Risk Management Fundamentals
  • How does the above match with what the participants hope to get out of this course? (9.30am TIME)
  • Risk management is HOW a business or Government achieve its objectives. The focus should be on how it will add VALUE to what is being undertaken and how best to achieve that. Too often the focus shifts from what is trying to be achieved and whether there is any value in undertaking the activity to focusing on all the things that could go wrong and finding ways to prevent it. This stifles innovation and creativity.
  • It needs to be a “living document” with consistent and frequent reporting to relevant stakeholders
  • Transcript

    • 1. Risk Management Fundamentals - Mikaela Reynoldson, Claverhouse Risk & Legal
    • 2. Learning outcomes and objectives
      • Have a better understanding of AS/NZS ISO 31000:2009 (Risk management – Principles and Guidelines)
      • Understanding the link between governance and risk in Victoria
      • Knowledge of each activity contained in the risk management process
      • An understanding of the linkage between governance, risk and control
      • Use of tools and techniques necessary for managing the risks facing your organisation
      • Apply the risk management principles within your area of responsibility
      • Conduct a basic risk assessment applying the tools supplied
    • 3. Module 1 – Introduction to Governance and Risk Management. Risk defined: what is risk?
      “The chance of something happening that will have an impact on achieving objectives” – AS/NZS 4360:2004
      “Effect of uncertainty on objectives” – ISO 31000
      (Source: ISO 31000 Risk Management – Principles and Guidelines on Implementation, 2009)
    • 4. Risk Management - a comprehensive process
      • Supported by appropriate strategies and frameworks
      • Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent a department or agency from achieving its objectives
      • Covers strategic, operational, financial and compliance risks
      • The term “enterprise-wide risk management” is widely used both by the Victorian public sector and the private sector to describe this comprehensive approach
    • 5. What are the benefits of a Risk Management framework?
      • Enables identification of threats and opportunities for an agency
      • Improves and informs the planning process
      • Reduces likelihood of costly “surprises”
      • Contributes to improved resource allocation
      • Improves efficiency and performance
      • Improves accountability
      • Encourages continual improvement
    • 6. Governance and risk management in Victoria – why is risk management important?
      Legislative obligation:
      • Victorian Managed Insurance Authority Act (1996) – requires participating bodies to develop and implement a risk management strategy, and keep it under review.
      • Financial Management Act (1994) – requires agencies to develop and implement a risk management strategy, and keep it under review. There is a quarterly monitoring process established under the Act.
      Board obligation: the Board is required to attest annually that the risk management framework is in place. The VGRMF imposes the obligation.
    • 7. Example of an attestation clause (VGRMF)
      I, [Accountable Officer], certify that as at 30th June 20XX the [Department] has risk management processes in place consistent with the Australian/New Zealand Risk Management Standard (or equivalent designated standard) and an internal control system is in place that enables the executive to understand, manage and satisfactorily control risk exposures. The audit committee verifies this assurance and that the risk profile of the [Department] has been critically reviewed within the last 12 months.
      (Source: Victorian Government Risk Management Framework, July 2007, Attachment A, p. 21)
    • 8. Link between Governance and Risk Management. What is Corporate Governance?
      • Three basic elements - stewardship, leadership, and control.
      • Corporate governance is the framework established by a governing body to ensure that stakeholders, primarily the Parliament, the Government and the Victorian community, have assurance that the agency is fulfilling its responsibilities with due diligence and accountability.
      • This stewardship relationship demands that Boards establish processes to both delegate and limit power to pursue the organisation’s strategy and direction in a way that enhances the prospects for the organisation’s long-term success.
    • 9. Risk management governance structure (organisation chart; only the labels are recoverable from the slide)
      Board level: Board of Directors; Audit & Risk Committee; Other Board Committees
      Management level: CEO; Executive Team; Management Team; Manager, Quality & Risk; Service Quality and Risk Mgt Committee; Risk Management Advisory Committee; Quality Committee; Other Sub-Committees
      Operational level: Staff/Volunteers
      Flows labelled on the chart: Oversight, Critique, Monitor & Review, Guide, Identify, Assesses, Execute
    • 10. The integration of risk management. Any successful alignment of risk management and governance requires four key factors:
      • an agency focus – where there is an identifiable source of risk management expertise in the agency and senior managers come together on a regular basis to discuss risk management issues
      • an agency direction – where a clear direction and strategy is established for risk management, including articulating the agency’s risk appetite and giving a clear mandate for what constitutes effective risk management
      • decision-making structures – where risk management is not a separate process, but a key consideration at all parts of the decision-making chain: being factored into strategic and operational planning; included as a common component in all project proposals and business cases; and incorporated into advice to Ministers; and
    • 11. The integration of risk management (continued)
      • agency capacity and capability – where the agency’s executive management invests time and resources to build momentum, capacity and capability, including: ensuring that there is a shared language of risk management; a common understanding of the principles; training and development to build expertise; and established tools and processes for risk management.
      Integrated risk management requires an ongoing assessment of potential risks and opportunities for an agency at every level. The results should inform agency level risks, facilitate priority setting and improve an agency’s decision making. Clear links should be established between risk management, Government policies and priorities, agency objectives (vertical integration), and agency policy and operations (horizontal integration).
    • 12. Enterprise wide perspective (diagram)
      Framework cycle: Mandate and Commitment; Design of Framework for Managing Risk; Implementing Risk Management; Monitoring & Review of the Framework; Continual Improvement of the Framework.
      Elements shown around the cycle: Organisational Strategy & Objectives (Measures & Targets); 11 Principles; Risk Management Policy; Risk Management Plan(s); Risk Management Process(es); Risk Register/Risk Profile; Risk Reporting; Assurance/Attestation Plan.
    • 13. Integrated approach – Achievement of Strategies & Objectives
      Corporate Governance: the guidance system for achieving planned objectives – it is an objective-focused concept. It is a process by which organisations are directed, controlled and held to account.
      Risk Controls: provide reasonable assurance to Board & Management that objectives will be achieved within an acceptable degree of residual risk.
      Risk Management: develops risk treatment plans, risk controls and strategies associated with achieving objectives.
      Quality & Compliance: ensures that laws, regulations, codes, and organisational standards and requirements are met.
      Monitoring, Review & Reporting: monitor, review & report against performance measures for each objective.
      Performance Management: performance of individuals is managed, motivated & aligned to organisational & personal objectives.
    • 14. Module 2 – Framework for managing risk. Seven key questions. A good risk management framework seeks to answer these basic questions:
      • what are we trying to achieve?
      • what events or circumstances could affect the achievement of our objectives?
      • what are the consequences?
      • how likely are these events?
      • what can we do to manage these outcomes?
      • how will we maximise opportunities?
      • can the organisation recover if a risk eventuates?
    • 15. The trilogy of risk frameworks
      • AS/NZS ISO 31000:2009 – Risk management – Principles and guidelines (20 November 2009) ** Replaced AS/NZS 4360
        • Standard developed as a Guideline Document
        • Unlike other ISO standards, it is NOT for certification
      • ISO Guide 73:2009 – Risk management – Vocabulary (15 November 2009)
        • Defines important risk management terminology
      • IEC/ISO 31010:2009 Risk Management – Risk Assessment Techniques (1 December 2009)
        • A supporting standard for ISO 31000:2009 (15 November 2009)
        • Provides guidance (Annex A – Informative) on selection and application of systematic techniques for risk assessment
        • Is NOT for certification, regulatory or contractual use
    • 16. Related standards, handbooks and frameworks
      • HB 158:2010 – Delivering assurance based on ISO 31000:2009
        • Helps assurance providers to plan and implement their activities using the information arising from the (ISO 31000:2009) risk management process.
      • HB 327:2010 – Communicating and consulting about risk (23 February 2010)
        • Provides guidance to individuals and organisations to understand communication and consultation when managing risk.
      • AS/NZS 5050:2010 Business continuity – Managing disruption-related risk (28 June 2010)
        • The Standard describes the application of the principles, framework and process for risk management, as set out in AS/NZS ISO 31000:2009, to disruption-related risk.
      • Victorian Government Risk Management Framework (March 2011)
    • 17. The one we use: Risk Management Framework – ISO 31000:2009 (process diagram)
      Establish the Context → Identify Risks → Analyse Risks → Evaluate Risks → Treat Risks, with Communicate & Consult and Monitor & Review running alongside every step.
    • 18. Overview of AS/NZS ISO 31000 & AS/NZS 4360
      Principles for managing risk (Clause 3) – AS4360: implicit, to some extent
        1) Creates value; 2) Integral part of organisational processes; 3) Part of decision making; 4) Explicitly addresses uncertainty; 5) Systematic, structured & timely; 6) Based on the best available information; 7) Tailored; 8) Takes human & cultural factors into account; 9) Transparent & inclusive; 10) Dynamic, iterative & responsive to change; 11) Facilitates continual improvement & enhancement of the organisation
      Framework for managing risk (Clause 4) – AS4360: covered partially in Section 4 “Establishing effective risk management”
        Mandate & commitment; Design of framework for managing risk; Implementing risk management; Monitoring & review of the framework; Continual improvement of the framework
      Process for managing risk (Clause 5) – AS4360: fully covered in Section 3 “Risk Management Process”
        Establishing the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communication & consultation and Monitoring & review alongside
      Attributes of enhanced risk management (Annex A – Informative) – AS4360: not covered
    • 19. Framework for managing risk
      4.2 Mandate and commitment
      4.3 Design of framework for managing risk
        4.3.1 Understanding the organisation and its environment
        4.3.2 Establishing risk management policy
        4.3.3 Accountability
        4.3.4 Integration into organisational processes
        4.3.5 Resources
        4.3.6 Establishing external communication & reporting mechanisms
        4.3.7 Establishing internal communication & reporting mechanisms
      4.4 Implementing risk management
        4.4.1 Implementing the framework for managing risk
        4.4.2 Implementing the risk management process
      4.5 Monitoring and review of the framework
      4.6 Continual improvement of the framework
      (Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines)
    • 20. Module 3 – Embedding risk management. Fit-for-purpose?
      Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.
      (Source: AS/NZS ISO 31000:2009 Risk Management – Principles and Guidelines)
    • 21. Integrating risk management (diagram; only the labels are recoverable from the slide)
      Governance structure: Board; CEO; Corporate Services; Client Services; Operations.
      Strategic & operational planning process: Strategic Objectives & Indicators; Operational Objectives & Indicators (aligned & cascaded down).
      Risk management process: Strategic Risk (Risk Register); Operational Risk (Risk Register) (cascaded down; escalated up).
      Reporting process: CEO/Board Report; Operational Reports (evaluated & reported; consolidated & escalated up).
    • 22. How to embed risk management - some examples
      Committee/meeting map template: No | Level | Committee Name | Frequency | Members | Responsibility (Terms of Reference) | Reports To
      • Map “as-is” committee/meeting structure. Rationalise committees/meetings, where possible.
      • Review risk management roles of each committee/meeting. Risk management as standing agenda item in all meetings.
      • Map “as-is” organisational/reporting structure. Rationalise reports, where possible.
    • 23. Embedding risk management - some more examples
      • Include responsibility for risk management in all job descriptions
      • Risk management as standard reporting item in all reports
      Also remember:
      - introduce a language of risk
      - risk environment changes over time
      - organisational change means roles and responsibility for managing risk will change
      - clarify strategic and operational objectives and measures
      - articulate and document those objectives and measures
    • 24. Module 4 – Risk management policy and plan. Content of a typical risk management plan
      • A statement of the risk management policy
      • Details of the scope and objectives of risk management in the agency
      • Consistent risk management language and definitions
      • Integration with other management practices and procedures
      • Risk assessment criteria (consequence and likelihood ratings)
      • Description of the internal and external context in which the agency operates
      • List of analysed risks (detailed in the Risk Register)
      • Summary of the risk treatment plan
      • Outline of the risk reporting protocol
      • Outline of the monitoring and review program
    • 25. Content of a typical risk management policy
      • Objectives, scope and coverage of the policy
      • Statement of commitment from the Board
      • Accountabilities and responsibilities for managing risk
      • Alignment with other management policies and procedures
      • Escalation and reporting protocols
      • Statement of risk appetite and tolerance
      • Processes, tools and templates for managing risk
      • Reporting and communication protocols
      • Statement about assessment, measurement and reporting methodology
      • Outline of DRP and BCP and regularity of testing regime
    • 26. Module 5 – Process for managing risk. The Process of Risk Management?
      “Culture, process and structures that are directed towards realising potential opportunities whilst managing adverse effects” – AS/NZS 4360:2004
      “...Co-ordinated activities to direct and control an organisation with regard to risk” – ISO 31000
      (Source: ISO 31000 Risk Management – Principles and Guidelines on Implementation, 2009)
    • 27. The risk management process described in more detail (ISO 31000 clause numbers)
      5.2 Communication & consultation and 5.6 Monitoring & review run alongside all of the following:
      5.3 Establishing the context: 5.3.2 External context; 5.3.3 Internal context; 5.3.4 Risk management process context; 5.3.5 Developing risk criteria
      5.4 Risk assessment:
        5.4.2 Risk identification – what can happen, when, where, how & why
        5.4.3 Risk analysis – determine existing controls; determine consequences; determine likelihood; determine level of risk
        5.4.4 Risk evaluation – (1) compare against criteria; (2) identify & assess options; (3) decide on response; (4) establish priorities
      5.5 Risk treatment: 5.5.2 Selection of risk treatment options; 5.5.3 Preparing and implementing risk treatment plans
    • 28. Communication and Consultation. It is critical to:
      • Establish channels of communication with internal and external stakeholders
      • Allocate risk management tasks and activities with responsibilities, accountabilities and authorities clearly understood and defined
      • Draft a communications plan and a distribution timetable
      • Identify what specialist advice might be needed (engineers, actuaries, OHS specialists, VMIA support)
      • Identify the stakeholders:
        • Internal (Board, Minister, executive and operational management)
        • External (Regulators, customers, the public, key suppliers)
    • 29. Module 6 – Establishing the context. Know and understand:
      - the purpose, goals and objectives of the agency;
      - where the risk management process is being applied within the agency;
      - the cost/benefit of the risk management program and the resource allocation required;
      - the need to maintain documented records of the program;
      - the external and internal environment in which the agency operates;
      - the sources of risk facing the agency;
      - the benchmarks around which risk will be evaluated within the agency.
      Risk Appetite and Tolerance
      Risk appetite - the amount and type of risk that an organisation is willing to accept in pursuit of its long term strategic and operational objectives.
      Risk tolerance - the boundaries of risk taking outside of which the organisation is not prepared to venture in the pursuit of its long term objectives.
    • 30. Sources of risk - common risk categories: Financial; Operational; Clinical; Health, Occupational, Safety; Human Resource; Governance; Infrastructure/Asset; Strategic
    • 31. Consequence and Likelihood
      • A process for evaluating the risk facing the agency using agreed criteria
      • Likelihood means the probability of the identified risk occurring
      • Severity means the impact on or cost to the agency if the identified risk occurred
      • The likelihood and severity ratings are multiplied together and plotted on a heat map which gives a view of the overall risk profile for the agency. An informed decision can then be taken as to the response strategies, treatment plan and resource allocation that might be appropriate.
      • Responsibilities can then be allocated to a risk owner with the treatment tasks allocated to a control owner.
      • Examples of the tools used to plot severity and likelihood are in the following slides
    • 32. Tools for assessing risk - risk rating scales (likelihood)
      Score | Likelihood   | Detailed description
      5     | Frequent     | The event is very likely to occur within 3 months
      4     | Likely       | The event will probably occur within 1 year
      3     | Occasionally | The event could occur between 1-3 years
      2     | Unlikely     | The event could occur between 3-10 years
      1     | Rare         | The event may possibly occur, but is unlikely at a frequency of less than 10 yearly
      ** A time horizon is selected that best suits the unique profile of the agency
    • 33. Risk rating scales: consequence
      Score | Description
      5     | Catastrophic / Extreme
      4     | Major
      3     | Moderate
      2     | Minor
      1     | Insignificant
      Consequence categories (the categories below are possible categories only): Financial; Service Delivery; Reputation; People & Knowledge; Health and Safety; Legal and Regulatory. The per-category descriptions for each score are left blank on the slide.
    • 34. Risk matrix (cell = likelihood score × consequence score)
      Likelihood \ Consequence | Insignificant 1 | Minor 2 | Moderate 3 | Major 4 | Catastrophic 5
      Almost Certain 5         | 5               | 10      | 15         | 20      | 25
      Likely 4                 | 4               | 8       | 12         | 16      | 20
      Possible 3               | 3               | 6       | 9          | 12      | 15
      Unlikely 2               | 2               | 4       | 6          | 8       | 10
      Rare 1                   | 1               | 2       | 3          | 4       | 5
    • 35. Risk appetite and risk rating (diagram; only the labels are recoverable from the slide)
      Two heat maps with axes Increasing Likelihood and Increasing Impact, labelled “Large Appetite for Risk” and “Risk Averse”; a note “Standard Plan for All Extreme Risks”; and escalation bands labelled Board, CEO, Manager, Staff.
    • 36. Risk response and escalation
      Risk     | Type of action                              | Risk/Audit Committee oversight
      Extreme  | Immediate action required                   | Direct
      High     | Senior management attention needed          | Monitors
      Moderate | Management responsibility must be specified | Ensures sign offs and is advised of changes up or down
      Low      | Manage by routine procedures                | Ensures sign offs
      Side labels on the slide: CEO/Board; GMs
    • 37. Control effectiveness scales
      1 Effective - indicates minimal uncontrolled risk, due to excellent risk management/controls in place, tested and monitored
      2 Good - indicates a good risk management and control system, but an opportunity for refinement exists to reduce risk further
      3 Fair/Partially Effective - indicates a need for improvement in controls, increased adherence to controls, or that controls are being developed but are not fully in place and tested
      4 Poor - indicates effective risk controls have not yet been developed and a significant lack of risk control exists; additional risk management or treatment is a matter of priority
    • 38. Module 7 – Risk assessment and treatment. The Risk Register
      • The risk register is a key document which records the output of the risk management process
      • At a minimum it would contain the following:
        o Risk Description
        o Assessment of Inherent Risk
        o Assessment of Controls
        o Assessment of Residual Risk
        o Treatment of Risk
      ** Remember the distinction between inherent (untreated) and residual (treated) risk
    • 39. Risk Register - Example (EMPLOYEES)
      Inherent risk description: Loss of key personnel - loss of key employees leading to the loss of primary relationship contacts, loss of investment in training and development and loss of intellectual property. This may lead to stretched resources and disrupt the Department’s capability to continue critical business operations. Potential causes include:
        • Poaching of employees
        • Changes to the organisation influencing the culture and leading to instability/insecurity
        • Lack of availability of skilled and competent workers
        • Career/lifestyle change
        • Retirement, death/mental inability
      Primary controls / processes / control strategies:
        • Competitive remuneration, strategies and structure
        • Defined targets and KPIs
        • Divisional and Departmental operating targets for all key employees
        • Work life balance
        • Training and internal growth opportunity
        • Non-remuneration employee benefit strategies (EAP)
        • Identification and grooming of employees into the succession role
        • Training to ensure success in the new role
        • Documented policies and procedures/information to retain knowledge
      Assurance provider / monitoring procedures:
        • Human Resources - quarterly reports submitted to Departmental Management regarding Performance Management System and Succession Planning
        • Divisional Management - Control Self Assessment performed 2 monthly which includes questions on PMS and succession planning
        • Internal Audit - an internal audit on Performance Management System to be performed during the 2011/12 year
        • External Audit - payroll testing to be included in Annual Audit
      Residual Risk Rating = Moderate (Consequence = Minor; Likelihood = Possible)
      Are risks being managed effectively? (What more could be done?) Overall effectively managed. Areas for improvement:
        • Formalised training calendar to be introduced
        • Input controls to be strengthened over Payroll
        • Salary benchmark to be performed
        • Internal advertising of posts available to be sent out on monthly e-mails
        • All issues to be tracked on tracking database
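The scoring, escalation and register steps on slides 31 to 38, carried through as an added Python example (this is not code from the presentation or from Claverhouse Risk & Legal). It uses the slide 34 likelihood and consequence labels, the score = likelihood × consequence rule from slide 31, the slide 36 escalation table and the slide 37 control effectiveness scale. The score bands that map the 1-25 matrix onto Low/Moderate/High/Extreme are not stated in the deck and are an assumption, chosen so that the slide 39 case (Minor × Possible = 6) rates Moderate; the inherent rating of that entry and the second register entry are constructed. The `heat_map` function goes slightly beyond the slides by counting register entries per matrix cell, which is what a heat map plots.

```python
"""Risk scoring, escalation and a minimal risk register (added example)."""
from dataclasses import dataclass

# Slide 34 scales (labels and scores).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# ASSUMED rating bands (inclusive lower bound of the score); not given in the deck.
RATING_BANDS = ((16, "Extreme"), (10, "High"), (5, "Moderate"), (1, "Low"))

# Slide 36: (type of action, Risk/Audit Committee oversight) per rating.
ESCALATION = {
    "Extreme": ("Immediate action required", "Direct"),
    "High": ("Senior management attention needed", "Monitors"),
    "Moderate": ("Management responsibility must be specified",
                 "Ensures sign offs and is advised of changes up or down"),
    "Low": ("Manage by routine procedures", "Ensures sign offs"),
}

# Slide 37 control effectiveness scale.
CONTROL_EFFECTIVENESS = {1: "Effective", 2: "Good", 3: "Fair/Partially Effective", 4: "Poor"}


def score(likelihood: str, consequence: str) -> int:
    """Slide 31 rule: likelihood rating multiplied by consequence rating."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rating(value: int) -> str:
    """Map a 1-25 matrix score onto the assumed Low/Moderate/High/Extreme bands."""
    for lower, name in RATING_BANDS:
        if value >= lower:
            return name
    raise ValueError(f"score {value} is outside the 1-25 matrix")


@dataclass
class RiskEntry:
    description: str
    inherent: tuple        # (likelihood, consequence) before controls (untreated)
    residual: tuple        # (likelihood, consequence) with existing controls (treated)
    control_effectiveness: int  # 1 (Effective) .. 4 (Poor), slide 37

    def assess(self) -> dict:
        """Score inherent and residual risk, pick the escalation row, and flag
        inconsistencies a reviewer would want to see before sign-off."""
        inh, res = score(*self.inherent), score(*self.residual)
        res_rating = rating(res)
        action, oversight = ESCALATION[res_rating]
        flags = []
        if res > inh:
            flags.append("residual exceeds inherent: check the ratings")
        if self.control_effectiveness <= 2 and res == inh:
            flags.append("controls rated effective but risk unchanged: re-check")
        if self.control_effectiveness == 4:
            flags.append("Poor control effectiveness: treatment is a matter of priority")
        return {
            "description": self.description,
            "inherent_score": inh, "inherent_rating": rating(inh),
            "residual_score": res, "residual_rating": res_rating,
            "control_effectiveness": CONTROL_EFFECTIVENESS[self.control_effectiveness],
            "action": action, "committee_oversight": oversight,
            "flags": flags,
        }


def heat_map(entries) -> dict:
    """Number of register entries in each matrix cell, keyed by
    (likelihood score, consequence score), using residual ratings."""
    grid = {(l, c): 0 for l in range(1, 6) for c in range(1, 6)}
    for entry in entries:
        lik, con = entry.residual
        grid[(LIKELIHOOD[lik], CONSEQUENCE[con])] += 1
    return grid


# Constructed register. The first entry takes its residual rating from slide 39
# (Possible x Minor); its inherent rating and the second entry are assumptions.
REGISTER = [
    RiskEntry("Loss of key personnel", ("Likely", "Major"), ("Possible", "Minor"), 2),
    RiskEntry("Payroll input error (constructed)", ("Possible", "Moderate"),
              ("Possible", "Moderate"), 4),
]

if __name__ == "__main__":
    for entry in REGISTER:
        print(entry.assess())
    print(heat_map(REGISTER))
```

The flags are the practitioner's sanity checks on a register row: a residual score above the inherent one, or controls rated Effective/Good with no reduction in score, usually means the ratings were entered inconsistently rather than that the risk is understood.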
    • 40. Risk Treatment. There are five risk treatment options available as defined below:
      o Avoid the Risk
      o Transfer the Risk
      o Share the Risk
      o Treat the Risk
      o Accept the Risk
    • 41. Module 8 – Monitoring and review. Reporting – the right things at the right level (pyramid diagram; volume of risk information decreases going up)
      Board (Risk/Audit Committee): strategic / critical risk issues
      Executive Management (Exec Risk Mgt Committee): significant / key operational and strategic risk information
      Business Units (Op Risk Mgt Committee): operational and strategic risk information at business level
    • 42. Risk register, profiles and reports
      Risk Profile – description of an organisation’s risk (ISO 31000)
      Risk Register – document used for recording the risk management process for identified risks (ISO 31000). It lists all identified risks, including description, likelihood of occurring, consequences on organisational objectives, proposed responses/risk treatments and risk owners.
      Risk reporting – development of reports including strategic, operational, financial and compliance-related risk information, as a basis for directing and controlling the organisation as well as for external accounting (ISO 31000)
      Risk treatment – development and implementation of measures to modify risk (ISO 31000). Risk treatment plans include (1) testing of existing controls or monitoring control effectiveness over time; or (2) tracking of the implementation of new controls and/or training programs.
      Risk audit – systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the risk management policies and procedures are fulfilled (ISO 31000). The risk-based internal audit plan identifies activities to be audited, and specifies the areas, allotted dates and personnel required to perform internal audits.
      Risk matrix – tool for ranking and displaying risks by defining risk categories and defining ranges for consequences and levels of likelihood for each category (ISO 31000)
      Heat map – overview of the organisation’s main risks plotted in its risk matrix (ISO 31000)
    • 43. Three levels of defence (overseen by the Board, Executive & Audit Committee)
      First line - business operations: an established risk and control environment
      Second line - oversight functions (Finance, HR, IT, Legal and Risk Management): strategic management, policy and procedure setting, functional oversight
      Third line - independent assurance (Internal Audit, External Audit and other independent assurance providers): provide independent challenge and assurance
    • 44. In summary
      1. AS/NZS ISO 31000:2009 is a principles-based standard that seeks to customise the risk management process fit-for-purpose to the context.
      2. Risk management must be integrated/embedded into existing organisational processes/practices.
      3. Managing risk is about creating value out of uncertainty and achieving its objectives.