KPMG helps VTTI
For over 18 years, VTTI has been a global leader in independent energy storage and now develops critical energy infrastructure needed to move towards a carbon neutral future. Fueled by its purpose, ‘Energy to Move Tomorrow,’ the company safely provides and expands access to essential energy, including fuels, chemicals, gasses, and other energy derived products and accelerates the transition to sustainable sources for customers and partners.
KPMG is the outsourcing partner for VTTI in Internal Audit. In preparation for the 2024 annual audit plan and further professionalization of risk management, we started discussions about conducting a Dynamic Risk Assessment (DRA).
"We have been working with KPMG for a while, and we are always on the lookout for better practices and expert insights," says Jennifer Feuerstacke (JF), Head of Governance, Risk & Assurance at VTTI. "After having heard of DRA I was curious about the proposition and how it could help our organization to better facilitate the discussion about risk management."
What is KPMG’s Dynamic Risk Assessment?
"The traditional risk assessment models, which assess risks based on their individual impact or likelihood, have been widely applied by many organizations," states Ara Hovsepjan (AH), senior consultant Governance, Risk & Compliance Services at KPMG. "However, the existing models fail to recognize the interconnections among the risks, which may reveal enhanced assessment dimensions and more relevant risk-mitigating actions. In response to this, the Dynamic Risk Assessment (DRA) has been developed based on proven scientific modelling, expert elicitation, and advanced data analytics. DRA enables organizations to gain a deeper understanding of how risks impact the different parts of the firm and subsequently, to design more effective and efficient risk-mitigating measures."
"Risks cannot be assessed AND mitigated in an isolated way, treat them in an interconnected way."
Why did VTTI perform a Dynamic Risk Assessment?
JF: VTTI operates in a highly dynamic and constantly evolving business environment with a variety of external challenges and often subject to strict regulatory aspects. Examples of external challenges include the overall energy transition, complex stakeholder landscapes, and geopolitical developments. As the Governance, Risk & Assurance lead, my goal is to contribute to delivery of VTTI’s business objectives and enhance its resilience to risks. To achieve this, it is essential to firmly integrate risk management into VTTI’s day to day activities.
The primary reason for executing DRA is to obtain a concise and integrated representation of VTTI’s risk ecosystem, including strategic and external risks, as well as more operational risks. By gathering insights and creating an interconnected view of risks, we can effectively address distinct risk clusters in the organization. The execution of DRA provides an opportunity to further enhance the professionalization of risk management activities and improve processes, recognizing the importance of evolving risk management tooling and enhancing our risk management capabilities.
What does the Dynamic Risk Assessment (DRA) process look like?
AH: The Dynamic Risk Assessment process consists of four steps, divided into risk Identification and risk Assessment.
- Steps 1 and 2 - Individual Interviews & Workshop with Experts
We started by identifying at least six experts for individual interviews to compile an initial risk list. A key factor lies in selecting the right experts to achieve the best possible result. It is crucial to determine appropriate risk scales with the client, as this is vital for the most accurate risk assessment. Further in step 2, together with a large group of experts, we validate the risks to arrive at a maximum of 20 strategic risks for the organization. - Steps 3 and 4 – Risk assessment and Reporting
In step three, all experts will use the DRA survey tool to assess the identified risks based on probability & impact, connectivity, and velocity. Subsequently, we analyse the results and discuss them in step four.
What are the success factors for conducting a Dynamic Risk Assessment?
AH: Over the past few years, we have identified several success factors through conducting DRAs. We noted that these factors were crucial for ensuring the desired quality and impact in every assignment carried out.
An essential factor in successful Dynamic Risk Assessment (DRA) implementation is the involvement of the C-suite management. They need to understand and support the importance of risk management processes to allocate the appropriate resources and budgets, facilitating an effective DRA execution and realizing the outcomes. Coupled with this, clear goal formulation becomes crucial. Identifying these objectives during the goal-setting phase is crucial. They should be clear, widely understood, and set the expectations straight. Navigating through this intricate and continuous process, it becomes vitally important to seek out the right professionals. They should possess the necessary skills and experience to ensure they fit seamlessly into the process.
