Arthur J Gallagher: One of the world’s largest insurance brokerage and risk management services organisations. It has operations in 15 countries and does business in over 100 countries around the world through a network of correspondent brokers and consultants.
Gallagher Bassett Services: The world’s largest Third Party Administrator. We service more than 3,300 clients worldwide through more than 100 branches and 4,000 skilled professionals.
Gallagher Bassett UK: Founded in 1991, we have over 200 staff within 8 offices around the UK.
Risk control is an essential and valuable element of our service offering. Our services have been developed in direct response to the needs of our clients and include:
- Risk reviews to measure, assess and provide assurance on the adequacy of significant control processes and an action plan for improvement.
- Training to help raise awareness, develop skills and embed change.
- Development of policy to provide a framework and guide to drive continuous improvement and change.
We provide risk management services across all industries including public, private, blue chip, financial, charities (not-for-profit), logistics etc., both nationally and internationally.
Tutor Note – Slide not in tutor workbook. You may wish to show this slide of ‘old’ disasters while discussing these points. NB this slide is not in the delegate workbook.
Photos show:
- Exxon Valdez oil tanker disaster
- Piper Alpha
- Bhopal
- Chernobyl
- Herald of Free Enterprise
- BSE (John Gummer feeding a beef burger to his 5 year old)
DISASTER IS NOT ALWAYS TO DO WITH FINANCIAL FAILINGS
Global development of corporate governance requirements can be crudely divided into those countries that have opted for a principles based approach (including the UK, Europe, Australia and New Zealand) and those adopting a more prescriptive or rules based approach (notably the US, Canada and Japan).
Principles based approach
This has been described as a ‘comply or explain’ approach in which principles are set but boards have flexibility in their application. As such they can decide to take another route but must explain why they have done so. Supporters of this approach argue that more considered judgement must be applied and that it avoids a ‘one-size-fits-all’ mentality of compliance for compliance’s sake rather than doing what is right for the business.
Prescription based approach
This approach has been driven by the introduction in the US in 2002 of the Sarbanes-Oxley Act (SOX). This was a direct response to the scandals of Enron, WorldCom and Xerox. SOX focuses largely on financial control, disclosure and a system of certification of the accounts by the CEO and CFO. More rigid and prescriptive, it has been described as a ‘comply and sign’ approach. Supporters argue that this approach provides less opportunity for unscrupulous directors to defraud or mislead, as the rules are clearer than under the principles based systems.
On the following slides we take a very brief look at some of the main codes in operation across the globe.
The relationship between objectives and the 8 components of the ERM framework is sometimes depicted as a cube. The four objective categories are represented by vertical columns, the eight components by horizontal rows and the organisation’s operating units by the third dimension.
The British Standard came into effect on 31st Oct 2008. It states that risk management is as much about exploiting potential opportunities as preventing potential problems. The model presented provides at the core a framework & process to manage risks. The outer rings contain the context (in which the organisation operates), the organisation itself and the culture. It has been drafted to be consistent with the other standards listed (including the new ISO), and the risk management framework and process described can be easily mapped to the other standards. For more information and to purchase a copy go to the British Standards website www.bsi-global.com
Tutor note – A copy of the BS is in the Essential Reading folder.
The ISO was published in November 2009. It draws on all previous standards but most closely resembles the Australian / New Zealand standard. As with the British Standard, the ISO sets out:
- Principles for managing risk
- A framework within which risk can be managed
- A process (see above)
For a copy of the Draft ISO and to keep apprised of progress go to the ISO website www.iso.org
Tutor note – Copy in the Essential Reading folder.
The process is identical to that set out in the Australian standard and very similar to the British standard and COSO framework. It identifies five ‘activities’ that are required to manage risk. In gaining an understanding of HOW to manage risk we will look in detail at each of these five activities.
Activity 1. Consult & Communicate with Internal & External Stakeholders
– Help define context (activity 2.)
– Ensure interests understood & considered – risk perception gaps between stakeholders addressed
– Bring expertise together – may not understand implications in terms of legal or practicality issues
– Enhance change management – gets buy-in from the start, not after you have designed the process
– Secure support for risk treatment – if they buy into the fact that they may need to do something, then when they are told what that something is, it is more likely that they will agree to act.
REMEMBER YOUR STAKEHOLDERS MAY HAVE A DIFFERENT VIEW OF THE RISK. YOUR PARTNERS MAY HAVE DIFFERENT OBJECTIVES AND AGENDAS.
Activity 2. Establishing Context
• Context of risk management process (What environment do you work in and still need to achieve objectives?)
– Internal – what is it that your organisation exists for (objectives), what funds / resources do you have to assist the risk management process, etc.
– External – what external drivers, like politicians or legal issues, could affect your ability to achieve objectives
– Risk management process – what is its scope, what risk assessment process is used, how should you work with other departments, etc.
• Developing risk criteria – categories of risk covered (threats or threats + opps), how risk is measured (likelihood x impact), at what level the risk is acceptable, what about multiple/combined risks
Establishing the context is largely about understanding the organisation and the environment within which it is operating.
ASK ATTENDEES TO WRITE DOWN THREE OR FOUR FACTS ABOUT THE CONTEXT OF THEIR AUTHORITY – DISCUSS BRIEFLY
In summary: • Total incoming resources increased by 16% (2008 - 9) to £139 million. The NHS contribution increased from 41% of the cost of the nursing service to 54% with the remainder being met from charitable funds.
Hospices
Marie Curie operates a network of hospices across the UK which provides a full range of palliative care services including in-patient care, daycare activities, outpatient services and homecare visits by specialist staff. The charity receives funding from the NHS with the balance raised from charitable donations.
