1. Enterprise Risk Management
Session B8
Thursday, May 1st, 2014
11:30 – 12:45
David Fernandes
Incorporating a Risk Management Strategy Throughout the Organization
2. YOUR EXPECTATIONS
Session B8 Slide #2
• How many in the Audit Department? <5, <10
• What do you want to get out of this presentation?
• Is there any Risk Management program currently in place?
• Who owns “Risk” in your company? Board? Management? Legal?
• When do you want to have an ERM solution in place?
4. TOPICS
• Developing a Risk Management Strategy
• Integrated Approach to Risk Management
• Establishing a Risk Management Committee
• Managing Risk
• Creating an Enterprise Risk Assessment
• Setting up a Control Monitoring Process
• Risk Management and Internal Audit
6. Developing a Risk Management Strategy
Management – the act or skill of controlling and making decisions about a business or department.
Strategy – a careful plan or method for achieving a particular goal, usually over a long period of time.
Risk – the chance of loss or the perils to the subject matter of an insurance contract; also, the degree of probability of such loss.
7. Developing a Risk Management Strategy
• Risk Identification:
– Identify foreseeable risks which could affect objectives, their cause(s) and possible effect(s).
• Risk Assessment:
– Establish the likelihood of occurrence and impact for each identified risk, prioritize risks for further attention, group risks into categories to identify hotspots of risk exposure or common causes, and analyze the combined effect of risks on corporate goals and objectives.
• Risk Management:
– Define the scope and objectives of the risk process, describe the techniques and tools to be used, state the thresholds of acceptable risk to the various stakeholders, detail roles and responsibilities, etc.
• Risk Response:
– Consider the response to each risk, select a strategy which is appropriate, achievable and affordable, and delegate each task or activity to an owner.
• Risk Monitoring:
– Ensure that agreed actions are implemented effectively, monitor the effect on risk exposure, and communicate risk information to stakeholders with appropriate detail and frequency.
• Risk Review:
– Update the risk process to assess the status of existing risks, determine the effectiveness of agreed responses, identify emerging risks, and review the Risk Management Strategy.
8. Developing a Risk Management Strategy
A Risk Management Strategy (RMS) provides a structured and coherent approach to identifying, assessing and managing risk. It builds in a process for regularly updating and reviewing the assessment based on new developments or actions taken.
The process of identifying and reviewing the risks that a business faces is known as Enterprise Risk Assessment (ERA).
The assessment of potential risks enables the company to:
• be aware of where uncertainty surrounding events or outcomes exists, and
• identify the necessary steps that should be taken to protect the company.
A Risk Management Strategy can be developed and implemented by even the smallest of groups or projects, or built into a complex strategy for a multi-site international organization.
11. Integrated Approach to Risk Management
Integrative Risk Management starts with the premise that no measure of exposure can be taken in isolation. It is a view that is well established in a corporate context, with stress being placed on a more holistic understanding of Integrated Risk Management.
Integrated Risk Management is different from traditional management as it allows us to examine what is missing in the normal business process, and why those missing elements expose us to risk.
Integrated Risk Management encourages better up-front planning and allows us to determine if our policies and capabilities are well aligned to the strategy we desire to execute.
12. Integrated Approach to Risk Management (diagram slide)
13. Integrated Approach to Risk Management
Diagram: Risk Updates / Assessment: risk resources across different functions and business processes; red flags, mitigating controls, and detection procedures.
Risk and Controls: become aware of function-specific risks and implement adequate risk controls.
Learn About the Business: save time and quickly create customized control questionnaires on key business risks.
Control environments include: General IT, Operational, Finance, Human Resources, Business.
14. Integrated Approach to Risk Management
Right Sized Technology Adds More Business Value
Reduces Complexity and Increases Adoption & Usage
Risk register template (columns grouped by step):
Step 1: Risk Identification: List of Possible Risks
Step 2: Risk Assessment: Likelihood (H/M/L); Impact (H/M/L); Level of Risk
Step 3: Risk Management: What are we already doing about it? (mitigating factors); What more can we do about it?; Timescale; Person Responsible; Reviewed
15. Integrated Approach to Risk Management
Cycle diagram:
• Identify, assess, and prioritize business risks
• Analyze key risks and current capabilities
• Develop connected, transparent action plans with measurable metrics
• Enable mitigation through triggers and focused reporting
• Simplify management strategies to vital risks
• Measure, monitor, & report risk management performance
• Summarize results & integrate with Risk Mitigation processes
• Business Goals, Objectives & Strategies: integrate with decision-making processes
16. Integrated Approach to Risk Management: Some Challenges
• Building blocks of processes, roles and technologies were not properly established.
• Management does not fully understand or accept their critical role and responsibilities.
• Risk that the project will not achieve the desired outcomes.
• Business owners fail to see the value of the process and terminate the audit program.
• Obtaining a complete and controlled population of data required to support a specific test.
Companies face a wide array of risks. A common challenge: how can you identify and prepare for major risks to your business?
17. Incorporating a Risk Management Strategy
Most executives focus their risk assessment and management efforts primarily on financial and compliance risks.
A Risk Management Strategy that fails to simultaneously identify and address the entire range of major risk types puts the company in danger.
19. Establishing a Risk Management Steering Committee
Risk Management is the responsibility of every employee of the University. Different stakeholders have different objectives and levels of accountability with respect to risk management. An effective risk management framework includes a comprehensive and defined accountability for risks, controls and risk treatment tasks. The risk management framework documents the roles and responsibilities of the various components of a risk management process.
20. Establishing a Risk Management Steering Committee
• Develop a framework for assessing different levels of audit analytic techniques and associated benefits.
• Define progressive levels to evolve its use of Data / Business Analytics.
• Identify the building blocks (People, Process and Technology) that must be in place to optimize benefits.
• Understand, plan and communicate what needs to be done to achieve and increase benefits.
• Establish a proactive and comprehensive view for effective ERA and ERM.
21. Establishing a Risk Management Steering Committee
Make-up of the committee?
o Members from the Senior Management Team (Board of Directors, Audit Committee, C-Suite)
What are the committee’s core responsibilities? The committee has three primary responsibilities:
o Establish a risk management program,
o Implement an annual risk assessment,
o Identify the organization’s exposures, and
o Develop a risk control program.
What are the main steps in creating a risk management program?
o Identify and analyze risks (exposures),
o Prioritize risks and communicate the appropriate risk management plan,
o Implement the risk management plan, and
o Monitor and update the plan as needed.
23. Managing Risk
Risk Avoidance
An organization decides to avoid the risk altogether by not entering into the activity or providing the service. This may be possible for some types of activities carried out by the organization, but usually not core activities.
Risk Control
An organization decides to continue the activity which creates the risk, but to manage it so that it will be less likely to occur and less damaging if it does occur. If an activity is central for an organization, then it will need to identify what standards of staff and volunteer training are needed to carry out the activity and what good practice policies must be adhered to. There must be clear record keeping in order to ensure that it is clear that the organization met the good practice requirements laid down in its policy. Good governance is important here too, as the Management Committee will need to understand the risks and the control strategies in place. Having a skilled board with an understanding of accounting law, management, etc. is part of a good risk control strategy.
Risk Transfer
An organization decides to have a third party perform the risky activity or to transfer the consequences of the risk to another person or organization. This can be through insurance, indemnity, exemption from liability or through transferring the activity to another organization.
Mitigating Factors
These are the things which are done to reduce risk. Some of these are internal, i.e. within the control of the organization, and some are external, i.e. they may be regulatory or imposed by funders. Some of these are in place already, and it is important to take account of these in planning risk management.
25. Creating an Enterprise Risk Assessment
Risk Catalog, by Risk Area: Business Risk, Organizational, Strategic Risks, Financial Risks, Operational Risks, Legal & Compliance Risks, IT & Systems Risks.
Web-based Risk Survey: design a web-based risk assessment survey that requires participants to assess each risk using critical criteria:
• Impact – How significant is this risk to the business?
• Likelihood – How likely is this risk to come to pass?
• Trending and Velocity – If the risk comes to pass, how quickly will it impact the company?
Risk Committee: guidance on risk selection and participants.
• Consolidate and analyze the responses of your survey.
• Prepare a detailed and comprehensive report.
• Include heat maps.
Board Presentation: present graphs for
• Top 5 risks by impact, likelihood and velocity
• Top 5 risks for each category, e.g. Business, Financial, Operational, etc.
26. Creating an Enterprise Risk Assessment
Risk catalog excerpt, category Business Risk. Columns: #, Ref, Risk & Definition, Corporate Average – Significance, Corporate Average – Likelihood, Trending.
1 B1 Business Interruption / Service Failure (Corporate Average: Significance 3.7, Likelihood 2.0)
• The company's capability to continue critical operations and processes is dependent on availability of energy, information technologies, skilled labor, etc.
• Critical resources are not available, causing the company to experience difficulty in continuing profitable operations.
• A major disaster, such as fires, earthquakes, explosions, floods or terrorism, threatens the company's ability to sustain operations, provide essential products and services or recover operating costs, i.e. a disaster impacts the ability to support customers.
• Physical Risks: a disaster or extreme weather conditions impact the ability to support customers, e.g. tsunamis, fires, earthquakes, explosions, floods.
• Regulatory / Legal: changes in government laws, e.g. nationalization, import taxes / bans, energy supply, impact the company's ability to sustain production.
2 B2 Business Portfolio / Mergers / Acquisitions (Corporate Average: Significance 3.0, Likelihood 2.4)
• The "due diligence" process is flawed and underlying business performance is not as presented by the buyer.
• The company does not negotiate appropriate risk mitigation processes in the deal document.
• Merger or acquisition activity results in inconsistent financial processes, lacks operational synergies or has a fragmented IT structure.
• Non-delivery of expected synergy benefits / cost savings, loss of market / customer focus during the integration process and loss of key employees during the integration process.
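As an added example (not part of the deck), the consolidation step from the survey slide and the "Corporate Average" columns of this catalog, in Python: constructed survey responses are averaged per risk, ranked top-N by impact, likelihood or velocity overall and per category, and bucketed into the quadrants of a significance/likelihood heat map. Refs B1 and B2 follow the catalog; the other refs, the participants, all scores and the 3.0 quadrant threshold are assumptions made up for this example.

```python
from collections import defaultdict
from statistics import mean

# Constructed survey responses: (participant, risk ref, category, impact, likelihood, velocity),
# each criterion scored 1 (low) to 5 (high) like the 1.0-5.0 axes of the deck's heat map.
# B1/B2 follow the catalog; the remaining refs and every score are made up for this example.
RESPONSES = [
    ("p1", "B1", "Business", 4, 2, 3), ("p2", "B1", "Business", 3, 2, 4),
    ("p3", "B1", "Business", 4, 2, 3),
    ("p1", "B2", "Business", 3, 3, 2), ("p2", "B2", "Business", 3, 2, 2),
    ("p1", "F1", "Financial", 5, 4, 5), ("p2", "F1", "Financial", 4, 4, 4),
    ("p1", "SM1", "Sales & Marketing", 2, 5, 1), ("p3", "SM1", "Sales & Marketing", 3, 4, 2),
    ("p2", "T3", "Technology", 4, 3, 5), ("p3", "T3", "Technology", 5, 3, 4),
]


def consolidate(responses):
    """Average each criterion per risk: the catalog's 'Corporate Average' columns."""
    buckets = defaultdict(lambda: {"impact": [], "likelihood": [], "velocity": []})
    category = {}
    for _, ref, cat, imp, lik, vel in responses:
        buckets[ref]["impact"].append(imp)
        buckets[ref]["likelihood"].append(lik)
        buckets[ref]["velocity"].append(vel)
        category[ref] = cat
    return {
        ref: {"category": category[ref], "n": len(v["impact"]),
              **{k: round(mean(scores), 1) for k, scores in v.items()}}
        for ref, v in buckets.items()
    }


def top_n(averages, criterion, n=5, category=None):
    """Top-N risk refs by one criterion, optionally restricted to a single category."""
    rows = [(ref, a) for ref, a in averages.items() if category in (None, a["category"])]
    rows.sort(key=lambda r: (-r[1][criterion], r[0]))  # highest score first, ref as tie-break
    return [ref for ref, _ in rows[:n]]


def heat_map_zone(avg, threshold=3.0):
    """Quadrant of the significance/likelihood heat map the averaged risk falls in."""
    high_impact = avg["impact"] >= threshold
    high_likelihood = avg["likelihood"] >= threshold
    if high_impact and high_likelihood:
        return "hotspot"
    if high_impact:
        return "high impact / low likelihood"
    if high_likelihood:
        return "low impact / high likelihood"
    return "low"


if __name__ == "__main__":
    avgs = consolidate(RESPONSES)
    for ref, a in sorted(avgs.items()):
        print(ref, a, heat_map_zone(a))
    print("top by impact:", top_n(avgs, "impact"))
    print("top Business risks by likelihood:", top_n(avgs, "likelihood", category="Business"))
```

With these inputs B1 reproduces the catalog's 3.7 / 2.0 averages; the per-category ranking feeds the "Top 5 risks for each category" graphs.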
27. Creating an Enterprise Risk Assessment (chart slide)
28. Creating an Enterprise Risk Assessment
Heat map of Total Company Responses: Significance versus Likelihood, each axis 1.0 to 5.0, risks colored by category (Business, Technology, Manufacturing, Information Technology, Finance, Organizational, Sales & Marketing); labelled points include SM1, SM2, SM4, T3 and M5.
29. Creating an Enterprise Risk Assessment (chart slide)
31. Setting up a Control Monitoring Process: DEEPER
• Do not over-react to the initial wave of responses to your risk assessment; these will probably have some “white noise.”
• Establish the facts. Interview.
• Effective leadership is to create an environment where people are encouraged to identify risks and possible solutions.
• Pay attention to the detail: not getting lost in the weeds, but being able to sift the wheat from the chaff.
• Evaluate all outcomes and alternatives.
• Revisit the directives given to make sure they were executed.
Ownership: ERM belongs to the leadership team, not consultants.
Responsibility: belongs to everyone.
Fact: ERM only works when the bad news is faced up to and dealt with, not punished nor rationalized.
32. Setting up a Control Monitoring Process
Assigning responsibilities is an integral part of monitoring risk:
• Role of the executive committee
• Risk Champion / Sponsor
• Unit responsible for risk mitigation
Risk assessment and monitoring techniques
Methods for assessing and monitoring risks assist managers in identifying where they should focus their energies and resources:
• Workshops
• Questionnaires
• Control self-assessment
• Identification templates
• “Bottom up” risk assessments
35. Risk Management and Internal Audit
36. Risk Management and Internal Audit: risk tolerance scale
Financial Stability
• No Tolerance: oversight concern for financial integrity; budget overshot; credit ratings downgraded.
• Serious Concerns: financial statements subject to strong audit comment; not within budget; threats to credit rating.
• Moderate Concern: audit comments on financial reports; budget pressures appearing.
• General Tolerance: financial reporting sound; positive audit reports; within budget.
• Highest Tolerance: sound balance sheet; within budget; strong credit rating.
Staff Engagement
• No Tolerance: major staff morale and commitment problems now a persistent pattern; attrition is so great that replacements cannot be found and turn away offers; grievances preoccupy the organization and threaten to move into arbitration.
• Serious Concerns: staff morale showing a strong downward trend over many months; attrition generally across the organization creating operational pressure; grievances are increasing and more pervasive.
• Moderate Concern: staff surveys report staff concern about their alignment to organizational goals; attrition increasing, but in isolated areas; grievances show an increasing pattern.
• General Tolerance: staff commitment reported positive; attrition within acceptable and replaceable range; grievances occurring but not in large numbers.
• Highest Tolerance: staff report high level of commitment to work, a multi-year pattern; very low level of attrition; low level of internal grievances.
37. Risk Management and Internal Audit
• Tone from the Top: present risks to the Risk Committee for their consideration.
• Acceptance: the Risk Committee formally accepts the risks to the organization.
• Clarification: review the organization’s core values and identify adverse risks.
• Training: address challenging issues associated with risk perceptions.
• Identification: clarify the Company’s core values for the organization and
• Communication: include appropriate sharing of information and of concerns.
• Assessment: assign priorities to top risks and integrate these into existing operational plans.
• Leadership: demonstrate the ability to innovate and motivate your partners.
5. Dilbert – The Vicious Cycle, It's Called Managing and Documented Process (video)
Workshops. Organizations are starting to develop risk-focused facilitated workshops that help operating personnel determine and prioritize their objectives and identify and assess risks.
Questionnaires. Operating units are tasked with completing questionnaires on objectives and risks. For example, managers may annually update risks and progress on managing them.
Self-assessment. Managers self-assess with support from Audit, Finance and an external accountant.
Risk identification templates. Business units are given templates that assist them in identifying and evaluating risks during their business planning process.
“Bottom up” risk assessments. Operating managers identify and evaluate risks, which are then rolled up at the corporate level.