Risk Management Fundamentals
Mikaela Reynoldson
Claverhouse Risk & Legal
Learning outcomes and objectives
• Have a better understanding of AS/NZS ISO 31000:2009 (Risk management – Principles and Guidelines)
• Understanding the link between governance and risk in Victoria
• Knowledge of each activity contained in the risk management process
• An understanding of the linkage between governance, risk and control
• Use of tools and techniques necessary for managing the risks facing your organisation
• Apply the risk management principles within your area of responsibility
• Conduct a basic risk assessment applying the tools supplied
Risk defined
Definition - What is Risk?
“The chance of something happening that will have an impact on achieving objectives” - AS/NZS 4360:2004
“Effect of uncertainty on objectives” - ISO 31000
(Source: ISO31000 Risk Management – Principles and Guidelines on Implementation, 2009)
Module 1 – Introduction to Governance and Risk Management
Risk Management - a comprehensive process
• Supported by appropriate strategies and frameworks
• Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent a department or agency from achieving its objectives.
• Covers strategic, operational, financial and compliance risks.
• The term “enterprise-wide risk management” is widely used both by the Victorian public sector and the private sector to describe this comprehensive approach.
What are the benefits of a Risk Management framework?
• Enables identification of threats and opportunities for an agency
• Improves and informs the planning process
• Reduces likelihood of costly “surprises”
• Contributes to improved resource allocation
• Improves efficiency and performance
• Improves accountability
• Encourages continual improvement
Governance and risk management in Victoria – why is risk management important?
Legislative obligation
• Victorian Managed Insurance Authority Act (1996) and
• Financial Management Act (1994).
Financial Management Act – requires agencies to develop and implement a risk management strategy, and keep it under review. There is a quarterly monitoring process established under the Act.
Victorian Managed Insurance Authority Act – requires participating bodies to develop and implement a risk management strategy, and keep it under review.
Board obligation
The Board is required to attest annually that the risk management framework is in place. The VGRMF imposes the obligation.
Example of an attestation clause (VGRMF)
I, [Accountable Officer], certify that as at 30th June 20XX the [Department] has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The audit committee verifies this assurance and that the risk profile of the [Department] has been critically reviewed within the last 12 months.
(Source: Victorian Government Risk Management Framework, July 2007, Attachment A, p. 21)
Link between Governance and Risk Management
What is Corporate Governance?
• Three basic elements - stewardship, leadership, and control.
• Corporate governance is the framework established by a governing body to ensure that stakeholders, primarily the Parliament, the Government and the Victorian community, have assurance that the agency is fulfilling its responsibilities with due diligence and accountability.
• This stewardship relationship demands that Boards establish processes to both delegate and limit power to pursue the organisation’s strategy and direction in a way that enhances the prospects for the organisation’s long-term success.
Risk management governance structure (diagram)
• Board Level: Board of Directors; Audit & Risk Committee; Other Board Committees
• Management Level: CEO; Executive Team; Management Team; Manager, Quality & Risk; Risk Management Advisory Committee; Quality Committee; Service Quality and Risk Mgt Committee; Other Sub-Committees
• Operational Level: Staff/Volunteers
Flow labels between the levels on the diagram: Oversight, Critique, Monitor & Review, Guide, Identify, Assesses, Execute.
The integration of risk management
Any successful alignment of risk management and governance requires four key factors:
• an agency focus – where there is an identifiable source of risk management expertise in the agency and senior managers come together on a regular basis to discuss risk management issues
• an agency direction – where a clear direction and strategy is established for risk management, including articulating the agency’s risk appetite and giving a clear mandate for what constitutes effective risk management
• decision-making structures – where risk management is not a separate process, but a key consideration at all parts of the decision-making chain: being factored into strategic and operational planning; included as a common component in all project proposals and business cases; and incorporated into advice to Ministers; and
• agency capacity and capability – where the agency’s executive management invests time and resources to build momentum, capacity and capability, including: ensuring that there is a shared language of risk management; a common understanding of the principles; training and development to build expertise; and established tools and processes for risk management.
Integrated risk management requires an ongoing assessment of potential risks and opportunities for an agency at every level. The results should inform agency level risks, facilitate priority setting and improve an agency’s decision making.
Clear links should be established between risk management, Government policies and priorities, agency objectives (vertical integration), and agency policy and operations (horizontal integration).
Enterprise wide perspective (diagram)
Framework cycle: Mandate and Commitment → Design of Framework for Managing Risk → Implementing Risk Management → Monitoring & Review of the Framework → Continual Improvement of the Framework.
Supporting elements shown around the cycle: Principles; Organisational Strategy & Objectives (Measures & Targets); Risk Management Policy; Risk Management Plan(s); Risk Management Process(es); Risk Register/Risk Profile; Risk Reporting; Assurance/Attestation Plan.
Integrated approach
Corporate governance is the guidance system for achieving planned objectives – it is an objective-focused concept. It is a process by which organisations are directed, controlled and held to account.
Elements of the integrated approach (diagram), all directed at the Achievement of Strategies & Objectives:
• Corporate Governance
• Risk Controls – Risk controls provide reasonable assurance to Board & Management that objectives will be achieved within an acceptable degree of residual risk.
• Risk Management – Risk management develops risk treatment plans, risk controls and strategies associated with achieving objectives.
• Quality & Compliance – Compliance & quality ensures that laws, regulations, codes, and organisational standards and requirements are met.
• Monitoring, Review & Reporting – Monitor, review & report against performance measures for each objective.
• Performance Management – Performance of individuals is managed, motivated & aligned to organisational & personal objectives.
Seven key questions
A good risk management framework seeks to answer these basic questions:
• what are we trying to achieve?
• what events or circumstances could affect the achievement of our objectives?
• what are the consequences?
• how likely are these events?
• what can we do to manage these outcomes?
• how will we maximise opportunities?
• can the organisation recover if a risk eventuates?
Module 2 – Framework for managing risk
The trilogy of risk frameworks
• AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November 2009) **Replaced AS/NZ 4360
  • Standard developed as a Guideline Document
  • Unlike other ISO standards, it is NOT for certification
• ISO Guide 73:2009 - Risk management — Vocabulary (15 November 2009)
  • Defines important risk management terminology
• IEC/ISO 31010:2009 Risk Management - Risk Assessment Techniques (1 December 2009)
  • A supporting standard for ISO 31000:2009 (15 November 2009)
  • Provides guidance (Annex A – Informative) on selection and application of systematic techniques for risk assessment
  • Is NOT for certification, regulatory or contractual use
Related standards, handbooks and frameworks
• HB 158:2010 – Delivering assurance based on ISO 31000:2009
  • Helps assurance providers to plan and implement their activities using the information arising from the (ISO 31000:2009) risk management process.
• HB 327:2010 - Communicating and consulting about risk (23 February 2010)
  • Provides guidance to individuals and organisations to understand communication and consultation when managing risk.
• AS/NZS 5050:2010 Business continuity - Managing disruption-related risk (28 June 2010)
  • The Standard describes the application of the principles, framework and process for risk management, as set out in AS/NZS ISO 31000:2009, to disruption-related risk.
• Victorian Government Risk Management Framework (March 2011)
The one we use: Risk Management Framework - ISO 31000:2009 (process diagram)
Establish the Context → Identify Risks → Analyse Risks → Evaluate Risks → Treat Risks, with Communicate & Consult and Monitor & Review running alongside every step.
Overview of AS/NZS/ISO31000 & AS/NZ 4360
Principles for managing risk (Clause 3) – AS4360: implicit, to some extent
1) Creates value
2) Integral part of organisational processes
3) Part of decision making
4) Explicitly addresses uncertainty
5) Systematic, structured & timely
6) Based on the best available information
7) Tailored
8) Takes human & cultural factors into account
9) Transparent & inclusive
10) Dynamic, iterative & responsive to change
11) Facilitates continual improvement & enhancement of the organisation
Framework for managing risk (Clause 4) – AS4360: covered partially in Section 4 “Establishing effective risk management”
• Mandate & commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring & review of the framework
• Continual improvement of the framework
Process for managing risk (Clause 5) – AS4360: fully covered in Section 3 “Risk Management Process”
• Establishing the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communication & consultation
• Monitoring & review
Attributes of enhanced risk management (Annex A - Informative) – AS4360: not covered
Framework for managing risk
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.3.1 Understanding the organisation and its environment
4.3.2 Establishing risk management policy
4.3.3 Accountability
4.3.4 Integration into organisational processes
4.3.5 Resources
4.3.6 Establishing external communication & reporting mechanisms
4.3.7 Establishing internal communication & reporting mechanisms
4.4 Implementing risk management
4.4.1 Implementing the framework for managing risk
4.4.2 Implementing the risk management process
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
(Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)
Page 20
Risk management should be embedded in all the
organisation's practices and processes in a way that it
is relevant, effective and efficient. The risk
management process should become part of, and not
separate from, those organisational processes. In
particular, risk management should be embedded into
the policy development, business and strategic
planning and review, and change management
processes.
Fit-for-purpose?
(Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)
Module 3 – Embedding risk management
Integrating risk management (diagram)
• Governance Structure: Board → CEO → Corporate Services, Client Services, Operations
• Strategic & Operational Planning Process: Strategic Objectives & Indicators, aligned & cascaded down to Operational Objectives & Indicators
• Risk Management Process: Strategic Risk (Risk Register), cascaded down to Operational Risk (Risk Register), which is escalated up
• Reporting Process: Operational Reports, evaluated & reported, consolidated & escalated up into the CEO/Board Report
How to embed risk management - some examples
Committee/meeting map template columns: No | Level | Committee Name | Frequency | Members | Responsibility (Terms of Reference) | Reports To
• Map “as-is” committee/meeting structure. Rationalise committees/meetings, where possible.
• Review risk management roles of each committee/meeting. Risk management as standing agenda item in all meetings.
• Map “as-is” organisational/reporting structure. Rationalise reports, where possible.
Embedding risk management - some more examples
• Include responsibility for risk management in all job descriptions
• Risk management as standard reporting item in all reports
Also remember:
- introduce a language of risk
- risk environment changes over time
- organisational change means roles and responsibility for managing risk will change
- clarify strategic and operational objectives and measures
- articulate and document those objectives and measures
Module 4 – Risk management policy and plan
Content of a typical risk management plan
• A statement of the risk management policy
• Details of the scope and objectives of risk management in the agency
• Consistent risk management language and definitions
• Integration with other management practices and procedures
• Risk Assessment criteria (consequence and likelihood ratings)
• Description of the internal and external context in which the agency operates
• List of analysed risks (detailed in the Risk Register)
• Summary of the risk treatment plan
• Outline of the risk reporting protocol
• Outline of the monitoring and review program
Content of a typical risk management policy
• Objectives, scope and coverage of the policy
• Statement of commitment from the Board
• Accountabilities and responsibilities for managing risk
• Alignment with other management policies and procedures
• Escalation and reporting protocols
• Statement of risk appetite and tolerance
• Processes, tools and templates for managing risk
• Reporting and communication protocols
• Statement about assessment, measurement and reporting methodology
• Outline of DRP and BCP and regularity of testing regime
Module 5 – Process for managing risk
The Process of Risk Management?
“Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects” - AS/NZS 4360:2004
(Source: ISO31000 Risk Management – Principles and Guidelines on Implementation, 2009)
“...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
The risk management process described in more detail (clause numbers from ISO 31000)
5.2 COMMUNICATION & CONSULTATION (runs alongside every step below)
5.3 ESTABLISHING THE CONTEXT
  5.3.2 External Context
  5.3.3 Internal Context
  5.3.4 Risk Management Process Context
  5.3.5 Developing Risk Criteria
5.4 RISK ASSESSMENT
  5.4.2 RISK IDENTIFICATION – What can happen, when, where, how & why
  5.4.3 RISK ANALYSIS – Determine existing controls; determine consequences; determine likelihood; determine level of risk
  5.4.4 RISK EVALUATION – (1) Compare against criteria. (2) Identify & assess options. (3) Decide on response. (4) Establish priorities.
5.5 RISK TREATMENT
  5.5.2 Selection of risk treatment options
  5.5.3 Preparing and implementing risk treatment plans
5.6 MONITORING & REVIEW (runs alongside every step above)
Communication and Consultation
It is critical to:
• Establish channels of communication with internal and external stakeholders
• Allocate risk management tasks and activities with responsibilities, accountabilities and authorities clearly understood and defined
• Draft a communications plan and a distribution timetable
• Identify what specialist advice might be needed (engineers, actuaries, OHS specialists, VMIA support)
• Identify the stakeholders –
  • Internal (Board, Minister, executive and operational management)
  • External (Regulators, customers, the public, key suppliers)
Module 6 – Establishing the context
Establishing the context
Know and understand:
- the purpose, goals and objectives of the agency;
- where the risk management process is being applied within the agency;
- the cost/benefit of the risk management program and the resource allocation required;
- the need to maintain documented records of the program;
- the external and internal environment in which the agency operates;
- the sources of risk facing the agency;
- the benchmarks around which risk will be evaluated within the agency.
Risk Appetite and Tolerance
Risk appetite - The amount and type of risk that an organisation is willing to accept in pursuit of its long term strategic and operational objectives.
Risk tolerance - The boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.
Sources of risk – common risk categories (diagram): Financial; Operational; Clinical; Health, Occupational, Safety; Human Resource; Governance; Infrastructure/Asset; Strategic.
Consequence and Likelihood
• A process for evaluating the risk facing the agency using agreed criteria;
• Likelihood means the probability of the identified risk occurring
• Severity means the impact on or cost to the agency if the identified risk occurred
• The likelihood and severity ratings are multiplied together and plotted on a heat map which gives a view of the overall risk profile for the agency. An informed decision can then be taken as to the response strategies, treatment plan and resource allocation that might be appropriate.
• Responsibilities can then be allocated to a risk owner with the treatment tasks allocated to a control owner.
• Examples of the tools used to plot severity and likelihood are in the following slides
Tools for assessing risk - Risk rating scales (likelihood)
Score | Descriptor | Detailed description
5 | Frequent | The event is very likely to occur within 3 months
4 | Likely | The event will probably occur within 1 year
3 | Occasionally | The event could occur between 1-3 years
2 | Unlikely | The event could occur between 3-10 years
1 | Rare | The event may possibly occur, but unlikely at a frequency less than 10 yearly
**A time horizon is selected that best suits the unique profile of the agency
Risk rating scales: consequence
Score | Description
5 | Catastrophic / Extreme
4 | Major
3 | Moderate
2 | Minor
1 | Insignificant
The categories below are possible categories only; the slide shows a column for each, with the cells left blank to be filled in: Financial, Service Delivery, Reputation, People & Knowledge, Health and Safety, Legal and Regulatory.
Risk matrix (likelihood score × consequence score)
LIKELIHOOD \ CONSEQUENCE | Insignificant 1 | Minor 2 | Moderate 3 | Major 4 | Catastrophic 5
Almost Certain 5 | 5 | 10 | 15 | 20 | 25
Likely 4 | 4 | 8 | 12 | 16 | 20
Possible 3 | 3 | 6 | 9 | 12 | 15
Unlikely 2 | 2 | 4 | 6 | 8 | 10
Rare 1 | 1 | 2 | 3 | 4 | 5
Risk appetite and risk rating (diagram)
A heat map with axes Increasing Likelihood and Increasing Impact, divided into regions labelled Large Appetite for Risk, Standard, Plan for All Extreme Risks and Risk Averse; the levels of responsibility marked along the axes are Board, CEO, Manager and Staff.
Risk response and escalation
Risk | Type of Action | Risk/Audit Committee oversight
Extreme | Immediate action required | Direct
High | Senior management attention needed | Monitors
Moderate | Management responsibility must be specified | Ensures sign offs and is advised of changes up or down
Low | Manage by routine procedures | Ensures sign offs
Escalation levels marked on the slide: GMs → CEO/Board.
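The following is an added illustration, not code from the slides: it scores a register entry with the likelihood × consequence matrix and the escalation table above, and separates inherent from residual risk as the register slides do. The deck does not state where the Low/Moderate/High/Extreme cut-offs fall on the 1-25 scale, so the bands here are an assumption (chosen so the deck's own example, Minor × Possible = 6, rates Moderate), and the inherent rating of the sample entry is constructed.

```python
"""Risk scoring with the deck's likelihood x consequence matrix and
escalation table. The rating bands are an assumption, not from the slides."""
from __future__ import annotations
from dataclasses import dataclass

# Likelihood and consequence scales exactly as labelled in the risk matrix.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# ASSUMPTION: the slides give the 1-25 matrix and four ratings but no cut-offs.
# Illustrative bands; the deck's example (Minor x Possible = 6) must land on Moderate.
BANDS = [(1, 4, "Low"), (5, 9, "Moderate"), (10, 15, "High"), (16, 25, "Extreme")]

# "Risk response and escalation" table from the slides: (type of action, committee oversight).
ESCALATION = {
    "Extreme": ("Immediate action required", "Direct"),
    "High": ("Senior management attention needed", "Monitors"),
    "Moderate": ("Management responsibility must be specified",
                 "Ensures sign offs and is advised of changes up or down"),
    "Low": ("Manage by routine procedures", "Ensures sign offs"),
}


def risk_score(likelihood: str, consequence: str) -> int:
    """Likelihood score x consequence score, i.e. one cell of the 5x5 matrix."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_rating(score: int) -> str:
    """Map a matrix cell to a rating using the assumed bands."""
    for low, high, name in BANDS:
        if low <= score <= high:
            return name
    raise ValueError(f"score {score} is outside the 1-25 matrix")


@dataclass
class RegisterEntry:
    risk: str
    inherent: tuple[str, str]   # (likelihood, consequence) before controls
    residual: tuple[str, str]   # (likelihood, consequence) after existing controls

    def assess(self) -> dict:
        """Score both views, then look up the required response for the residual rating."""
        inh, res = risk_score(*self.inherent), risk_score(*self.residual)
        inh_rating, res_rating = risk_rating(inh), risk_rating(res)
        action, oversight = ESCALATION[res_rating]
        return {
            "risk": self.risk,
            "inherent_score": inh, "inherent_rating": inh_rating,
            "residual_score": res, "residual_rating": res_rating,
            "action": action, "committee_oversight": oversight,
            "controls_reduced_rating": inh_rating != res_rating,
        }


def build_heat_map(entries: list[RegisterEntry]) -> dict[str, dict[str, int]]:
    """Count residual risks per matrix cell: heat_map[likelihood][consequence]."""
    grid = {lk: {cq: 0 for cq in CONSEQUENCE} for lk in LIKELIHOOD}
    for entry in entries:
        lk, cq = entry.residual
        grid[lk][cq] += 1
    return grid


# Constructed sample from the register slide: loss of key personnel, residual
# Consequence = Minor, Likelihood = Possible. The inherent view is assumed here.
EXAMPLE = RegisterEntry("Loss of key personnel", ("Likely", "Major"), ("Possible", "Minor"))

if __name__ == "__main__":
    for key, value in EXAMPLE.assess().items():
        print(f"{key}: {value}")
    print(build_heat_map([EXAMPLE])["Possible"])
```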
Control effectiveness scales
1 Effective – Indicates minimal uncontrolled risk, due to excellent risk management/controls in place, tested and monitored
2 Good – Indicates good risk management and control system, but an opportunity for refinement exists to reduce risk further.
3 Fair/Partially Effective – Indicates a need for improvement in controls, increased adherence to controls or that controls are being developed, but are not fully in place and tested.
4 Poor – Indicates effective risk controls have not yet been developed and a significant lack of risk control exists – additional risk management or treatment is a matter of priority
Module 7 – Risk assessment and treatment
The Risk Register
• The risk register is a key document which records the output of the risk management process
• At a minimum it would contain the following:
  o Risk Description
  o Assessment of Inherent Risk
  o Assessment of Controls
  o Assessment of Residual Risk
  o Treatment of Risk
  o **Remember the distinction between inherent (untreated) and residual (treated) risk
Risk Register - Example
Category: EMPLOYEES
Risk: Loss of key personnel - Residual Risk Rating = Moderate (Consequence = Minor; Likelihood = Possible)
Inherent Risk Description:
• Loss of key employees leading to the loss of primary relationship contacts, loss of investment in training and development and loss of intellectual property. This may lead to stretched resources and disrupt the Department’s capability to continue critical business operations.
Potential causes include:
• Poaching of employees
• Changes to the organisation influencing the culture and leading to instability/insecurity
• Lack of availability of skilled and competent workers
• Career/lifestyle change
• Retirement, death/mental inability
Primary Controls / Processes / Control Strategies:
• Competitive remuneration, strategies and structure
• Defined targets and KPIs
• Divisional and Departmental operating targets for all key employees
• Work life balance
• Training and internal growth opportunity
• Non-remuneration employee benefit strategies (EAP)
• Identification and grooming of employees into the succession role
• Training to ensure success in the new role
• Documented policies and procedures/information to retain knowledge
Assurance Provider / Monitoring Procedures:
• Human Resources – Quarterly Reports submitted to Departmental Management regarding Performance Management System and Succession Planning
• Divisional Management – Control Self Assessment performed 2 monthly which includes questions on PMS and succession planning
• Internal Audit – An internal audit on Performance Management System to be performed during the 2011/12 year
• External Audit – Payroll testing to be included in Annual Audit.
Are Risks being managed effectively? (What more could be done?):
Overall effectively managed. Areas for improvement:
• Formalised training calendar to be introduced
• Input controls to be strengthened over Payroll
• Salary benchmark to be performed
• Internal advertising of posts available to be sent out on monthly e-mails
• All issues to be tracked on tracking database
Risk Treatment
There are five risk treatment options available as defined below:
o Avoid the Risk
o Transfer the Risk
o Share the Risk
o Treat the Risk
o Accept the Risk
Reporting – the right things at the right level
Volume of risk information (pyramid diagram):
• Board (Risk/Audit Committee): Strategic / Critical risk issues
• Executive Management (Exec Risk Mgt Committee): Significant / key operational and strategic risk information
• Business Units (Op Risk Mgt Committee): Operational and strategic risk information at Business level
Module 8 – Monitoring and review
Risk register, profiles and reports (diagram of the documents that flow from the process)
• Risk Register – Document used for recording risk management process for identified risks (ISO31000). It lists all identified risks, including description, likelihood of occurring, consequences on organisational objectives, proposed responses/risk treatments and risk owners.
• Risk Profile – Description of an organisation’s risk (ISO31000)
• Risk Reports – Risk reporting is the development of reports including strategic, operational, financial and compliance-related risk information, as a basis for directing and controlling the organisation as well as for external accounting (ISO31000)
• Risk Treatment Plans – Risk treatment is the development and implementation of measures to modify risk (ISO31000). Risk treatment plans include (1) testing of existing controls or monitoring control effectiveness over time; or (2) tracking of the implementation of new controls and/or training programs.
• Risk-Based Internal Audit Plan – Risk audit is a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the risk management policies and procedures are fulfilled (ISO31000). The internal audit plan identifies activities to be audited, and specifies the areas, allotted dates and personnel required to perform internal audits.
• Risk Matrix – Tool for ranking and displaying risks by defining risk categories and defining ranges for consequences and levels of likelihood for each category (ISO31000)
• Heat Map – Overview of the organisation’s main risks plotted in its risk matrix (ISO31000)
Three levels of defence (diagram)
• First Line – Business operations: an established risk and control environment
• Second Line – Oversight functions (Finance, HR, IT, Legal and Risk Management): strategic management, policy and procedure setting, functional oversight
• Third Line – Independent assurance (Internal Audit, External Audit and other independent assurance providers): provide independent challenge and assurance
Each line covers risk & control and reports up to the Board, Executive & Audit Committee.
In summary
1. AS/NZS ISO 31000:2009 is a principles-based standard that seeks to customise the risk management process fit-for-purpose to the context.
2. Risk management must be integrated/embedded into existing organisational processes/practices.
3. Managing risk is about creating value out of uncertainty and achieving its objectives.

The IRM India- A Risk Management Standard
Understandiing ISO 31000-2009
ISO+31000+2009+Understanding
Risk Management Presentation to Doyle Property Club
Risk Management for Directors - Governance Institute
Julia graham@bdm2014
Risk and opportunity management skills © Harri Timonen 2025.pdf
Risk management erm
Iso 31000.pdf
Risk - IT Services
2014.03.20 BDM Transport Insurance Seminar presentation
Risk management standard 030820
Presentation on Risk management & controlling (Corporate Finance & Internatio...
Enterprise risk management

More from mikaelastafrace (7)

PPTX
Regulatory reform in the australian general insurance market
PPT
Legal implications for authorised representatives
PPT
Strategically managing your insurance program
PPT
Regulatory compliance update
PPTX
Liability of insurance agents to their clients
PPTX
The intersection between corporate and clinical governance - implications for...
PPTX
Indemnity clauses - what they are, how they work and how to make them for you
Regulatory reform in the australian general insurance market
Legal implications for authorised representatives
Strategically managing your insurance program
Regulatory compliance update
Liability of insurance agents to their clients
The intersection between corporate and clinical governance - implications for...
Indemnity clauses - what they are, how they work and how to make them for you

Risk Management Fundamentals

  • 1. Risk Management Fundamentals
    Mikaela Reynoldson, Claverhouse Risk & Legal
  • 2. Learning outcomes and objectives
    • Have a better understanding of AS/NZS ISO 31000:2009 (Risk management – Principles and guidelines)
    • Understand the link between governance and risk in Victoria
    • Know each activity contained in the risk management process
    • Understand the linkage between governance, risk and control
    • Use the tools and techniques necessary for managing the risks facing your organisation
    • Apply the risk management principles within your area of responsibility
    • Conduct a basic risk assessment applying the tools supplied
  • 3. Module 1 – Introduction to Governance and Risk Management
    Risk defined – what is risk?
    “The chance of something happening that will have an impact on achieving objectives” – AS/NZS 4360:2004
    “Effect of uncertainty on objectives” – ISO 31000
    (Source: ISO 31000 Risk Management – Principles and Guidelines on Implementation, 2009)
  • 4. Risk management – a comprehensive process
    • Supported by appropriate strategies and frameworks
    • Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent a department or agency from achieving its objectives
    • Covers strategic, operational, financial and compliance risks
    • The term “enterprise-wide risk management” is widely used by both the Victorian public sector and the private sector to describe this comprehensive approach
  • 5. What are the benefits of a risk management framework?
    • Enables identification of threats and opportunities for an agency
    • Improves and informs the planning process
    • Reduces the likelihood of costly “surprises”
    • Contributes to improved resource allocation
    • Improves efficiency and performance
    • Improves accountability
    • Encourages continual improvement
  • 6. Governance and risk management in Victoria – why is risk management important?
    Legislative obligation
    • Victorian Managed Insurance Authority Act (1996) and
    • Financial Management Act (1994).
    Financial Management Act – requires agencies to develop and implement a risk management strategy, and keep it under review. There is a quarterly monitoring process established under the Act.
    Victorian Managed Insurance Authority Act – requires participating bodies to develop and implement a risk management strategy, and keep it under review.
    Board obligation
    The Board is required to attest annually that the risk management framework is in place. The VGRMF (Victorian Government Risk Management Framework) imposes the obligation.
  • 7. Example of an attestation clause (VGRMF)
    “I, [Accountable Officer], certify that as at 30th June 20XX the [Department] has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The audit committee verifies this assurance and that the risk profile of the [Department] has been critically reviewed within the last 12 months.”
    (Source: Victorian Government Risk Management Framework, July 2007, Attachment A, p. 21)
  • 8. Link between governance and risk management – what is corporate governance?
    • Three basic elements: stewardship, leadership and control.
    • Corporate governance is the framework established by a governing body to ensure that stakeholders, primarily the Parliament, the Government and the Victorian community, have assurance that the agency is fulfilling its responsibilities with due diligence and accountability.
    • This stewardship relationship demands that Boards establish processes to both delegate and limit power to pursue the organisation’s strategy and direction in a way that enhances the prospects for the organisation’s long-term success.
  • 9. Risk management governance structure (organisation chart)
    Board level: Board of Directors; Audit & Risk Committee; Other Board Committees.
    Management level: CEO; Executive Team; Management Team; Manager, Quality & Risk; Risk Management Advisory Committee; Service Quality and Risk Management Committee; Quality Committee; Other Sub-Committees.
    Operational level: Staff / Volunteers.
    Relationships drawn between the levels: oversight, critique, guide, identify, assess, execute, monitor & review.
  • 10. The integration of risk management
    Any successful alignment of risk management and governance requires four key factors:
    • an agency focus – where there is an identifiable source of risk management expertise in the agency and senior managers come together on a regular basis to discuss risk management issues
    • an agency direction – where a clear direction and strategy is established for risk management, including articulating the agency’s risk appetite and giving a clear mandate for what constitutes effective risk management
    • decision-making structures – where risk management is not a separate process, but a key consideration at all parts of the decision-making chain: factored into strategic and operational planning; included as a common component in all project proposals and business cases; and incorporated into advice to Ministers; and
  • 11. The integration of risk management (continued)
    • agency capacity and capability – where the agency’s executive management invests time and resources to build momentum, capacity and capability, including: ensuring that there is a shared language of risk management; a common understanding of the principles; training and development to build expertise; and established tools and processes for risk management.
    Integrated risk management requires an ongoing assessment of potential risks and opportunities for an agency at every level. The results should inform agency-level risks, facilitate priority setting and improve an agency’s decision making. Clear links should be established between risk management, Government policies and priorities, agency objectives (vertical integration), and agency policy and operations (horizontal integration).
  • 12. Enterprise-wide perspective (diagram of the ISO 31000 framework cycle)
    Mandate and commitment → Design of framework for managing risk → Implementing risk management → Monitoring & review of the framework → Continual improvement of the framework.
    Artefacts placed around the cycle: organisational strategy & objectives (measures & targets); 11 principles; risk management policy; risk management plan(s); risk management process(es); risk register / risk profile; risk reporting; assurance / attestation plan.
  • 13. Integrated approach – achievement of strategies & objectives
    Corporate governance is the guidance system for achieving planned objectives – it is an objective-focused concept. It is a process by which organisations are directed, controlled and held to account.
    • Risk controls – provide reasonable assurance to Board & Management that objectives will be achieved within an acceptable degree of residual risk.
    • Risk management – develops risk treatment plans, risk controls and strategies associated with achieving objectives.
    • Quality & compliance – ensures that laws, regulations, codes, and organisational standards and requirements are met.
    • Monitoring, review & reporting – monitor, review and report against performance measures for each objective.
    • Performance management – performance of individuals is managed, motivated and aligned to organisational and personal objectives.
  • 14. Module 2 – Framework for managing risk
    Seven key questions – a good risk management framework seeks to answer these basic questions:
    • what are we trying to achieve?
    • what events or circumstances could affect the achievement of our objectives?
    • what are the consequences?
    • how likely are these events?
    • what can we do to manage these outcomes?
    • how will we maximise opportunities?
    • can the organisation recover if a risk eventuates?
  • 15. The trilogy of risk frameworks
    • AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November 2009). Replaced AS/NZS 4360:2004.
      • Developed as a guideline document
      • Unlike many other ISO standards, it is NOT for certification
    • ISO Guide 73:2009 – Risk management – Vocabulary (15 November 2009)
      • Defines important risk management terminology
    • IEC/ISO 31010:2009 – Risk management – Risk assessment techniques (1 December 2009)
      • A supporting standard for ISO 31000:2009
      • Provides guidance (Annex A – informative) on selection and application of systematic techniques for risk assessment
      • Is NOT for certification, regulatory or contractual use
  • 16. Related standards, handbooks and frameworks
    • HB 158:2010 – Delivering assurance based on ISO 31000:2009. Helps assurance providers plan and implement their activities using the information arising from the (ISO 31000:2009) risk management process.
    • HB 327:2010 – Communicating and consulting about risk (23 February 2010). Provides guidance to individuals and organisations on communication and consultation when managing risk.
    • AS/NZS 5050:2010 – Business continuity – Managing disruption-related risk (28 June 2010). Describes the application of the principles, framework and process for risk management, as set out in AS/NZS ISO 31000:2009, to disruption-related risk.
    • Victorian Government Risk Management Framework (March 2011)
  • 17. The one we use: Risk Management Framework – ISO 31000:2009 (process diagram)
    Establish the context → Identify risks → Analyse risks → Evaluate risks → Treat risks, with Communicate & consult and Monitor & review running alongside every step.
  • 18. Overview of AS/NZS ISO 31000:2009 and AS/NZS 4360:2004
    Principles for managing risk (Clause 3) – AS/NZS 4360: implicit, to some extent. Risk management:
    1) creates value; 2) is an integral part of organisational processes; 3) is part of decision making; 4) explicitly addresses uncertainty; 5) is systematic, structured and timely; 6) is based on the best available information; 7) is tailored; 8) takes human and cultural factors into account; 9) is transparent and inclusive; 10) is dynamic, iterative and responsive to change; 11) facilitates continual improvement and enhancement of the organisation.
    Framework for managing risk (Clause 4) – AS/NZS 4360: covered partially in Section 4 “Establishing effective risk management”. Elements: mandate & commitment; design of framework for managing risk; implementing risk management; monitoring & review of the framework; continual improvement of the framework.
    Process for managing risk (Clause 5) – AS/NZS 4360: fully covered in Section 3 “Risk management process”. Elements: establishing the context; risk assessment (risk identification, risk analysis, risk evaluation); risk treatment; with communication & consultation and monitoring & review throughout.
    Attributes of enhanced risk management (Annex A – informative) – AS/NZS 4360: not covered.
  • 19. Framework for managing risk
    4.2 Mandate and commitment
    4.3 Design of framework for managing risk
      4.3.1 Understanding the organisation and its environment
      4.3.2 Establishing risk management policy
      4.3.3 Accountability
      4.3.4 Integration into organisational processes
      4.3.5 Resources
      4.3.6 Establishing external communication & reporting mechanisms
      4.3.7 Establishing internal communication & reporting mechanisms
    4.4 Implementing risk management
      4.4.1 Implementing the framework for managing risk
      4.4.2 Implementing the risk management process
    4.5 Monitoring and review of the framework
    4.6 Continual improvement of the framework
    (Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines)
  • 20. Module 3 – Embedding risk management
    Fit-for-purpose? Risk management should be embedded in all the organisation’s practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
    (Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines)
  • 21. Integrating risk management (diagram)
    Governance structure: Board; CEO; Corporate Services; Client Services; Operations.
    Strategic & operational planning process: strategic objectives & indicators, cascaded down to operational objectives & indicators.
    Risk management process: strategic risk (risk register) aligned to the strategic objectives and cascaded down to operational risk (risk register); operational risks escalated up.
    Reporting process: operational reports evaluated & reported, then consolidated & escalated up into the CEO / Board report.
  • 22. How to embed risk management – some examples
    • Map the “as-is” organisational / reporting structure. Rationalise reports, where possible.
    • Map the “as-is” committee / meeting structure. Rationalise committees / meetings, where possible.
    • Review the risk management roles of each committee / meeting. Make risk management a standing agenda item in all meetings.
    Committee map template columns: No | Level | Committee name | Frequency | Members | Responsibility (terms of reference) | Reports to
  • 23. Embedding risk management – some more examples
    • Include responsibility for risk management in all job descriptions
    • Risk management as a standard reporting item in all reports
    Also remember:
    • introduce a language of risk
    • the risk environment changes over time
    • organisational change means roles and responsibility for managing risk will change
    • clarify strategic and operational objectives and measures
    • articulate and document those objectives and measures
  • 24. Module 4 – Risk management policy and plan
    Content of a typical risk management plan
    • A statement of the risk management policy
    • Details of the scope and objectives of risk management in the agency
    • Consistent risk management language and definitions
    • Integration with other management practices and procedures
    • Risk assessment criteria (consequence and likelihood ratings)
    • Description of the internal and external context in which the agency operates
    • List of analysed risks (detailed in the risk register)
    • Summary of the risk treatment plan
    • Outline of the risk reporting protocol
    • Outline of the monitoring and review program
  • 25. Content of a typical risk management policy
    • Objectives, scope and coverage of the policy
    • Statement of commitment from the Board
    • Accountabilities and responsibilities for managing risk
    • Alignment with other management policies and procedures
    • Escalation and reporting protocols
    • Statement of risk appetite and tolerance
    • Processes, tools and templates for managing risk
    • Reporting and communication protocols
    • Statement about assessment, measurement and reporting methodology
    • Outline of DRP and BCP and regularity of the testing regime
  • 26. Module 5 – Process for managing risk
    The process of risk management? Risk management is defined as:
    “Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects” – AS/NZS 4360:2004
    “...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
    (Source: ISO 31000 Risk Management – Principles and Guidelines on Implementation, 2009)
  • 27. The risk management process described in more detail (ISO 31000 Clause 5)
    5.2 Communication & consultation (throughout)
    5.3 Establishing the context
      5.3.2 External context
      5.3.3 Internal context
      5.3.4 Risk management process context
      5.3.5 Developing risk criteria
    5.4 Risk assessment
      5.4.2 Risk identification – what can happen, when, where, how & why
      5.4.3 Risk analysis – determine existing controls; determine consequences; determine likelihood; determine level of risk
      5.4.4 Risk evaluation – (1) compare against criteria; (2) identify & assess options; (3) decide on response; (4) establish priorities
    5.5 Risk treatment
      5.5.2 Selection of risk treatment options
      5.5.3 Preparing and implementing risk treatment plans
    5.6 Monitoring & review (throughout)
  • 28. Communication and consultation
    It is critical to:
    • establish channels of communication with internal and external stakeholders
    • allocate risk management tasks and activities with responsibilities, accountabilities and authorities clearly understood and defined
    • draft a communications plan and a distribution timetable
    • identify what specialist advice might be needed (engineers, actuaries, OHS specialists, VMIA support)
    • identify the stakeholders:
      • internal (Board, Minister, executive and operational management)
      • external (regulators, customers, the public, key suppliers)
  • 29. Module 6 – Establishing the context
    Know and understand:
    • the purpose, goals and objectives of the agency;
    • where the risk management process is being applied within the agency;
    • the cost/benefit of the risk management program and the resource allocation required;
    • the need to maintain documented records of the program;
    • the external and internal environment in which the agency operates;
    • the sources of risk facing the agency;
    • the benchmarks against which risk will be evaluated within the agency.
    Risk appetite and tolerance
    • Risk appetite – the amount and type of risk that an organisation is willing to accept in pursuit of its long-term strategic and operational objectives.
    • Risk tolerance – the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long-term objectives.
  • 30. Sources of risk – common risk categories
    Financial; Operational; Clinical; Health, Occupational, Safety; Human Resource; Governance; Infrastructure / Asset; Strategic.
  • 31. Consequence and likelihood
    • A process for evaluating the risks facing the agency using agreed criteria.
    • Likelihood means the probability of the identified risk occurring.
    • Severity (consequence) means the impact on, or cost to, the agency if the identified risk occurred.
    • The likelihood and severity ratings are multiplied together and plotted on a heat map, which gives a view of the overall risk profile for the agency. An informed decision can then be taken as to the response strategies, treatment plan and resource allocation that might be appropriate.
    • Responsibilities can then be allocated to a risk owner, with the treatment tasks allocated to a control owner.
    • Examples of the tools used to plot severity and likelihood are in the following slides.
  • 32. Tools for assessing risk – risk rating scales (likelihood)
    Score  Rating        Detailed description
    5      Frequent      The event is very likely to occur within 3 months
    4      Likely        The event will probably occur within 1 year
    3      Occasionally  The event could occur between 1 and 3 years
    2      Unlikely      The event could occur between 3 and 10 years
    1      Rare          The event may possibly occur, but less often than once in 10 years
    A time horizon is selected that best suits the unique profile of the agency. (Slide 34 labels the same five scores Almost Certain / Likely / Possible / Unlikely / Rare.)
  • 33. Risk rating scales: consequence
    Score  Description
    5      Catastrophic / Extreme
    4      Major
    3      Moderate
    2      Minor
    1      Insignificant
    Consequence categories (possible categories only): Financial; Service Delivery; Reputation; People & Knowledge; Health and Safety; Legal and Regulatory. The slide leaves the descriptor for each score under each category blank, to be defined by the agency.
  • 34. Risk matrix (likelihood × consequence)
    Likelihood \ Consequence   Insignificant 1   Minor 2   Moderate 3   Major 4   Catastrophic 5
    Almost Certain 5                  5            10          15          20           25
    Likely 4                          4             8          12          16           20
    Possible 3                        3             6           9          12           15
    Unlikely 2                        2             4           6           8           10
    Rare 1                            1             2           3           4            5
  • 35. Risk appetite and risk rating (diagram)
    A risk matrix with increasing likelihood along one axis and increasing impact along the other. The acceptance boundary moves with the organisation’s appetite, from risk averse to a large appetite for risk. A standard plan is required for all extreme risks. The escalation levels Board, CEO, Manager and Staff are marked against the matrix.
  • 36. Risk response and escalation
    Risk      Type of action                                Risk / Audit Committee oversight
    Extreme   Immediate action required                     Direct
    High      Senior management attention needed            Monitors
    Moderate  Management responsibility must be specified   Ensures sign-offs and is advised of changes up or down
    Low       Manage by routine procedures                  Ensures sign-offs
    Escalation path shown on the slide: GMs → CEO / Board.
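    Slides 31 to 36 describe one procedure: rate likelihood and consequence on the agreed scales, multiply them, place the result on the matrix, and let the resulting band drive the action and committee oversight. Slide 38 then asks that the register hold both the inherent (untreated) and residual (treated) rating. The script below is an added example written for this page, not code from the slides or their author. It implements that procedure over a small register. The scales and the action/oversight table are taken from the slides; the score-to-band cut-offs (Low 1-4, Moderate 5-9, High 10-15, Extreme 16-25) are an assumption, since the slides give scores but no thresholds, chosen so that the slides' own entry (Consequence = Minor, Likelihood = Possible) rates Moderate as slide 39 states. The sample register is constructed, and the inherent rating for "Loss of key personnel" is assumed because slide 39 does not give one. The data-quality check flags a residual rating above the inherent one, which cannot happen if controls were rated honestly.

```python
"""Rate register entries on a 5 x 5 likelihood x consequence matrix and decide
escalation. Added example, not from the original slides.

Scales follow slides 32-34; the action/oversight table follows slide 36. The
score-to-band thresholds are an ASSUMPTION (the slides give scores 1..25 but no
cut-offs), chosen so that the slides' own register entry (Consequence = Minor,
Likelihood = Possible) rates Moderate, as slide 39 states.
"""
from dataclasses import dataclass

# Slide 32 uses Frequent/Occasionally, slide 34 uses Almost Certain/Possible for
# the same scores; both labels are accepted.
LIKELIHOOD = {"almost certain": 5, "frequent": 5, "likely": 4,
              "possible": 3, "occasionally": 3, "unlikely": 2, "rare": 1}
CONSEQUENCE = {"catastrophic": 5, "extreme": 5, "major": 4,
               "moderate": 3, "minor": 2, "insignificant": 1}
LIKELIHOOD_ORDER = ["Rare", "Unlikely", "Possible", "Likely", "Almost Certain"]
CONSEQUENCE_ORDER = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]

# ASSUMPTION: lowest score in each band, checked from the top down.
BANDS = ((16, "Extreme"), (10, "High"), (5, "Moderate"), (1, "Low"))

# Slide 36: type of action and Risk/Audit Committee oversight per band.
RESPONSE = {
    "Extreme": ("Immediate action required", "Direct"),
    "High": ("Senior management attention needed", "Monitors"),
    "Moderate": ("Management responsibility must be specified",
                 "Ensures sign offs and is advised of changes up or down"),
    "Low": ("Manage by routine procedures", "Ensures sign offs"),
}


@dataclass(frozen=True)
class Rating:
    likelihood: int
    consequence: int

    @property
    def score(self) -> int:
        # Slide 31: likelihood and consequence ratings are multiplied.
        return self.likelihood * self.consequence

    @property
    def band(self) -> str:
        return next(name for floor, name in BANDS if self.score >= floor)


def rate(likelihood: str, consequence: str) -> Rating:
    """Translate the two descriptive labels into a Rating; unknown labels fail loudly."""
    try:
        return Rating(LIKELIHOOD[likelihood.strip().lower()],
                      CONSEQUENCE[consequence.strip().lower()])
    except KeyError as exc:
        raise ValueError(f"unknown rating label {exc.args[0]!r}") from None


def assess(name: str, inherent: tuple, residual: tuple) -> dict:
    """Build one register row: inherent and residual (after controls) ratings,
    the slide 36 response for the residual band, and a data-quality flag."""
    inh, res = rate(*inherent), rate(*residual)
    action, oversight = RESPONSE[res.band]
    return {
        "risk": name,
        "inherent": (inh.score, inh.band),
        "residual": (res.score, res.band),
        "residual_cell": (res.likelihood, res.consequence),
        "action": action,
        "oversight": oversight,
        # Controls can only lower a rating; a residual above inherent is a
        # register error (a typo, or controls credited that do not exist).
        "flag": ("residual rated above inherent"
                 if res.score > inh.score else None),
    }


def assess_register(register) -> list:
    return [assess(*entry) for entry in register]


def heat_map(rows) -> str:
    """Render slide 34's matrix as text; '*' marks cells holding a residual risk."""
    occupied = {row["residual_cell"] for row in rows}
    width = 15
    lines = ["L \\ C".ljust(width)
             + "".join(c.center(width) for c in CONSEQUENCE_ORDER)]
    for lik in range(5, 0, -1):  # Almost Certain at the top, Rare at the bottom
        cells = "".join(
            f"{lik * con}{'*' if (lik, con) in occupied else ''}".center(width)
            for con in range(1, 6))
        lines.append(f"{LIKELIHOOD_ORDER[lik - 1]} {lik}".ljust(width) + cells)
    return "\n".join(lines)


# Constructed register. The first entry is the slides' worked example (slide 39);
# its inherent rating is not stated there, so "Likely"/"Major" is assumed.
SAMPLE_REGISTER = [
    ("Loss of key personnel", ("Likely", "Major"), ("Possible", "Minor")),
    ("Payroll data disclosure", ("Possible", "Major"), ("Unlikely", "Major")),
    ("Core service outage", ("Likely", "Catastrophic"), ("Possible", "Catastrophic")),
]

if __name__ == "__main__":
    rows = assess_register(SAMPLE_REGISTER)
    for row in rows:
        print(f"{row['risk']:<26} inherent={row['inherent']} residual={row['residual']}"
              f"  -> {row['action']}; committee: {row['oversight']}"
              + (f"  !! {row['flag']}" if row["flag"] else ""))
    print(heat_map(rows))
```

    Run as a script it prints each row with its residual band, the slide 36 action and oversight, and the matrix with the occupied cells starred. Keeping the thresholds in one table (BANDS) is deliberate: the agency's appetite (slide 35) is expressed by moving those cut-offs, not by re-rating individual risks.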
  • 37. Control effectiveness scales
    1  Effective – indicates minimal uncontrolled risk, due to excellent risk management / controls in place, tested and monitored.
    2  Good – indicates a good risk management and control system, but an opportunity for refinement exists to reduce risk further.
    3  Fair / Partially effective – indicates a need for improvement in controls, increased adherence to controls, or that controls are being developed but are not fully in place and tested.
    4  Poor – indicates effective risk controls have not yet been developed and a significant lack of risk control exists; additional risk management or treatment is a matter of priority.
  • 38. Module 7 – Risk assessment and treatment
    The risk register
    • The risk register is a key document which records the output of the risk management process.
    • At a minimum it would contain the following:
      • Risk description
      • Assessment of inherent risk
      • Assessment of controls
      • Assessment of residual risk
      • Treatment of risk
    • Remember the distinction between inherent (untreated) and residual (treated) risk.
  • 39. Risk register – example (category: Employees)
    Risk: Loss of key personnel
    Inherent risk description: Loss of key employees leading to the loss of primary relationship contacts, loss of investment in training and development and loss of intellectual property. This may lead to stretched resources and disrupt the Department’s capability to continue critical business operations. Potential causes include: poaching of employees; changes to the organisation influencing the culture and leading to instability / insecurity; lack of availability of skilled and competent workers; career / lifestyle change; retirement, death or mental inability.
    Primary controls / processes / control strategies:
    • Competitive remuneration, strategies and structure
    • Defined targets and KPIs
    • Divisional and departmental operating targets for all key employees
    • Work–life balance
    • Training and internal growth opportunity
    • Non-remuneration employee benefit strategies (EAP)
    • Identification and grooming of employees into the succession role
    • Training to ensure success in the new role
    • Documented policies and procedures / information to retain knowledge
    Assurance provider / monitoring procedures:
    • Human Resources – quarterly reports submitted to Departmental Management regarding the Performance Management System and succession planning
    • Divisional Management – control self-assessment performed two-monthly, which includes questions on PMS and succession planning
    • Internal Audit – an internal audit on the Performance Management System to be performed during the 2011/12 year
    • External Audit – payroll testing to be included in the annual audit
    Are risks being managed effectively? (What more could be done?) Overall effectively managed. Areas for improvement: formalised training calendar to be introduced; input controls to be strengthened over payroll; salary benchmark to be performed; internal advertising of available posts to be sent out in monthly e-mails; all issues to be tracked on the tracking database.
    Residual risk rating = Moderate (Consequence = Minor; Likelihood = Possible)
  • 40. Risk treatment
    There are five risk treatment options available, as defined below:
    • Avoid the risk
    • Transfer the risk
    • Share the risk
    • Treat the risk
    • Accept the risk
  • 41. Module 8 – Monitoring and review
    Reporting – the right things at the right level (diagram)
    • Board, with the Risk / Audit Committee – strategic / critical risk issues
    • Executive management, with the Executive Risk Management Committee – significant / key operational and strategic risk information
    • Business units, with the Operational Risk Management Committee – operational and strategic risk information at business level
    The volume of risk information increases from Board level down to the business units.
  • 42. Risk register, profiles and reports
    • Risk profile – description of an organisation’s risk (ISO 31000).
    • Risk register – document used for recording the risk management process for identified risks (ISO 31000). It lists all identified risks, including description, likelihood of occurring, consequences on organisational objectives, proposed responses / risk treatments and risk owners.
    • Risk reporting – development of reports including strategic, operational, financial and compliance-related risk information, as a basis for directing and controlling the organisation as well as for external accounting (ISO 31000).
    • Risk treatment – development and implementation of measures to modify risk (ISO 31000). Risk treatment plans include (1) testing of existing controls or monitoring control effectiveness over time; or (2) tracking of the implementation of new controls and/or training programs.
    • Risk-based internal audit plan – identifies the activities to be audited, specifying the areas, allotted dates and personnel required to perform internal audits.
    • Risk audit – systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the risk management policies and procedures are fulfilled (ISO 31000).
    • Risk matrix – tool for ranking and displaying risks by defining risk categories and defining ranges for consequences and levels of likelihood for each category (ISO 31000).
    • Heat map – overview of the organisation’s main risks plotted in its risk matrix (ISO 31000).
  • 43. Three levels of defence
    Board, Executive & Audit Committee sit above all three lines.
    • First line – business operations: an established risk and control environment.
    • Second line – oversight functions (Finance, HR, IT, Legal and Risk Management): strategic management, policy and procedure setting, functional oversight.
    • Third line – independent assurance (Internal Audit, External Audit and other independent assurance providers): independent challenge and assurance.
  • 44. In summary
    1. AS/NZS ISO 31000:2009 is a principles-based standard that seeks to customise the risk management process to be fit-for-purpose for the context.
    2. Risk management must be integrated / embedded into existing organisational processes and practices.
    3. Managing risk is about creating value out of uncertainty and achieving the organisation’s objectives.

Editor's Notes

  • #3: How does the above match with what the participants hope to get out of this course ? 9.30am TIME
  • #27: Risk management is HOW a business or Government achieves its objectives. The focus should be on how it will add VALUE to what is being undertaken and how best to achieve that. Too often the focus shifts from what is trying to be achieved, and whether there is any value in undertaking the activity, to all the things that could go wrong and finding ways to prevent them. This stifles innovation and creativity.
  • #39: It needs to be a “living document” with consistent and frequent reporting to relevant stakeholders