The webinar covers:
• ISO 31000 as the adopted standard for ISO standards that have risk components, such as ISO 27005 and OHSAS 18001
• Description of Management of Risk (MoR) – how organizations can benefit
• Complementary values that ISO 31000 and MoR bring to each other
• How Risk Managers can evolve a practical approach to carrying out Risk Processes
Presenter:
This webinar was presented by PECB Trainer Orlando Olumide Odejide, an experienced Enterprise Architect and Chief Trainer for Training Heights Limited.
5. Definition of Risk
An uncertain event or set of events that, should it occur, will have an effect (usually negative) on the achievement of objectives.
A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives.
6. Definition of Enterprise Risk Management
Risk Management allows the activities involved to be visible, repeatable and consistent, to support effective decision-making.
Risk Management allows an organization to make cost-effective use of a risk management process that includes a series of well-controlled steps.
The aim of Risk Management is to improve internal control and support better decision making through a good understanding of individual risks and the overall risk exposure that exists at a particular time.
Risk Management refers to the systematic application of principles, an approach and a process to the tasks of identifying and assessing risks, and then planning and implementing risk responses. This provides a disciplined environment for proactive decision making.
For Risk Management to be effective, risks need to be Identified, Assessed and Controlled.
7. Risks and their Controls
Diagram: within an organization, risks are identified through risk assessment and addressed by controls (risk treatment/mitigation).
8. The Relationship and Interconnectedness of Risks
Enterprise Risk Ecosystem (diagram of the risk types covered in the following slides):
• Corporate Governance Risk
• Management Risk
• Strategy Risk
• Market Risk
• Credit Risk
• Operational (Process) Risk
• Liquidity (Cashflow) Risk
• Reputation/Brand Risk
• Social Risk
• Political Risk
• Investment Risk
• Financial (Accounting) Risk
• Health and Safety Risk
• Environmental Risk
• Counter Party Risk
• Technology Risk
• Project Risk
• Economic Risk
• Commercial Risk
• Regulatory Risk
• Internal Audit Risk
• Legal Risk
• Global Risks
• Inherent and Residual Risk
9. Corporate Governance Risk
This refers to the risk that the Board of the organization is wrongly constituted (without the appropriate persons with the right skills and experience).
It also refers to the possibility of the Board of an organization not being aware of, or appropriately educated about, its roles and responsibilities with regard to Corporate Governance.
Finally, it refers to the Board not ensuring that the organization is led, guided, controlled and monitored appropriately to discharge its corporate governance mandate.
10. Corporate Management Risk
This refers to the risk of the management (CEO, COO, CFO, CIO and Executive Directors) not managing the organization appropriately to ensure that all stakeholder interests are served.
It reviews whether the Management of the organization is clear on its roles and responsibilities, and whether it has a vision and strategy to deliver on stated organizational objectives.
Other components include whether the Management team has the right skills, experience and expertise to successfully lead the organization.
11. Strategy Risk
This refers to the strategy development and execution capabilities of an organization, i.e. whether the organization is driven and managed using the right, appropriate and measurable business/corporate strategy.
It reviews the strategy development tools and methods (e.g. balanced scorecard, blue ocean strategy) used, and whether they are the right and appropriate ones for that particular organization/industry.
It looks at whether the business is being run in line with its documented strategy (strategy development versus execution).
12. Market Risk
This includes risks like:
1. Equity: Stocks, Shares and the Nigerian Stock Exchange
2. Interest Rate: 21+% from Banks
3. Currency: Dollars and Pounds Movement
4. Commodity: Barrel of Oil in the International Market
13. Credit Risk
The risk that an organization can be over-exposed to its creditors (people it gives goods and services to on credit) and their inability to pay completely as at when due.
Credit is crucial to a lot of businesses and, if not carefully managed, can lead to major cash flow problems and even the closure of a business.
14. Operational (Process) Risk
This is the risk associated with the operations of an organization, and it is the most widely reviewed and understood area of risk management.
Operational risks lead to fraud, business losses or poor results/outputs.
It is threefold:
1. The risk of operational processes (manual and automated) being unsuitable.
2. The risk associated with the people who carry out operational processes.
3. The risk that operational systems are not appropriately designed and are ineffectively operated.
15. Liquidity (Cash Flow)
This can take two forms:
1. The risk of an organization not having enough cash available as at when it is needed to run and fund business operations.
2. The risk that a given security or asset cannot be traded quickly enough in the market to prevent a loss (or make the required profit).
16. Reputation/Brand
A brand is what the potential and existing customers/market of an organization say about it and its goods/services.
This is the risk attached to the Brand Equity of an organization.
It also refers to the risk an organization can suffer if its reputation is destroyed.
It is very much related to the risk that a competitor can develop a better brand that overshadows an organization's existing brand.
17. Social Risk [Corporate Social Responsibility – ISO 26000]
This also can take two forms:
1. The risk that an organization is unaware of, and not aligning its strategy, goods and services to, the social demographics of the market, including issues like male versus female, under 30 versus above 30, educated versus non-educated, etc.
2. The other side of social risk relates to an organization not being seen as socially responsible. This is why organizations carry out civic and socially responsible activities such as supporting motherless baby homes, providing books for public schools, building school halls and libraries, etc.
18. Political Risk
Political risk relates to the risk that can affect an organization based on the political climate of the country it operates within.
This can be caused by a change in Government, unfavorable governmental policies and general inability within government.
Examples include elections in Nigeria and others.
19. Investment Risk
This is the risk that there will be insufficient return on an investment. The major investment classes include:
Cash: Cash is the least risky of the four but it tends to deliver low returns, which means the value of your money can be eroded in times of high inflation.
Bonds: One step up the risk ladder is government bonds, or gilts, followed by investment grade corporate bonds, where you effectively lend money to large companies in exchange for a fixed rate of interest.
Property: Investing in commercial property, such as offices, supermarkets and warehouses, can grow your money through rental income and growth in the value of the property you own.
Equities: Stocks and shares, commonly known as equities, are seen as the most risky asset class, as stock markets can be highly unpredictable.
20. Financial Risk (P or L, A and L)
Financial risk means various things to different people.
Primarily it means the risk that the organization might collapse due to the ill health of its financial position.
Balance Sheet risk describes the imbalance that occurs if the liabilities of an organization are greater than its assets.
P or L risk describes an organization's cumulative expenses over a period significantly outweighing its revenue, leading to major losses in the organization.
21. Health and Safety Risk (OHSAS 18001)
Health and Safety is essential in an organization and helps to avoid litigation and penalties to the organization with regard to the health and safety of its staff.
It refers to the risks associated with the possibility of the loss of life (the ultimate risk) in the office place.
OHSAS 18001 is the ISO standard that organizations have to show adherence to, and it is compulsory for certain industries like Mining, Manufacturing and Oil and Gas.
22. Environmental Risk (ISO 14001)
This is the risk that the activities of an organization are injurious and detrimental to the physical and geographical environment in which it operates.
This includes waste management, environmental pollution and climate destruction.
There are huge penalties (including sanctions and fines) for organizations who are seen to be environmentally irresponsible.
ISO 14001 is the standard for managing this, and organizations in certain industries, like Oil and Gas, must strictly adhere to it.
23. Counter Party Risk
This refers to the risk that the counter party/partner of an organization (possibly its Insurance Company or one of its Partners) might not be able to pay the right claims in the event of a major unfavorable event, or might default on its obligations to a particular venture.
It is the risk to each party of a contract that the counterparty will not live up to its contractual obligations. Counterparty risk is a risk to both parties and should be considered when evaluating a contract.
In most financial contracts, counterparty risk is also known as "default risk".
24. Technology (IT) Risk
This is the risk of an organization not having the right information technology tools and platforms to adequately run its business.
It can stem from not having the right persons (with the right skills and capabilities) running IT in an organization.
It can also be an organization not being capitalized enough to invest in the right IT tools and platforms.
Finally, it can be an organization not getting the needed results and returns from its investment in IT.
Examples: failed Banking and Insurance applications.
25. Project Risk
Most projects are capital (finance and budget) intensive and their failure can be material to an organization.
Project risk refers to the possibility that an organization might not get the appropriate return on its investment in specific projects.
A project has failed if it goes beyond defined tolerances for Costs/Budget, Time, Scope, Resource Utilization and Quality of Deliverables, or if it falls short of the expectations of stakeholders.
26. Economic Risk
These are risks related to the 2 major branches of the economy:
1. Macroeconomic Factors: Growth, Inflation, Unemployment, National Income and International Trade.
2. Microeconomic Factors: Supply and Demand, Pricing and other microeconomic issues.
27. Commercial Risk
This is the risk associated with 3 key things:
1. Customers: Not having the right customers, in the right segments, in the right quantities/volumes.
2. Suppliers: Not having the right suppliers (strategic, tactical, operational and commodity) that provide convenient business conditions with the appropriate agreements.
3. Products: Not developing the right products, with the right quality, with the right packaging, for the right price, for the right market segment.
28. Regulatory and Compliance Risk
This is the risk of not being able to meet the requests and demands of the regulators of particular industries and for particular issues.
It is very much the same as the risk of non-compliance with stated industry demands and requirements.
Examples: CBN, NAICOM, NDIC, NCC and others.
29. Internal Audit and Control Risk
This is the risk that there is no appropriate internal audit programme, procedures and plans within the organization.
It also refers to the risk of no appropriate controls being in place to prevent business losses, whether via fraud, theft or lack of effectiveness within the operations of the organization.
Internal Audit and Internal Control are 2 different functions within an organization; however, there are risks as they pertain to both of them.
Most controls are in place to help detect, prevent and correct anomalies, and they operate continuously.
Internal Audit is periodic and continual in nature (it starts and stops) and it primarily checks for alignment.
30. Legal Risk
This is the risk related to flouting legal conditions (the laws of the land) and the multiple consequences of doing so.
There are sanctions and penalties for being unable to meet, or going against, stated laws in a particular country.
Examples: Tax, Employment Laws, etc.
31. Global Risk
This is the risk that global events and happenings can adversely affect an organization in a particular country.
Examples include global happenings like wars, G8 sanctions and others.
32. Inherent and Residual Risk
Inherent Risk: the risk that comes as part of the nature of a specific type of operation/business.
Residual Risk: the risk that is left after a control/mitigation/treatment/remediation has been applied.
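Slide 5 defines a risk as the combination of probability and impact, and slide 32 defines residual risk as what is left once a control has been applied. The Python example below, added here and not part of the webinar, puts those two definitions into a small risk register together with two of the Appendix B techniques (a probability impact grid and a summary risk profile); the 1–5 scales, rating bands, control effects and register entries are all constructed, hypothetical values.

```python
# Added example (not from the webinar): probability x impact scoring with
# inherent vs residual exposure. All scales and sample data are constructed.
from dataclasses import dataclass, field

# Probability impact grid bands for score = probability * impact (1..25).
RATING_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 15, "High"), (16, 25, "Very High")]


def rating(probability: int, impact: int) -> str:
    """Return the grid band for a probability/impact pair on the 1-5 scales."""
    if not (1 <= probability <= 5 and 1 <= impact <= 5):
        raise ValueError("probability and impact must be on the 1-5 scale")
    score = probability * impact
    for low, high, label in RATING_BANDS:
        if low <= score <= high:
            return label
    raise AssertionError("unreachable: bands cover every score from 1 to 25")


@dataclass
class Control:
    name: str
    probability_reduction: int = 0  # grid steps the control removes from probability
    impact_reduction: int = 0       # grid steps the control removes from impact


@dataclass
class Risk:
    risk_id: str
    description: str
    probability: int  # inherent probability, 1-5
    impact: int       # inherent impact on objectives, 1-5
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        return self.probability * self.impact

    def residual(self) -> tuple:
        """Probability and impact left after all controls (never below 1)."""
        p = max(1, self.probability - sum(c.probability_reduction for c in self.controls))
        i = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return p, i

    def residual_score(self) -> int:
        p, i = self.residual()
        return p * i


def summary_risk_profile(register) -> dict:
    """Count risks per residual band: the summary risk profile from Appendix B."""
    profile = {label: 0 for _, _, label in RATING_BANDS}
    for risk in register:
        profile[rating(*risk.residual())] += 1
    return profile


# Constructed sample register; ids, descriptions and scores are hypothetical.
REGISTER = [
    Risk("R1", "Liquidity: cash shortfall at quarter end", 4, 4,
         [Control("Committed overdraft facility", probability_reduction=2)]),
    Risk("R2", "Technology: core banking application outage", 3, 5,
         [Control("Tested failover site", impact_reduction=2),
          Control("Patch and change management", probability_reduction=1)]),
    Risk("R3", "Legal: late tax filing penalty", 2, 2, []),
]

if __name__ == "__main__":
    for risk in REGISTER:
        print(risk.risk_id, risk.inherent_score(), rating(risk.probability, risk.impact),
              "->", risk.residual_score(), rating(*risk.residual()))
    print(summary_risk_profile(REGISTER))
```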
34. Structure of MoR
CONTENT (PART 1 – 6)
1. Introduction
2. MoR Principles
3. MoR Approach
4. MoR Risk Process
5. Embedding and Reviewing MoR
6. Perspectives
APPENDICES
1. MoR Document Outlines
2. Common Techniques
3. Health Check
4. Maturity Model
5. Risk Specialisms
35. MoR Part 1
What is Risk?
What is Risk Management?
Why is Risk Management Important?
How has Risk Management Developed?
Corporate Governance and Internal Control
Where and when should Risk Management be applied?
OGC Best Practice Guidance
36. MoR Part 2 – MoR Principles
2.1 Introduction
2.2 Alignment with Objectives
2.3 Fits the Context
2.4 Engages Stakeholders
2.5 Provides Clear Guidance
2.6 Informs Decision Making
2.7 Facilitates Continual Improvement.
2.8 Creates a Supportive Culture.
2.9 Achieves Measurable Value.
37. MoR Part 3 – MoR Approach
3.1 Introduction
3.2 Risk Management Policy
3.3 Risk Management Process Guide
3.4 Risk Management Strategy
3.5 Risk Register
3.6 Issue Register
3.7 Risk Improvement Plan
3.8 Risk Communications Plan
3.9 Risk Response Plan
3.10 Risk Progress Report
3.11 Relationship between Documents
38. MoR Part 4
4.1 Introduction
4.2 Common Process Barriers
4.3 Communications throughout the Process
4.4 Identify – Context
4.5 Identify – Identify the Risks
4.6 Assess – Estimate
4.7 Assess – Evaluate
4.8 Plan
4.9 Implement
39. MoR Part 5 – Embedding and Reviewing MoR
5.1 Introduction
5.2 Embedding the Principles
5.3 Changing the culture of Risk Management
5.4 Measuring the Value
5.5 Overcoming the Common Barriers to Success
5.6 Identify and Establish Opportunities for Change
40. MoR Part 6 – Perspectives
6.1 Introduction
6.2 Strategic Perspective
6.3 Programme Perspective
6.4 Project Perspective
6.5 Operational Perspective
6.6 Achieving Measurable Value
6.7 Integrating Risk Management Across Perspectives
6.8 Roles and Responsibilities
41. Appendix A – MoR Document Outlines (9 Great Templates)
1. Risk Management Policy
2. Risk Management Process Guide
3. Risk Management Strategy
4. Risk Register
5. Issue Register
6. Risk Improvement Plan
7. Risk Communications Plan
8. Risk Response Plan
9. Risk Progress Report
42. Appendix B: Common Techniques
1. Introduction
2. Techniques for the Identify – Context Step
2.1 Stakeholder Analysis
2.2 PESTLE Analysis
2.3 SWOT Analysis
2.4 Horizon Scanning
2.5 Probability Impact Grid
3. Techniques for the Identify – Identify the Risks Step
3.1 Checklists
3.2 Prompt list
3.3 Cause and effect diagrams
3.4 Group Techniques
3.5 Questionnaires
3.6 Individual interviews
3.7 Assumptions Analysis
3.8 Constraints Analysis
3.9 Risk Descriptions
4. Techniques for the Assess – Estimate Step
4.1 Probability Assessment
4.2 Impact Assessment
4.3 Proximity
4.4 Expected Value Assessment
5. Techniques for the Assess – Evaluate Step
◦ 5.1 Summary Risk Profiles
◦ 5.2 Summary Expected Value Assessment
◦ 5.3 Probabilistic Risk Models
◦ 5.4 Probability Trees
◦ 5.5 Sensitivity Analysis
6. Techniques for the Plan Step
◦ 6.1 Risk Response Planning
◦ 6.2 Cost-Benefit Analysis
◦ 6.3 Decision Trees
7. Techniques for the Implement Step
◦ 7.1 Update summary risk profiles
◦ 7.2 Risk Exposure Trends
◦ 7.3 Update probabilistic risk models
43. Appendix C: Management of Risk Health Check
GENERAL
Purpose of Risk Health Check
Process
◦ Preparation
◦ Data Collection
◦ Data Analysis
◦ Review and Report
FRAMEWORK (8 STEPS)
1. Aligns with Objectives
2. Tailored to Context
3. Engages Stakeholders
4. Provides Clear Guidance
5. Informs Decision Making
6. Facilitates Continual Improvement
7. Creates a Supportive Culture
8. Achieves Measurable Value
44. Appendix D: Management of Risk Maturity Model
1. Introduction
2. Process Improvement
3. Definition
4. Purpose
5. Scope
6. Structure/Composition
7. Levels
8. Criteria [Level 1 (Initial), 2 (Repeatable), 3 (Defined), 4 (Managed), 5 (Optimizing)]
9. Competencies
10. MoR Maturity Model
11. Use/Deployment
◦ Progressing between maturity levels
◦ Maintaining the highest level of maturity
◦ Benefits
12. Conclusion
13. Other Examples
14. More information on the OGC P3M3
45. Appendix E: Risk Specialism
1. Business Continuity Management
2. Incident and Crisis Management
3. Health and Safety Management
4. Security Risk Management
5. Financial Risk Management
6. Environmental Risk Management
7. Reputation Risk Management
8. Contract Risk Management
9. Energy Risk Management
47. Benefits/Capabilities for Management of Risk
1. Increase the likelihood of achieving objectives
2. Encourage proactive management
3. Be aware of the need to identify and treat risk throughout the organization
4. Improve the identification of opportunities and threats
5. Comply with relevant legal and regulatory requirements and international norms
6. Improve mandatory and voluntary reporting
7. Improve governance
8. Improve stakeholder confidence and trust
9. Improve controls
10. Establish a reliable basis for decision making and planning
11. Effectively allocate and use resources for risk treatment
12. Improve operational effectiveness and efficiency
13. Enhance health and safety performance as well as environmental protection
14. Improve loss prevention and incident management
15. Minimize losses
16. Improve organizational learning
17. Improve organizational resilience
48. Stakeholders who have Risk Management needs
1. Those responsible for developing risk management policy within their organization
2. Those accountable for ensuring that risk is effectively managed within the organization as a whole or within a specific area, project or activity
3. Those who need to evaluate an organization's effectiveness in managing risk
4. Developers of standards, guides, procedures and codes of practice that, in whole or in part, set out how risk is to be managed within the specific context of those documents
49. Terms and Definitions (*Notes)
1. Risk: Effect of Uncertainty on Objectives
An effect is a deviation from the expected, positive (+) or negative (–).
Objectives can have different aspects (e.g. financial) and be at different levels (strategic or project).
2. Risk Management
3. Risk Management Framework
4. Risk Management Policy
5. Risk Attitude
6. Risk Management Plan
7. Risk Owner
8. Risk Management Process
9. Establishing the Context
10. External Context
11. Internal Context
12. Communication and Consultation
13. Risk Assessment
14. Risk Identification
15. Risk Source
16. Event
17. Consequence
18. Risk Profile
19. Risk Analysis
20. Risk Criteria
21. Level of Risk
22. Risk Evaluation
23. Risk Treatment
24. Control
25. Residual Risk
26. Monitoring
27. Review
50. ISO 31000: Clauses 3, 4, 5 and Annex A
Clause 3: Principles
1. RM creates and protects value
2. Risk management is an integral part of all organizational processes
3. Risk management is part of decision making
4. RM addresses uncertainty
5. RM is systematic, structured and timely
6. RM is based on the best available information
7. RM is tailored
Clause 4: Framework
• General
• Mandate and Commitment
• Design of Framework for Managing Risk
• Implementing Risk Management
• Monitoring and Review of the Framework
• Continual Improvement of the Framework
Clause 5: Process
• General
• Communication and Consultation
• Establishing the Context
• Risk Assessment
• Risk Treatment
• Monitoring and Review
• Recording the risk management process
Annex A
• General
• Key Outcomes
• Attributes
• Continual Improvement
• Full accountability for risk
• Application of risk management in all decision making
• Continual communications
• Full integration in the organization's governance structure
51. ISO 31000 – Risk Management Principles and Guidelines