JF: Expectation management plays a crucial role to perform an effective DRA, and this involves appointing a C-level sponsor to discuss and manage expectations around risk management. This level of involvement creates realistic expectations among participants, ensuring they are engaged, aligned, and committed to expected results and outcomes. VTTI’s work culture and behaviour effectively support risk management. The importance of the tone at the top and organizational culture in making ERM a success cannot be emphasized often enough.
What were the challenges during execution?
AH: Each time, we find that one of the biggest challenges is to free up the schedules of our C-level executives to carry out the risk assessment process. The struggle intensifies when our leaders need these experts to focus their energy on other priorities. Overcoming this hurdle means our leaders need to carefully plan a strategy that balances our available resources against the level of risk we are willing to take.
JF: This is very recognizable. We faced a similar challenge with our team as well. First, selecting the right people to involve in the dynamic risk assessment process is crucial. Then getting timely and thorough responses from all involved can take time and effort, as not everyone shares the same priorities, which can lead to misunderstanding of timelines and unnecessary delays. To overcome this challenge, we focused on clear communication with all DRA participants and to remind them of the importance of their input and the criticality of timely responses for the process to be effective.
We also addressed the need for clear common definitions and language for risk assessment. This required finetuning to ensure that everyone had the same understanding of concepts and aligning on the interpretation of risk scales. We made choices as part of the DRA and as we operate in a dynamic environment, the process of ensuring a common language and aligning on scales is something we do periodically.
What were the deliverables and next steps?
AH: After completing step 4 of the process, we handed over the report to VTTI. This report visualizes the entire strategic landscape using the four dimensions of a Risk Assessment: impact, likelihood, connectivity, and velocity. Jennifer, what did you do with the DRA report and what choices did you make after receiving the results?
JF: Our company operates with an open mindset and consequence-conscious decision-making process. We carefully evaluate the implications of our choices. We discuss the DRA key insights regularly, sometimes specific to a risk domain and sometimes broader.
We also share essential points with the Audit Committee.
This ensures an ongoing risk dialogue and helps integrate consciously factoring risk aspects into daily decision-making. As a risk facilitator, it is important to be aware of the overall landscape and how this impacts our business. Building connections that help people understand the interconnectivity of risks featured in our DRA in their daily work is a continuous process.
It requires refreshing the discussion from time to time and evaluating if things have changed.
Keeping the dialogue going is the essence. Especially the aspect of interconnectivity represents a mental shift for the organization since there was a tendency to focus on risks from a functional perspective. The insight was not so much on the individual risks, but more on the way they influence each other.
That also means taking the DRA and looking deeper into the risk ecosystem with more detailed risk analysis. For external or strategic risks, the approach to address them is different to more preventable operational risks. That is where each risk owner needs to work on a suitable, cross-functional approach that goes deep into the organization, and ensure the actions are relevant.
After the DRA, we started taking a fresh look at our existing risk & control matrices (RCM) to see where the interconnectivity aspects play a role and if we need to take a different approach to some topics. While we did the DRA at enterprise level, our team of experts also included operating site representatives, who now take the learnings of the process to their teams, giving a new impulse to the local site dialogues on risk.
Finally, we ensure we have the right assurance activities in place to close the PDCA (plan, do, check, act) circle. Risk-based auditing is part of the approach, along with focused actions aimed at enhancing awareness around specific themes.
Within VTTI we recognize the importance of better risk dialogues and necessity to address risk in a cross-functional manner. Sometimes, cross-functional communication is challenging, given everyone’s full agenda and different perspectives on a topic. Still, dialogue is vital as it can reveal insights that are not visible on paper. It can also help identify the low-hanging fruit and promote a lean approach to processes. Expert elicitation as a concept ensures you have participants with relevant knowledge in any given dialogue. For any topic, take care that knowledgeable colleagues within the organization take a seat at the table.
Featured
Learn more?
Ara Hovsepjan
Alex Graafmans
About VTTI
For over 18 years, VTTI has been a global leader in independent energy storage and now develops critical energy infrastructure needed to move towards a carbon neutral future. Fueled by its purpose, ‘Energy to Move Tomorrow,’ the company safely provides and expands access to essential energy, including fuels, chemicals, gasses, and other energy derived products and accelerates the transition to sustainable sources for customers and partners. Please visit www.vtti.com for more information.
VTTI’s Headquarters is in Rotterdam, Netherlands and the company is owned by Vitol, IFM Investors and ADNOC.