About this presentation. Risk management is an executive responsibility that should have a “line of sight” to the highest level in the organisation (e.g. the Board, Department Head or the Government Minister). Ideally, it should have a 360° view of the enterprise's risk, including technical and business risks. The method for implementing ERM articulated in this presentation is a well-trodden path that is consistent with the ‘industry standards’. Its success depends on the subject matter knowledge and tact of the implementers. We at Business & Systems Consultants have many years of executive-level experience in enterprise risk management and can assist your organisation to adapt this process and transfer the knowledge in an enduring way. Contact us at: [email_address] Jay Menon: +61 417 585 061
What are Enterprise Risk and Enterprise Risk Management?
Enterprise Risk (Risk) can be identified as the combination of the probability of a relevant “event” and its consequences (ISO/IEC Guide 73).
The consequences can be both ‘upside’ and ‘downside’.
In most circumstances, corporations concentrate on downside risks, especially in the safety field. However, optimising ‘upside risks’ is just as important.
Enterprise Risk Management (ERM) is the management process to influence the eventuation of the risk and its impacts.
While everyone in the organisation is responsible for this, the ultimate responsibility for ERM starts with the “Board” / “Government Head” and “Senior Management”. The ‘line of sight’ from / to the Board / Head should always be maintained.
It is closely linked to the corporation's key objectives (strategic and operational), including the unstated ones (e.g. legal).
Risks are clearly defined, analysed and categorised into meaningful groups that are visible to executive management.
The accountability for Risk management is always clear and unshared.
It is monitored (audited) and reported to senior management and the Board without fail at agreed intervals.
The risk management status (including the residual risk after its treatment) is clearly understood at all times: by the Board at the aggregated level and by senior management at the detailed level.
There is a formal risk management role with a level of independence within the organisation.
Overview of the ERM process. Method guideline: AS/NZS 4360:2004 / ISO 31000.
1. Identify the Key Objectives @ Risk
Align with Business Plan objectives.
Obtain / extract from the Executives.
Align with Annual Budget objectives.
Research corporate, HR and OH&S obligations.
2. Identify Associated Risks
Ask what could stop the objectives being achieved.
Workshop, interview, survey, brainstorm to discover risks.
Use previously identified risks and realign them.
Concentrate on what is realistic.
3. Analyse the Risks
What and how can they happen?
Understand the consequence and likelihood.
Quantify these (e.g. H/M/L or a scale of 1 to 5 etc.).
Understand the financial impact wherever possible.
4. Evaluate the Risks
Consequence can be graded into a pre-determined matrix showing the organisation’s appetite for risk tolerance.
5. Treat the Risks
Assign risk management responsibility, reporting process and outline management plan / schedule.
Throughout: Monitor, Audit, Review and Report.
Some typical outputs from an ERM project? (Output and its purpose / use)
ERM Objectives Charts: An agreed list of enterprise risk management objectives grouped into risk categories (visible to the Board and Executives).
Enterprise Risk Register: The register of current primary risks, their status, risk sponsors and risk owners (visible to the Board and Executives).
Cause and Controls Register: The register that holds the list of primary and subordinate Risks and the current and proposed controls to treat the risk (e.g. to mitigate). Visible to Sponsor and Risk-Owner.
Risk Control Activities Register: The register that holds summary details of all the in-flight activities to control risks, indicating the level of progress against plan. They include key projects. Visible to Sponsor and Risk-Owner.
What can enhance the success and quality of an ERM project?
Obtain agreement on the key outcomes of the ERM project.
Make a conscious attempt to use common terminology when discussing ERM.
Align ERM with the strategic plan, business plan and/or in the least the annual budget.
Find a sponsor who will lobby for the success of the ERM project (ideally a respected member of the executive team, i.e. not a group of interested parties).
Identify all the people who need to be in the ‘line of sight’ in the execution and ongoing ERM management, from the Board to the operational staff. Ensure that everyone knows that there is a line of sight.
Pre-determine the mechanics of the process:
Information gathering approach (interview / workshop etc.)
Templates for data collection.
Project communications plan (document sharing tools, distribution lists, communications tools etc.)
Comprehensive list of stakeholders and their absolute commitments.
Select / engineer a timeline that accommodates all the key players; ideally all.
Prepare the participants with all relevant information including information about the process, schedule and their contribution.
What is line of sight in ERM? (Diagram: the line of sight runs from the Board and the Audit & Risk Committee through the CEO, Senior Management, Technical Specialists and Team Leaders to Operational Staff, with the Risk Register in the line of sight.)
Examples of ERM Terminology (term and its meaning)
Enterprise Risk Management (ERM): Enterprise Risk (Risk) can be identified as the combination of the probability of an “event” and its consequences (ISO/IEC Guide 73). The consequences can be both ‘upside’ and ‘downside’. Enterprise Risk Management (ERM) is the management process to influence the eventuation of the risk and its impacts.
ERM Objectives: The business objective or ideal situation with respect to the Risk category that CenITex wants to safeguard or protect.
ERM Framework: The broad outline that describes the process of conducting the ERM and includes the roles and responsibilities for oversight, planning, monitoring and control.
ERM Process: The steps involved in identifying, analysing and evolving preventative and corrective actions to achieve the ERM objectives (i.e. the repeatable METHOD). In CenITex, we plan to closely follow the standard AS/NZS 4360:2004.
Principal risk, and Subordinate risk: A Principal risk is an aggregation of two or more closely related Subordinate risks that are usually managed by the same part of the organisation. The objectives of the aggregation and division are based upon the intended efficiency and effectiveness of the planned ERM framework and ERM process.
Risk Treatment: The approach to handling an identified risk, e.g. Mitigate, Transfer, Finance, Accept etc.
Risk Category: A risk category arranges Risks into their natural ‘set’ or ‘cluster’ for management and reporting purposes. Examples: Finance, Human Capital, Technology etc.
Risk Control: The control mechanisms in place to mitigate the downside risk, manifested as (a) Policy, (b) Processes, and (c) Tasks (including daily routines and special projects).
Risk Relevance: The principle of focussing on the ERM issues that are relevant from the perspective of plausibility and significance to CenITex.