
ToTCOOP+i O3 o4 unit-9_final_version_en

Unit 9 - Strategic Risk Management



  1. House Keeping
     • Health & Safety
     • Security
     • Classroom agreement
     • Breaks
     • Trainer introduction
     • Turn off mobile phones
  3. Programme Overview
     1. Programme Introductions
     2. Definitions, Principles & Concepts of Risk Management
     3. Considering Risk Factors & the Need for RM
     4. The Value of Strategic Risk Management
     5. Risk Appetite
     6. Risk Tolerance
     7. Governance & the Role of Directors in ERM
  4. Programme Overview (continued)
     8. Risk Management Frameworks
     9. Risk Management from an ISO Perspective
     10. Implementing Risk Management
     11. Risk Culture
     12. Other Business Risk: a) Operational Risk; b) Reputational Risk; c) Fraud & Improper Conduct; d) Environmental Risk; e) Compliance Risk; f) Market Risk; g) Competition Risk; h) Technology Risk; i) Health & Safety Risk; j) Business Continuity Planning; k) Management Succession Planning
  5. Risk Management Ice-Breaker
  6. Programme Introduction
  7. Risk Management – What do you want to get from today?
  8. Risk Management – Aims and Objectives
     • Aim: to enable learners to understand the principles of risk management and the importance of implementing effective risk management procedures in business entities. Learners will also learn how to mitigate risks using a variety of methods.
     • Objectives: by the end of this module, learners will be able to: be familiar with the principles and elements of risk management; understand the meaning of a risk framework; identify and assess risks; conduct a risk analysis.
  9. A Practical Approach to Strategic Risk Management
  10. What is Risk Management All About?
  11. Basic Principles, Concepts & Definitions of Risk Management
  12. Basic principles, concepts, definitions – RISK: the possibility that an action, event or set of circumstances will adversely or beneficially affect the organisation's ability to achieve its business objectives. Risk is about the future and comes from uncertainty.
  13. Basic principles, concepts, definitions – Risk Management involves a planned and systematic approach to the identification, evaluation and control of risk: managing the probability of specific risks occurring and their potential impact if they did occur, and taking action to keep exposure at an acceptable level in a cost-effective way.
  14. Basic principles, concepts, definitions – A risk is anything that may affect and have an impact on the achievement of organisational objectives. Risk involves three key factors: 1. Uncertainty; 2. Likelihood (effect); 3. Impact.
  15. Basic principles, concepts, definitions – 1. A risk is ANYTHING that may affect the achievement of an organisation's objectives. 2. It is the UNCERTAINTY that surrounds future events and outcomes. 3. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organisation's objectives.
  16. Uncertainty – Uncertainty = probability (the probability of something happening): the chance, great or small, that an event could occur. Generally between 1% and 99%: if there is a 0% chance, there is no risk; if there is a 100% chance, this is a major issue.
  17. Effect – Likelihood & Impact. Likelihood: the likelihood of the event occurring. Impact: the consequences as a result of the event occurring. Consequences can range from negative to positive: 1. Risks with negative consequences are called THREATS; 2. Risks with positive consequences are called OPPORTUNITIES.
  18. Threats and opportunities – Threat: a risk that may HINDER the achievement of objectives. Opportunity: a risk that may HELP in the achievement of objectives. Examples that can be either: interest rates; foreign exchange rates; supply of service/product/resources; demand/uptake for service/product/resources; the economy; the weather; the stock market.
  19. Group Exercise 1 (10 minutes) – Introduce yourselves to others at your table. Pick a risk and discuss it as both a threat and an opportunity. Pick a spokesperson and report to the large group.
  20. Run Break Timer – 15 minutes
  21. Considering Risk Factors & the Need for Risk Management
  22. Risk Factors: Probability; Expected Timing; Impact; Frequency
  23. Understanding the concept of RM – Risk management is: "A process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure." (Institute of Risk Management) "A process, effected by an entity's board of directors, management and other personnel, applied in strategy and across the enterprise, designed to identify potential events that may affect the entity and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." (COSO, Enterprise Risk Management – Integrated Framework, 2004)
  24. Why the Need for Risk Management – "The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing." James Lam, Enterprise Risk Management, Wiley Finance © 2003
  25. Why the Need for Risk Management – "Without good risk management practices, (organisations) cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs." Sheila Fraser, Auditor General of Canada
  26. Why the Need for Risk Management – Risk management is now an integral part of business planning in private and public-sector organisations throughout the world.
  27. Why the Need for Risk Management
     • Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
     • Increase understanding of risk – sensitivities: what makes my risks increase, decrease or disappear?
     • Promote a "healthy" risk culture – it is safe to talk about risk; open and transparent.
     • Develop a common and consistent approach to risk across the organisation, not intuition-based.
  28. Why the Need for Risk Management
     • Allows intelligent, "informed" risk-taking.
     • Focuses efforts – helps prioritise.
     • Is proactive, not reactive – prepare for risks before they happen; identify risks and develop appropriate risk-mitigating strategies.
     • Improves outcomes – achievement of objectives (corporate, clinical, etc.).
     • Really comes down to simple good management.
     • Enables accountability, transparency and responsibility.
     • May even mean survival.
  29. Enterprise vs Integrated Risk Management
     • Similarities: formal process; consistent and systematic; includes projects, programmes and operations; embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.; must be driven and supported by leadership; adds value to decision-making.
     • Differences: an enterprise-wide approach is organisation-centric, and success is defined as implementation over the entire organisation; an integrated approach takes a systems focus and may actually create risks for individual organisations.
  30. A Siloed Approach to RM
  31. An Enterprise Approach to RM – diagram contrasting a siloed approach (Financial, Technology, Environmental, Market, Strategic and Operational Risk each managed separately) with an enterprise approach (the same risk categories managed together under Enterprise Risk Management).
  32. The Value of Strategic Risk Management
  33. The Value of Strategic RM – No big surprises, no missed opportunities, no big mistakes.
     • Early Warning Systems: systematically identify, assess and prioritise risks; avoid unrewarded risks; promote organisational learning amongst management; reduce the chance of repeated problems.
     • Operational Resilience: provide assurance that key risks are understood and mitigated; prevent and rapidly respond to potential catastrophic failures; secure and protect staff, processes and technology; align organisational goals with stakeholder requirements.
     • Enhance Organisational Value: seek growth, ensuring threats are understood and vulnerabilities are mitigated; accelerate the ability to respond to change and opportunities; identify opportunities to improve performance and reduce costs.
  34. The Value of Strategic RM
  35. Risk Appetite
  36. Risk Appetite – Risk appetite can be defined as "the amount and type of risk that an organisation is willing to take in order to meet its strategic objectives". Risk appetite and tolerance need to be high on any board's agenda and are a core consideration of an enterprise risk management approach.
  37. Risk Appetite influences how risks are assessed and managed: accepted; tolerated; shared; reduced (mitigated); transferred; avoided. Are risk treatments implemented or postponed?
  38. Risk Appetite – chart of frequency against severity.
  39. Risk Appetite – The following factors influence risk appetite: 1. External environment; 2. People; 3. Business systems & policies. Risk appetites are very specific to individual organisations; there is no "one size fits all" solution.
  40. Risk Appetite Characteristics – A well-defined risk appetite should have the following characteristics: 1. Reflective of strategy, including objectives, business plans and stakeholder expectations; 2. Reflective of ALL aspects of the organisation; 3. Acknowledges a willingness and capacity to take risks; 4. Is documented as a formal Risk Appetite Statement.
  41. Risk Appetite Characteristics (continued): 1. Considers the skills, resources and technology to monitor and manage the risk exposure in the context of the risk appetite; 2. Is inclusive of a tolerance for loss or negative events that can be reasonably quantified; 3. Is periodically reviewed and reconsidered with reference to evolving industry and market conditions; 4. Has been approved by the Board.
  42. Risk Appetite
     • At Board level, risk appetite is a driver of strategic risk decisions.
     • At executive level, risk appetite translates into a set of procedures to ensure that risk receives adequate attention when making tactical decisions.
     • At operational level, risk appetite dictates operational constraints for routine activities.
  43. Risk Tolerance
  44. What is Risk Tolerance? The degree of variability in risk that an organisation is willing to withstand.
  45. Factors affecting Risk Tolerance: business objectives; return on investments; risk capital; time; experience / perseverance.
  46. Governance and the Role of Directors in Risk Management
  47. ERM Governance is about three things: 1. Understanding the limits of acceptable risk; 2. Providing confidence and guidance to management; 3. Anticipating events to position for success.
  48. Directors' Requests for RM
  49. Risk Governance Structures – A Typical Risk Management Structure
  50. Risk Governance Structures – Key Officers
     • Risk Management Officer: implements and maintains the RM system
     • Board: resources and oversees the RM system and policy
     • Risk Committee: optional body to which the RM Officer reports
     • CEO / Manager: implements internal controls
     • Internal Audit: independent check of controls
  51. Individual Roles & Reporting (Officer – Does – Reports)
     • Risk Management Officer – does: risk audit; maintains RM policy; consults with the management team on risk response; training. Reports: findings to board and manager.
     • Manager – does: maintains the system of internal control. Reports: progress to board.
     • Board – does: oversees RM system & policy; performance-manages the manager (& RM officer?). Reports: decisions on RM policy and performance via Board Report.
     • Internal Audit – does: independently audits the effectiveness of internal controls. Reports: issues to the board.
  52. Risk Governance Structures
  53. RM and the role of Directors
     • Governance is the process by which directors oversee the decisions and actions of executive management in a constructive manner, consistent with applicable laws and regulations, as management formulates and executes strategies to accomplish enterprise objectives.
     • Effective governance provides assurance to investors and other key stakeholders that the enterprise conducts its affairs with integrity and reports its performance in a fair and transparent manner.
     • ERM and governance are inextricably linked.
  54. RM and the role of Directors
     • Good governance facilitates implementation of ERM because ERM is built on transparency.
     • An effective ERM infrastructure will provide greater confidence to the board and to executive management that risks and opportunities are being systematically identified, rigorously analysed and effectively managed across the organisation as a whole.
  55. RM and the role of Directors – Specific functions include: understand the risks the organisation faces in the context of business objectives; provide oversight over ERM; policy development; ensure appropriate strategies and capabilities are in place to manage key risks; ensure that growth and innovation are encouraged and rewarded.
  56. RM and the role of Directors – Specific functions include (continued): ensure that performance measures and targets do not encourage excessively risky behaviour; ensure that effective internal controls and checks are in place; ensure that management has in place the appropriate capabilities to execute approved risk responses; ensure that the risk appetite is inherent in the organisation's opportunity-seeking behaviour in developing new products and markets, and that the appetite is clearly understood and managed.
  57. RM and the role of Directors
  58. Risk Governance Structures – Think about your individual role in the risk management system: is there anything listed that is not within your capability?
  59. RM and the role of Directors
  60. Run Break Timer – 60 minutes
  61. Welcome Back
  62. 9-Dot Puzzle – In your role there are times when you may need to think outside the box.
  63. 9-Dot Puzzle – In your role there are times when you may need to think outside the box.
  64. Risk Management Frameworks
  65. A Simple Framework – Step 1: Establish Objectives; Step 2: Identify Risks & Controls; Step 3: Assess Risks & Controls; Step 4: Evaluate & Take Action; Step 5: Monitor & Report. Throughout: communicate, learn, improve.
  66. What is a Risk Framework about? Establish Context (external factors; internal factors) → Risk Assessment (identification; analysis; evaluation) → Risk Treatment (retain; reduce; transfer; remove) → Monitoring & Review, with Communication & Consultation throughout.
  67. Risk Management Framework – four stages
     • Identify: context setting; stakeholders; risk policy; sources of risk; internal / external; risk appetite; risk tolerance
     • Assess: likelihood; impact; gross (inherent); net (residual); target
     • Mitigate: risk treatment – avoid; transfer; control / contain / reduce; accept
     • Monitor & Report: risk register; regular reviews; key risk indicators; incident management; audit; board
  68. COSO Risk Management Framework
  69. COSO RM Framework
  70. COSO RM Framework (the COSO cube): four categories of objectives across the top – strategic, operations, reporting and compliance; eight components of enterprise risk management; the entity, its divisions and business units depicted as the third dimension of the matrix.
  71. The eight components of ERM – 1. Internal Environment: this component reflects an entity's enterprise risk management philosophy, risk appetite, board oversight, commitment to ethical values, competence and development of people, and assignment of authority and responsibility. It encompasses the "tone at the top" of the enterprise and influences the organisation's governance process and the risk and control consciousness of its people.
  72. The eight components of ERM – 2. Objective-Setting: management sets strategic objectives, which provide a context for operational, reporting and compliance objectives. Objectives are aligned with the entity's risk appetite, which drives risk tolerance levels for the entity, and are a precondition to event identification, risk assessment and risk response.
  73. The eight components of ERM – 3. Event Identification: management identifies potential events that may positively or negatively affect an entity's ability to implement its strategy and achieve its objectives and performance goals. Potentially negative events represent risks that provide a context for assessing risk and alternative risk responses. Potentially positive events represent opportunities, which management channels back into the strategy and objective-setting processes.
  74. The eight components of ERM – 4. Risk Assessment: management considers qualitative and quantitative methods to evaluate the likelihood and impact of potential events, individually or by category, which might affect the achievement of objectives over a given time horizon.
  75. The eight components of ERM – 5. Risk Response: management considers alternative risk response options and their effect on risk likelihood and impact, as well as the resulting costs versus benefits, with the goal of reducing residual risk to desired risk tolerances. Risk response planning drives policy development.
  76. The eight components of ERM – 6. Control Activities: management implements policies and procedures throughout the organisation, at all levels and in all functions, to help ensure that risk responses are properly executed.
  77. The eight components of ERM – 7. Information and Communication: the organisation identifies, captures and communicates pertinent information from internal and external sources in a form and timeframe that enables personnel to carry out their responsibilities. Effective communication also flows down, across and up the organisation. Reporting is vital to risk management, and this component delivers it.
  78. The eight components of ERM – 8. Monitoring: ongoing activities and/or separate evaluations assess both the presence and functioning of enterprise risk management components and the quality of their performance over time. The thought process underlying the above framework works as follows: for any given objective, such as operations, management must evaluate the eight components of ERM at the appropriate level, such as the entity or business unit level.
  79. COSO – A Framework for Risk Management
  80. Run Break Timer – 15 minutes
  81. Risk Management from an ISO Perspective
  82. Managing risk from an ISO 31000 perspective – diagram: Objectives; Internal & External Factors → Risk Assessment (identify; analyse; evaluate) → Risk Treatment → Monitor & Review.
  83. Managing risk from an ISO 31000 perspective
  84. Implementing Risk Management
  85. Implementing Risk Management – The most important phases of the risk management process are: Risk Identification; Risk Analysis; Risk Response.
  86. Implementing Risk Management – The aim of risk identification is to get an overview of all risks facing an organisation: scan the environment; capture both cause and effect; involve stakeholders; determine risk ownership; scan the horizon. Remember that risks are uncertainties that can represent not only a threat but also an opportunity.
  87. Implementing Risk Management – Evaluating the Risk (Risk Analysis): review of the existing controls and implementation of any necessary additional controls; identify a treatment strategy.
  88. Categorising Risk – Comprehensive: Political or Reputational Risk; Financial Risk; Service Delivery or Operational Risk; People / HR Risk; Information / Knowledge Risk; Strategic / Policy Risk; Stakeholder Satisfaction / Public Perception Risk; Legal / Compliance Risk; Technology Risk; Governance / Organisational Risk; Equity Risk; Privacy Risk; Security Risk.
  89. Implementing Risk Management – Risk Response or Risk Treatment
  90. Acting on Risks
  91. Acting on Risks: auditable actions; must be completed within a defined timescale; tasks allocated to identified individuals.
  92. Implementing Risk Management – Monitor & Review. The Risk Register should be viewed as a risk action plan that includes details of the current controls and of any further actions that are planned. It is a compliance requirement.
  93. Implementing Risk Management – Risk Register Contents: 1. The risk; 2. Root cause; 3. Mitigating controls; 4. Corrective action plan; 5. Responsible persons; 6. Target date (timeframe); 7. Impact & probability assessment.
  94. Implementation Challenges: People; Organisation; Process; Systems; Change Management.
  95. Implementation Challenges – People: lack of commitment / buy-in from board, senior management and staff; no in-house expertise or experience in establishing / implementing risk management; risk management culture not established.
  96. Implementation Challenges – Organisation: no appropriate risk management structures in place; not aligned with organisational objectives / strategy; not aligned with business units; no clear strategy on risk appetite and risk tolerance.
  97. Implementation Challenges – Process: no funding or dedicated budget for risk management; no clear understanding of the policies and procedures needed to establish a risk management architecture; failure to prioritise implementation activities.
  98. Implementation Challenges – Systems: lack of adequate technological systems to measure risks; inadequate systems to communicate and capture risk management information; systems not fully integrated – traditional ways of doing things.
  99. Implementation Challenges – Change Management: articulating and measuring the potential benefits of ERM; integrating ERM into organisational strategy; understanding industry-specific risks and risk management standards / solutions.
  100. Remember… Establish Context (external factors; internal factors) → Risk Assessment (identification; analysis; evaluation) → Risk Treatment (retain; reduce; transfer; remove) → Monitoring & Review, with Communication & Consultation throughout.
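Slide 67 lists likelihood, impact, gross (inherent), net (residual) and target as the assessment inputs, and slide 93 lists the seven things a risk register row must hold. The following is an added example, not code from the training material or from ToTCOOP+i, showing how those two slides combine into a working register: each row carries the seven contents, the inherent score is likelihood × impact, the residual score gives credit for the mitigating controls, and rows are ranked and compared against a tolerance so the board sees which risks still need treatment. The 1–5 scales, the `control_effectiveness` model, the rating bands, the `RISK_TOLERANCE` value and every risk in `SAMPLE_REGISTER` are assumptions constructed for the example.

```python
"""Risk register with likelihood x impact scoring.

Added example, not from the slides: the data is constructed, and the 1-5
scales, the control-effectiveness model, the rating bands and the tolerance
are assumptions.
"""
import math
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scales for likelihood and impact
RISK_TOLERANCE = 6            # assumed residual score the board will retain without further treatment


@dataclass
class RiskEntry:
    """One row of the register, following the seven contents listed on the slide."""
    risk: str
    root_cause: str
    mitigating_controls: list
    corrective_action: str
    responsible: str
    target_date: str
    likelihood: int                     # 1 (rare) .. 5 (almost certain), before controls
    impact: int                         # 1 (negligible) .. 5 (catastrophic)
    control_effectiveness: float = 0.0  # assumed: fraction of likelihood the controls remove, 0..1

    def __post_init__(self):
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{name} must be between {SCALE_MIN} and {SCALE_MAX}")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")

    def inherent_score(self) -> int:
        """Gross score: likelihood x impact with no credit for controls."""
        return self.likelihood * self.impact

    def residual_likelihood(self) -> int:
        """Likelihood after controls, rounded up so controls never score a risk away entirely."""
        reduced = math.ceil(self.likelihood * (1.0 - self.control_effectiveness))
        return max(SCALE_MIN, reduced)

    def residual_score(self) -> int:
        """Net score: residual likelihood x impact (impact is assumed unchanged by controls)."""
        return self.residual_likelihood() * self.impact


def rating(score: int) -> str:
    """Assumed rating bands for a 1..25 score."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def treatment(entry: RiskEntry, tolerance: int = RISK_TOLERANCE) -> str:
    """Map the residual score against tolerance to the slide's treatment options (assumed rule)."""
    if entry.residual_score() <= tolerance:
        return "Retain"
    if entry.residual_likelihood() > SCALE_MIN:
        return "Reduce"              # further controls can still cut the likelihood
    return "Transfer or avoid"       # likelihood is already minimal; only the exposure can change


def prioritise(register, tolerance: int = RISK_TOLERANCE):
    """Return register rows as dicts, highest residual (then inherent) score first."""
    rows = []
    for entry in register:
        rows.append({
            "risk": entry.risk,
            "owner": entry.responsible,
            "target_date": entry.target_date,
            "inherent": entry.inherent_score(),
            "residual": entry.residual_score(),
            "rating": rating(entry.residual_score()),
            "treatment": treatment(entry, tolerance),
        })
    return sorted(rows, key=lambda r: (r["residual"], r["inherent"]), reverse=True)


def exceeding_tolerance(register, tolerance: int = RISK_TOLERANCE):
    """Names of risks whose residual score is still above tolerance: the board's action list."""
    return [r["risk"] for r in prioritise(register, tolerance) if r["residual"] > tolerance]


# Constructed sample register (hypothetical risks, owners and dates, not from the slides).
SAMPLE_REGISTER = [
    RiskEntry("Customer data breach", "Unpatched web application", ["Patch cycle", "Web application firewall"],
              "Quarterly vulnerability review", "Head of IT", "2024-12-31",
              likelihood=3, impact=5, control_effectiveness=0.5),
    RiskEntry("Key supplier failure", "Single-source supplier", ["Contract penalties"],
              "Qualify a second supplier", "Procurement Manager", "2024-09-30",
              likelihood=4, impact=3, control_effectiveness=0.25),
    RiskEntry("Office flood", "Site on a flood plain", [], "Review insurance cover",
              "Facilities Manager", "2024-06-30", likelihood=1, impact=4),
    RiskEntry("Payroll fraud", "Single person controls payments", ["Dual authorisation"],
              "Annual internal audit", "Finance Director", "2024-06-30",
              likelihood=2, impact=3, control_effectiveness=0.5),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['risk']:<22} inherent={row['inherent']:>2} residual={row['residual']:>2} "
              f"{row['rating']:<8} {row['treatment']}")
    print("Above tolerance:", exceeding_tolerance(SAMPLE_REGISTER))
```

Rounding the residual likelihood up, and never below the bottom of the scale, is deliberate: a control can make an event less likely but never impossible, so a register that lets controls score a risk down to zero hides exactly the residual exposure the board is meant to own. The ranking uses the residual score first and the inherent score as a tie-break, so two risks that look the same after controls are ordered by how bad they would be if those controls failed.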
  101. 101. Risk Culture
  102. 102. Is system of values and behaviours present in an organisation that shapes risk decisions of management and employees. Risk Culture
  103. 103. An effective risk culture is one:  that enables and rewards individuals and groups for taking the right risks in an informed manner.  Where inappropriate behaviours are challenged and sanctioned  Risk management skills and knowledge valued, encouraged and developed, with a properly resourced risk management function Risk Culture
  104. 104. An effective risk culture is one:  Where the Culture of a group arises from the repeated Behaviour of its members  The Behaviour of the group and its constituent individuals is shaped by their underlying attitudes  Both Behaviour and Attitudes are influenced by the prevailing Culture of the group Risk Culture
  105. 105. What can the board do about culture?  Boards of organisations should understand and address their risk cultures.  The board has a responsibility to set, communicate and enforce a risk culture that consistently influences, directs and aligns with the strategy and objectives of the business and thereby supports the embedding of its risk management frameworks and processes. Risk Culture
  106. 106. The board needs to ask:  what is the current risk culture in our organisation and how do we improve risk management within that culture?  how do we want to change that culture?  how do we move from where we are to where we want to be? Risk Culture
  107. 107. This starts with the risk behaviours, attitudes and culture of the board itself and reaches down through the organisation.  Tone at the top  risk leadership - clarity of direction  how the organisation responds to bad news  Governance  the clarity of accountability for managing risk  the transparency and timeliness of risk information Risk Culture
  108. 108.  Competency  the status, resources and empowerment of the risk function  risk skills - the embedding of risk management skills across the organisation  Decision making  well informed risk decisions  appropriate risk taking rewarded and performance management linked to risk taking. Risk Culture
  109. 109. Risk Culture
  110. 110.  Crucial to set tone from the top – Leadership & Consistency  Promote Risk Management as a day-to-day management tool – to ensure the achievement of strategic objectives and enhance service delivery  Senior Management should establish clear risk roles and responsibilities Institutionalising Risk Management
  111. 111.  Staff should have the capacity to perform risk management roles (skills, training, knowledge, information and resources)  Integrated with Strategic Planning (new initiatives & Projects)  Every person has a role to play (Performance Management) Institutionalising Risk Management
  112. 112. Other Business related Risks
  113. 113. Remember………
  114. 114. Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. It is better viewed as the risks related to an organisation's core processes. Examples of operational risk include risks arising from catastrophic events (e.g., hurricanes), computer hacking, internal and external fraud, the failure to adhere to internal policies, and others. Operational Risk
  115. 115.  frequency – how often the event occurs  impact – the amount of the losses resulting from the event Operational Risk Operational risk events are classified by two factors:
  116. 116. Categorising Operational Loss
  117. 117.  There are four fundamental steps to managing operational risk.  Each leads to improvements in management and control quality and greater economic profit. Managing Operational Risk Framework  Risk Strategy, Tolerance  Roles & Responsibilities  Policies & Procedures  Risk definition & categorisation Processes  Loss Data collection  Risk Indicator Data collection  Control Self- Assessment  Risk Assessment & Analysis  Workflow  Automatic Notification  Follow-up action Measurement  Estimation of Annual Losses – Cost of operational Failure  Estimation of VaR – Risk Capital  Estimation of scores representing quality of internal controls Reporting  Integrated MIS Reporting  Awareness of exposure  Knowledge of controls quality  Cost benefit analysis  Improved risk mitigation and transfer strategy
  118. 118. Operational Risk
  119. 119. Operational Risk Framework - ORM
  120. 120. Operational Risk Governance
  121. 121.  A threat or danger to the good name or standing of a business or entity  “a risk of loss resulting from damages to a firm's reputation, in lost revenue; increased operating, capital or regulatory costs; or destruction of shareholder value, consequent to an adverse or potentially criminal event even if the company is not found guilty.”  reputational risk may not always be the company's fault Reputational Risk
  122. 122.  Industrial accident  Revelation of unethical or criminal practices.  Product recall.  Extended service outage. Reputational Risk Examples of Reputational Risk
  123. 123.  The biggest problem with reputational risk is that it can literally erupt out of nowhere  reputational risk can be mitigated through prompt damage control measures Reputational Risk Risk Treatment
  124. 124. Mitigating Reputational Risk
  125. 125. 1. Reputational damage stems from a breakdown of trust. It challenges the perceived strength of a company and its management, and undermines relationships with key stakeholders. 2. Companies are exposed to reputational damage even when they have done little wrong. Conversely, a strong market position or brand may mitigate impacts even when a company is at fault. Reputational Risk – Ten Takeaways
  126. 126. 3. An impaired reputation can affect companies in different ways over different time horizons. Assessments of potential damage should distinguish between visible effects such as share price, earnings, and balance sheet consequences, and the less measurable impact of continuous brand degradation. 4. Attempts to quantify reputational risk rigorously are fraught with difficulty. The use of scenarios can help companies gauge the potential magnitude of incidents and identify mitigation opportunities. Reputational Risk – Ten Takeaways
  127. 127. 5. Reputation risk management involves more than just effective communication. In addition to external relations activities, it requires the integration of enterprise risk management practices, a strong operating culture, and corporate preparedness. 6. Good corporate behaviour is the best safeguard against reputational challenges. Establishing a culture that is ethical and mindful of risk requires committed leadership, as well as processes and structures that allow less tangible values to flourish. Reputational Risk – Ten Takeaways
  128. 128. 7. Chief Executives should set the tone from the top in building corporate resilience to reputation risk. They must also show visible leadership in a crisis and commit the company to putting things right. 8. A mishandled response to a crisis can generate more reputational damage, and spur greater financial consequences, than the incident itself. This is especially true when the response appears to undermine the company’s core values. Reputational Risk – Ten Takeaways
  129. 129. 9. As they recover from a reputational crisis, companies need to find an astute balance between ongoing sensitivity to stakeholders and hard-edged commercial decisions, to avoid underestimating or overestimating the scale of the predicament. 10. Brand development work can strengthen corporate resilience to reputation risk or recovery from an incident only when communication efforts are underpinned by tangible strategic, governance, and operational commitments. Reputational Risk – Ten Takeaways
  130. 130. Abusing your position of Responsibility for inappropriate reasons:  Monetary Gain: × Embezzlements × Fraudulent Claims  Conflicts of Interests  Ensure proper Controls / Governance procedures  Accounting systems  Procurement Fraud & Improper Behaviour
  131. 131. Environmental Risk can be broken in to two sub-categories:  Business Environment  Green Environment Environmental Risk
  132. 132.  Competitors  Technology  Logistics  Sensitivity  Shareholder Expectations  Capital Business Environment  Political  Legal  Industry  Financial Markets  Human Capital
  133. 133.  Environmental Risk can be defined as the “actual or potential threat of adverse effects on living organisms and the environment by effluents, emissions, wastes, resource depletion, etc., arising out of an organization's activities.”  Environmental risk management involves the search for a 'best route‘ between social benefit and environmental risk. It is a balancing or trading-off process in which various combinations of risks are compared and evaluated against particular social or economic gains. Green Environment
  134. 134. Compliance risk is the potential for losses and legal penalties due to failure to comply with laws or regulations. Compliance risk is the threat posed to an organisation’s financial, organisational, or reputational standing resulting from violations of laws, regulations, codes of conduct, or organisational standards of practice. Compliance
  135. 135.  A compliance Risk Assessment aims to specifically identify legal or regulatory compliance risks  Is closely linked with the enterprise or internal audit risk processes Compliance
  136. 136. Compliance
  137. 137. Compliance Figure 1: Enterprise ethics and compliance program and risk exposure framework – An illustrative example (© Deloitte Development LLC)
Market Risk
Market risk is the risk of losses in positions arising from movements in the market. Two main considerations:
 Financial markets
 Product / commodities markets
Markets
Finance:
 Volatility
 Equities
 Stock prices
 Interest rates
These will be discussed in more detail in the Financial Risk Module.
Product / Commodities:
 Competition
 Quality
 Trade
 Consumers
 Business processes
Competition
The potential for losses due to competitive pressures: the potential for reduced revenue or declining margins due to the price, product, promotion or distribution actions of a competitor.
Technology Risk
 Technology risks threaten assets and processes vital to your business and may prevent compliance with regulations, impact profitability and damage your company's reputation in the marketplace.
 Information technology (IT) risk can result from human error, malicious intent, or even compliance regulations.
Technology Risk
Examples of technology risks:
 An e-commerce website crashes, resulting in lost revenue.
 A technology project goes over budget and fails to meet the goals set out in its business case.
 A security incident results in theft of customer data, resulting in legal liability, reputational damage and compliance issues.
Risk Treatment
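The three technology risks listed on the slide are the kind of entries that go into a risk register, where each is scored and given a treatment decision. The following is an added worked example, not material from the ToTCOOP+i deck: it records those three risks with constructed likelihood and impact ratings on a 1–5 scale (an assumption; the slide gives no scores), computes inherent and residual scores, ranks them, and maps each residual score to a treatment option. The thresholds and the rule that each listed control lowers likelihood by one step are simplifications chosen for illustration.

```python
"""Minimal technology-risk register (added example; ratings are constructed)."""
from dataclasses import dataclass, field

# Ordinal 1-5 scales, an assumption modelled on common risk-register templates.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)  # controls already in place

    def inherent_score(self) -> int:
        """Likelihood x impact before any controls are considered."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        """Constructed simplification: each control lowers likelihood one step,
        never below 1. Impact is left unchanged (e.g. a breach stays severe)."""
        residual_likelihood = max(1, LIKELIHOOD[self.likelihood] - len(self.controls))
        return residual_likelihood * IMPACT[self.impact]


def treatment(score: int) -> str:
    """Map a residual score to a treatment option (thresholds are illustrative)."""
    if score >= 15:
        return "avoid or redesign"      # outside any reasonable appetite
    if score >= 8:
        return "reduce or transfer"     # add controls, or insure / outsource
    return "accept and monitor"        # within appetite, review periodically


def build_register() -> list:
    """The slide's three example technology risks, with constructed ratings."""
    return [
        Risk("E-commerce website crash, lost revenue", "likely", "major",
             controls=["redundant hosting", "load testing"]),
        Risk("Technology project over budget, misses business case", "possible", "moderate",
             controls=["stage-gate reviews"]),
        Risk("Security incident, theft of customer data", "possible", "severe",
             controls=["encryption at rest"]),
    ]


def prioritised(register: list) -> list:
    """Highest residual risk first, so the board sees what still needs treatment."""
    return sorted(register, key=lambda r: r.residual_score(), reverse=True)


def report(register: list) -> list:
    """Rows of (name, inherent, residual, treatment) in priority order."""
    return [
        (r.name, r.inherent_score(), r.residual_score(), treatment(r.residual_score()))
        for r in prioritised(register)
    ]


if __name__ == "__main__":
    for name, inherent, residual, action in report(build_register()):
        print(f"{inherent:>2} -> {residual:>2}  {action:<20} {name}")
```

Note what the ranking shows: even after the one control listed, the data-theft risk keeps the highest residual score because its impact does not drop, so it still needs further reduction or transfer rather than acceptance; the over-budget project, by contrast, falls inside the accept-and-monitor band.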
Health & Safety
Health & Safety legislation
Why important? Where?
 Safety, Health & Welfare at Work Act (2005)
 Codes of Practice
What does it say?
 Secure and improve the health, safety and welfare of people at work
What does it do?
 Identifies “Undertakings”, “Persons in control” and “Directors”
 Duties
 Offences
 Health & Safety Authority / Regulator
Health & Safety
Safety, Health & Welfare at Work Act
 Duties for undertakings
 Management of the co-op
 Director responsibility
Duties include:
 Safety Statement – the “How” document (s.20)
 Hazard identification (s.19)
 Risk assessment (s.19)
 Implement necessary improvements (s.19.4)
 Written statement covering: risks & hazards; measures & resources; plans & procedures – “Who” and “When”; co-operation of staff
Who is Covered by the Act?
The Health & Safety at Work etc Act applies to:
 Employers, the self-employed and employees
 Casual employees (including part-time) and trainees
 Sub-contractors
 Anyone who uses the workplace (premises)
 Anyone using equipment
 Visitors/customers (paying or otherwise) to the workplace (premises)
 Suppliers
 Those who control premises
 Those affected by the work
 Users of the end product
 Anyone who uses the professional services of the company
 Anyone on the premises unlawfully
Employers’ Responsibilities Under the Act
Employers must provide:
 A safe workplace and safe systems of work
 Safe access and egress
 Training for employees
 A written safety policy
 Safe machinery, plant and equipment
Health & Safety
 More specific duties
 What must a co-operative and its management ensure?
 HSA guidance documents
Directors must ensure:
 Safe machinery, plant & equipment
 Safe facility
 Training
 Safe systems
Health & Safety
Health & Safety Legislation – Offences & Penalties
Example: impeding an Order of the High Court
 Powers of the HSA to seek injunctions from the Court
 A site “should be restricted or immediately prohibited until specified measures have been taken to reduce the risk to a reasonable level” (s.71)
 If you kept the site open it would “contravene” an “order” and be an offence (s.77.5)
 Liability for offences applies to Directors (s.80)
Penalties (s.78(2)):
 Summary – €3,000 and/or 6 months
 Indictment – €3m and/or 2 years
Business Continuity Planning - BCP
Business continuity planning (or BCP) is the process of creating systems of prevention and recovery to deal with potential threats to an organisation.
Business Continuity Planning - BCP
 Continuation of critical business processes in the event of significant business interruption or disaster.
 Five-stage process:
1. Analysis
2. Solution design
3. Implementation
4. Testing
5. Maintaining
Management Succession Planning - MSP
 Succession planning is a critical factor in sustaining the success of an organisation.
 Proactive succession planning efforts reduce the risk of hiring and promotion mistakes, loss of institutional knowledge, and the negative impact of turnover in key roles.
Management Succession Planning - MSP
Succession planning is a continuous process. Some of the critical steps include:
 Identifying key business challenges facing the organization
 Creating a leadership success profile
 Assessing identified candidates for key roles
 Creating transition plans for new leaders
 Developing internal talent
 Tracking, documenting and monitoring the process
Management Succession Planning - MSP
 Succession planning is an important strategic business initiative for all organizations.
 By (1) starting early, (2) embracing succession planning as a process, not a one-time event, (3) objectively assessing candidates for key positions, and (4) developing talent, you can ensure that your organisation has effective leaders prepared to fill key roles to meet the business challenges of today and tomorrow.
Questions
Strategic Risk Management