John Crawley & Emer McAneny
June 2014
Risk Management
“The International Standard”
• Accountant
• Banker
• Businessman
• Trainer
• Turnaround Expert
• Risk Expert
Who I am
Agenda
Strategy
• And the role of Risk
GRC
• Governance, Risk & Compliance
Tolera
nce
• And why organisation are now setti...
Rules of engagement
Engage
Open mind
No
distractions
Challenge
Question
Enjoy
What is risk and risk management?
What is risk
 “Effect of uncertainty on objectives”
 Effect:
 Positive
 Negative
 Deviation from the expected
 Objec...
What is the best definition of risk?
Organisation Definition of risk
ISO Guide 73
ISO 31000
Effect of uncertainty on objec...
Definitions of risk management
Organisation Definition of risk management
ISO Guide 73
ISO 31000
Coordinated activities to...
Strategy – Where are we going?
Your Business Compass
Do
things
right
Do the
right
thing
Good
Corporate Governance
What is Risk Management
 Process which aims to help organisations
understand, evaluate and take action on all their
risks...
Why manage risk?
Q What is the fundamental
reason that cars have
brakes?
Q
So that cars can stop - but they also allow
cars to be driven faster
A
What is the fundamental
reason that cars have bra...
Why manage risk?
Achievement Safeguarding
For discussion…
What events can you
recall that support the
need for a structured
and systematic
approach to risk
manageme...
Consider the list of disasters identified.
Was this a failure of:
- prediction?
- prioritisation?
- mobilising resources?
...
ISO 31000 overview
Throughout the course we will use ISO 31000 as our core
framework
Mandate and
commitment
(4.2)
Design o...
ISO 31000 overview
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
management
(...
Risk management principles
• creates and protects value
• integral part of organisational processes
• part of decision making
• explicitly addresses ...
• tailored
• takes human and cultural factors into account
• transparent and inclusive
• dynamic, iterative and responsive...
Attributes of effective risk
management
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
Wha...
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
Wha...
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
Wha...
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
Wha...
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
Wha...
Introduction to key risk
management disciplines
How does enterprise risk
management (ERM) differ from
risk management?Q
How does enterprise risk
management (ERM) differ from
risk management?Q
ERM seeks to:
• include all categories of risk and...
What is governance?
Q
What is governance?
Q
The system by which organisations are directed and
controlled.
Generic aspects of governance include...
International development of codes of
corporate governance
• principle-based approach
versus
• prescriptive (rules) based
...
What is compliance?
Q
What is compliance?
Q
Compliance is the leadership processes that an
organisation establishes to comply with societal, tra...
What is GRC?
Q
What is GRC?
Q
GRC stands for:
• governance
• risk
• compliance
ARISK
Compliance
Governance
Risk management process
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
managem...
ISO 31000 overview
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
management
(...
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
Impact Likelihood...
Communication and consultation
Establish the context
Identify risks
Evaluate risks
Analyse risks
Treat risks
Risk assessment
Communicateandconsult
Monito...
Communication
– a continual and iterative process that an organisation
conducts to provide, share or obtain information an...
• help to establish the context appropriately
• stakeholders interests understood & considered
• risks adequately identifi...
Effective communication about risk
• comprehensive and frequent reporting of risk
management performance is an essential e...
Establishing the context
Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tol...
Establish the context
Identify risks
Evaluate risks
Analyse risks
Treat risks
Risk assessment
Communicateandconsult
Monito...
Establishing the context
External context
Internal context
Context of the risk management
process
• what does the world ar...
How do you Plan Ahead?
Risk assessment
Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tolerance
Ri...
Establish the context
Identify risks
Evaluate risks
Analyse risks
Treat risks
Risk assessment
Communicateandconsult
Monito...
Risk assessment
Risk identification
– what might happen (the event)?
Risk analysis
– how likely is it to happen?
– if it d...
