being considered for merger, acquisition, or partnership, and their impact on the company’s reputation.
● Travel to ensure compliance with legal and environmental requirements involving a project or operation.
● Are your facilities still operational after a major natural disaster? What impact does that have on travel?
While the primary goal of this text is to develop an understanding and approach toward TRM as a discipline, and ongoing practice for process improvement, TRM is only one important element of an organization’s ERM approach. Again, the areas managed under the guise of a risk management program can depend upon the lengths to which an organization has adopted risk management as a discipline.
Key components of ERM include:
1. TRM
   a. Employees
   b. Contractors
   c. Meetings and events
   d. Expatriates
Building a Travel Risk Management Program 158
2. ARM (asset risk management)
   a. Facilities
   b. Supply chain
   c. Intellectual property
3. ORM (operational risk management)
   a. Physical security of operations
   b. Resiliency of operations faced with interruptions (business continuity)
Components of TRM programs have distinct differences worth noting, such as:
● Employee travel—The primary driver and focus of most policies, plans, and protocols upon which the TRM program is built. This component most often takes the most time and resources pertaining to TRM.
● Contractor travel—While many of the same processes and programs that touch each of the key process areas of the Travel Risk Management Maturity Model (TRM3) apply to contractors, not all policies and procedures that apply to normal employee travelers necessarily apply to contractors. Whether a policy or procedure applies to a contractor depends upon many factors, such as the contractor's contract requirements, contractor travel being booked outside of your travel program but paid for by your company, and the inability to provide the same level of safety training or policy compliance for contractors. Thus it is important that there be clear terms and conditions for contractor travel and definitions of liability where possible (employer versus contractor).
● Meeting and event attendee travel—Management of this type of travel under TRM is unique because of the type of group transportation involved, as well as the types of travelers (employee and nonemployee attendees) and special safety considerations for managing risks at meetings and events, such as assessments, special insurance coverage, and support services (e.g., security).
● Expatriates—These employees are not managed the same as standard transient travelers, except when traveling away from their assignment on business. Typically, these individuals and their families are living in places for extended periods for business purposes, and may need a different kind of training, disclosures, and support for their assignment areas than transient travelers. For example, an expat living in Russia and traveling within Russia on business may not want to receive the same security trip briefings over and over again for trips that they make on a regular basis, having already been trained with regard to the associated risks and precautions. You may, however, want to continue forwarding relevant alerts to them for travel booked to any destination that they plan on visiting, as well as current updates on potentially critical incidents that may be cause for concern over safety.
Unfortunately, expats can often get caught up in company-related business in foreign assignment countries, putting them in harm’s way very uniquely because of their status or mere presence in the country in question. For instance, in 2012, a Brazilian court required the surrender of passports from 17 employees of Chevron and oil rig operator Transocean, while the courts prepared criminal charges against the companies for alleged oil spill incidents.1 Whether or not the employees were directly responsible for the incident, the Brazilian government allegedly thought that allowing these individuals to leave the country might negatively impact the Brazilian investigation.
1 Simon Romero, “Brazil Bars Oil Workers From Leaving After Spill,” The New York Times, March 18, 2012, http://www.nytimes.com/2012/03/19/business/energy-environment/brazil-bars-17-at-chevron-and-transocean-from-leaving-after-spill.html.
Enterprise risk management and its relation to travel risk management 159
Another expat issue can include the fact that some countries refuse to allow residency to expatriates who have chronic health conditions such as human immunodeficiency virus (HIV), and require medical exams for applicants.
ARM is the structured ability to monitor things of value to an organization, from theft or interruption of delivery in the supply chain, to a natural disaster’s impact on office or manufacturing facility assets, among other incidents.
Let’s take a look at some different examples of ARM.
XYZ auto parts
XYZ Auto Parts is a fictional automobile parts manufacturer with factories and distribution centers throughout the southeastern United States, China, and Mexico.
Mr. Vernon Smith is the company’s risk officer in charge of ERM, including ARM.
Scenario 1–Supply chain loss investigation
Over the course of a 6-month period, an increasing percentage of losses has been experienced upon taking inventory of parts shipments to the company's manufacturing facilities in China. A pattern that did not exist in the prior 6 months has developed over the most recent 6 months, and no one seems to know how valuable assets are going missing between the suppliers and the manufacturing facilities. Because the shipments travel through various shipping providers and in some cases internal distribution centers, the need to identify where the thefts are taking place is critical to solving the problem and ensuring that production isn’t impacted by the shortage of supplies.
Similar to traveler tracking, Mr. Smith employs an asset-tracking program for his shipments using a GPS-based locating device, discreetly attached to the inventory itself. In conjunction with his inventory management system, any shipment arriving without all of its original contents can now be reconciled and the missing contents located by their GPS signals. Immediately after the implementation of his new system, he was able to identify the distribution center where inventory was being stolen and launched an investigation, leading to arrests.

Figure: Example components of ERM governance (board; CEO; governance and risk committee; executive committee; enterprise risk committee; financial risk committee; corporate audit; policy and risk tolerance establishment; centralized oversight; decision making and risk management).
Scenario 2–Natural disaster impact on crisis response
Vernon Smith has each of his distribution centers, manufacturing facilities, and offices logged and monitored in his ARM system, which notifies him when something of significance that could impact his operations comes within 10 miles of his facilities. On one day in particular, a series of severe thunderstorms with the chance of tornadoes and flash floods was forecast, in a pattern that had the potential to impact two of his managed facility assets. Understanding that the storms were expected to hit these locations during business hours, Mr. Smith had to ensure that proper crisis response and preparedness procedures were being enacted, so that if a facility were hit, employees and visitors would be in a safe location to shelter in place.
This situation could also directly impact travel depending on how visiting employees or contractors react to the situation, and possibly call upon the company’s crisis response hotline for advice and support services.
Scenario 3–Civil unrest impact on facilities and productivity
Mr. Smith receives a security alert from his intelligence provider that civil unrest has broken out in a city where he has a major call center. He quickly assesses the situation, looking at where the employees who work there live in relation to the facility and whether their route to work will be safe and avoid the conflict.
By understanding the proximity of the situation to his facility, Mr. Smith is able to arrange for safe transport of those employees who live close to the location without experiencing the civil unrest, while employees who would be forced to travel in close proximity to the violence were set up to work from home via remote call forwarding. Understanding where your people are in relation to your facilities in a crisis such as a natural disaster can help to avoid a major interruption in service. If you consider employees to be assets (i.e., human capital), you must treat them with a high sense of value to your business continuity plan.
This situation can also directly impact travel to and from a location, triggering temporary bans or added security protocols.
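As an added illustration (not from the book), the kind of proximity check an ARM system like Mr. Smith's in Scenarios 2 and 3 would run: great-circle distance from each monitored location to each reported incident, raising an alert inside the 10-mile radius the text mentions. All coordinates and incidents are constructed sample data, and the same function applies to employee home locations as in Scenario 3.

```python
# Added example (not from the book): an ARM-style proximity alert of the kind
# Scenarios 2 and 3 describe. Facility coordinates and incidents are constructed
# sample data; the 10-mile radius is the threshold the text uses.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8
ALERT_RADIUS_MILES = 10.0


@dataclass(frozen=True)
class Site:
    name: str        # a facility, or an employee's home in the Scenario 3 case
    lat: float
    lon: float


@dataclass(frozen=True)
class Incident:
    kind: str        # e.g. "tornado warning", "civil unrest"
    lat: float
    lon: float


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in statute miles."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def proximity_alerts(sites, incidents, radius_miles=ALERT_RADIUS_MILES):
    """Return (site name, incident kind, distance) for every site within radius of an incident."""
    hits = []
    for site in sites:
        for inc in incidents:
            d = haversine_miles(site.lat, site.lon, inc.lat, inc.lon)
            if d <= radius_miles:
                hits.append((site.name, inc.kind, round(d, 1)))
    return hits


# Constructed data: two XYZ Auto Parts facilities and three sample incidents
FACILITIES = [
    Site("Atlanta distribution center", 33.7490, -84.3880),
    Site("Monterrey plant", 25.6866, -100.3161),
]
INCIDENTS = [
    Incident("tornado warning", 33.8490, -84.3880),   # ~6.9 mi north of Atlanta DC
    Incident("flash flood", 33.7490, -84.0000),       # ~22 mi east of Atlanta DC, no alert
    Incident("civil unrest", 25.6866, -100.3161),     # at the Monterrey plant
]

if __name__ == "__main__":
    for site, kind, dist in proximity_alerts(FACILITIES, INCIDENTS):
        print(f"ALERT: {kind} within {dist} mi of {site}")
```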
ORM is the structured ability to mitigate and manage a business’s resiliency around operations in the face of interruptions. Operational risk, according to the Basel Committee, is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.2
2 Wikipedia, “Basel Committee on Banking Supervision,” http://en.wikipedia.org/wiki/Basel_Committee_on_Banking_Supervision.
Like ERM, ORM can be employed to many more aspects of a company’s operation than are listed below, but for discussion purposes, let’s consider just physical security and operational resiliency.
Physical security
Examples of physical security include entry and exit points for a facility; in the context of travel, this could be the entry and exit points of a hotel. Not having good security around entrances and exits of hotels could lead to travelers feeling unsafe and therefore negatively impact the hotel’s business and “operational resiliency” per se.
Some core components of physical security are:
● Access permissions and restrictions—tightly managed access keys or cards, with updates or redistribution upon departure of previously authorized employees.
● Security systems—connected to local authorities; the notification of the police or fire departments can be critical for mitigating the incident.
● Monitoring—recording who entered and left the facilities, establishing a visitor manifest and a timeline.
● Communications—training for employees on how to communicate different types of emergencies to key company stakeholders or the authorities, even under duress.
Operational resiliency
One example of operational resiliency, again using a hotel as an example, is to consider the risks associated with not cross-training your employees to work both the front desk and guest services. If two of your front desk attendants call in sick at the same time and you are expecting a group to check in that day, would it be worthwhile to pull in trained employees from guest services to help check everyone in? The decision to take that risk in the event that you are without the resources you need is a small example of how operationally resilient a department or a company can be, simply by looking ahead and calculating the potential risks, along with a plan for how to mitigate those risks. In short, operational resiliency is how well an organization can rebound or adapt to unexpected circumstances with minimal or no impact on operations.
Interestingly enough, other documented approaches to ERM, such as the Corporate Treasurers Council’s “CTC Guide to Enterprise Risk Management Beyond Theory: Practitioner Perspectives on ERM,”3 are very similar to the TRM3 model, which focuses on TRM, as is noted in the Council’s IAMGOLD case study, which identified the featured company’s four-phase approach to ERM as consisting of:
● Risk identification and assessment
● Risk mitigation
● Risk policy
● Risk infrastructure
3 Nilly Essaides, “Enterprise Risk Management Beyond Theory: Practitioner Perspectives on ERM,” Corporate Treasurers Council and Association for Financial Professionals, Inc., 2013, http://www.pwc.com/us/en/risk-management/assets/beyond-theory.pdf.
Case Study 2: IAMGOLD Corporation
This mid-size Canadian gold-mining company has a deeply rooted risk culture, which it recently formalized into a four-step process. It treats ERM as a living/breathing process as the company continues to refine its approach, and views successful risk management as a competitive advantage.
The mining business is inherently risky. It involves large capital investment, significant operating commitments, and costly exploration programs in countries that may suffer political and social instability. It’s no surprise then that IAMGOLD professes to have had a strong ERM program long before it made revisions to its policies and procedures in 2012, according to the ERM team comprised of senior executives: EVP and CFO Carol Banducci; Aun Ali Khokhawala, Director of Internal Audit and Risk Management; SVP of Corporate Affairs Benjamin Little; and Treasurer Alberto Nunez. The ERM team discussed the company’s program during an interview in May 2013.
“In the mining sector, there’s already a heightened awareness [of] how risk can impact operations and local communities,” said one executive. “It’s embedded into our culture. Every time we look at our business plan and strategy, we go through a risk assessment,” the executive explained. “Mining is risky and it is important for the business to understand the nature of those risks and how to deal with them.”
According to these senior leaders, “ERM is not a one-time program, it’s a process. There’s always been a form of ERM displayed in the way the business is managed. A year ago we put more clarity around the framework about how to assess, quantify, measure, and report risks.” However, according to the risk management team, while the risk culture has been prevalent, there has certainly been more recent emphasis from the financial community and the board to instill more rigor around it. “Having the process more formalized helps with the communication with the directors and the investment community,” according to one senior executive.
For companies in the mining industry such as IAMGOLD, risk management is not only a necessity; it can be a powerful competitive advantage. “If you do not have that supportive culture and an excellent program you are at a competitive disadvantage,” one participant said.
The four-phase process
The team said the ERM program is something the company takes seriously and is fundamental to how the business is managed. The program has four phases:
1. Risk identification and assessment. Define the risk universe with input from across the organization. Risks are assessed within a two-dimensional model of impact and likelihood broken into four broad categories: strategic, operational, financial, and compliance, with an accompanying structure of accountability both at the corporate level and at the various sites.
2. Risk mitigation and reporting. Define rules, responsibilities, control activities, and processes to mitigate and monitor those risks.
3. Risk policy. Document the risk policy and processes, including reporting and communications, and how ERM is integrated into the business planning process.
4. Risk infrastructure. Document the company’s appetite for risk and implement technology tools to track the risks that impact the business and strategic plan. The company is currently at this stage.
The ERM framework was initially designed by Internal Audit/Risk Management (IARM). “IARM supports management in reporting to the board and Audit Committee [about] how we are doing versus our risk framework,” the executives said. “We sit down with the Executive Leadership Team and review risks in terms of both a short- and long-term horizon and in relation to our business and strategic plans.” That overview is then captured within key areas including compliance, financial, strategic and operational risks.
“We get input from all functional and site leadership,” reported one executive.
“We do functional, site management and executive-level reviews, and based on the collective input, we come up with the most significant risks to us.”
The IAMGOLD team noted that ERM is an important, comprehensive, and proactive undertaking that is used to assess and manage the company’s key risks. “It’s an evolving program. Wherever there is a potential risk, we identify it, address it, and update our risk universe,” they said, adding that while the key risks will get the most attention, all risks are continuously on the radar screen.
IARM is the ERM process owner in terms of developing, monitoring, and reporting protocols and their respective action items. Execution is handled by the functional and business unit executives. Specific risks are assigned to specific individuals. IARM pulls that together and reports to the board through the oversight of the Audit Committee on a quarterly basis, and more frequently if necessary.
Such board and management level buy-in is critical to the running of the program. “The engagement from those levels is absolutely necessary. You’re setting the tone at the top,” said one executive. “The time, effort, and rigor at the top cascade through the rest of the organization. If there is not buy-in from top management, it becomes a corporate or compliance exercise. This is not the case here. The CEO is visibly engaged and spends a considerable amount of time on ERM, supported by the board and the chair of the Audit Committee.” In fact, risk management is defined as one of everyone’s key objectives, which is critical to creating a culture of accountability.
ERM in practice
The risks the company identifies through its process are integrated into the highest level of management decisions, as well as day-to-day operations at the site level.
“We look at risks to the business and the strategic plan. We identify mitigating activities for any risk that might prevent us from achieving those plans,” the executives explained. “We go through this level of rigor at the project level. It gives us insight into risk management not just at the corporate level. ERM goes into every aspect of the business including managing our balance sheet and capital structure,” they said.
“Risk management plays a significant role in the work we do with communities and governments where we operate,” the ERM team said. The relationships