I first thought that this was a typo on the agenda, but the name of the company is really Mn Services. They administer the pension plans for a range of pension funds in the Netherlands. The presentation is given by Mr. Michiel Schuijt.
Their challenges are that they want to be a very reliable business partner. They have to find a way to balance business and threats. According to him, the "in control statement" itself is not the objective, but the application of it is. Of course, like every company in that domain, they are heavily influenced by laws and regulations. They have to comply with them and provide adequate responses to changing laws and regulations.
I always love the risk management people, because they often make use of military language. Mr. Schuijt, for example, presents the different lines of defense they have. The first line is the business processes. The second line is internal controls and risk management. This is followed by internal audits. The fourth line of defense is an external one, namely external audits. The final line of defense is regulators controlling their business.
In the past, their processes were loaded with too many controls. Now, they turn it around by putting goals and controls first and designing processes around them. That also explains the title of Mr. Schuijt's presentation.
They implemented risk management at Mn Services using ARIS. As far as I understand (I'm not a risk management expert), they assess all their controls and put them into 4 different maturity levels. They also invested in risk awareness, meaning extracting existing risks on the different management levels. With top management they identified strategic risks, and with middle management they identified tactical risks. In the next steps, they aligned those risks with overall goals and processes. For each risk, they implement control management. Here, they use ARIS Risk & Compliance Manager to ensure that controls are actually executed on a regular basis.
Another important aspect for them is compliance management, because there are around 200 different laws and regulations governing their business. An electronic publisher provides the necessary texts and also informs them of updates. They integrate this information in ARIS, for example to mark which controls must be updated.
That was a fast presentation with a lot of content. I think the key point is that enterprise risk management is more than just monitoring some financial risks.