1. NATIONAL CONFERENCE & EXHIBITION 2014
Creating Value Through Enterprise Risk Management
Presented by Peter Moore
Risk Point
Platinum Sponsor
Silver Sponsor Bronze Sponsor
Risk Manager of the Year
Award Sponsor
Conference and Exhibition Partners
2. Overview
• Barriers to success in creating value
• Risk management frameworks
• Risk appetite and risk tolerance
• Integrating risk management
• Summary and close
3. 1. Barriers to Success in
Creating Value
• Barriers to success in creating value:
• Poor/ incorrect use of language
• Poorly designed frameworks
• Poor risk assessment techniques
• Risk versus fact analysis
• Lack of engagement and commitment within the enterprise
• Over complexity in design of risk management frameworks and systems
• Focus on process outcomes rather than decision support and resource
allocation
4. 2. Risk Management Frameworks
• Keep it simple unless complexity is required due to the nature or size
of the organisation
• Take into consideration how the framework integrates risk
management into the business
• Make it intuitive so it “looks like the business”
5. Risk Area Framework
• Provides focus on the organisation, what it does and how it does it
• Internal processes and externalities (internal and external context)
Area of Business
Service Delivery
Financial
Human Resources
Sales – Marketing/ Business Development
IT/ Technological
Commercial/ Legal
Occupational Health & Safety
Compliance
Management
Political/ Economic
Competition
6. Risk Area Framework
• If more detailed structure required, sub areas or categories may be appropriate
Area of Business
Financial Payroll
Debtors/ creditors
Treasury
Human Resources Recruitment
Remuneration/ retention
Training and management
IT/ Technological IT assets
Information assets
Information security
7. Risk Types - Compliance/ Business
Strategic/ Operational
• Creates distinction between compliance risks and business risks which integrates
into risk appetite and risk tolerance and corporate governance
• Provides clarity on strategic risks (involving board) and operational risks which
integrate into management processes and business planning
• Allows risks to be considered in context and increases clarity in analysis
Risk Type
Compliance
Business
Risk Type
Strategic
Operational
8. Align the Framework to the Business
• What business are we in?
• What is it that we do?
• What are our objectives and what are we trying to achieve?
• From a risk management perspective these questions provide alignment with the
business and provide one of the keys to integrating risk management and
creating value
9. Risk Identification Techniques
• Risk identification techniques and risk statements
• Root cause analysis technique1
Risk
Cause
Root Cause
1.IEC/ISO 31010:2009 Risk management – Risk assessment techniques
10. Risk Identification Techniques
• Risk identification techniques and risk statements
• Root cause analysis technique1
Risk
Cause
Root Cause
1,IEC/ISO 31010:2009 Risk management – Risk assessment techniques
Business
Objectives
11. Risk Identification Techniques
• Risk identification techniques and risk statements
• Cause-and-effect analysis technique2
• Not statements of fact
Cause Risk Effect
2. IEC/ISO 31010:2009 Risk management – Risk assessment techniques
13. 3. Risk Appetite and Risk Tolerance
• Clarity is required on use of language
• Definitions are not included in AS/NZS ISO 31000 (need to refer to ISO
Guide 73)
• Context needs to be applied
• Failure to follow above will lead to confusion
• Allows appropriate decisions to be made with regard to risk
14. Risk Appetite and Risk Tolerance
Risk appetite
“Amount and type of risk that an organization is willing to pursue or
retain”3
Risk tolerance
“Organization’s or stakeholder’s readiness to bear the risk after
treatment in order to achieve its objectives” 4
3,4. ISO Guide 73 Risk management - Vocabulary
15. Risk Appetite –
ASX Corporate Governance Principles
Principle 1: Lay solid foundations for management and oversight
Recommendation 1.1 – Commentary
“Usually the board of a listed entity will be responsible for:
• Ensuring that the entity has in place an appropriate risk management
framework and setting the risk appetite within which board expects
management to operate”5
5. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014
16. Risk Appetite –
ASX Corporate Governance Principles
Principle 7: Recognise and manage risk
Commentary
“The board of a listed entity is ultimately responsible for deciding the nature and
extent of the risks it is prepared to take to meet its objectives.
