Risk Management - Intro
Introduction to Corporate Risk Management
Transcript

  • 1. Corporate Risk Management: Introduction (Anwar S)
  • 2. Understand Risk - Intro
    Diagram: IT Risk, Risk Management, IT Value, Risk & Opportunity, Value Management, IT Event, IT Process Management, IT Governance.
    Managing risk not only reduces the negative impact of technology but also increases its positive impact for the business.
  • 3. Understanding Risk
    ISO 31000:2009 defines risk as "the effect of uncertainty on objectives":
    • A deviation from the expected, positive and/or negative
    • A deficiency of information relating to an event, its consequence, or its likelihood
    • Can have different aspects, e.g. finance, safety, environmental goals
    • Can apply at different levels, e.g. strategic, department, project
    Three questions to ask: What can go wrong? How likely is it? What are the consequences?
  • 4. Registering Risks: Risk Register Minimum Records
    Each entry records at least:
    • A source of risk (hazard)
    • An event (including when and where)
    • An outcome (consequence)
    • A cause (how and why)
    Examples:
    • Source: Fire; Event: Fire at head office; Outcome: Estimated cost 100 million dollars; Cause: Short circuit
    • Source: Virus H1N1; Event: Pandemic; Outcome: Operations interruption; Cause: Employees contract the virus
  • 5. Risk Key Elements
    • RISK CAUSE: something that leads to the source of risk, to an exposure to it, or to a risk event. A cause can also be called a contributory factor, particularly when it does not necessarily result in the risk occurring but increases its likelihood.
    • RISK FACTOR: something that makes the magnitude of risk (likelihood or consequence) higher or lower without being specifically a cause. It may also be called a vulnerability.
    • CONTROL FAILURE: can be considered an uncertain event with an outcome that affects objectives. However, a control failure only becomes a problem if there is a source of risk and an event occurs, i.e. it is a conditional risk.
  • 6. Measuring Risk
    The level of risk (magnitude of a risk) is determined by the likelihood of occurrence and the consequence of an event. Risk is often expressed in terms of the consequences of an event or a change in circumstances and the associated likelihood of occurrence.
  • 7. Evolution of Risk Management
    The Past - Risk Management as Compliance:
    • Identify problems
    • Rank them
    • Demonstrate every risk has a control (usually a standard procedure)
    • Monitor controls
    The Present - Risk Management to Prioritise Problems:
    • Identify problems
    • Rank them
    • Check if the level of risk is above the target level (qualitative)
    • Implement improved controls starting from the highest risks
    • Monitor implementation
    The Future - Risk Management as Business Optimisation:
    • Identify potential problems and opportunities
    • Understand causes and factors which affect likelihood and consequence
    • Optimise treatment considering the effectiveness of current and proposed controls, causal factors, costs and benefits of treating the risk, and costs and benefits of taking the risk
    • Treat according to risk appetite
    • Monitor and feed back
  • 8. Risk Management Process
    • Establishing the context
    • Risk assessment: risk identification, risk analysis, risk evaluation
    • Risk treatment
    Communication and consultation, and monitoring and review, accompany all of these steps.
  • 9. ISO 31000:2009 - Relationship between the Principles, Framework and Process
    Principles (Clause 3):
    a) Creates value
    b) Integral part of organizational processes
    c) Part of decision making
    d) Explicitly addresses uncertainty
    e) Systematic, structured and timely
    f) Based on the best available information
    g) Tailored
    h) Takes human and cultural factors into account
    i) Transparent and inclusive
    j) Dynamic, iterative and responsive to change
    k) Facilitates continual improvement and enhancement of the organization
    Framework (Clause 4):
    • Mandate and commitment (4.2)
    • Design of framework (4.3)
    • Implementing risk management (4.4)
    • Monitoring and review of the framework (4.5)
    • Continual improvement of the framework (4.6)
    Process (Clause 5):
    • Communication & consultation (5.2)
    • Establishing the context (5.3)
    • Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
    • Risk treatment (5.5)
    • Monitoring & review (5.6)
  • 10. ACME Enterprise Risk Management (ERM) Activities (Example)
  • 11. Managing Risks is a Shared Responsibility
    ERM activity objectives:
    • To ensure that risk owners at department/division (business unit) level understand the risks surrounding their department and take the appropriate risk mitigation actions for those risks
    • To keep the company risk profile current, which includes updating existing risk ratings and identifying new risks, so that the result can serve as a tool for management in the business decision-making process
    • To ensure the information on risks and their mitigation controls is properly documented
    Business unit roles (risk owners): update the risks and identify new risk drivers (i.e. what triggers things to happen) for their department/division, and update their risk mitigation action plan.
    Risk management unit roles:
    • Facilitate and assist the risk owners with the framework and the process
    • Communicate and report the results of ERM activities to Management, the Board of Directors and the Board Audit Committee
  • 12. Criteria of Likelihood
    Band           | General description                                            | Estimated frequency                 | Estimated probability
    Rare           | Event may occur in exceptional circumstances only              | Once every 5 years                  | < 10%
    Unlikely       | Expected to occur less frequently                              | Once every 3 years                  | 10% to < 25%
    Moderate       | Event might occur at some time                                 | At least once in the next 12 months | 25% to < 50%
    Likely         | Event has happened before and will probably occur again        | Several times in a year             | 50% to < 75%
    Almost Certain | Event is common and is expected to occur in most circumstances | At least monthly                    | > 75%
  • 13. Criteria of Impact (bands given in order: Insignificant / Minor / Moderate / Major / Catastrophic)
    Disruption to service:
    • Localised*: < 1 hour / 1-4 hours / 4-10 hours / 10-48 hours / > 48 hours
    • Regional*: 0-15 min / 15 min-1 hour / 1-4 hours / 4-10 hours / > 10 hours
    • Nationwide*: nil / 0-15 min / 15 min-1 hour / 1-4 hours / > 4 hours
    Injuries: Nil / Minor injury, minor treatment (first aid) / Minor injury requiring outpatient treatment / Extensive bodily injuries or permanent disability, hospitalisation required / Death, or extensive bodily injuries or permanent disability requiring hospitalisation
    Financial** (variance against targets/budget financial indicator): < 1% / 1% to < 5% / 5% to < 10% / 10% to < 15% / ≥ 15%
    Aggregate loss p.a. against gross revenue: < 0.25% / ≥ 0.25% and < 0.5% / ≥ 0.5% and < 1% / ≥ 1% and < 2% / ≥ 2%
    Customer: Complaints generally restricted to hotline/emails / Complaints generally restricted to hotline/emails / Complaints include negative posts online (e.g. blogs, twitter, YouTube etc.) / Widespread negative publicity online (e.g. blogs, twitter, YouTube etc.) / Widespread negative publicity online (e.g. blogs, twitter, YouTube etc.)
    Reputation (estimated time to restore reputation): 1 week / 3 months / 6 months / Corporate image significantly affected, 1 year / Long-standing reputation damage, criminal prosecutions, political intervention
    Media attention: None / Media enquiries only / One-off newspaper article, radio, television or online mention / Sustained media attention for > 3 days / Sustained media attention for > 5 days
  • 14. Risk Rating Matrix
    Likelihood \ Impact | Insignificant | Minor    | Moderate    | Major       | Catastrophic
    Almost Certain      | Moderate      | Moderate | Significant | High        | Extreme
    Likely              | Moderate      | Moderate | Significant | High        | High
    Moderate            | Low           | Moderate | Significant | Significant | High
    Unlikely            | Low           | Low      | Moderate    | Significant | Significant
    Rare                | Low           | Low      | Moderate    | Moderate    | Significant
    What each rating means:
    • Extreme: Board attention is required. Immediate action by the Board with detailed research and a management risk treatment plan.
    • High: Board attention is required. Senior management responsibility specified. Risk must be managed by senior management with a detailed risk treatment plan.
    • Significant: Senior management attention required. Management responsibility specified. Risks should be treated using one or more of the risk treatment options.
    • Moderate: Management attention required. Management responsibility specified. Risks should be treated using one or more of the risk treatment options.
    • Low: Risk is accepted with minimal treatment and can normally be managed using existing routine procedures. Low risks need to be monitored and periodically reviewed to ensure they remain acceptable.
  • 15. Criteria of Risk Treatment Measures
    Effective:
    • > 75% of necessary/identified risk treatment measures are implemented
    • Significant attention to the risk exists
    • Current risk treatment measures mitigate risks to a level where there is no desire/need to take more or less risk
    • An ongoing risk monitoring system is maintained
    Mostly Effective:
    • From 50% to 75% of necessary/identified risk treatment measures are implemented
    • Current risk treatment measures provide reasonable certainty of control over the risk
    • Current risk treatment measures mitigate risks to an extent that requires some actions to enhance the design/operation of risk treatment strategies
    Fairly Effective:
    • From 25% to 50% of necessary/identified risk reduction measures are implemented
    • Current risk treatment measures mitigate risks to an extent that requires major actions to enhance the design/operation of risk treatment strategies
    Ineffective:
    • < 25% of necessary/identified risk reduction measures are implemented
    • Current risk treatment is insufficient/ineffective to mitigate risks
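A worked scoring of a small risk register, added here as an example and not part of the deck: it applies the slide 12 probability thresholds, the slide 13 financial-variance bands, the slide 14 rating matrix and the slide 15 effectiveness bands, then orders the register highest-rated first as the "present" practice on slide 7 prescribes. The register entries, probabilities and percentages are constructed for illustration, and the boundary handling (e.g. exactly 75% counts as Mostly Effective) is an assumption where the slides leave it open.

```python
# Added example (not from the deck): scores a constructed risk register with the
# slide 12/13 bands, the slide 14 matrix and the slide 15 effectiveness bands.
IMPACT = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
MATRIX = {  # rows: likelihood band; columns follow the IMPACT order above
    "Rare":           ["Low", "Low", "Moderate", "Moderate", "Significant"],
    "Unlikely":       ["Low", "Low", "Moderate", "Significant", "Significant"],
    "Moderate":       ["Low", "Moderate", "Significant", "Significant", "High"],
    "Likely":         ["Moderate", "Moderate", "Significant", "High", "High"],
    "Almost Certain": ["Moderate", "Moderate", "Significant", "High", "Extreme"],
}
RATING_ORDER = ["Low", "Moderate", "Significant", "High", "Extreme"]

def likelihood_band(probability):
    """Estimated probability in [0, 1] -> likelihood band (slide 12 thresholds)."""
    for upper, band in ((0.10, "Rare"), (0.25, "Unlikely"), (0.50, "Moderate"), (0.75, "Likely")):
        if probability < upper:
            return band
    return "Almost Certain"

def impact_band_financial(variance_pct):
    """Variance (%) against targets/budget -> impact band (slide 13 financial row)."""
    for upper, band in ((1, "Insignificant"), (5, "Minor"), (10, "Moderate"), (15, "Major")):
        if variance_pct < upper:
            return band
    return "Catastrophic"

def risk_rating(likelihood, impact):
    """Slide 14 matrix lookup; raises KeyError/ValueError on an unknown band name."""
    return MATRIX[likelihood][IMPACT.index(impact)]

def treatment_effectiveness(implemented):
    """Fraction of identified treatment measures in place -> slide 15 band."""
    if implemented > 0.75:
        return "Effective"
    return ("Mostly Effective" if implemented >= 0.50 else
            "Fairly Effective" if implemented >= 0.25 else "Ineffective")

def prioritise(register):
    """Rows: (event, probability, variance_pct, implemented) -> (event, rating, effectiveness), highest rating first."""
    scored = [(e, risk_rating(likelihood_band(p), impact_band_financial(v)),
               treatment_effectiveness(i)) for e, p, v, i in register]
    return sorted(scored, key=lambda r: RATING_ORDER.index(r[1]), reverse=True)

# Constructed sample register; the numbers are illustrative, not from the deck.
SAMPLE_REGISTER = [("Fire at head office", 0.05, 12.0, 0.80),
                   ("H1N1 pandemic interrupts operations", 0.30, 6.0, 0.40),
                   ("Short power outage at a branch", 0.80, 0.5, 0.60)]
if __name__ == "__main__":
    for event, rating, effectiveness in prioritise(SAMPLE_REGISTER):
        print(f"{rating:<12} {effectiveness:<17} {event}")
```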
  • 16. Criteria of Managing Risk Action - 4T Strategy: Take, Treat, Transfer, and Terminate (1)
    TAKE: Accept the risk within the Group and establish an appropriate plan to manage such risks. What you can do:
    • Set loss targets and tolerance levels
    • Establish and monitor risk indicators
    • Charge a premium price to cover the risk
    • Finance the consequences
    TREAT, Option 1: Reduce the likelihood or probability through:
    • Vision, mission, strategies, objectives and goals
    • Policies, plans, guidelines and standards
    • Values and ethics
    • Clear assignment of responsibility
    • Audit and compliance program
    • Review of specification, design, engineering and operations
    • Inspection and process control
    • Investment and portfolio management
    • Corrective and preventive maintenance
    • Quality assurance, management and standards
    • Research and development
    • Training and supervision
    • Performance measurement and tracking
    • Performance appraisals and feedback
    TREAT, Option 2: Reduce the impact of risk through:
    • Contingency planning
    • Disaster recovery plan
    • Engineering and structural barriers
    • Fraud management
    • Separation or relocation of activity/resources
    • Contractual transfer
    • Design features
    • Reduce the scale of activity or business
  • 17. Criteria of Managing Risk Action - 4T Strategy: Take, Treat, Transfer, and Terminate (2)
    TRANSFER: Transfer the risk by moving it to a third party, either as a full transfer or by sharing some parts of the risk at a cost. This can be done through:
    • Contracts
    • External insurance contracts
    • Partnership, alliance and joint-venture contracts
    • Hedging
    • Diversification
    Note: transfer of risk does not result in transfer of accountability; the risk owner remains accountable.
    TERMINATE: Avoid the risk by terminating the activity likely to generate it (where this is practicable) through:
    • Ceasing the activity
    • Pulling out of the market
    • Divesting
    • Changing the business objectives
  • 18. Thank You