Risk Management The International Standard

Academic year: 2021

(1)

John Crawley & Emer McAneny

June 2014

Risk Management

(2)

Who I am

Accountant, Banker, Businessman, Trainer, Turnaround Expert, Risk Expert

(3)

Agenda

Strategy
• and the role of risk

GRC
• governance, risk & compliance

Tolerance
• and why organisations are now setting "appetite"

Identification
• using a stakeholder approach

Assessing
• simplicity or complexity

Action
• everything can be dealt with as a "T"

Report

(4)

Rules of engagement

Engage. Open mind. No distractions. Challenge. Question. Enjoy.

(5)
(6)

What is risk

Effect of uncertainty on objectives

Effect:
• positive
• negative
• deviation from the expected

Objectives:
• the definition works best if the organisation has clear objectives
• these need to be tested as part of the risk management process

(7)

What is the best definition of risk?

Organisation – definition of risk

ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.

COSO – ERM Integrated Framework: The possibility that an event will occur and adversely affect the achievement of objectives.

From the old AS/NZ 4360:2004: The chance of something happening that will have an impact on objectives.

(8)

Definitions of risk management

Organisation – definition of risk management

ISO Guide 73 / ISO 31000: Coordinated activities to direct and control an organisation with regard to risk.

Institute of Risk Management (IRM): Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.

COSO – ERM Integrated Framework: A process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

(9)
(10)
(11)
(12)

Good Corporate Governance

Do things right. Do the right thing.

(13)

What is Risk Management

Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure

(14)
(15)

Q: What is the fundamental reason that cars have brakes?

(16)

Q: What is the fundamental reason that cars have brakes?

A: So that cars can stop – but they also allow cars to be driven faster

(17)

Why manage risk?

(18)

For discussion…

What events can you recall that support the need for a structured and systematic approach to risk management?

(19)

For discussion....

Consider the list of disasters identified. Was this a failure of:
- prediction?
- prioritisation?
- mobilising resources?

(20)

ISO 31000 overview

Throughout the course we will use ISO 31000 as our core framework.

Principles (Clause 3)
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)
Mandate and commitment (4.2)
Design of framework for managing risk (4.3)
Implementing risk management (4.4)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)

Process (Clause 5)
Communication and consultation (5.2)
Establishing the context (5.3)
Risk assessment (5.4.2): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6)

(21)

ISO 31000 overview (principles, framework and process diagram repeated; see slide 20)

(22)
(23)

• creates and protects value

• integral part of organisational processes

• part of decision making

• explicitly addresses uncertainty

• systematic, structured and timely

• based on the best available information

(24)

• tailored

• takes human and cultural factors into account

• transparent and inclusive

• dynamic, iterative and responsive to change

• facilitates continual improvement

(25)

Attributes of effective risk management

(26)

What is effective risk management?

Effective risk management has the following attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic

Levels: strategic/programmes, tactical/projects, operational/processes


(31)

Introduction to key risk management disciplines

(32)

How does enterprise risk management (ERM) differ from risk management?

Q

ERM seeks to:
• include all categories of risk and uncertainty
• consider upside as well as downside
• be comprehensive – applied throughout the organisation

(34)

What is governance?

Q

The system by which organisations are directed and controlled.

Generic aspects of governance include:
- the rights and duties of owners/shareholders and other stakeholders
- how powers are shared and exercised by directors
- how the holders of power are held accountable for what they do

(36)

International development of codes of corporate governance

• principle-based approach
versus
• prescriptive (rules-based) approach

(37)

What is compliance?

Q

Compliance is the leadership processes that an organisation establishes to comply with societal, trade, professional and stakeholder needs

Examples include:
- law
- codes of practice
- contracts
- trade union agreements
- professional standards

(39)

What is GRC?

Q

GRC stands for:
• governance
• risk
• compliance

A

(41)

Risk management process (ISO 31000 principles, framework and process diagram repeated; see slide 20)

(42)

ISO 31000 overview (principles, framework and process diagram repeated; see slide 20)

(43)

The Risk Process

Identify – objectives, tools
Set appetite – zero / low / medium / high
Assess – impact, likelihood
Treatment – tolerate, treat, transfer, terminate
Ongoing monitoring – audit & report, incidents, re-assess

(44)
(45)

ISO 31000 risk management process: establish the context; risk assessment (identify risks, analyse risks, evaluate risks); treat risks. "Communicate and consult" and "monitor and review" run alongside every step.

Reproduced from ISO 31000:2009

(46)

Communication and consultation

Communication – a continual and iterative process that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders

Consultation – a two-way process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue

Stakeholders – a person or organisation that can affect, be affected by, or perceive themselves to be affected by a decision or activity

(47)

• help to establish the context appropriately

• stakeholders interests understood & considered

• risks adequately identified

• bring expertise together for risk analysis

• ensure different views are considered

• secure support for risk treatment plans

• enhance appropriate change management

• develop appropriate communication plans

(48)

Effective communication about risk

• comprehensive and frequent reporting of risk management performance is an essential element of organisational governance

• internal and external stakeholders

• communication is upwards, downwards and across the organisation

• communicate on significant risks and risk management performance

• how we communicate matters as much as what we communicate

(49)

Establishing the context

Session 2: Communication & consultation | Establish the context | Risk assessment | Risk appetite and tolerance | Risk treatment | Business continuity management | Monitoring & review

(50)

ISO 31000 risk management process diagram (repeated; see slide 45)

Reproduced from ISO 31000:2009

(51)

Establishing the context

External context
• what does the world around us look like?
• what are the drivers and trends?

Internal context
• what are our objectives?
• what is our capacity?
• what are our business processes?
• how do we make decisions?

Context of the risk management process
• what is the process expected to achieve?
• who will be responsible?
• what resources will be required?
• what determines whether a risk is acceptable?
• what determines whether a risk should be controlled?
• how can we measure our total risks?

(52)
(53)
(54)

Risk assessment


(55)

ISO 31000 risk management process diagram (repeated; see slide 45)

Reproduced from ISO 31000:2009

(56)

Risk assessment

Risk identification

– what might happen (the event)?

Risk analysis

– how likely is it to happen?

– if it does what might the impact be?

Risk evaluation

– so what!

(57)

ISO 31000 - The Risk Process (identify, set appetite, assess, treatment, ongoing monitoring; diagram repeated, see slide 43)

(58)

Two main types of identification techniques

Forward looking
– brainstorming workshops
– surveys
– expert knowledge

Historic
– statistical analysis
– trend analysis

Risk areas shown on the slide: Strategy, Market, Commercial, Partners, Plan execution, Technology, Health & Safety (and CSR), Finance. Example of historic data: injury statistics.

(59)

Perspectives: Financial, Marketing & Sales, Operations, Employees, CSR, Economic, Compliance

(60)

Some risk terminology

• A risk is the effect of uncertainty on objectives
• A hazard is the source of potential harm (a hazard can be a risk source)
• A risk source has the potential, alone or in combination, to give rise to risk. We might also term this cause
• An event is the occurrence or change of a particular set of circumstances
• A consequence is the outcome of an event affecting objectives

Source: ISO Guide 73:2009


(61)

Describing a risk

Combines the cause(s), the event(s) and the effect(s):
– source(s) or cause(s) (what? why?)
– event or circumstance giving rise to the uncertainty (uncertainty)
– consequences or effect(s) (on objectives)

(62)

KPI - Financial

Liquidity
- current ratio
- quick ratio

Financial strength
- interest cover
- debt to equity ratio

Corporate value

(63)

Your Risk Register – Step 1

KPI Categories to Risks

(64)

KPI - Marketing & Sales

- Net Promoter Score: "How likely are you to recommend this business to a colleague or friend?"
- Do customer expectations match the service we deliver?
- How involved/emotionally attached are your customers to your organisation?

(65)

Marketing & Sales

KPI Categories to Risks

(66)

KPI - Operational & Technology

- How suitable and operational is our equipment? How technologically advanced are we?
- Are we realising our full production/work potential?
- How long does it take to fill an

(67)

Operational & Technology

KPI Categories to Risks

(68)

KPI - Employees

- How well do you protect and support your employees?
- How well does the organisation vet its employees?
- How well are the skills of the employees matched to the needs of the organisation?
- Do you offer and encourage

(69)

KPI - Employees

KPI Categories to Risks

(70)

KPI - Corporate Social Responsibility

- Are you compliant with environmental regulations/standards?
- Are your suppliers socially conscious? i.e. Fairtrade for foodstuffs, ethical manufacturers for clothing
- Do your manufacturing facilities

(71)

Corporate Social Responsibility

KPI Categories to Risks

(72)

KPI - Economic

- What would the financial effect of a change of +/- 1% in the interest rate paid or charged be?
- To what extent is our business exposed to the collapse of a particular industry, economy or sector?
- To what extent is our business's customer base exposed to the collapse of a particular industry?

(73)

Economic

KPI Categories to Risks

(74)

KPI - Compliance

- Comprehensiveness of the organisation's governance procedures: "What is the effect of the new legislation for your business?"
- To what extent is our organisation open to legal challenge?

(75)

Compliance

KPI Categories to Risks

(76)

Risks aren't always bad

• the outcome of a risk event is not always negative
• think of some examples where a risk event can result in positive or beneficial outcomes
• discuss how the risk wheel and the bow tie technique can be used to identify opportunities

(77)

Recap

ISO 31000 principles, framework and process diagram (repeated; see slide 20)

(78)

Your Risk Register – Step 1

Positive Risk

(79)

Risk evaluation

(80)

The Risk Process (identify, set appetite, assess, treatment, ongoing monitoring; diagram repeated, see slide 43)

(81)

Risk appetite
• the amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives

Risk tolerance
• the boundaries of risk taking outside of which the organisation is not prepared to venture in pursuit of its long-term objectives

Risk universe
• the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives

(82)

Key principles

Risk appetite can be complex
– simplification can be attractive but can lead to meaningless approaches

Needs to be measurable
– otherwise statements are empty and useless
– key performance drivers need to be understood
– key risk and key control indicators need to be developed

Not a single fixed concept
– there may be a range of appetites within an organisation
– appetites may vary over time, influenced by changes in the risk and control environment or the benefits to be gained

(83)

Developed in the context of the organisation's risk management capability
– an understanding of risk appetite is unlikely to emerge before a level of risk management maturity is reached

Must take into account strategic, tactical and operational levels
– risk appetite needs to be addressed at all levels

Must be integrated into the control culture
– linked to both the propensity to take risk (often greater at strategic level) and the propensity to exercise control (more prevalent at operational level)

(84)

Why is risk analysis and evaluation important?

• prioritise risks in terms of their significance
• provide some consistency about the perception of significance
• decide how to allocate scarce resources
• decide whether to proceed with a new strategy, project or investment
• inform decisions on risk appetite

(85)

Benchmark to determine significance
- financial – sums involved
- disruption – length of time

(86)

Appetite

Hungry? Not enough risk.

Over fed?

(87)

Attitude?

1. That's grand
2. Don't push it
3. You're taking the p**s

(88)

Appetite – healthy eating (tolerance)

High
• increased sales
• cost efficiency

Medium
• lack of staff expertise & training
• inefficient admin/operations

Low
• not achieving value for money
• unsatisfactory funding

• severe reputational damage
• compliance failure

(89)

Your Risk Register – Step 2

Risk appetite: enter High, Medium, Low or Zero

(90)

Risk profiling – consequence;

(91)

The Risk Process (identify, set appetite, assess, treatment, ongoing monitoring; diagram repeated, see slide 43)

(92)

Risk matrix: likelihood (probable / possible / remote) plotted against impact

(93)

Likelihood

Estimation | Descriptors | Indicators

Probable | Likely to occur each year or more than a 25% chance of occurrence | Potential of it occurring several times within the time period (e.g. ten years). Has occurred recently

Possible | Likely to occur in a ten-year time period or less than a 25% chance of occurrence | Could occur more than once within the time period (e.g. ten years). Is there a history of occurrence?

Remote | Not likely to occur in a ten-year period or less than a 2% chance of occurrence | Has not occurred. Unlikely to occur

(94)

Estimating likelihood - criteria

Within the next 12 months the event is:

Almost certain • frequent occurrence, > 90% chance
Likely • regular occurrence, > 60% chance
Possible • occasional occurrence, > 10% chance
Unlikely

(95)

Impact

High
– financial impact on the organisation is likely to exceed €x
– significant impact on delivery of the organisation's strategic or operational activities
– significant stakeholder concern

Medium
– financial impact on the organisation likely to be between €x and €y
– moderate impact on the organisation's strategic or operational activities
– moderate stakeholder concern

Low
– financial impact on the organisation likely to be less than €y
– low impact on the organisation's strategic or operational activities

(96)

Estimating impact – criteria

Level | Reputation | Finance | Service delivery | Compliance | Safety

EXTREME | Loss of credibility with key stakeholders; extensive adverse media; external intervention | Financial loss exceeding £/$??? | Total sustained disruption to critical services | Intervention by regulator; serious breach of legal or contractual obligation | Fatality (multiple)

HIGH | Significant loss of trust; significant adverse media | Financial loss exceeding £/$??? | Significant sustained disruption to critical services | Censure by regulator; breach of legal or contractual obligation | Serious injury or ill-health (disabling)

MEDIUM | Significant complaints | Financial loss exceeding £/$??? | Some short-term disruption to services | Failure to meet recommended best practice | Injury or ill-health resulting in lost time

LOW | Isolated complaints | Low-level or no financial loss | Minor disruption to services | Failure to meet internal standards or SLA | Minor injury (no lost time)

(97)

Risk scoring matrix (likelihood score × impact score)

LIKELIHOOD

PROBABLE (3) – likely to occur each year or more than a 25% chance of occurrence
POSSIBLE (2) – likely to occur in a ten year time period or less than a 25% chance of occurrence
REMOTE (1) – not likely to occur in a ten year period or less than a 2% chance of occurrence

IMPACT

LOW (1) – financial impact on the organisation is likely to be less than £x; low impact on delivery of the organisation's strategic or operational activities; low stakeholder concern
MEDIUM (2) – financial impact on the organisation is likely to be between £x and £x; moderate impact on delivery of the organisation's strategic or operational activities; moderate stakeholder concern
HIGH (3) – financial impact on the organisation is likely to exceed £x; significant impact on delivery of the organisation's strategic or operational activities; significant stakeholder concern

Scores (each cell is likelihood score × impact score):

                LOW (1)   MEDIUM (2)   HIGH (3)
PROBABLE (3)       3          6           9
POSSIBLE (2)       2          4           6
REMOTE (1)         1          2           3

(98)

Opportunity and risk matrix

Two-sided Risk Matrix

(99)

Likelihood & Impact

Likelihood: High / Medium / Low / Zero

Impact: High / Medium / Low / Zero

(100)

Risk Score

Likelihood | Impact | Score
High | High | High
Medium | High | Judgement
Medium | Low | Judgement
High | Low | Judgement

(101)

Your Risk Register – Step 3

Risk score: enter High, Medium, Low or Zero for impact, likelihood and risk score beside each of the risks you have identified

(102)
(103)

Evaluate risk score

Risk score weighed against risk appetite: good risk

(104)

Your Risk Register – Step 4

Do you need to take action?

Enter Yes if your risk score is not equal to appetite
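The register steps above (identify, set appetite, score, decide on action) together with the 3 × 3 likelihood-by-impact scoring matrix from the earlier slides, worked through as an added Python example that is not from the deck or its authors; the cut-offs that turn a 1 to 9 product into High/Medium/Low, the treatment suggestion wording and the sample register entries are assumptions made here.

```python
"""Risk register evaluator following the deck's four register steps.

Likelihood scores (Remote=1, Possible=2, Probable=3), impact scores
(Low=1, Medium=2, High=3) and the product rule come from the scoring
matrix slide; the banding of the product and the sample register are
assumptions made for this example.
"""
from dataclasses import dataclass

LIKELIHOOD_SCORE = {"Remote": 1, "Possible": 2, "Probable": 3}
IMPACT_SCORE = {"Low": 1, "Medium": 2, "High": 3}
LEVELS = ("Zero", "Low", "Medium", "High")  # appetite scale used in the register


@dataclass(frozen=True)
class RiskEntry:
    risk: str         # Step 1: the identified risk
    likelihood: str   # Step 3: Remote / Possible / Probable
    impact: str       # Step 3: Low / Medium / High
    appetite: str     # Step 2: Zero / Low / Medium / High


def score_risk(likelihood: str, impact: str) -> int:
    """Cell of the 3x3 matrix: likelihood score times impact score (1 to 9)."""
    return LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]


def score_band(product: int) -> str:
    """Assumed banding of the product: 6-9 High, 3-4 Medium, 1-2 Low.
    The deck scores the cells but does not state these cut-offs."""
    if product >= 6:
        return "High"
    if product >= 3:
        return "Medium"
    return "Low"


def evaluate(entry: RiskEntry) -> dict:
    """Steps 3 and 4: score the risk, then flag action if band != appetite."""
    if entry.appetite not in LEVELS:
        raise ValueError(f"unknown appetite level: {entry.appetite!r}")
    product = score_risk(entry.likelihood, entry.impact)
    band = score_band(product)
    # Positive gap: more risk than the appetite allows ("over fed").
    # Negative gap: less risk than the organisation is willing to take ("hungry").
    gap = LEVELS.index(band) - LEVELS.index(entry.appetite)
    if gap > 0:
        suggestion = "Treat, Transfer or Terminate (score above appetite)"
    elif gap < 0:
        suggestion = "Review: score below appetite, more risk could be taken"
    else:
        suggestion = "Tolerate (score matches appetite)"
    return {
        "risk": entry.risk,
        "score": product,
        "band": band,
        "appetite": entry.appetite,
        "action_needed": gap != 0,   # the deck's Step 4 rule
        "suggestion": suggestion,
    }


# Constructed sample register; the entries are illustrative, not from the slides.
SAMPLE_REGISTER = [
    RiskEntry("Compliance failure", "Possible", "High", "Zero"),
    RiskEntry("Lack of staff training", "Probable", "Medium", "Medium"),
    RiskEntry("Unsatisfactory funding", "Remote", "Low", "Low"),
]


def evaluate_register(register=SAMPLE_REGISTER) -> list:
    """Evaluate every row of the register and return the results in order."""
    return [evaluate(entry) for entry in register]


if __name__ == "__main__":
    for row in evaluate_register():
        print(f"{row['risk']:<24} score={row['score']} band={row['band']:<6} "
              f"appetite={row['appetite']:<6} action={row['action_needed']} "
              f"-> {row['suggestion']}")
```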

(105)
(106)

The Risk Process (identify, set appetite, assess, treatment, ongoing monitoring; diagram repeated, see slide 43)

(107)

ISO 31000 risk management process diagram (repeated; see slide 45)

Reproduced from ISO 31000:2009

(108)

A process to modify risk (ISO 31000)

Risk treatment (or response) involves:
– the selection of one or more options for modifying risks
– implementing those options
– the treatments then provide controls or modify current controls

Controls include any process, policy, device, practice or other actions which modify the risk

(109)

Risk treatment is a cyclical process:
– deciding whether the residual risk level is tolerable
– assessing the effectiveness of that treatment
– examining the cost and benefit of the treatment
– if not tolerable, generating a new risk treatment

(110)

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.

Information should include:
– a description of what the planned action is
– expected benefit(s) to be gained
– performance measurements and constraints
– accountabilities (risk owners and control owners)
– reporting and monitoring requirements
– resourcing requirements
– timing and scheduling

(111)

Treatment

Tolerate

Treat

(112)
(113)

Treatment - Step 4

4 T's: what treatment could you use?

Enter one or more of the following:
- Treat – fill in what you would do to treat
- Transfer – fill in what you would do to transfer
- Tolerate – fill in what you would do to tolerate

(114)
(115)

ISO 31000 risk management process diagram (repeated; see slide 45)

Reproduced from ISO 31000:2009

(116)

The Risk Process (identify, set appetite, assess, treatment, ongoing monitoring; diagram repeated, see slide 43)

(117)

A process not an event

T's • action plans & owners
Incidents • in line with appetite?
Reassess • once yearly

(118)

• ensure controls effective and efficient

• obtain information to improve risk assessment

• learn the lessons from events

– changes, trends, successes and failures

• detect change to internal or external context or

to the risk itself

• identify emerging risks

(119)

Key risk and control indicators

KRIs – metrics to help identify changes that could alter the overall assessment of key risk events

KCIs – metrics to help assess the effectiveness of key controls

(120)

Key risk indicators

For the case study provided, identify the metrics that were used or could have been used to indicate a change in the risk environment.

Key control indicators

For the case study provided, identify the metrics that were used or could have been used to measure the effectiveness of existing controls.

(121)

Define monitoring and review responsibilities

– risk owners

– control owners

– responsibility for the review of the whole process

How frequently should

– risks and their control measures be reviewed?

– the effectiveness of the ERM process be reviewed?

Benchmarking and maturity models

(122)

Business continuity management


(123)

ISO 31000 overview (principles, framework and process diagram repeated; see slide 20)

(124)

What is a risk management framework?

• a system of leadership, commitment and processes
• foundation for a mutual understanding – to communicate effectively
• an opportunity to gain commitment
• provides direction for all levels of management

Framework (Clause 4): mandate and commitment (4.2); design of framework for managing risk (4.3); implementing risk management (4.4); monitoring and review of the framework (4.5); continual improvement of the framework (4.6)

(125)

Group discussion

Think back to previous case histories discussed:
• why did the established control systems fail?
• what do the case studies tell us about the risk culture of the organisation?
• what are the critical factors for embedding risk management?

(126)

Embedding risk management

Visible commitment from the top
– articulated and endorsed through a policy and framework for managing risk
– lead through actions – risk-based decision making, aligned with strategic objectives
– clear understanding of the risks to the business; set risk tolerance and risk appetite
– active support and adequate resource for risk management initiatives
– assurance on status of key risks (KRIs) and controls (KCIs) sought and followed through

(127)

An organisational framework to ensure
– clearly defined responsibility and accountability
– training for all relevant stakeholder groups to raise awareness of benefits, establish responsibilities and improve skills in management of risk
– ownership clearly established for risks and key controls
– clearly defined lines for reporting and communication

(128)

Integration into management processes
– ensure the benefits for business and resource planning are clearly established through integration with the 'normal' business planning processes
– integrate into the performance management system and establish KPIs
– integrate with reporting and review systems, including internal audit
– include development of risk management skills within leadership and management development programmes

(129)

Purpose of a risk management policy

• clear and concise outline of the organisation's requirements
• providing uniformity and consistency in the risk management process across all operations
• provides a high level overview and description of the risk management process

(130)

The policy should be…

• developed and owned at board level
• developed with consideration as to how compliance with the policy will be monitored
• reviewed regularly
– annual review

(131)

Group exercise

• who are your key stakeholders?
• what do you hope the ERM process will deliver to you and to your key stakeholders?

(132)

So what will risk management do for me? 'The elevator pitch'

1. protection of company assets
2. improved stakeholder relationships
3. reduced volatility
4. better informed decision making
5. a framework for control

(133)

And finally…

"The greatest risk is to take no risk at all, because if we don't take risks there's no advancement, there's no progress and there's no profitability."

Kevin Knight, Chairman, ISO working group on risk management standards

(134)

ISO 31000 overview

Principles (Clause 3)

a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)

– Mandate and commitment (4.2)
– Design of framework for managing risk (4.3)
– Implementing risk management (4.4)
– Monitoring and review of the framework (4.5)
– Continual improvement of the framework (4.6)

Process (Clause 5)

– Communication and consultation (5.2), running alongside every step
– Establishing the context (5.3)
– Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
– Risk treatment (5.5)
– Monitoring and review (5.6), running alongside every step

(135)

• Fundamentals of Risk Management

• International Certificate in Risk Management

– leads to Certificate membership grade

• International Diploma in Risk Management

– leads to Member grade of the IRM

– Fellowship of the IRM is achieved through continuing professional development

• Specialist subjects

– risk management in financial services

– business continuity and crisis management

– information systems risk

(136)

References and further reading

• Paul Hopkin, Fundamentals of Risk Management (IRM / Kogan Page), £35.00, ISBN 978-0-7494-5942-0

• British Standard BS 31100 (2008) Risk management – Code of practice, www.standardsuk.com

• COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org

• Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk

• Institute of Risk Management, A Risk Management Standard (2002), www.theirm.org

• International Standard ISO 31000 Risk management – Principles and guidelines, www.iso.org

• ISO Guide 73 (2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org

• British Standard BS 25999-1 (2006) Business continuity management – Code of practice, www.standardsuk.com

• HM Treasury (2004) The Orange Book: Management of Risk – Principles and Concepts, www.hm-treasury.gov.uk

• International Standard IEC/FDIS 31010 (2009) Risk management – Risk assessment techniques, www.iso.org

• Institute of Internal Auditors (2004) The Role of Internal Auditing in Enterprise-wide Risk Management, www.theiia.org

• Office of Government Commerce (2007) Management of Risk: Guidance for Practitioners, www.tsoshop.co.uk

(137)
(138)

Identify: Objectives, Tools

Set appetite: Zero, Low, Medium, High

Assess: Impact, Likelihood

Treatment: Tolerate, Treat, Transfer, Terminate

Ongoing monitoring: Audit & Report, Incidents, Re-assess

(139)

Tutor

John Crawley

john@TheFinanceExpert.ie

+353 1 210 4753

www.TheFinanceExpert.ie

LinkedIn

Tweet: @AFinanceExpert

(140)

Thank you

(141)

Bow tie analysis

Causes (left-hand side): Underlying threats → Immediate threats → Control measures

Event (the knot of the bow tie)

Consequences (right-hand side): Recovery measures → Immediate consequences → Ultimate consequences
