Advanced Risk Management - Elsam Management Consultants

This presentation provides a general overview of enterprise risk management principles, which can help transform a corporation from being risk-exposed to being risk-protected. The basic steps of the risk management process are critically and logically analysed.


    2. Notes: These slides contain video clips to help the reader understand the risk management concepts. To view the clips you must be in slide show mode and click on the underlined links. The video clips are copyrighted material and EMAC accepts no legal responsibility for any use other than educational dissemination.
    3. Welcoming Remarks: Who are we? Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006. Core functions: recruitment, training and consultancies. More details:
    4. Welcoming Remarks: Introduction of the facilitators. Self-introduction to the others on your team. Recap: share something from your personal experience of risk management and highlight your expectations of this training. Pick one: identify a risk and discuss it as both a threat and an opportunity. Report to the large group; pick a spokesperson.
    5. Why this training?
    6. Why this training? Government collapse (Greece, Turkey, Africa); global markets becoming more complex; greater product complexity; new businesses (e-banking); increasing competition; new players.
    7. Why this training? Regulatory imbalances; technology; corporate failures (what about Tanzania?); increase in fraud and corruption; increase in "snakes in suits"; theft and robberies.
    8. Organization of this training: Day 1: Understanding Risk Management Principles. Day 2: Public Sector Risk Management (theoretical implications, practical implications, challenges). Day 3: Fraud Risk Management. Day 3: Lessons Learned from Practice.
    9. Part I
    11. Presentation Plan: Defining and understanding risk; risk and risk management; objectives of risk management; modeling of the risk management process; the risk management process; guidelines for risk management.
    12. Presentation Plan (cont.): Role of the internal auditor in risk management; role of the audit committee in risk management; examples of models for risk management; practical sessions (continuous).
    13. Risk? What is it? What is not risk?
    14. Risk: Real or perceived. Risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives: 'a calculation of both probability and improbability becoming a reality'. Risk has no religion. This definition is based on three scenarios:
    15. Risk Scenarios: Whatever can go wrong, will go wrong. Whatever cannot go wrong, will go wrong. When things go wrong, they go badly wrong.
    16. What is risk? Something happening that may have an impact on the achievement of objectives. It includes risk as an opportunity as well as a threat. By managing threats the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities the organisation will be in a better position to provide improved services and better value for money.
    17. Probability vs 'Risk Magnitude' (diagram): a scale from -10 through 0 to +10, running from improbable risk to probable risk on the probability axis and from low-magnitude to high-magnitude risk on the magnitude axis, with unlikely and likely risks in between. Click on the underlined words to watch the video.
    18. Group study 1: Based on the video presentation: Can you identify ten risk scenarios? Do you agree that one risk normally results in other potential risks? Is this a probable or an improbable risk? What are the major risks in your organisation which are improbable?
    19. Examples of risks: resources, political, economic, social, technological, legislative/regulatory, environmental, competition, customer/citizen, managerial, professional, financial, legal, partnership/contractual, procurement, physical, technological...
    20. Mention the risks you know in: public sector service delivery; the banking industry; starting a job or career; transport and travel; financial management; attending this workshop; risks related to your organization.
    21. Risks: risk category and possible risk areas.
        Strategy: planning; business portfolio management activity; new business/growth opportunities; strategy development; business performance management; target setting/vision/goals; investor relations; joint venture management; rationalisation; communication of the strategic direction set by the Board.
        Human Resources: workplace industrial relations; employment practices; remuneration and entitlements; succession planning; recruitment and retention; workers' compensation; skills availability/training and development; leadership; diversity; employee safety and health; performance incentivisation; communication; contractors/third parties.
        Information Technology: data management; data security; systems development/new systems; systems maintenance; availability; data integrity; service delivery; e-commerce; outsourcing management; interfaces with third parties; sharing of classified information.
        Marketing: competitive positioning; market research; image; trademarks; strategic alliance networks; pricing/costing; patents; reputation; customer service; new products; project management; research and development; product portfolio; product liability; obsolescence; e-commerce.
    22. Risks (cont.), CRCA © 2007 Deloitte Touche Tohmatsu: risk category and possible risk areas.
        Supply Chain/Distribution: logistics; purchasing/procurement; inventory management; contract management; import clearance; continuity management.
        Environment: regulatory compliance; contamination; loss of containment; complaints management; handling; image/reputation; community/government relations.
        Legal: regulatory compliance; commercial relationships; acquisitions/divestments; intellectual property; competition law; contractual obligations.
        Finance: funding/treasury; investments; taxation; debt management; supplier payments; capital expenditure; financial controls and reporting; fraud; insurance.
        Physical Assets: security; natural disaster; fire; explosion; impact; capital expenditure.
        Operations: manufacturing upscaling; technical engineering; capacity planning; costs of upscaling to production; reliability; management and partners; safe operations.
        Government: sovereignty; politics; war; legislative change; corruption; terrorism; tax law change; change to the party in power.
        Economics: interest rates; commodity; currency.
    23. Meaning of Risks: Case study I (video); Practical Session I; Case Analysis I.
    24. End of Session I
    25. Risk Management
    26. What is Risk Management?
    27. Basis of Risk Management: Risk management is part of the wider corporate governance and internal control system of an organization. Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.
    28. Risk Management: Pillars of Corporate Governance. Accountability: ensure that management is accountable to the Board and that the Board is accountable to the shareholders. Fairness: protects shareholders' rights; treats all shareholders, including minorities, equitably; provides effective redress for violations. Transparency: ensures timely, accurate disclosure of all material matters, including the financial situation, performance, ownership and corporate governance. Independence: procedures and structures are in place to minimize, or avoid completely, conflicts of interest; independent directors and advisers, i.e. free from the influence of others.
    29. Principles of Risk Management: creates value (gain should exceed pain); is an integral part of organisational processes; is part of the decision-making process; explicitly addresses uncertainty and assumptions; is systematic and structured; is based on the best available information; is customizable to the entity's needs; takes human factors into account; is transparent and inclusive; is dynamic, iterative and responsive to change; is capable of continual improvement and enhancement; is continually and periodically re-assessed; is tailorable.
    30. Risk management: It is not avoiding risk. It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives. There is no risk-free environment!
    31. Risk management defined: Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management: Integrated Framework, September 2004, New York, NY.)
    32. Risk Management Defined: RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives (IIA). Risk management is the identification, assessment and prioritization of risks (ISO 31000) and the subsequent application of resources to minimize, monitor and control the probability and/or impact of downside events, or to maximize the realization of opportunities. It deals with the management of uncertainty, risks and opportunities towards the achievement of company goals and objectives.
    33. Objectives of Risk Management: supports strategic and business planning; enhances communication between directors and departments; supports effective use of resources; promotes continual improvement; helps focus internal audit programs; fewer shocks and unwelcome surprises; reassures stakeholders; quick grasp of new opportunities.
    34. Objectives and RM: Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood. Objectives must be defined before defining the risks which may affect them. Risk management must be linked to objectives, strategies and projects.
    35. Benefits of Risk Management: aligns risk profile and strategy; broadens risk awareness; minimizes surprises and losses; rationalizes capital requirements; improves shareholder value; assures regulatory compliance.
    36. Hard and Soft Side of Risk Management. Hard side: measures and reporting; risk oversight committees; policies and procedures; risk assessment; risk limits; audit process; systems. Soft side: risk awareness; people; skills; integrity; incentives; culture and values; trust and communication.
    37. Drivers for Risk Management
    38. What are the real objectives of RM? Video presentation; Case study 2.
    39. Strategic and operational risk (diagram): situation analysis; mission and vision; objectives; targets; overview of SP activities; inputs and
    40. What do you see?
    41. End of Session II
    42. Risk Management Frameworks: Modeling of Risk Management and Risk Management Standards
    43. Common Risk Management Standards: the Risk Management Standard (IRM, ALARM and AIRMIC) of the UK; ISO 31000 Risk Management: Guidelines on principles and implementation of risk management; ISO Guide 73: Risk Management Vocabulary; BS 31100 Code of practice for risk management; AS/NZS 4360:2004 Risk Management Standard; COSO Enterprise Risk Management; Canadian Government Sector Standard; Basel II/III; Solvency II (ICAAP); King Report.
    44. Cadbury; Basel II
    45. Many Models to Choose Among: COSO; COCO; Cadbury Report; Deming Award; TQM; 12 Attributes; Deep Learning Framework; Baldrige Award; ISO 31000; Westinghouse Award; Northrop Award.
    46. Who Developed the Models? COSO: the major accounting and audit professional organizations issued COSO in 1992. 12 Criteria: the Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987. COCO: in November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
    47. Who Developed the Models? (continued) ISO 31000: developed by the International Organization for Standardization (ISO). Deep Learning Framework: in 1990, Peter Senge published the now classic The Fifth Discipline, and then in 1995 published The Fifth Discipline Fieldbook.
    48. Different Frameworks, Same Goals: Frameworks provide a way of understanding our organizations. By using different groupings, each highlights some aspects of control more than others. The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
    49. Different Frameworks, Same Goals: Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business. They provide a standard review process and a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business, giving a picture of how well all of the controls in all of the dimensions are working.
    50 to 54. Risk Management Principles, Frameworks and Processes (diagram slides)
    55. Risk Management Process (diagram): Establish context (strategic, internal and external context); Identify risks (what can go wrong? missed opportunities?); Analyse risks (assess risk likelihood and consequence, review); Evaluate risks (compare risks, set risk priorities); Treat risks (options: reduce, avoid, transfer or retain). Identification, analysis and evaluation together form the risk assessment; communication and consultation, and monitoring and review, run alongside every step.
    56. Risk Management Process: COSO Framework. COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. It is a US private sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance, business ethics, internal control, ERM, fraud and financial reporting. COSO has established a common internal control model against which companies and organizations may assess their control systems.
    57. COSO and ISO 31000: COSO defines ERM as a process; effected by an entity's board of directors, management and other personnel; applied in strategy setting and across the enterprise; designed to identify potential events that may affect the entity; managing risks within its risk appetite; providing reasonable assurance regarding the achievement of entity objectives. IRM (New COSO) defines risk management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. Generally it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
    58. COSO and ISO 31000: ISO 31000 defines risk management as an integral part of all organizational processes. It is not a stand-alone activity separate from the main activities and processes of the organization; it is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes. In practical terms the whole of the business is just like risk management; why? Buffett defines risk management as
    59. Case Study II: Risk Management. Case study of risk in the hospitality industry. Analysis of the Warren case: What is risk management? What are the consequences of dedicating risk management activities to a single unit in an organisation? Who is supposed to manage risk in an organization? What is the status of risk management today? Summary of risk management models.
    60. End of Session III
    61. COSO ERM Framework: understanding the cube. Objectives; internal environment; event identification; risk assessment; risk response; control activities; risk monitoring.
    62. COSO Framework (Control Framework): a car as an internal control exemplification.
    63. Effective Risk Management: Organizations should come out with a risk management strategy to ensure that they achieve their goals and objectives. When the management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this, hence the need for effective risk management.
    64. Effective Risk Management: The risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that underpin this approach. The diagram below summarizes the risk management process within the organisation.
    65. (diagram: the risk management process)
    66. End of Session IV
    67. Who manages risks?
    68. Elements of Risk Management: identifying risks; assessing risks; addressing risks; reviewing and reporting risks.
    69. The entity should ensure that it has: a robust approach to risk management, aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of our stakeholders; accountability: processes and data will be open to review by our auditors, and we will respond to the improvements they suggest. We will encourage appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
    70. Identifying risk: A 'risk' is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings in its own systems and procedures. Identification can be done through staff workshops or work groups. Consideration should be given to the categories of risk. The issues should be prepared and presented in the form of risk scenarios.
    71. Identifying risk: risk category and possible risks. Compliance risk: the risk of failing to comply with statutory requirements. External risk: risks from changing public or government attitudes. Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources. Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistical difficulties, diversion of staff to other duties, or IT failures. Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations.
    72. Identifying risk: risk type and possible risks. Reputation risk: risks from damage to the organisation's credibility and reputation. Risks facing the banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision, for example fraud. Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities. Technology risk: risks arising from outdated technology, inadequate data processing and software malfunction. Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or the required training for staff is not available.
    73. Identifying risk, what to do? Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the most important risks, built up from information provided by each department.
    74. Identifying risk, what to do? The identification of risks is a continuous process and all staff have a part to play; it is not the sole domain of managers. Systematically identifying risks will enable risks to be assessed and dealt with. It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
    75. Assessing risk: To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating. Whoever identifies the risk should be responsible for assessing it.
    76. Assessing risk: This initial assessment will then be refined with the help of colleagues and managers, and a 'risk owner' will be identified who will be responsible for reviewing and accepting the assessment entered onto the risk register. The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.
    77. Risk rating: A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important. Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below. Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate
    78. Risk rating (Figure 1). Score = likelihood rating x impact rating:

        Likelihood \ Impact    Low (1)   Medium (2)   High (3)   Very High (4)
        Very High (4)             4          8           12          16*
        High (3)                  3          6            9          12
        Medium (2)                2          4            6           8
        Low (1)                   1          2            3           4

    79. Risk rating, likelihood: The probability of the threat being realised will be expressed as Very High (VH), High (H), Medium (M) or Low (L) using the definitions below. L: Rare (the risk may occur in exceptional circumstances); M: Possible (the risk may occur in the next three years); H: Likely (the risk is likely to occur more than once in the next three years); VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
    80. Risk rating, impact: The effect of the risk being realised will be expressed as Very High (VH), High (H), Medium (M) or Low (L) using the definitions below. L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation. M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
    82. Risk rating, impact (cont.): H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of a successful legal challenge); significant impact on the ..............; longer-term damage to reputation. VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of a successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.
    83. Inherent risk rating vs mitigating practices / control rating (heat map): the inherent risk rating (low, moderate, high, very high; scale 0 to 10) is plotted against the control rating (inadequate to adequate; scale 0 to 10), giving four regions labelled Critical, Active Management / Periodic Monitoring, Control, and No Major Concern. Region notes from the slide: requires active management where the consequence is rated 5, else periodic monitoring; risks where treatment options require preparation, active review and management; control is adequate, with continued monitoring of controls to confirm this; control is not strong but the risk impact is not high, so options include improving control or monitoring the risk impact to ensure the residual risk rating does not increase over time; risks where the systems and processes managing the risks are adequate and subject to minimal monitoring.
    84. Residual risk ratings: This is an alternative risk heat map, preferred by some because it shows that there are no absolute risk boundaries, but rather a gradual change in risk. Axes: inherent risk rating (low to high) against mitigating practices / control rating (unsatisfactory to excellent); bands: no major concern, periodic review, active management, continuous review.
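    The scoring on slides 77 to 84 (the 4x4 likelihood x impact matrix, the L/M/H/VH scales, and the comparison of inherent against residual risk) is what a risk register actually computes. The following is an added example, not code from the slides or from EMAC: a small Python risk register that scores each entry with the Figure 1 matrix, orders the register for the corporate review, and runs the consistency checks a risk coordinator would apply before accepting an entry (a residual score higher than the inherent score, or a reduction claimed without any control). The priority band cut-offs, the convention that an unset residual rating means "unchanged by controls", and the sample register are assumptions made for illustration; the slides only mark the 16 cell with an asterisk and give no thresholds.

```python
"""Risk register scoring and prioritisation using the 4x4 likelihood x impact matrix
(Figure 1 on the slides). Added example; the band cut-offs, the residual-rating
convention and the sample register below are assumptions, not from the slides."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Rating scales as defined on the slides: L=1 (rare / minimal) up to VH=4 (almost certain / huge).
RATING: Dict[str, int] = {"L": 1, "M": 2, "H": 3, "VH": 4}


def score(likelihood: str, impact: str) -> int:
    """Figure 1: score = likelihood rating x impact rating, so the matrix runs 1..16."""
    return RATING[likelihood] * RATING[impact]


def band(s: int) -> str:
    """Priority band for a score. Assumed cut-offs: the slides only star the 16 cell."""
    if s >= 12:
        return "critical"   # VH x H, H x VH, VH x VH
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


@dataclass
class Risk:
    ident: str
    category: str                 # e.g. technology, financial, compliance (slide 71/72 categories)
    description: str
    owner: str                    # the 'risk owner' who accepts the assessment
    likelihood: str               # inherent rating, before controls
    impact: str
    controls: List[str] = field(default_factory=list)
    residual_likelihood: Optional[str] = None   # after controls; None = unchanged (assumption)
    residual_impact: Optional[str] = None

    @property
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    @property
    def residual(self) -> int:
        return score(self.residual_likelihood or self.likelihood,
                     self.residual_impact or self.impact)


def check(risk: Risk) -> List[str]:
    """Consistency checks run before an entry is accepted onto the register."""
    issues: List[str] = []
    for label in (risk.likelihood, risk.impact, risk.residual_likelihood, risk.residual_impact):
        if label is not None and label not in RATING:
            issues.append(f"unknown rating '{label}'")
    if issues:
        return issues
    if risk.residual > risk.inherent:
        issues.append("residual score exceeds inherent score")          # controls cannot add risk
    if not risk.controls and risk.residual < risk.inherent:
        issues.append("residual reduction recorded without any control")
    if risk.controls and risk.residual == risk.inherent:
        issues.append("controls listed but no residual reduction recorded (over-stated controls?)")
    return issues


def prioritise(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Order the register for review: highest residual score first, ties broken by inherent score."""
    rows = [(r.ident, r.inherent, r.residual, band(r.residual)) for r in register]
    return sorted(rows, key=lambda row: (row[2], row[1]), reverse=True)


# Constructed sample register (illustrative entries, not from the slides).
SAMPLE: List[Risk] = [
    Risk("R1", "technology", "examination paper file store runs an unsupported OS", "IT director",
         "H", "VH", controls=["network isolation", "quarterly patch review"], residual_likelihood="M"),
    Risk("R2", "financial", "supplier invoice fraud", "Finance director",
         "M", "H", controls=["dual authorisation of payments"], residual_likelihood="L"),
    Risk("R3", "compliance", "late statutory return", "Company secretary", "L", "M"),
    Risk("R4", "human resource", "key examiner unavailable at marking time", "HR manager",
         "M", "M", controls=["deputy trained"]),   # control listed but no reduction recorded: flagged
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE):
        print(row)
    for r in SAMPLE:
        for issue in check(r):
            print(r.ident, "->", issue)
```

    Running the block prints the register in review order (R1 first, at residual 8 and inherent 12) and flags R4, whose listed control has not been reflected in a lower residual rating; that is the "over-controlled or over-stated" question slide 94 asks the departmental Performance Team to settle.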
    85. Risk Appetite: Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation). The primary objective of managing operational risk is risk reduction / proactive prevention. Risk cuts across all of a financial institution's operations and functions.
    86. Risk Appetite Best Practices
    87. Determining Risk Appetite
    88. Risk Assessment Process: To make an initial assessment of risk, a 'bottom-up and top-down' approach will be adopted. This means identifying and assessing risks both at an operational level, using the departmental Performance Teams and directorates' team meetings, and by the Management Team identifying the major risks affecting the organisation.
    89. Risk Assessment Process: The bottom-up process of identifying risks by involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
    90. Risk Assessment Process: These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator. The group will identify the more significant risks that need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised. For every risk identified as important enough to be placed on the corporate risk register, a 'risk owner' will be identified (responsible for overseeing the management of the risk and making sure appropriate resources are available to do this) and a 'risk coordinator' (responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
    91. Risk Assessment Process: The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular the major financial risks. For such major corporate risks, directors are likely to be both the risk owner and the risk coordinator. The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity's business plan priorities. They will identify the most critical risks and report these to the Board of Directors through the audit committee.
    92. Risk Assessment Process: This process will identify a set of significant risks that need to be addressed and placed on the corporate risk register, which will then be maintained by the organisation's risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the departmental risk co-ordinator.
    93. Addressing Risks: Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
    94. Addressing Risk, assessing current risk controls: The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example examination leakage risk, action may already have been taken to treat or eliminate the risk under all circumstances in which it could arise. Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any 'residual risk' remains, or whether the risk might 'slip through' these mechanisms under some circumstances. In some cases, risks may be deemed 'over-controlled'; the action in that case may be to ease such controls and allow the risk to be taken.
    95. Addressing Risk: In this way, risks can be addressed through 'gap analysis', focusing only on those risks that are not adequately treated, or are not treated at all. The next stage is to look at how such risks may be dealt with.
    96. How to deal with risk. Transfer the risk: through conventional insurance, or by asking a third party to take on the risk in another way. Contracting out services, for example, transfers some, but not all, risks (and can introduce a new set of risks to be managed);
    97. How to deal with risk. Tolerate the risk: the ability to take effective action against some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained. In this instance, the only management action required is to 'watch' the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat this risk in the future;
    98. How to deal with risk. Treat the risk: by far the greater number of risks will be in this category. The purpose of 'treatment' is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk at an acceptable level; and,
    99. How to deal with risk. Terminate the risk: this is a variation of the 'treat' approach, and involves quick and decisive action to eliminate a risk altogether. For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).
    100. Risk Treatment (decision flow): Start: is the risk acceptable? Yes: accept and retain, then monitor and review. No: treatment strategy: (1) recommend, (2) choose and (3) implement one of reduce likelihood, reduce consequence, transfer, or avoid. Then: is the residual risk acceptable? Yes: the part retained goes to monitor and review. No (unacceptable residual risk): return to the treatment strategy.
102. Risk Reporting
103. Risk Reporting (continued)
104. Key Risk Indicators
105. Developing KRIs
106. Examples of Risk Indicators
107. Risk Control Self Assessment (RCSA)
108. Risk IT Extends Val IT and COBIT
109. COBIT 5 Principles
110. COBIT 5 Enterprise Enablers
111. Role of internal auditor in RM
- Giving assurance on risk management processes.
- Giving assurance that risks are correctly evaluated.
- Evaluating risk management processes.
- Evaluating the reporting of key risks.
- Reviewing the management of key risks.
112. Role of internal auditor (with safeguards)
- Facilitating identification and evaluation of risks.
- Coaching management in responding to risks.
- Coordinating ERM activities.
- Consolidating the reporting on risks.
- Maintaining and developing the ERM framework.
- Championing establishment of ERM.
- Developing risk management strategy for board approval.
113. What the IA should not do
- Setting the risk appetite.
- Imposing risk management processes.
- Management assurance on risks.
- Taking decisions on risk responses.
- Implementing risk responses on management's behalf.
- Accountability for risk management.
114. Internal Audit Approach
115. Role of Audit committee in RM
- Critical role in ERM by establishing the right environment or tone-at-the-top
- Vital role in overseeing management’s approach to ERM
- Without their oversight, ERM may not be embraced by senior management
- Discuss policies with respect to risk assessment and risk management
- Better risk intelligence means both audit committees and the full board are better informed
116. Conclusion
- Risk management is a process; therefore put in place a strategy for introducing risk management
- Develop a risk management strategy
- Develop a risk management framework tailored to your activities (avoid copying and pasting)
- Develop risk management policy and guidelines
- Develop a risk management capacity building program
117. End of Session V and Final Case Study
118. Risk management in public institutions
- It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions
- Risks are inherent in public institutions as well as in the private sector; this applies to the whole of the public sector
- Risk management is new in public organizations, but the concept of risk is not new
- Government internal auditors have a special mandate to champion its establishment and monitoring
119. Risk management in public sector
- The public sector is currently undergoing radical changes through reforms
- There are new risks related to human rights, unemployment and corporate governance
- Risk management should be a vital part of the functions and activities provided by public institutions
- Without risk management it will not be possible to achieve good corporate governance or the aims and intentions of much legislation and many rules
120. Risk management in public sector
- Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems
- These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation
- What to do then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish risk management processes that are clearly defined and documented, and continuously apply risk management practices in decision making
121. Can you assess your Risk Maturity?
124. Operational Risk Management Framework and Control Self Assessment
125. Pillars of Operational Risk Management (diagram labels): Executive Management; Losses; CSA; Issues; Indicators; Qualitative/Quantitative Analyses; Common Operational Risk Classification Scheme
126. Control Self Assessment Framework
127. Control Self Assessment: Outline
- Control-Self Assessment Definition
- Control-Self Assessment Objectives
- Enterprise-wide Control Self Assessment Framework: Balanced Scorecard; CSA Methodology; Results
- Corporate Governance
- CSA Rollout: Project Time Line
128. Control Self Assessment: Definition
Control-Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The “self” assessment refers to the involvement of management and staff in the assessment process.
129. Control Self Assessment: Objectives
Communication
- To ensure better communication of the DG's objectives and strategies to all business lines
- To ensure business line managers communicate their risks and controls more effectively
Education
- To ensure business line managers have a better comprehension of effective risk control
- To ensure business line managers have a better comprehension of risk management
Proactive Management
- To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
- To ensure business line managers assume greater responsibility and accountability for their risks and controls
- To ensure business line managers monitor their risk effectively and in a timely manner
- To ensure business line managers utilize and allocate their resources effectively
130. Enterprise-wide CSA Framework: Goal
To foster a proactive management framework which is pervasive throughout the organisation
131. Enterprise-wide CSA Framework (diagram: XXXX objectives)
132. Step 1: Objective Setting
Balanced Scorecard*: Objectives
- Ensures linkage between the objectives of senior management and the businesses
- Increased focus on the appropriateness of the objectives
- Reinforced as the central “top down” articulation of goals
- Provides a framework within which the oversight functions, risk management and the business lines operate
* A tool that translates a firm's mission and strategy into a comprehensive set of performance measures that provides the framework for a strategic measurement and management system
133. Step 2: CSA Methodology, ORCA Framework
Objectives; Risk Assessment of Key Processes; Controls; Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
134. Step 2: CSA Methodology, ORCA Framework
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
135. Step 2: CSA Methodology, ORCA Framework
136. Step 2: CSA Methodology, Key Indicators
Metrics to measure the effectiveness of controls in mitigating or managing risks:
- To measure operational problems
- To monitor the quality of the services provided
- To provide early warning for problems
- To aid in the containment of losses
- To determine trends
- To set limits for risk or escalation criteria
- To facilitate everyday decisions
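The indicator purposes listed above (early warning, trends, limits and escalation criteria) combine into one monitoring routine, shown here as an added Python example that is not part of the slides or of EMAC's material. The indicator names, the amber/red limits and the weekly observation series are constructed sample data; the trend rule (three consecutive observations moving the wrong way) is an assumption chosen for illustration.

```python
# Added example (not from the slides): evaluating key risk indicators against
# escalation limits and watching their trend for early warning. All data constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float               # early-warning limit (assumed)
    red: float                 # escalation limit (assumed)
    higher_is_worse: bool = True  # False for indicators such as completion rates


def status(kri: KRI, value: float) -> str:
    """Classify one observation against the indicator's limits."""
    def breached(v: float, limit: float) -> bool:
        return v >= limit if kri.higher_is_worse else v <= limit
    if breached(value, kri.red):
        return "red"
    if breached(value, kri.amber):
        return "amber"
    return "green"


def trend(kri: KRI, series: List[float], window: int = 3) -> str:
    """'deteriorating' when the last `window` observations each move the wrong way."""
    tail = series[-window:]
    if len(tail) < window:
        return "insufficient data"
    steps = [later - earlier for earlier, later in zip(tail, tail[1:])]
    worsening = all(s > 0 for s in steps) if kri.higher_is_worse else all(s < 0 for s in steps)
    return "deteriorating" if worsening else "stable"


def evaluate(kri: KRI, series: List[float]) -> Dict[str, str]:
    """Current status plus an early warning when a still-green indicator is trending
    towards its limit, so action can start before the red limit is reached."""
    current = status(kri, series[-1])
    direction = trend(kri, series)
    if current == "red":
        action = "escalate: limit breached"
    elif current == "amber" or direction == "deteriorating":
        action = "early warning: investigate before the red limit is reached"
    else:
        action = "none"
    return {"indicator": kri.name, "status": current, "trend": direction, "action": action}


# Constructed weekly observations; not figures from any real organisation.
INDICATORS: List[Tuple[KRI, List[float]]] = [
    (KRI("failed reconciliations per week", amber=5, red=10), [2, 3, 4, 4, 6]),
    (KRI("unpatched critical systems", amber=6, red=10), [1, 2, 3, 4, 5]),
    (KRI("staff turnover (% per quarter)", amber=8, red=12), [9, 8, 7, 6, 5]),
    (KRI("training completion (%)", amber=85, red=70, higher_is_worse=False), [92, 90, 88, 86, 84]),
    (KRI("open high-severity audit findings", amber=3, red=5), [1, 2, 2, 4, 6]),
]


def run_dashboard(indicators=INDICATORS) -> List[Dict[str, str]]:
    """Evaluate every indicator for the management report."""
    return [evaluate(kri, series) for kri, series in indicators]


if __name__ == "__main__":
    for row in run_dashboard():
        print(f"{row['indicator']:38} {row['status']:6} {row['trend']:14} {row['action']}")
```

The second indicator is the case the slides care about most: every observation is still below the amber limit, yet the rising trend triggers a warning, which is what turns a KRI from a reporting number into an early-warning device.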
137. General Approaches for CSA
- Facilitated meetings: group workshops
- Questionnaires: yes/no answers
- Management analysis: self studies
138. Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm's risk environment on an ongoing basis.
139. Tools for CRSA
140. Tools for CRSA (continued)
141. Advantages of CSA
The presented enterprise-wide control self-assessment framework:
- Provides flexibility and dynamism to evolve with the changing firm
- Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives
- Is an integral component of a strong corporate governance structure
142. Way Forward
- CRSA is an important management tool
- We have matured in risk management and therefore it is time to move a step further through CRSA
- We have new issues in place, so a control review is imperative
- There is a critical need for organisations to prepare CRSA for efficiency and effectiveness of operations