RET embraces Enterprise Risk Management

Posted: 18 January 2009 | Will Franken RE CISA, Risk Manager, RET

In recent years, the legal structure for Dutch public transport companies has been changed drastically, transforming municipal services into private companies.

Triggered by a Dutch government ruling that restricts public transport tenders to independent legal entities, RET decided to privatise as of 1 January 2007 (i.e. one public shareholder, non-transferable shares). For RET, which operates extensive bus, tram, subway and fast ferry services in the metropolitan area of Rotterdam, ‘going private’ meant a big step in its long history that dates back to 1878.

Corporate governance

Changing its legal structure also implied a different regime for control, with a Supervisory Board embracing the values of corporate governance. Corporate governance is the set of policies, processes and procedures that affect the way a corporation is directed, administered or controlled.

Amongst other topics, the governance code of conduct refers to a set of best practices regarding risk management and internal control, for example:

  • Best practice II.1.4: “in the annual report the board reports the internal control – and risk management systems to be adequate and effective, giving substantive support to their assertions”
  • Best practice III.1.8: “at least once a year the Supervisory Board discusses corporate strategy and risks and the results of assessing the design and operating effectiveness of the internal control – and risk management systems including possible significant changes to these systems”

RET decided not only to follow up on these best practices but to take it one step further – to use risk management as a vehicle to realise business objectives. To this end, RET adopted the COSO framework for implementing Enterprise Risk Management.

COSO Enterprise Risk Management

Enterprise Risk Management (ERM) deals with risks and opportunities affecting value creation or preservation. ERM is defined by COSO as follows:

ERM is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

In other words, Enterprise Risk Management is cross-functional, company-wide, and looks at all risks – tangible and intangible, existing and emerging.

Enterprise Risk Management consists of eight interrelated components:

1. Culture scan – in which RET was assessed against e.g. risk management philosophy, risk appetite [1], integrity and ethical values. Along with an analysis on internal communication and information, this scan gave a positive view on the risk climate for the RET internal environment.

2. Objective setting – objectives must exist before management can identify potential events affecting their achievement. RET had already put a lot of effort into a comprehensive business plan in which business goals and ambitions for the midterm were elaborated. This business plan focuses on:

  • RET services being closely aligned with its customers and their expectations
  • A dominant RET market share in overall mobility
  • RET operates as an integral company
  • RET exploits public transport services against market prices
  • RET offers innovative services to customers and stakeholders according to socially accepted standards

3. Event identification – internal and external events affecting achievement of the organisation’s objectives must be identified. To this end, interviews and workshops with board members, senior managers and other staff members were very useful in identifying the WCGWs (What Can Go Wrongs).

4. Risk assessment – risks were analysed, considering likelihood and impact as a basis for determining how they should be managed. RET distinguishes between strategic risks, risks that threaten strategic business objectives and risks that are related to RET operations.

5. Risk response – the risk management process gives several alternatives to react to a risk. The first choice is to take appropriate measures to mitigate the risk. Secondly, risks can be avoided e.g. by redesigning the process. A third way is to look for insurance and ‘buying off the risk’. And finally, it is always possible to accept a risk e.g. when it is judged that the risk is inherent to the business. For the most part, RET chose to mitigate their risks; other risks were accepted in which case motivations were documented.

6. Control activities – these are policies and procedures to ensure that risk responses are effectively carried out. For RET this meant introducing a new management system in an organisation that already has a lot of controls in place e.g. with respect to internal control, safety management, contingency planning, project management, business continuity management etc.

7. Information and communication – relevant information is identified and communicated in a form and timeframe that enables people to carry out their responsibilities with respect to risk management.

8. Monitoring – the process of risk management is monitored and modifications are made as necessary. In this step, RET focuses strongly on follow-up on risk mitigation.

The process of Enterprise Risk Management heavily relies on management systems already in place, e.g. safety management and contingency planning receive a lot of attention in the public transport industry. Within RET, these topics are elaborated in an auditable process in which risk analysis is an important step in designing plans and procedures. Consequently, ERM doesn’t have to focus on risk analyses in this realm but still has an important role in taking risks out of isolated departments and to analyse them in an interrelated way throughout the organisation. In doing so, analyses may demonstrate that there are circumstances in which safety issues relate to corporate image.

Example

One of RET’s strategic objectives is to offer service-oriented public transport on top of a solid platform of technical and operational excellence. To put this ambition into practice it is imperative to make public transport perfectly accessible for passengers, both in an innovative way e.g. by joining the TCK [2] chip card pilot project and by providing basic services such as escalators, low-floor buses etc. Subsequently, the ‘high level’ risk of facilities giving inadequate access has to be mitigated by monitoring, contract management, service level management and contingency planning. Figure 1 on page 35 illustrates one of the strategic risks for RET.

Added value

By using a top-down approach and assessing strategic business objectives for potential risks, RET identified a number of obstacles for realising its corporate mission. The next step was to have senior managers translate the RET business plan to their units, complementing tactical business objectives with activities, critical assets, changes to the environment and a stakeholder inventory. This created a business map from which threats could easily be derived. The ultimate step is to bring this exercise to the operational level in which the business map is further detailed and more and more people become risk aware and include dealing with risks in their day-to-day operations.

Roadmap

When implementing Enterprise Risk Management, an organisation’s maturity level has to be taken into account. RET has chosen to take risk management one step at a time. The first step was to define an initial risk profile and to make people risk aware. The second step will be to further develop the operational risk management process. The ultimate goal will be that everyone understands his or her position in the organisation, is fully aware of what RET aims for and consciously takes risks and opportunities into account.

Conclusion

RET adopted Enterprise Risk Management for a number of purposes. First of all, defining a risk profile is the most effective means of gathering, prioritising, and communicating knowledge about enterprise risk to stakeholders. For principals (RET holds several concessions for a body in which the city of Rotterdam is represented), investors, civil society organisations and other stakeholders, there is improved transparency, a reliable disclosure of risks and the elimination of surprises. Secondly, companies with detailed information exposing their risk vulnerabilities will likely have a much better response when a crisis occurs.

Finally, Enterprise Risk Management creates a focus on business objectives, whereas risk awareness and risk response contribute to a learning organisation.

References

  1. Risk appetite is the amount of risk an organisation is willing to accept in pursuit of value.
  2. TCK is the pilot project for implementing chip cards into the public transportation access – and payment system.
