Client story: VTTI – 'How to firmly integrate risk management into day to day activities?‘

For over 18 years, VTTI has been a global leader in independent energy storage and now develops critical energy infrastructure needed to move towards a carbon neutral future. Fueled by its purpose, ‘Energy to Move Tomorrow,’ the company safely provides and expands access to essential energy, including fuels, chemicals, gasses, and  other energy derived products and accelerates  the transition to sustainable sources for customers and partners. 

KPMG is the outsourcing partner for VTTI in Internal Audit. In preparation for the 2024 annual audit plan and further professionalization of risk management, we started discussions about conducting a Dynamic Risk Assessment (DRA).

"We have been working with KPMG for a while, and we are always on the lookout for better practices and expert insights," says Jennifer Feuerstacke (JF), Head of Governance, Risk & Assurance at VTTI. "After having heard of DRA I was curious about the proposition and how it could help our organization to better facilitate the discussion about risk management."

"The traditional risk assessment models, which assess risks based on their individual impact or likelihood, have been widely applied by many organizations," states Arja Hovsepjan (AH), senior manager Governance, Risk & Compliance Services at KPMG. "However, the existing models fail to recognize the interconnections among the risks, which may reveal enhanced assessment dimensions and more relevant risk-mitigating actions. In response to this, the Dynamic Risk Assessment (DRA) has been developed based on proven scientific modelling, expert elicitation, and advanced data analytics. DRA enables organizations to gain a deeper understanding of how risks impact the different parts of the firm and subsequently, to design more effective and efficient risk-mitigating measures."

AH: Over the past few years, we have identified several success factors through conducting DRAs. We noted that these factors were crucial for ensuring the desired quality and impact in every assignment carried out.  

An essential factor in successful Dynamic Risk Assessment (DRA) implementation is the involvement of the C-suite management. They need to understand and support the importance of risk management processes to allocate the appropriate resources and budgets, facilitating an effective DRA execution and realizing the outcomes. Coupled with this, clear goal formulation becomes crucial. Identifying these objectives during the goal-setting phase is crucial.  They should be clear, widely understood, and set the expectations straight. Navigating through this intricate and continuous process, it becomes vitally important to seek out the right professionals. They should possess the necessary skills and experience to ensure they fit seamlessly into the process.

JF: Expectation management plays a crucial role to perform an effective DRA, and this involves appointing  a C-level sponsor to discuss and manage expectations around risk management. This level of involvement creates realistic expectations among participants, ensuring they are engaged, aligned, and committed to expected results and outcomes. VTTI’s work culture  and behaviour effectively support risk management. The importance of the tone at the top and organizational  culture in making ERM a success cannot be emphasized often enough. 

AH: Each time, we find that one of the biggest challenges is to free up the schedules of our C-level executives to carry out the risk assessment process. The struggle intensifies when our leaders need these experts to focus their energy on other priorities. Overcoming this hurdle means our leaders need to carefully plan a strategy that balances our available resources against the level of risk we are willing to take.

JF: This is very recognizable. We faced a similar challenge with our team as well. First, selecting the right people to involve in the dynamic risk assessment process is crucial. Then getting timely and thorough responses from all involved can take time and effort, as not everyone shares the same priorities, which can lead to misunderstanding of timelines and unnecessary delays. To overcome this challenge, we focused on clear communication with all DRA participants and to remind them of the importance of their input and the criticality of timely responses for the process to be effective. 

We also addressed the need for clear common definitions and language for risk assessment. This required finetuning to ensure that everyone had the same understanding of concepts and aligning on the interpretation of risk scales. We made choices as part of the DRA and as we operate in a dynamic environment, the process of ensuring a common language and aligning on scales is something we do periodically. 

AH: After completing step 4 of the process, we handed over the report to VTTI. This report visualizes the entire strategic landscape using the four dimensions of a Risk Assessment: impact, likelihood, connectivity, and velocity. Jennifer, what did you do with the DRA report and what choices did you make after receiving the results?

JF: Our company operates with an open mindset and consequence-conscious decision-making process.  We carefully evaluate the implications of our choices. We discuss the DRA key insights regularly, sometimes specific to a risk domain and sometimes broader.  

We also share essential points with the Audit Committee.

This ensures an ongoing risk dialogue and helps integrate consciously factoring risk aspects into daily decision-making. As a risk facilitator, it is important to be aware of the overall landscape and how this impacts our business. Building connections that help people understand the interconnectivity of risks featured in  our DRA in their daily work is a continuous process.  

It requires refreshing the discussion from time to time and evaluating if things have changed.

Keeping the dialogue going is the essence. Especially the aspect of interconnectivity represents a mental shift for the organization since there was a tendency to focus on risks from a functional perspective. The insight was not so much on the individual risks, but more on the way they influence each other.

That also means taking the DRA and looking deeper  into the risk ecosystem with more detailed risk analysis. For external or strategic risks, the approach to address them is different to more preventable operational risks. That is where each risk owner needs to work on a suitable, cross-functional approach that goes deep into the organization, and ensure the actions are relevant.

After the DRA, we started taking a fresh look at our existing risk & control matrices (RCM) to see where the interconnectivity aspects play a role and if we need to take a different approach to some topics. While we did the DRA at enterprise level, our team of experts also included operating site representatives, who now take the learnings of the process to their teams, giving a new impulse to the local site dialogues on risk. 

Finally, we ensure we have the right assurance activities in place to close the PDCA (plan, do, check, act) circle. Risk-based auditing is part of the approach, along with focused actions aimed at enhancing awareness around specific themes.

Within VTTI we recognize the importance of better risk dialogues and necessity to address risk in a cross-functional manner. Sometimes, cross-functional communication is challenging, given everyone’s full agenda and different perspectives on a topic. Still, dialogue is vital as it can reveal insights that are not visible on paper. It can also help identify the low-hanging fruit and promote a lean approach to processes. Expert elicitation as a concept ensures you have participants with relevant knowledge in any given dialogue. For any topic, take care that knowledgeable colleagues within the organization take a seat at the table.

Senior Consultant

Governance,  Risk & Compliance Services

hovsepjan.ara@kpmg.nl

Consultant

Governance, Risk & Compliance Services

graafmans.alex@kpmg.nl