Maheran Nor Salfarina Salim did not start out as a risk manager when she began her career more than two decades ago. In fact, the business major from the University of Tasmania was more into all things finance and with that background, her initial perspective of risk management was very different from what it is today. As the Head of Risk Management and Governance of PETRONAS Refinery and Petrochemical Corporation Sdn Bhd (PRPC), however, she finds that her previous experience in the financial field has been a great support to her present risk management career – although by her own admission, she realised that “finance was not really my forte.”
She was speaking at a session organised for the benefit of students of the University of Wollongong’s MBA course, on what it was like to be a risk practitioner in the Oil & Gas industry. Starting as a Finance Executive, she moved on to becoming a Finance & Administration manager at PETRONAS offices in Cambodia and India, before returning to the Malaysian headquarters, where she became the Head of Scholarship in the Financial Services Department. “This is where I started getting really involved directly with risk,” she said. “I started with financial risk. I was appointed as Head of Integrated Risk in PETRONAS Financial Risk Management in PETRONAS headquarters.”
This was not something new to her as someone with a finance background, but the perspectives were different. “We were not the frontliners, nor were we the back office,” she explained. “We were right in the middle, looking at the whole of financial exposure, from the perspective of financial transactions of financial, commodity, price and credit counterparty risks, among others.” There were a whole host of other related activities as well. She also became involved in formulating corporate financial policy at different levels for PETRONAS’ upstream and downstream businesses. “It was really interesting as I was exposed to the business, and started having more in-depth conversations about risk,” she added.
Discussions centred around what kind of exposure the business would experience if certain objectives or strategies were pursued. “These conversations made me really happy,” she said. “It was thrilling!” Businesses, she remarked, are aware of the risks, and are generally proactive about how to mitigate it. Her interest saw her becoming a market risk specialist soon after, looking after the company’s investment portfolio under the treasury department. She tracked the market closely every day, identifying the kind of exposure of the firm’s portfolio – a very specialised area. After about a year and a half, she moved from the financial risk department to the downstream business.
Here, as the Head of Financial Risk & Governance, the exposure was beyond financial risk of the investment portfolio. There was more involvement with business people, and with mergers and acquisitions. “Risk management is becoming important because risk managers are supporting their organisations’ decisions, and are being seen as business partners,” she pointed out, adding that she has since become a specialist in downstream business which includes petrochemicals, refineries, lubricants and retail stations. In 2016, she moved to PRPC as the Head of Financial Risk & Governance, and decided to get herself certified as an Enterprise Risk Manager with IERP.
By this time, her portfolio had expanded beyond financial risk, to enterprise-wide risk. She found that the certification course gave her several advantages, such as additional knowledge, best practices, techniques and skills – particularly with managing stakeholders. “Managing stakeholders is not something you learn in the classroom; it’s something you acquire throughout your career,” she said. “It’s a process of trial and error, getting comments and feedback from superiors, colleagues and counterparts – whoever you work with. As long as you take it positively, you will grow and become better at managing stakeholders.”
There’s never a dull moment when one is in risk management, she declared. But rather than letting the thought of what could happen keep her up at night, she approaches it with optimism – actually looking forward to the next day. “My job is to recognise the concerns that businesses have, and do something about it,” she said. Sharing her role and that of her company in the Pengerang Integrated Complex, she said, “We manage the entire complex, and are also the service provider; it is a huge responsibility, making sure that things are in place. We need to identify the possible exposure or threat to the companies’ strategic objectives, and put mitigative measures in place.”
Her presentation also covered PETRONAS’ Resiliency Model and the role that ERM plays, i.e., to reduce the likelihood and impact of identified risks to enhance the organisation’s achievement of its objectives. “Every organisation establishes its strategic objectives every year, e.g., how many barrels of oil to produce next year or how much revenue or cost optimisation needs to be achieved,” she said. “In order to achieve these goals, what are the risks or exposure we need to be aware of? What risks need to be considered in business operations? We typically have regulatory, financial, market and operational risks.”
Running through a comprehensive list of things to do in connection with the process of risk mitigation, she said that conversations about risk exposure usually started in tandem with budget discussions, normally in August or September each year. “We do a round of risk conversations with leaders in the organisation to find out what they think will hinder the achievement of their goals,” she explained. “The conversation is carried out over a month or so, after which a risk profile is developed. The risk events are identified, together with the causes and consequences. Based on these, we discuss mitigation, and everything is presented to the board.”
Such reviews are updated every quarter, to determine if the measures set in place, as well as the risk ratings, should be maintained or need to be increased or decreased. “All this is guided by the enterprise risk management framework that we have, as well as our policies,” she said. The risk profile is to facilitate decision-making by management, while the risk appetite is identified by the board every year, so that management can run the business. Once the risk appetite is established, it is monitored by the risk management team. She stressed that every decision paper which goes to the board or CEO for consideration must have a risk assessment included, that considers all types of exposure.
Addressing the question of whether there was a future for risk management and risk practitioners, she affirmed that there definitely was. “As long as we understand what the business wants, we become part of the enterprise, not a hindrance to the business,” she said. “Also, we cannot assess our current profiles only every August or September. We need to be flexible and agile, monitor continuously and be constantly aware of trigger events – be proactive instead of reactive.” Risk professionals also need to be innovative, and have lots of conversations with others in the business on threats like cybersecurity, or how cryptocurrency will affect the organisation.
A certain level of openness is also necessary. “Good risk managers need to be vigilant, agile and dynamic but they also need to be able to call a spade, a spade,” she said. “If anything is high risk to the company, you have to notify the board accordingly even if it can be rationalised. Don’t be afraid to speak up.” Wrapping up the session with what she looks for when interviewing candidates for a risk manager’s position, she said candidates can be from any background but they should at least be able to understand what risk management entails, and be able to explain their perspectives as well as how they deal with business people.
Candidates should be able to articulate which risks they think are relevant, and could impact the country. Emphasising that some people tend to see risk assessment as risk management, she stressed that this was not so, adding that “at the end of the day, my team members must be able to see risk not as a ‘show-stopper’ but as an opportunity to grow,” she said.