To enable the board to do this, the entity must have an appropriate framework to
identify and manage risk on an ongoing basis. It is the role of management to
design and implement that framework and to ensure that the entity operates
within the risk appetite set by the board. It is the role of the board to the risk
appetite for the entity,…..”6
6. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014
17. Risk Appetite –
Commonwealth Risk Management Policy
Element One – Establishing a risk management policy
“13.1 An entity must establish and maintain an entity specific risk management
policy that:
a….
b. defines the entity’s risk appetite and risk tolerance”7
7. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014
18. Risk Appetite –
Commonwealth Risk Management Policy
Element Three – Defining responsibility for managing risk
“15.1 Within the risk management policy, the accountable authority of an entity must
define the responsibility for managing risk by:
a. defining who is responsible for determining an entity’s appetite and tolerance
for risk”8
8. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014
19. Setting Risk Tolerance
• Thresholds for tolerability are established for compliance risk (non negotiable, must manage to defined
levels)
• Policy settings can be used to establish tolerance levels for compliance risk (e.g., risk level “Low” score no
greater than 4)
RISK MATRIX
Likelihood Consequence
1
Insignificant
2
Minor
3
Moderate
4
Major
5
Severe
5 Almost Certain M H H VH VH
4 Likely M M H H VH
3 Possible L M H H H
2 Unlikely L L M M H
1 Rare L L M M H
20. Setting Risk Appetite
• Must be established in accordance with preparedness to take commercial, or business risks in order to
achieve objectives
• Is different in different parts of the business (e.g. “High” score 9/ High score 16)
• Provides a feedback loop to strategy setting (are we likely to achieve the positive outcomes and returns for
the potential adverse threats in pursuing the strategy?)
RISK MATRIX
Likelihood Consequence
1
Insignificant
2
Minor
3
Moderate
4
Major
5
Severe
5 Almost Certain M H H VH VH
4 Likely M M H H VH
3 Possible L M H H H
2 Unlikely L L M M H
1 Rare L L M M H
Business
process or
function A
Business
process or
function B
24. 4. Integrating Risk Management
• Draws upon a sound risk management framework
• Incorporates risk appetite and risk tolerance settings
• Links risk management to strategic planning
• Links risk management to corporate governance
• Techniques for determining what risk management and risk treatment activities
(to manage risks to acceptable levels) are part of the job
• A mechanism for making risk management “part of the business”
• Accountabilities and responsibilities defined
• Establishing Key Risk Indicators (KRI’s)
25. Risk Management Task Integration
• A method of determining which risk management activities (e.g.,
development of risk treatment plans) are part of the job
• Assists in determining what’s important, what’s urgent and what’s not
• Assists in resource allocation and decision making
• Creates value through better decision making and better business
outcomes
26.
27.
28. Accountability
• Accountabilities need to be assigned for:
• Risks
• Control development and assurance
• Risk treatment actions and plans
• Reporting on risk management activities
29. Key Risk Indicators (KRI’S)
• Identify what aspect of the business needs to be measured and monitored
• Develop sources of data around activities which influence or impact risks
and risk levels
• Develop metrics for measurement
• Assign ownership (as critical as risk ownership)
• Measure movements in KRI’s
• Take action where KRI’s move beyond tolerable levels
30. Key Risk Indicators (KRI’S)
• Leading indicators
• A predictive indicator which provides insights into the likelihood of a risk materialising:
• Reduced business opportunity pipeline/ sales conversion ratio
• Lagging indicators
• An outcome indicator which provides insight into the frequency and impact of a risk materialising:
• Lower sales to date from budget
• Note: These indicators would be used to assist reviewing a business risk such as, “failure to meet sales targets resulting in
impact on revenue objectives”.
31. KRI Monitoring – Qualitative Assessment
RAGAR Model8
Score
Baseline
Time
Out of
tolerance –
take action
Borderline –
may require
investigation
Within
tolerance- no
action required
8. Adapted from Smart, A., and Creelman, J., Risk-Based Performance Management, 2013
34. NATIONAL CONFERENCE & EXHIBITION 2014
Thank you.
Platinum Sponsor
Silver Sponsor Bronze Sponsor
Risk Manager of the Year
Award Sponsor
Conference and Exhibition Partners