MakeITWork.Consulting ME
Business Management © 2015 MakeItWork. This document is confidential and may not be reproduced or distributed without prior written authorization of MakeItWork Consulting ME.

Enterprise Risk Management
Ramallah, Palestine
25th May, 2015
A MakeITWork Consulting ME event in cooperation with the Palestinian Banking Institute
MakeITWork Presentation
MakeITWork Consulting is a consulting and training company, now also based in the Middle East, specialized in Project and Risk Management, Business Strategy, and Resource and Outsourcing services.
Founded by a group of professionals with extensive experience and knowledge of the international market, MakeITWork Consulting offers an integrated range of services tailored to the needs of each company.
The professional experience of its founders includes success stories in companies and organizations from different sectors of activity, including Banking and Insurance, Information Technology and Telecommunications, the Software Industry, Government and the wider Public Sector.
Speaker Presentation
Dr. Jorge Vaz Girão, PMP, CISA, PMDPro
Jorge Vaz Girão has more than 30 years of experience in the fields of Program, Project and Risk Management, Business Analysis and Change Management for the IT, Banking, Insurance, Telecom, Transportation and Aviation industries.
His career has developed in various business domains, in both the private and the public sectors, taking on many different and challenging projects, especially in the areas of international management and consulting across Europe, Africa and the Middle East. He has managed and consulted on more than 35 local and international major projects as their project and risk manager, for companies such as Temenos, Misys, Capgemini, IBM, Altran, Axa Insurance, Sony, Shell and Bertelsmann.
Project and Risk Management, as well as coaching, are his passion. For the past 5 years he has developed and taught over 20 different Project and Risk Management and related training courses.
His vast experience and training methodology have received excellent feedback from his students and from many domestic and international clients.
Agenda
1. STRATEGIC RISK MANAGEMENT
• What Is a Risk?
• The Importance of Risk Management
• Enterprise Risk Management As A Factor Of Success for Organizations
• A simple strategy for ERM
• How can an ERM programme enable organizations to achieve strategic objectives more effectively?
• How to benefit from Basel III recommendations to develop Risk Management practices?
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Strategic Risk Management
What is a Risk?
[Figure: example images of risk: Dangerous Profession, Irresponsible Behaviour, Dangerous Car Driving, Plane Crash, Natural Disaster, Tsunami Disaster, Fire Accident, Bank Robbery, Stock Exchange Crash, Pickpocket Robbery]
A risk is ANYTHING that may affect and have an impact on the achievement of the objectives (your organization's objectives, your project, your personal life, etc.).
Risk involves two key dimensions:
1) the UNCERTAINTY that surrounds future events and outcomes, and
2) the expression of the LIKELIHOOD and IMPACT of an event with the potential to influence the achievement of the objectives.
What is a Risk? Uncertainty
Uncertainty (probability)
This means there is a probability between 1% and 99% that the event could occur:
1) If there is a 0% chance of an event occurring, there is no risk (example: if there is a 0% chance your project will be adequately funded, this is not a risk, it is a reality).
2) If there is a 100% chance of an event occurring, this would be an issue, not a risk.
What is a Risk? Effect
Effect (likelihood, impact)
This means the event may affect and have an impact, with consequences, on the achievement of the objectives.
Consequences can range from negative to positive:
1) Risks with negative consequences are called THREATS.
2) Risks with positive consequences are called OPPORTUNITIES.
(Yes, risk can be good! Stop thinking of risk as bad, and start thinking of it in terms of probabilities!)
What is a Risk? Risk Factors
Risk factors:
1. The probability that it will occur
2. The range of possible outcomes (impact)
3. Expected timing (when)
4. The anticipated frequency of the risk event (how often)
The Importance of Risk Management. Why do we need it?
Why do we need Risk Management?
"The only alternative to risk management is crisis management, and crisis management is much more expensive, time consuming and embarrassing."
(JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003)
"Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs."
(SHEILA FRASER, Auditor General of Canada)
The Importance of Risk Management. What is Risk Management?
What is Risk Management?
A process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.
(THE INSTITUTE OF RISK MANAGEMENT)
A process, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
(COSO Enterprise Risk Management)
Coordinated activities to direct and control an organization with regard to risk, performed in a way that helps prevent many problems and makes other problems less likely.
The Importance of Risk Management.
• Increases risk awareness (What could affect the achievement of objectives? What could change? What could go wrong? What could go right?)
• Increases understanding of risk sensitivities (What makes my risks increase / decrease / disappear?)
• Promotes a "healthy" risk culture (It's safe to talk about risk. Open and transparent.)
• Develops a common and consistent approach to risk across the organization (Not intuition-based.)
• Allows intelligent, "informed" risk-taking.
• Focuses efforts and helps prioritize (Top 10 list. Or top 3. Or…)
• Is proactive, not reactive (Prepare for risks before they happen. Identify risks and develop appropriate risk-mitigating strategies.)
• Improves outcomes: the achievement of objectives (corporate, departmental, project, etc.)
• Really comes down to simple good management.
• Enables accountability, transparency and responsibility.
• And may even mean survival.
ERM As A Factor Of Success for Organizations. A Silo Approach
Organizations typically undertake some risk management activities but may lack an integrated and disciplined process.
[Figure: risks managed in separate silos: Regulatory, Financial, Reputational, Human Resource, IT, Political, Environmental, Insurance, Strategic, Business Interruption, Operational]
ERM As A Factor Of Success for Organizations. Enterprise Approach
[Figure: A Silo Approach (Operation Risk, Financial Risk, HR Risk, Strategic Risk, Technology Risk and Environment Risk each managed separately) compared with An Enterprise Approach (the same risk areas managed together under Enterprise Risk Management)]
"Enterprise Risk Management: A rigorous approach to identifying, assessing and addressing risks from all sources that threaten the achievement of an organization's strategic, operational and financial objectives and/or represent an opportunity or competitive advantage."
Jerry Miccolis, Tillinghast-Towers Perrin
ERM As A Factor Of Success for Organizations. ERM Governance
ERM Governance is about three things:
1. Understanding limits of acceptable risk
2. Providing confidence and guidance to management
3. Anticipating events to position the firm for success
(National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009)
ERM As A Factor Of Success for Organizations. A Value Proposition
No Big Surprises: Early Warning Systems
• Systematically identify, assess and prioritize risks
• Avoid unrewarded risks
• Promote organizational learning among management
• Reduce chance of repeat problems
No Big Mistakes: Operational Resilience
• Provide assurance that key risks are understood and mitigated
• Prevent and rapidly respond to potential catastrophic failures
• Secure and protect staff, processes, and technology
• Align organizational goals with stakeholder requirements
No Big Missed Opportunities: Enhance Organizational Value
• Seek growth, ensuring threats are understood and vulnerabilities are mitigated
• Accelerate ability to respond to change and opportunities
• Identify opportunities to improve performance and reduce costs
A simple strategy for ERM… The 3 W's…
Where is the fundamental value of the business? Risk Management will only add value if aligned with value drivers.
What drives that value? Risk Management will only drive results if complex cause/effect relationships are understood.
What can cause catastrophic loss or disruptive opportunity? ERM professionals must identify emerging risks and opportunities.
Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite.
A simple strategy for ERM… The Framework
The ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
Entity objectives can be viewed in the context of four categories: STRATEGIC, OPERATIONS, REPORTING, COMPLIANCE.
It considers activities at all levels of the organization: ENTITY-LEVEL, DIVISION, BUSINESS UNIT, SUBSIDIARY.
How can the ERM be an enabler?… Having a Framework Roadmap
Dimensions of a Risk Management Framework:
• Risk Culture & Policies: Organizational Mindset; Tone at the Top; Standards/Protocols; Risk Appetite & Tolerance
• Infrastructure & Organization: Authority, Responsibility & Accountability; Bottom-up Structure; Top-down Structure
• Resources & Capabilities: Installing Centres of Competency; Communication & Awareness; Learning & Education; Monitoring Functions
• Tools & Techniques: tools and techniques to support the efficient and effective identification, measurement, management and reporting of risk
How can the ERM be an enabler?… Getting ERM Right…
1. Do we understand the risk context of our key business value-drivers?
2. Are we focused on risks in the activities and processes that create that value?
3. Are we engaging the business to create more and better risk information?
4. Are we driving consistent best-practice risk responses across the organization?
5. Are we collaborating with other risk management professionals to manage risks?
6. Can we identify, monitor and manage the root causes of risks?
7. Can we predict how risks will impact value under different scenarios?
8. Can we aggregate and communicate critical risk information to business decision makers?
9. Have we standardized our practices and tools? Do we have a risk library or a risk cemetery?
10. Are we providing the insight our executives and Board need to create and preserve value?
How to Benefit from Basel III. Basel Context (from Basel I till Basel III)
• Basel I (1988 - 1996): Equity standard: bank loans are backed by 8% equity
• Basel II (2004 - 2009)
• Basel III (after 2009)
How to Benefit from Basel III. Basel Risk Context Overview
• Basic Risks: Credit Risk; Market Risk; Operational Risk
• Other Risks: Settlement Risk; Residual Risk; Securitization Risk; Concentration Risk; Interest Rate Risk; Reputation Risk; Liquidity Risk
• Other Considerations: Stress Tests; Scenario Analysis; Economic and Regulatory Environment; Capital Planning
• Fairness and Supervisory Action: Individual Capital Guidance; System & Control Improvements; Provisioning; Restriction of Business; Peer Group Comparison
Reliance on risk management, internal audit, independent validation units or external audit.
How to Benefit from Basel III. An Overall Framework…
Nine principles for building an Enterprise Risk Management (ERM) framework:
• Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Record to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate
• Risk Types: Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting
• Risk Ownership (Business Units and Supporting functions): Business Unit Responsibility; Support of pervasive functions
• Common Risk Infrastructure (Executive Management): Executive Management Responsibility; Objective Assurance and Monitoring; Common Risk Infrastructure (People, Process, Technology)
• Risk Governance (Board of Directors): Oversight; Tone at the Top; Roles and Responsibilities; Transparency for Governing Bodies; Common Definition of Risk; Common Risk Framework
Risk Management Standards
The ERM Framework…
[Figure: the nine-principles ERM framework diagram (Risk Process, Risk Types, Risk Ownership, Common Risk Infrastructure, Risk Governance), as shown in the Basel III overall framework slide above]
The ERM Framework… Governance Principles…
Principle #1: common definition of risk
With Enterprise Risk Management, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
People think of risk in terms of threats: bad things happening to the business.
But you can also consider the other side of risk, the one that applies to value creation: risk-taking for reward (e.g. new products, entering foreign markets and acquiring competitors).
Principle #2: common risk framework
With Enterprise Risk Management, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
Risk management in many organizations is fragmented and does not have a centralized view.
For an enterprise risk management program to be effective, it must be built around a framework such as COSO ERM or ISO 31000.
Principle #3: Roles and responsibilities
With Enterprise Risk Management, key roles, responsibilities, and authority relating to risk management are clearly defined within the organization.
The board sets the direction, the executive leads the risk program, the business units work as a team for a successful implementation, and certain functions support the risk program.
Principle #4: Transparency for governing bodies
With Enterprise Risk Management, governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities.
Some boards of directors are not kept informed on how risk is being managed within the organization.
The ERM Framework… Risk Infrastructure & Oversight Principles…
Principle #5: common risk infrastructure
A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
To effectively and efficiently manage risks and reap the rewards, organizational silos must be bridged.
In particular, a common risk infrastructure needs to be created. All the business units and functions should also use the same supporting risk technologies and processes.
Principle #6: executive management responsibility
With Enterprise Risk Management, executive management is assigned primary responsibility for designing, implementing, and maintaining an effective risk program.
Everyone has a responsibility for risk.
Principle #7: objective assurance & monitoring
Certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management.
39. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Ownership Principles…
Principle #8: Business unit responsibility
Business units (departments, agencies, etc.) are responsible for the performance of their business and the management of the risks they take within the risk framework established by executive management.
So everyone is responsible for risk. But who “owns” it?
If you own the business unit, you own the risk.
Risk owners must also abide by the rules and operate under certain constraints: they do not choose the framework.
Principle #9: Support and pervasive functions
Certain functions (e.g., finance, legal, HR) have a widespread impact on the business and provide support to the business units as it relates to the organization's risk program.
Certain groups within the organization carry a unique role, namely the internal audit, compliance, and risk management functions. Their key responsibility is to provide assurance that the internal control and risk structure operates effectively.
[Figure: the ERM framework diagram again, with the Risk Ownership tier highlighted. Risk Governance (Board of Directors): Tone at the Top, Oversight, Common Definition of Risk, Common Risk Framework, Transparency for Governing Bodies. Risk Infrastructure & Management (Executive Management): Common Risk Infrastructure, People / Process / Technology, Roles and Responsibilities, Executive Management Responsibility, Objective Assurance and Monitoring. Risk Ownership (Business Units and Supporting Functions): Business Unit Responsibility, Support of Pervasive Functions. Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate / Respond to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate. Risk Types: Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting.]
40. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
41. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification… Its Value
Value is a function of risk and return.
Every decision either increases, preserves, or erodes value.
42. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification… Its Value
Because risk is integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk, or even to minimize it…
This perspective represents a critical change from the traditional view of risk as something to avoid.
That is why risk identification is important.
It is the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals.
43. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification
At this stage, a wide net is cast to
understand the universe of risks
making up the enterprise’s risk
profile.
While each risk captured may be
important to management at the
function and business unit level, the
list requires prioritization to focus
senior management and board
attention on key risks.
44. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification
[Figure: ERM process diagram with the Identify Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
The risk (or event) identification process precedes risk assessment and produces
a comprehensive list of risks (and often opportunities as well), organized by risk
category (financial, operational, strategic, compliance) and sub-category (market,
credit, liquidity, etc.) for business units, corporate functions, and capital projects.
While each risk captured may be important to management at the function and
business unit level, the list requires prioritization to focus senior management and
board attention on key risks.
45. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification
46. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification
47. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Identification
48. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
49. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
Develop assessment criteria
The first activity within the risk assessment
process is to develop a common set of
assessment criteria to be deployed across
business units, corporate functions, and large
capital projects.
Risks and opportunities are typically
assessed in terms of impact and likelihood.
Many enterprises recognize the utility of
evaluating risk along additional dimensions
such as vulnerability and speed of onset.
[Figure: ERM process diagram with the Assess & Evaluate Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
50. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
51. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
52. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
53. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
54. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
[Figure: ERM process diagram with the Assess & Evaluate Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
Assess risks
Assessing risks consists of assigning values
to each risk and opportunity using the
defined criteria.
This may be accomplished in two stages
where an initial screening of the risks is
performed using qualitative techniques
followed by a more quantitative analysis of
the most important risks.
Additional techniques can (and should) be used, such as:
• Analysis of Existing Data: reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity.
• Interviews and Cross-Functional Workshops: assessment can be conducted through one-on-one interviews or facilitated meetings.
• Surveys: surveys are useful for large, complex, and geographically distributed enterprises, or where the culture suppresses open communication.
• Benchmarking: benchmarking is a collaborative process among a group of entities.
• Scenario Analysis: scenario analysis has long been recognized for its usefulness in strategic planning.
55. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
56. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
57. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
Assess risk interactions
Risks do not exist in isolation.
Enterprises have come to recognize the
importance of managing risk interactions.
Even seemingly insignificant risks on their
own have the potential, as they interact with
other events and conditions, to cause great
damage or create significant opportunity.
Therefore, enterprises are gravitating toward
an integrated or holistic view of risks using
techniques such as risk interaction matrices,
bow-tie diagrams, and aggregated probability
distributions.
[Figure: ERM process diagram with the Assess & Evaluate Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
58. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
59. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
[Figure: ERM process diagram with the Assess & Evaluate Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
Prioritize risks
Risk prioritization is the process of
determining risk management priorities by
comparing the level of risk against
predetermined target risk levels and tolerance
thresholds.
Risk must be viewed not just in terms of
financial impact and probability, but also
subjective criteria such as health and safety
impact, reputational impact, vulnerability, and
speed of onset.
60. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Assessment
61. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
62. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Treatment / Response
[Figure: ERM process diagram with the Respond to Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
Identifies and evaluates possible responses to risk.
Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential
risk responses, and degree to which a response will reduce impact and/or
likelihood.
Selects and executes response based on evaluation of the portfolio of risks and
responses.
Responses include risk avoidance, reduction, sharing, and acceptance.
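The assessment criteria, two-stage assessment, prioritization against tolerance thresholds and cost-versus-benefit response selection described on the preceding Risk Assessment and Risk Treatment slides, carried through in code on a small risk register (an added example, not part of the MakeITWork deck; the rating scales, band mid-points, tolerance thresholds, register entries and response costs are all assumed, constructed values):

```python
"""Worked ERM assessment example on a constructed risk register (added
illustration, not MakeITWork material). Steps follow the deck: common
assessment criteria, two-stage assessment (qualitative screen, then
quantitative analysis), prioritization against tolerance thresholds, and
cost-versus-benefit evaluation of avoidance/reduction/sharing/acceptance."""
from dataclasses import dataclass, field

# Common assessment criteria shared by every business unit (assumed scales):
# 1-5 ratings for impact and likelihood, plus the deck's extra dimensions,
# vulnerability and speed of onset. Band mid-points turn the ratings into
# an annualised likelihood and a loss value for the quantitative stage.
LIKELIHOOD_PER_YEAR = {1: 0.02, 2: 0.1, 3: 0.3, 4: 0.6, 5: 0.9}
IMPACT_VALUE = {1: 10_000, 2: 50_000, 3: 250_000, 4: 1_000_000, 5: 5_000_000}

# Tolerance thresholds set by executive management (constructed values).
QUALITATIVE_SCREEN = 9        # impact x likelihood needed to reach stage two
RISK_APPETITE_LOSS = 100_000  # maximum acceptable annualised expected loss


@dataclass
class Response:
    kind: str                 # "avoid", "reduce", "share" or "accept"
    annual_cost: float        # cost of running the response each year
    impact_after: int         # residual impact rating once applied
    likelihood_after: int     # residual likelihood rating once applied


@dataclass
class Risk:
    name: str
    category: str             # governance, strategy, operational, compliance, reporting
    impact: int
    likelihood: int
    vulnerability: int        # 1-5: how weak the existing controls are
    speed_of_onset: int       # 1-5: how little warning the enterprise would get
    responses: list = field(default_factory=list)


def qualitative_score(r: Risk) -> int:
    """Stage one: coarse impact x likelihood screen applied to every risk."""
    return r.impact * r.likelihood


def expected_loss(impact: int, likelihood: int) -> float:
    """Stage two: annualised expected loss from the rating band mid-points."""
    return IMPACT_VALUE[impact] * LIKELIHOOD_PER_YEAR[likelihood]


def prioritize(register):
    """Risks that pass the screen, ranked for senior-management attention by
    expected loss, then by the subjective criteria (vulnerability, speed)."""
    shortlist = [r for r in register if qualitative_score(r) >= QUALITATIVE_SCREEN]
    return sorted(shortlist, reverse=True,
                  key=lambda r: (expected_loss(r.impact, r.likelihood),
                                 r.vulnerability, r.speed_of_onset))


def evaluate_responses(r: Risk):
    """Options for one risk ranked by net annual benefit (reduction in expected
    loss minus cost), keeping only those whose residual loss is within appetite."""
    inherent = expected_loss(r.impact, r.likelihood)
    rows = []
    for resp in r.responses:
        residual = expected_loss(resp.impact_after, resp.likelihood_after)
        if residual <= RISK_APPETITE_LOSS:
            rows.append((resp.kind, inherent - residual - resp.annual_cost, residual))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def select_response(r: Risk):
    """Best in-appetite option by net benefit, or None when no option brings the
    risk within appetite, which then needs escalation rather than silent acceptance."""
    ranked = evaluate_responses(r)
    return ranked[0][0] if ranked else None


# Constructed sample register for a bank-like enterprise (illustrative only).
REGISTER = [
    Risk("Core banking outage", "operational", impact=4, likelihood=3,
         vulnerability=3, speed_of_onset=5, responses=[
             Response("accept", 0, 4, 3),
             Response("reduce", 60_000, 4, 1),   # redundancy and tested recovery
             Response("share", 90_000, 2, 3),    # outsourcing plus insurance
         ]),
    Risk("Regulatory reporting error", "reporting", impact=3, likelihood=4,
         vulnerability=4, speed_of_onset=2, responses=[
             Response("accept", 0, 3, 4),
             Response("reduce", 30_000, 3, 2),   # reconciliation controls
         ]),
    Risk("Branch signage damage", "operational", impact=1, likelihood=2,
         vulnerability=2, speed_of_onset=3, responses=[Response("accept", 0, 1, 2)]),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.name}: score={qualitative_score(r)}, expected loss="
              f"{expected_loss(r.impact, r.likelihood):,.0f}, response={select_response(r)}")
```

Note that "accept" is filtered out for both shortlisted risks because their inherent expected loss exceeds the appetite, which is exactly the point of comparing options against a predetermined tolerance rather than against each other alone.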
63. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Treatment / Response
64. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Treatment / Response
65. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Treatment / Response
66. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
67. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
To ensure that the risk response is followed consistently throughout the organization, enterprise risk management functions may set policies and issue guidance and/or minimum standards that apply to all business units globally.
Business unit management, in consultation with the appropriate risk management functions, will design and document action plans to implement or strengthen risk-mitigating activities, as applicable.
[Figure: ERM process diagram with the Respond to Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
Increasingly, as a best practice, systems and critical business processes are designed and implemented to automate or “design in” compliance with these standards and other risk mitigation strategies.
68. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
Information and communication channels are in place to make business leaders, as well as individuals, aware of risks that fall into their area of responsibility and the expected behaviour to mitigate negative outcomes.
Formal and informal training should be conducted with applicable personnel.
For many areas of risk, mandatory training is conducted annually.
Knowledge is also exchanged within risk management functions through regular department meetings, short-term rotations through Corporate or enterprise functions and ad hoc cross-business unit assignments.
[Figure: ERM process diagram with the Respond to Risks step highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
69. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
70. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
71. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
72. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
73. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
74. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Monitoring and Control
Monitoring and Control activities are the policies and procedures that help ensure that management’s risk responses are carried out.
Monitoring and Control activities occur throughout the organization, at all levels and in all functions.
They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
[Figure: ERM process diagram with the Design, Implement & Test Controls and Monitor, Assure, Escalate steps highlighted. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Supporting functions: Legal & Compliance, Finance, Operation & IT. Risk types: Governance, Strategy & Planning, Operational / Infrastructure, Compliance, Reporting.]
Having selected risk responses, management identifies the control activities needed to help ensure that the risk responses are carried out properly and in a timely manner.
75. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
76. MakeITWork.Consulting ME
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
77. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… The Structure and Administration
An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management.
The policy should also set out responsibilities for risk management throughout the organisation.
The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.
This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.
Role of the Board
The Board should, as a minimum, consider, in evaluating its system of internal control:
• the nature and extent of downside risks acceptable for the company to bear within its particular business
• the likelihood of such risks becoming a reality
• how unacceptable risks should be managed
• the company’s ability to minimise the probability and impact on the business
• the costs and benefits of the risk and control activity undertaken
• the effectiveness of the risk management process
• the risk implications of board decisions
78. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… The Structure and Administration
The Business Units have primary responsibility for managing risk on a day-to-day basis.
Role of the Business Units
• business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business
• risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis
• business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project
79. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… The Structure and Administration
Depending on the size of the organisation, the risk management function may range from a single risk champion, or a part-time risk manager, to a full-scale risk management department.
Role of the Risk Management Function
• setting policy and strategy for risk management
• primary champion of risk management at strategic and operational level
• building a risk-aware culture within the organisation, including appropriate education
• establishing internal risk policy and structures for business units
• designing and reviewing processes for risk management
• co-ordinating the various functional activities which advise on risk management issues within the organisation
• developing risk response processes, including contingency and business continuity programmes
• preparing reports on risk for the board and the stakeholders
80. MakeITWork.Consulting ME
Risk Management Standards
The ERM Framework… The Structure and Administration
The role of Internal Audit is likely to differ from one organisation to another.
In practice, Internal Audit’s role may include some or all of the following:
Role of Internal Audit
• focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
• providing assurance on the management of risk
• providing active support and involvement in the risk management process
• facilitating risk identification/assessment and educating line staff in risk management and internal control
• co-ordinating risk reporting to the board, audit committee, etc.
81. MakeITWork.Consulting ME
Questions?
Comments?
We’ll be happy to help you!
82. MakeITWork.Consulting ME
Our Contacts
For ERM consultation and workshops:
Jorge Vaz Girão, CISA, PMP, PMDPro I, ERMCP, CAMS
Regional Director, MakeITWork Consulting ME
+44 37 0801 1345 (UK)
+962 798 110 562 (Jordan)
jorgevazgirao@makeitworkconsulting.co.uk
For overall consultation, general inquiries:
MakeITWork Consulting ME
+44 37 0800 1306 (UK)
+962 795 338 447
+962 (0) 658 135 05
makeitwork@makeitworkconsulting.co.uk