5. OVERVIEW
1. Why are we here?
2. What are we trying to accomplish?
3. How will the results be used?
4. Questions?
The purpose of today’s workshop is to understand, identify, sort and prioritize key risks within the organization.
6. GROUND RULES
1. Encourage participation.
2. Don’t use the “S” word.
3. Keep anonymity of votes.
4. Keep a parking lot for questions on other topics.
5. Stay engaged – don’t leave during voting.
6. Come back on time from breaks.
7. Turn off cell phones and don’t read or answer emails.
7. BE OPEN AND COLLABORATIVE
Although risk is often viewed as a negative topic, we hope to collectively gain insight through open group discussion and constructive debate. We understand that all participants in today’s meeting are faced with risk management decisions daily.
• Today’s discussion is designed to encourage cross-functional communication that will build consensus around the risks that really matter.
• It is not a performance appraisal. It is a diagnostic tool to help focus your risk management priorities.
8. OBJECTIVES
1. Discuss and validate identified risks.
2. Prioritize risks through anonymous voting based on:
• Significance
• Inherent likelihood that a risk will occur
• Residual likelihood that a risk will occur after application of management controls
3. Plot the three votes using facilitation software into two two-by-two graphs:
• Inherent Risk Map (Significance and Inherent Likelihood)
• Residual Risk Map (Significance and Residual Likelihood)
9. WHAT IS RISK?
• “Risk” is defined as the possibility that an event will occur and adversely affect achievement of the organization’s strategic objectives over the next three to five years.
• Risks must first be prioritized based on significance.
• Consider the most likely impact on achievement of your strategic objectives if this risk were not adequately prevented or controlled.
What is the risk universe?
Write down your top five most significant risks, thinking about the potential they have to impact achievement of the organization’s strategic objectives over the next three to five years if not properly mitigated or controlled.
10. RISK MODEL
Risk categories: Environment Risk; Process Risk; Information for Decision-Making Risk.
Risk areas in the model:
• Competitor
• Political
• Legal and Regulatory
• Economy/Industry
• Lending Compliance
• Guest Satisfaction
• Talent Management
• Management of Agreements
• HOA Management
• Separation
• Procurement
• Project Development
• Transfer Property
• Business Continuity
• Customer Data Privacy
• International Operations
• Cash Flow Management
• Cybersecurity
• IT Infrastructure
• Reputational
• Fraud
• Growth Management
• Sales and Marketing
• Financial Reporting
• Tax Compliance
• Financial Planning and Analysis
11. VOTING
Overview of Voting Technology
• The voting is interesting, but the discussion is more important. The discussion will allow each participant to gain insight into the relative potential impact of risks.
• If you are completely unfamiliar with the factors related to an individual risk, click on “absent” to register a “no-vote.” The no-vote option should be utilized sparingly, as the object of the session is to obtain your input from your perspective.
• Your vote will not be counted twice by the software, so feel free to click on the button again to confirm if you are not sure that your vote registered.
12. FIRST VOTE: SIGNIFICANCE
• Consider the most likely impact on achievement of your strategic objectives if this risk were to occur.
• The voting is being done to rank the significance (or potential impact) of the risks. High Significance is 9 and Low is 1.
• Significance (or potential impact) should be considered broadly:
− Reputation
− People
− Financial
− Stock price
− Customers
− Regulatory fines
• Use the worksheet provided to help assign your ratings prior to the vote.
13. SIGNIFICANCE (MOST LIKELY IMPACT) SCALE, ASSUMING THE RISK ACTUALLY OCCURRED
Level 8 and 9, Major: Very significant financial, reputational or other loss that ultimately could jeopardize the ability of the organization to continue without major changes may occur. High damage control must occur that may require public/regulatory communication.
Level 6 and 7, High: High financial, reputational or other loss and scrutiny by board and analysts (could result in a significant decline in share price) may occur. Business impact likely requires additional resources (internal or external) and likely requires public disclosure.
Level 5, Significant: Financial, reputational or other loss is significant to the company and may require public disclosure. Senior management must be very involved with the issue.
Level 3 and 4, Moderate: Fairly significant impact that gets the attention of senior management and could be a factor in not meeting budget expectations may occur. Business impact may require (mainly internal) additional resources in response to risk occurrence.
Level 2, Minor: Low impact may occur. Business impact is easily mitigated, and director or above involvement may be necessary.
Level 1, Insignificant: Little impact may occur. Top management attention may not be required. Process changes are likely not required in response to risk occurrence.
14. SECOND AND THIRD VOTES: RISK LIKELIHOOD
• Risk likelihood may be assessed on both an inherent and residual basis.
− Vote 2: Inherent Risk is the likelihood that something will have a significant impact to the entity in the absence of any actions management might take to control the risk.
− Vote 3: Residual Risk is the likelihood that something will have a significant impact to the entity after management has taken action to control the risk.
• We will be ranking risks for inherent and residual likelihood of the risk significantly impacting the achievement of the company’s strategic objectives.
15. INHERENT RISK FACTORS: HIGH VS. LOW
High Inherent Risk:
• Many control points
• Decentralized
• High turnover of personnel
• Less mature systems
• Many unusual/non-routine transactions
• Significant judgments and/or estimates
• Communication breakdowns
Low Inherent Risk:
• Few control points
• Centralized
• Low turnover of personnel
• More mature systems
• Few unusual/non-routine transactions
• No significant judgments and/or estimates
• Few communication breakdowns
Another way to think about this: What would you be concerned about if you were buying a timeshare company that was similar to the organization? Your concerns would typically parallel the areas with the highest inherent risk.
16. THIRD VOTE: RESIDUAL RISK FACTORS – HIGH VS. LOW
Management Commitment Responsibility
High Residual Risk:
• Systems do not work
• Procedures aren’t executed
• High error rates
• Inadequate resources to perform
• Lack of expertise
• Unaddressed issues
• Inadequate supervision
Low Residual Risk:
• Highly effective systems
• High effectiveness of people
• Low error rates
• Full staffing and significant history
• High expertise
• Few unaddressed issues
• Sufficient supervision and review
To determine whether residual risk is high or low, you have to consider control effectiveness:
• High control effectiveness significantly reduces the likelihood that a risk will occur.
• Low control effectiveness does not significantly reduce the likelihood that a risk will occur.
17. VOTE: RISK LIKELIHOOD SCALE
Level 9, Almost Certain: The risk is expected to significantly impact the company in most circumstances. Probability of occurrence: greater than 95%.
Level 7 and 8, Probable: The risk is likely to significantly impact the company. Probability of occurrence: greater than 70%, up to 95%.
Level 4, 5 and 6, Reasonably Possible: The risk is likely to have a more than remote but less than likely chance of being significant. Probability of occurrence: greater than 30%, up to 70%.
Level 2 and 3, Unlikely: The chance of the risk having a significant impact is slight. Probability of occurrence: greater than 5%, up to 30%.
Level 1, Remote: The risk may occur and be significant only in exceptional circumstances. Probability of occurrence: 5% or less.
19. PREPARATION AND RISK INTRODUCTION
This guide provides tips and tricks for facilitating a risk assessment workshop. These tips are organized to guide you through the high-level phases of a risk assessment discussion and provide insight into the facilitator’s role for this process.
• Invite people to sit at the front of the room (rather than letting them sit at the back).
• Keep the time schedule in mind and avoid taking too much time for one item.
• Make sure you periodically take a short break to revitalize the group.
• Avoid judging participants’ comments.
• Manage expectations by directly addressing the expectation(s) that cannot be met.
• Take your time when presenting the risk management concepts. It is probably the first time that most participants are hearing about the concepts.
• Spend a few minutes to give people an overview of the whole process before starting with Step 1 when presenting the risk assessment process.
20. RISK IDENTIFICATION
• Ask everyone to state one risk in order to avoid getting a long list of risks from participants. After one round, ask if there are additional key risks concerning the objectives.
• Be as specific as possible when defining the risk. For example, describe risk as “Loss of top two key suppliers, Company ABC and XYZ” rather than “Loss of key suppliers.”
• Avoid documenting current issues since these are the things they should be managing. Ask “Is this an issue?” If so, explain that “an issue is a certainty, and a risk is an uncertainty. So, what is the risk (uncertainty)?”
• Ensure that there is a verb included in the risk definition. For example, state that “Employee turnover increases beyond 15%” rather than “The risk of employee turnover.”
• Implement a temporary definition on-screen first and then work with participants to fine-tune it to speed up the risk definition process.
• Ask participants how they would formulate a risk definition instead of trying to formulate it yourself.
• Use their words rather than your words when summarizing. This will increase the feeling that it is an assessment of their risks.
• Summarize the discussions (or ask someone to do that for you) to regain focus after a long discussion and move on to the next topic.
• Ensure that the participants are focused on the facilitator by agreeing upfront that the assistant waits for the facilitator to verbally summarize the definition before documenting the risk definition.
• Ask for feedback to gain clarity from participants on risk definitions. For example, “Is this definition clear for everyone?”
• Avoid conversations that entail judging the scale of the risk before voting (discussion should concern the definition).
• Ensure that internal risks are also addressed when identifying risks. People can sometimes focus too much on external risks during the risk assessment process.
• Make sure that people do not give opinions on how they would rank the risk when explaining risk definitions. The voting process comes later in the session.
21. RISK PRIORITIZATION
1. Ask participants when there is no consensus on risk priorities, “Would someone like to say why you might vote high/low on this risk?” Summarize the high and low arguments and ask if people would like to revote.
2. Only revote when participants say they want to revote on the risk significance. Ask participants, “Based on the arguments you just heard, who feels they need to change their vote?”
3. Avoid being drawn into the discussion content as a facilitator by reflecting any content questions back to the group. Focus on the process of the risk assessment and not interjecting your opinion into the process.
4. Keep up the tempo during the voting process by summarizing and managing long discussions.
5. Keep repeating, “If this risk has happened, what is the impact?” when voting on risk impact.
22. RISK SOURCING AND ACTION PLANNING
• Ensure that a risk owner is assigned prior to starting the sourcing exercise. This helps to ensure that there is buy-in for the risk actions.
• Avoid spending time on unimportant causes/consequences by performing a quick brainstorm to find the main causes. Cluster the first level of causes, where applicable. Then ask the group, “Which are the most important identified causes and consequences?” Only then should you drill down the chosen causes/consequences.
• A rule of thumb is to have three layers of causes for the most important (main) causes to get the right level of detail. Do this by asking “why?” three times.
• Ask for suggestions in formulation instead of making suggestions in your own words.
• Type the participants’ suggestions into the risk assessment program as quickly as possible and fine-tune it after you have something workable on screen.
• Wait for the assistant to finish typing before moving onto the next cause/consequence.
• Formulate the cause/consequence as concisely as possible, bearing in mind that all discussions documented should be understandable after a few months for other people to read.
• Ensure that there is an adjective/verb included in each formulated cause or consequence. For example, you would document “customer awareness increases” rather than “customer awareness.”
• For external risks, focus on the consequences; for internal risks, focus on the causes.
• Add one action per root cause.
• Ensure that you only list the actions that are new or actions that need to be reviewed, thus avoiding generating a list of actions already being taken.
• Add the due date and an applicable action owner to create extra buy-in and a need for urgency.
• Emphasize that risk action planning is part of future, normal management practice.
23. RISK CONTENT
• Point out the consequences of important items in order to create maximum awareness of their relevance to participants’ daily work. Mention specific actions to be taken by people if you can.
• Make sure that the risk’s general point is understood before getting into the details of a specific problem or question.
• Ask for feedback such as, “Is this point clear to everyone?” If you have doubts that the point is understood, ask someone to summarize it or give a practical example.
• Ensure that you only go into the items/actions that are new or need to be reviewed.
24. KEEPING THE PROCESS GOING
• Keep up the training session tempo by summarizing and managing long discussions.
• Keep the time schedule in mind and avoid taking too much time for one item.
• Summarize the discussion to regain focus (or ask someone to do that for you).
25. RELEVANCE AND RISK IMPORTANCE
• If participants are not convinced of a specific topic’s importance, take a moment to discuss the possible negative business impact of not adhering to the rules (or the benefits of adhering to them).
• Emphasize that the new procedures are part of future normal working practice.
• Point out that people may want to make a note of an especially important item when discussing it.
27. MEETING OBJECTIVES
• Expand understanding of known risks and, perhaps, surface risks that have not been emphasized previously within the organization or the risk assessment interviews.
− Dialogue among participants is critical to achieving this objective.
− Each participant has different exposure levels to various risks given their job responsibilities. Participants with more knowledge of a particular risk are strongly encouraged to share their perspective with the group to improve overall understanding of the factors to be considered in evaluating the risk.
• Prioritize the top risks facing the organization by considering the significance and likelihood of each risk.
• Discuss the key activities in place to mitigate each of the highest priority risks and determine if management believes that more should be done to manage each of the highest priority risks.
• Recap and discuss the objectives for the next phases of ERM.
28. GROUND RULES
Please…
• Participate in discussions and activities.
• Maintain one conversation at a time.
• Ask clarifying questions.
• Be present as much as possible – there is a lot of information to be absorbed.
• Respect break times.
• Place your cell phones on silent.
Parking Lot
The facilitator reserves the right to request that an item or conversation be moved to the “parking lot.” Parking lot items are issues, comments and clarifications that are not directly related to the session objective, or that provide only cursory commentary or follow-up on the agenda item at hand. These will be captured so they can be addressed at an appropriate point in the session.
29. INTRODUCTION
A Definition of Business Risk:
“Business risk” is defined as the level of exposure to uncertainties that the enterprise must understand and effectively manage as it achieves its objectives and creates value.
• It is not just about threats; there is an upside as well as a downside.
• Risk is not about a single point estimate.
• Time frame is an important factor when evaluating risk.
• Exposure and uncertainty are important factors.
Things to Consider:
• Risk is a fact of life; life is constantly changing and is uncertain.
• Today’s economy requires companies to identify and respond more quickly to changing risk profiles.
• All management is essentially risk management.
• Many risk management activities are well-defined, and accountability has been assigned. For risks that have not been defined/assigned, risks can “slip between the cracks” and/or be managed inconsistently due to individual perceptions of the significance of the risk.
30. PRIORITIZING BUSINESS RISKS
Significance
• How big of an impact would this risk have if it were to occur?
• Impact could be in many areas, including financial, reputation, human resources, stock valuation, etc.
Likelihood
• Consider how likely it is that this risk would actually occur given the inherent uncertainties in your business.
• Don’t consider the mitigating effects of internal controls.
31. IDENTIFYING BUSINESS RISKS
• Think about risks from your point of view within the company, considering your group’s goals and objectives:
− You must identify inherent risks in your business.
− Don’t consider whether you are controlling the risk.
− You must identify risks that are inherent in the business regardless of your internal control.
• You don’t know for sure if the risk is being controlled until it is tested.
• View risks as if you were just being introduced to the company for the first time and you don’t know if anything is working well.
32. QUESTIONS TO IDENTIFY BUSINESS RISKS
1. Where do you devote considerable internal effort in order to control?
2. What areas receive considerable management reporting?
3. Where have you devoted significant resources?
4. What are the analysts and rating agencies most interested in?
5. What wouldn’t you want on the front page of the newspaper?
6. What are key obstacles to taking advantage of opportunities?
7. What is impeding growth?
8. What do your competitors do better?
9. What keeps you up at night?
10. What do people complain about within the organization?
11. If you could fix one thing at the company, what would it be?
34. REVIEW RISK DOCUMENTATION
• Is clarification needed?
• Is there a risk category that is missing?
The success of this exercise will depend upon the level of understanding of the risks and your input.
35. SIGNIFICANCE
You can rank the significance of your key business risks using the scale described below.
Level 7, 8 and 9, Major: Very significant financial, reputational or other loss that ultimately could jeopardize the ability of the organization to continue without major changes may occur. Regulatory communication may be required.
Level 4, 5 and 6, Moderate: Financial loss is moderate, could be significant and may require public disclosure. Management must be involved in the issue and focused on resolving it within a timely manner.
Level 1, 2 and 3, Insignificant: Little financial loss may occur. Management’s attention may not be required. Process changes are likely not required in response to risk occurrence.
36. LIKELIHOOD
You can rank the likelihood of your key business risks using the scale described below.
Level 7, 8 and 9, Probable: The future event or events are expected to occur in most circumstances.
Level 4, 5 and 6, Possible: The chance of the future event or events is more than remote but less than probable.
Level 1, 2 and 3, Remote: The future event or events may occur only in exceptional circumstances.
37. RISK RATING INTERPRETATION
The graphic below depicts how the risk map on the following slide can be interpreted: the map plots Significance (low to high) against Likelihood (low to high), and risk responses should be developed starting with those risks found in the upper-right quadrant (high on both axes).
Key Risks (high significance, high likelihood)
• Critical risks that potentially threaten the achievement of business objectives may occur.
Secondary Risks (high significance, lower likelihood)
• Likelihood is lower but could have significant adverse impact on business objectives.
Secondary Risks (lower significance, higher likelihood)
• Significance is lower, but more likely to occur.
• Consider cost/benefit trade-off.
• Reassess these risks often, since changing conditions could move them to high significance.
Low Priority Risks (low significance, low likelihood)
• Significant monitoring may not be necessary unless there is a change in classification.
• Reassess these risks periodically.
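The three votes from the objectives slide, the no-vote and repeat-click rules from the voting overview, and the four quadrants above, carried through in code. This is an added example and is not part of the workshop deck or its facilitation software. The vote records are constructed, the per-voter deduplication is one way of honouring "your vote will not be counted twice", and the cutoff of 5 for "high" on the two-by-two map is an assumption (the deck does not say where the midpoint of the 1 to 9 scale falls).

```python
"""Tally anonymous workshop votes into inherent and residual risk maps.

Added example, not part of the workshop deck. The vote records below are
constructed; the cutoff of 5 for "high" on the two-by-two map is an assumption.
"""
from collections import defaultdict
from statistics import median

QUESTIONS = ("significance", "inherent", "residual")  # the three votes
NO_VOTE = 0      # pressing 0 / "absent" registers a no-vote, left out of the tally
HIGH_CUTOFF = 5  # assumption: a median of 5 or more counts as "high" on the map

# Descriptor bands from the deck's significance and likelihood scales, listed
# with descending lower bounds so the first match wins.
SIGNIFICANCE_BANDS = [(8, "Major"), (6, "High"), (5, "Significant"),
                      (3, "Moderate"), (2, "Minor"), (1, "Insignificant")]
LIKELIHOOD_BANDS = [(9, "Almost Certain"), (7, "Probable"),
                    (4, "Reasonably Possible"), (2, "Unlikely"), (1, "Remote")]


def descriptor(bands, level):
    """Map a level on the 1-9 scale (medians may be x.5) to its descriptor."""
    for lower, name in bands:
        if level >= lower:
            return name
    raise ValueError(f"level {level} is below the 1-9 scale")


def quadrant(significance, likelihood):
    """Place a (significance, likelihood) pair in a quadrant of the risk map."""
    high_sig = significance >= HIGH_CUTOFF
    high_lik = likelihood >= HIGH_CUTOFF
    if high_sig and high_lik:
        return "Key Risk"
    if high_sig:
        return "Secondary Risk (high impact, lower likelihood)"
    if high_lik:
        return "Secondary Risk (lower impact, more likely)"
    return "Low Priority Risk"


def tally(raw_votes):
    """Collapse raw keypad records (voter, risk, question, level 0-9) into
    countable votes per risk and question. A voter's last press for a given
    risk/question overwrites the earlier one, so pressing again to confirm is
    never counted twice; no-votes are dropped."""
    latest = {}
    for voter, risk, question, level in raw_votes:
        if question not in QUESTIONS:
            raise ValueError(f"unknown vote {question!r}")
        if not 0 <= level <= 9:
            raise ValueError(f"level {level} outside keypad range 0-9")
        latest[(voter, risk, question)] = level
    tallies = defaultdict(lambda: defaultdict(list))
    for (voter, risk, question), level in latest.items():
        tallies[risk]  # keep the risk visible even if everyone abstained
        if level != NO_VOTE:
            tallies[risk][question].append(level)
    return tallies


def risk_maps(raw_votes):
    """Median each vote, attach descriptors and quadrants for both maps, and
    flag any risk whose residual likelihood exceeds its inherent likelihood:
    controls cannot make an event more likely, so that pattern means the group
    misread one of the votes and the facilitator should ask for a revote."""
    result = {}
    for risk, by_question in tally(raw_votes).items():
        missing = [q for q in QUESTIONS if not by_question[q]]
        if missing:
            raise ValueError(f"{risk}: no countable votes for {missing}")
        sig = median(by_question["significance"])
        inh = median(by_question["inherent"])
        res = median(by_question["residual"])
        result[risk] = {
            "significance": (sig, descriptor(SIGNIFICANCE_BANDS, sig)),
            "inherent": (inh, descriptor(LIKELIHOOD_BANDS, inh), quadrant(sig, inh)),
            "residual": (res, descriptor(LIKELIHOOD_BANDS, res), quadrant(sig, res)),
            "control_effect": inh - res,  # how far controls pull likelihood down
            "needs_revote": res > inh,
            "votes_counted": {q: len(by_question[q]) for q in QUESTIONS},
        }
    return result


# Constructed ballots: {risk: {voter: (significance, inherent, residual)}}.
# Voter v4 is unfamiliar with cybersecurity and abstains on all three votes.
SAMPLE_BALLOTS = {
    "Cybersecurity": {"v1": (8, 8, 5), "v2": (7, 7, 4), "v3": (9, 8, 4), "v4": (0, 0, 0)},
    "Tax Compliance": {"v1": (3, 3, 2), "v2": (4, 2, 2), "v3": (2, 3, 1)},
}
SAMPLE_VOTES = [(voter, risk, question, level)
                for risk, ballots in SAMPLE_BALLOTS.items()
                for voter, levels in ballots.items()
                for question, level in zip(QUESTIONS, levels)]
SAMPLE_VOTES.append(("v3", "Cybersecurity", "residual", 4))  # pressed again to confirm
```

Running `risk_maps(SAMPLE_VOTES)` places Cybersecurity in the Key Risk quadrant on the inherent map (median 8, Probable) and in the high-impact Secondary quadrant on the residual map (median 4, Reasonably Possible), with the abstaining voter and the duplicate confirmation press both excluded from the count of three. A risk whose residual median comes out above its inherent median is flagged rather than plotted quietly, which is the cue for the "who feels they need to change their vote?" step in the prioritization tips.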
38. SAMPLE RISK MAP
[Sample risk map: Significance (Insignificant, Moderate, Significant, High, Major; scale 1 to 9) plotted against Likelihood (Remote, Unlikely, Reasonably Possible, Probable, Almost Certain; scale 1 to 9), with placeholder risks A through R positioned on the grid and regions rated Low, Low to Moderate, Moderate, Moderate to High, High and Very High.]
39. VOTING GUIDANCE
Overview of Voting Technologies
• The voting is interesting, and the discussion is important. The discussion will allow each participant to gain additional insight into risks that may not be within their span of control but that may impact them in the execution of their responsibilities.
• Vote risk on an “inherent” basis (in the absence of controls).
• All voting is on a scale of 1 (lowest) through 9 (highest).
• If you are completely unfamiliar with the factors related to an individual risk, press 0 to register a “no-vote.” The no-vote option should be utilized sparingly, as the objective of the session is to obtain input from your perspective.
• Your vote will not be counted twice by the software, so feel free to press the button again to confirm your vote if you are not sure that it registered.
Let’s vote now.
40. ASSESS CURRENT RISK MANAGEMENT CAPABILITY: RISK MANAGEMENT CAPABILITIES
Level 1, Very Capable: ABC is very capable of managing the risk. Significant focus is spent to understand, report and manage the risk. There is little additional work that management could do to manage the risk without incurring costs that clearly outweigh the benefits.
Level 2 and 3, Capable: Management is actively managing the risk and believes that any additional mitigation would involve costs that would likely exceed the benefits. The appropriate processes and reporting are in place and the people are highly capable of executing.
Level 4, 5 and 6, Somewhat Capable: ABC has some processes/activities in place to manage the risk and would generally be able to identify risk events and control them in an acceptable manner. There may be opportunities to further reduce the risk if activities were further analyzed.
Level 7 and 8, Low Capability: Few processes/activities are in place to mitigate risk. Heavy reliance is placed on the abilities of people due to a lack of defined processes/appropriate systems to accumulate/analyze/report risk information.
Level 9, No Capability: Formal processes/activities are not in place to effectively mitigate risk in this area. People/systems are not capable of executing activities consistently. Management of risk is largely reactive.
41. ASSESS CURRENT RISK MANAGEMENT CAPABILITY: WORKSHOP RECAP
• Provide feedback on the risk assessment process.
• Did surprises occur?
− Risks identified
− Risks not identified
• Were comments/feedback provided?
• Next steps
− Finalize the risk universe.
○ Incorporate comments and suggested enhancements.
− Incorporate risk management capabilities and identify mitigating controls.
○ Top significant risks will be targeted by the company.
○ Further assess the adequacy of the control environment.
○ Identify gaps where better controls and reporting are needed to manage critical risks.
○ Determine future organization and infrastructure needs to enable management of critical risks (and other risks identified by management).
○ Formalize action plans to address identified control gaps.
○ Produce reporting and provide it to Company ABC for review and consolidation.