Enterprise risk management in mining and metals

Theo Yameogo: Welcome, Gaby. Thanks for joining me. I'm looking forward to our conversation about enterprise risk management.

Gaby Kazour: Thanks for having me. I look forward to our discussion.

Theo Yameogo: Let's get right into it, Gaby. As a national leader for enterprise risk management for mining and metals clients, you see different risk appetites, different risk frameworks. How has the risk world evolved in the past two years?

Gaby Kazour: Excellent question Theo, thanks. So, over the past two years, the pace that the risk is evolving at has been unprecedented. And we've seen significant new entrants into our top mining risks that we haven't seen before. I think if you look at our 2022 risk survey, two things stand out. One is ESG, and the second one is decarbonization, which ranked one and two, which was kind of surprising at the beginning when we look at these two risks, compared to license to operate, which historically has been for the past four years, at least, the number-one risk in our sector. But now we think about it from an ESG point of view. I think, you know, a lot of organizations are looking at their sustainable practices. A lot of investors are looking for ways to invest in sustainable organizations. And a lot of capital is being raised by organizations that have good sustainable practices and environmental practices. Keeping that in mind, I think these are some of the risks that organizations historically had on their risk register but they never really focused on that much. With the way things are changing in the way these risks are evolving, again, we live in a world where things are changing almost on a monthly basis, if not daily.

You look at the pandemic and the outcomes of the pandemic. You look at the recent conflict that's happening in parts of the world. You look at the supply chain disruption that's happening. You look at our talent shortages. So risks are really somewhat different and are coming at a faster pace than we used to have before. And these will continue to evolve, and organizations will continue to have to adapt and change their risk management policies or risk management frameworks to address these risks that are rising.

Theo Yameogo: Thanks for that, Gaby. I know you interact a lot with audit committee chairs and audit committees across the country. How are mining companies revisiting and adjusting their risk management strategies?

Gaby Kazour: So, organizations need a reliable risk management strategy. Data intelligence can help organizations with driving efficiencies and reducing costs and really working towards the strategic objectives of the organization. In a recent 2021 board risk survey, fewer than 20% of board members indicated that their organizations are managing risk appropriately. The old way of combating risk in a divide-and-conquer method is no longer effective.

As we mentioned earlier, I think the risks are evolving at a faster pace, they’re quicker than before. And, you know, the digital era is changing a lot of the ways we do things in the future. So accordingly, risk management strategies have to be more integrated. You're looking at a risk management strategy or organizations that are leading practice where you're seeing a lot more integration from a governance risk, a compliance functions with business strategies.

The three lines of defence model is becoming more integrated within an organization and more responsibilities are added. This is allowing organizations to really focus in on the upside risk and capitalize on upside risk, where at the same time minimizing the impact of downside and outside risks. This is critical for organizations. When we look at organizations and we look at how they're reshaping some of their risk appetite in terms of capturing the opportunities, because sometimes we talk about the risks, but we're ignoring the opportunities aspect of things. Because with risks, there are opportunities as well. Having a well-defined risk appetite framework for an organization is very critical. We see a lot of mining companies taking time to refresh their risk appetite to understand what are the areas that they need to invest in, what are the areas that they need to focus and avoid.

And these are critical. One of it is allowing the organization to have more risk coverage. And they're capitalizing on these risks as well. We talk about upside risk. There is a capitalization aspect of this risk. And then finally, the cost of compliance overall is reducing. You're eliminating some of the redundancies in the processes. You're simplifying the process, and you're taking advantage of the digitalization that's happening. So the data within the organization is critical to help these risk management functions be able to make decisions quicker and more insightful decisions as well.

Theo Yameogo: So, Gaby, in this ever-changing environment, how should the role of internal audit evolve?

Gaby Kazour: From an internal audit point of view, I think one thing we want to focus in on, the function itself hasn't evolved as quickly as the rest of the business has evolved historically. So right now, internal audit is really playing catch-up with the rest of the business. However, again, when we go back and we revisit some of the leading organizations in the way they're dealing with internal audit, you see internal audit taking more of a trusted advisor role at this point in time. They're focusing less and less on the traditional ways of doing audits in terms of the five-, six-, eight-week program to complete an audit and then take some time to report on that to becoming more agile. Internal audit of the future is going to be more of a control centre where you're going to have people monitoring dashboards, analyzing results based on all the technology that has been implemented in organizations.

Some of our leading mining organizations have already started implementing new technologies and internal audit functions to help with the risk reporting and continuous monitoring aspect of things, allowing the internal audit function to really partner with the business and support the business with the growth.

Internal audit is foundational to any organization. Now, you want to make sure internal audit’s mandate is clear. They are addressing the risks that matter. They are partnering with third parties or subject matter resources to perform some of these audits. We've seen a lot of organizations apply a, what we call a co-source model, where they team with subject matter resources that have deep expertise in specific areas, whether it's a cyber or a supply chain or our metals accounting expertise to help them achieve some of these audits and provide meaningful and insightful recommendations to the business. Any organization cannot really build their own internal audit function by staffing up all the competencies so that teaming or collaboration with experts in the field is becoming more critical, and it's allowing internal audit to raise the profile within the organization and allow them to better partner with the business.

Theo Yameogo: We definitely need a world of collaboration. Thanks Gaby, for your insightful conversation.

Gaby Kazour: Thanks for having me, Theo. I think this is really critical at this time, to talk about risk with our clients and highlight how quickly some of these things can happen so everyone's prepared and we're all working towards the same objective of building a better working world.