Marie Curie Nursing Service
Marie Curie operates a nursing service which cares for people in their own homes. Marie Curie works in partnership with the NHS and has contracts with more than 180 NHS Primary Care Trusts and Local Health Boards, covering virtually every part of the UK. The charity receives funding from the NHS with the balance raised from charitable donations.
Research and Development
The charity carries out and funds research into better ways to care for patients with terminal illnesses. The charity provides funding for palliative care research to two Marie Curie institutes which are based in University College London (UCL) and the University of Liverpool and for other projects in collaboration with other research funding bodies.
Plan works with more than 3,500,000 families and their communities each year. Plan is independent, with no religious, political or governmental affiliations. Plan's work is made possible thanks to nearly 1,100,000 people in 18 donor countries who support them by sponsoring a child. An average 80% of donations goes directly to support programmes benefiting children and families. Plan's income stood at €468,000,000 in 2008-2009. More than 70% of Plan’s income comes from child sponsorship. Plan also receives funds from other sources, including grants, which make up an increasing proportion of their income.
Plan's work to promote child rights and lift millions of children out of poverty is based around 8 core areas:
- Education: Plan helps children, young people and adults to get the knowledge and life skills they need to realise their full potential.
- Health: From supporting immunization programmes to training volunteers on strategies to combat malaria, Plan's health programmes help to save thousands of children's lives every year.
- Water and sanitation: We work with communities to improve access to safe drinking water and to raise awareness of the importance of sanitation.
- Protection: Violence against children is widespread and has a devastating impact - threatening children's survival, development and participation in society.
- Economic security: Plan helps families to achieve financial stability so they can provide for their children and plan for the future.
- Emergencies: From providing disaster relief to running recovery projects, Plan works to protect the rights of children and young people during emergencies.
- Child participation: Plan helps millions of children to learn about their rights and take an active role in their communities’ development.
- Sexual health, including HIV: Plan's awareness-raising and direct response programmes help to empower children and young people so that they can protect themselves.
The risks facing an organisation and its operations can result from factors both external and internal to the organisation and will sometimes be a mixture of both. They can be categorised further into types of risk such as strategic, financial, operational, hazard etc. Events such as a rise in interest rates, the introduction of new regulations, new or improved products, changing customer tastes, and changes in weather patterns are all examples of external drivers of risk. Risk drivers can also be primarily internal to the organisation, for example, issues of recruitment and retention, sickness absence rates amongst employees, failures of information and data storage, adequacy of financial controls, security of buildings, focus on research and development.
Activity 3. Risk Assessment
Risk Identification
– What might happen (the event)
Risk Analysis
– How likely is it to happen
– If it does, what might the impact be
Risk Evaluation
– So what!
– Is it within our risk tolerance?
Many tools to use, including Risk Registers etc., to assess risks
IEC 31010:2009 is a dual logo IEC/ISO, single prefix IEC, supporting standard for ISO 31000 and provides guidance on selection and application of systematic techniques for risk assessment.
Too little control & ignorance results in:
– Damaging loss
– Unnecessary waste
– Ill prepared and open to surprises
Over control and obsession results in:
– Suppression of innovation & creativity
– Missed opportunities
– Unnecessary expense
Object is NOT to eliminate risk.
4T’s: Terminate or Tolerate, Treat or Transfer – different means.
Risk Appetite – amount of risk prepared to take to achieve objectives. Actively pursuing appetite to achieve objectives will influence the risk treatment used.
Risk Tolerance – max risk that can be taken before distress. Acknowledging tolerance will influence the type of risk treatment selected.
The gap between the two creates a buffer to prevent distress and achieve objectives in a changing world. If appetite runs right up to tolerance, you can flip from one to the other very quickly, but the gap can be used to be more flexible in the way risk treatment is used / selected.
Remember: Policies and Procedures are NOT risk control / risk treatment on their own. The steps you take to ensure policy and procedures are working are the control / risk treatment.
Key Risk Indicators – detect changes in the internal and external environment that may alter the likelihood or impact of a key risk (e.g. warnings from independent bodies that risks are changing, such as the Foreign Office on other countries, or the ABI on Directors’ pay 2002 / 2003 / 2004 / 2005, or HR notifying risk of losing skilled staff to a neighbouring organisation).
Key Control Indicators – ensure control and treatment measures are effective (e.g. Hot Permit to Work, anti-fraud procedures, Internal Control / governance procedures, etc.).
Measure maturity of the existing risk management system in terms of knowledge, application, effectiveness etc.
PwC 2008 report – “Just 37% of nearly 100 senior executives of major multinational plc’s said their companies link risk indicators to corporate performance indicators”. Read that two ways: they don’t think it relevant to their business OR they haven’t placed enough emphasis on Risk Mgt. What do you think?
Education Programmes for RM: Training for Tomorrow’s Professionals – Our Experience
Carl Dunckley, Risk Control Manager
IDRC 2010 Special Session: 6.6, Wednesday 2nd June 2010
Company Background
- Insurance Broker and Risk Management Services. Founded: 1927. Employees: 9,000 (approx.)
- Claims Management, Information Management, Risk Control and Appraisal Services. Founded: 1962. Employees: 4,000 (approx.)
Adverse Headlines… Damaging Reputation
- NGO chief arraigned on 177m/- fraud charges in Manyara
- Children in French NGO scandal to rejoin families
- NGO porn scandal shocks Batti, Ampara
- Scandal of 'phantom' aid money
- Red Cross Scandals Tarnish Relief Efforts
- The Swedish Red Cross Scandal
Risk Contexts (diagram; labels: INTERNAL, EXTERNAL): Organisational structures and activities; Resources; Culture; Power relationships; Risk cognition (perception); Strategy; Motivations; Meanings of success; Economies and markets; Government policy; Regulations and standards; Social, cultural and political climate; Physical conditions; Technology; Physical climate.