ISO 31000 - The Risk Process
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Termi...
Two main types of identification techniques
Forward looking
– brainstorming workshops
– surveys
– expert knowledge
Histori...
PerspectivesFinancial
Marketing
& Sales
Operations
Employees
CSR
Economic
Compliance
Perspectives to Identify KPI’s
Some risk terminology
• A risk is the effect of uncertainty on objectives
• A hazard is the source of potential harm (a ha...
Describing a risk
Combines the cause(s), the event(s) and the effect(s)
Consequences
or effect(s)
(on objectives)
Source(s...
KPI - Financial
Liquidity
₋ Current Ratio
₋ Quick Ratio
Financial Strength
₋ Interest Cover
₋ Debt to Equity Ratio
Corpora...
Your Risk Register – Step 1
KPI Categories to Risks
 Fill in 1 Financial risk
KPI - Marketing & Sales
₋ Net Promoter Score
“How likely are you to recommend this
business to a colleague or friend?”
₋ D...
Marketing & Sales
KPI Categories to Risks
 Fill in 1 Marketing & Sales risk
KPI - Operational & Technology
₋ How suitable and operational is
our equipment? How
technologically advanced are
we?
₋ Are...
Operational & Technology
KPI Categories to Risks
 Fill in 1 Operational & Technology risk
KPI - Employees
— How well do you protect and
support your employees?
— How well does the
organisation vet its
employees?
...
KPI - Employees
KPI Categories to Risks
 Fill in 1 risk associated with your Employees
KPI - Corporate Social Responsibility
₋ Are you compliant with
Environmental
regulations/standards?
₋ Are your suppliers s...
Corporate Social Responsibility
KPI Categories to Risks
 Fill in 1 Corporate Social Responsibility risk
KPI - Economic
₋ What would the financial effect of a
change of +/- 1% in the interest rate
paid or charged ?
₋ To what ex...
Economic
KPI Categories to Risks
 Fill in 1 Economic risk
KPI - Compliance
₋ Comprehensiveness of the
organisations Governance
procedures
“What is the effect of the new
Legislation...
Compliance
KPI Categories to Risks
 Fill in 1 Compliance risk
• the outcome of a risk event is not always
negative
• think of some examples where a risk event
can result in positive or...
Recap
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
management
(4.4)
a) Creat...
Your Risk Register – Step 1
Positive Risk
 Fill in 2 Positive Risks
Risk evaluation -
risk appetite and tolerance
The Risk Process
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
...
• the amount of risk an organisation is willing to
seek or accept in pursuit of its long-term
objectives
Risk
appetite
• t...
Risk appetite can be complex
– simplification can be attractive but can lead to
meaningless approaches
Needs to be measura...
Developed in the context of the organisation’s risk
management capability
– an understanding of risk appetite unlikely to ...
• prioritise risks in terms of their significance
• provide some consistency about the perception of
significance
• decide...
Benchmark to determine significance
₋ Financial – sums involved
₋ Disruption – length of time
₋ Reputational - profile
Appetite
Hungry?
Not enough risk
Over Fed?
Too Much Risk
Attitude?
1. That’s Grand
2. Don’t Push It
3. Your taking the
P**s
Appetite – Healthy Eating
(Tolerance)
• Increased sales
• Cost EfficiencyHigh
• Lack of staff expertise &
training
• Ineff...
Your Risk Register – Step 2
Risk Appetite
 Enter
- High
- Medium
- Low
- Zero
Beside each of the risks you have identified
Risk profiling – consequence;
probability matrix – risk registers
The Risk Process
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
...
Risk matrixLikelihood
Impact
ProbablePossibleRemote
Low Medium High
Likelihood
Estimation Descriptors Indicators
Probable Likely to occur each year or
more than a 25% chance of
occurrence
Po...
Estimating likelihood - criteria
Within the next 12 months the event is:
Almost certain
• Frequent occurrence > 90% chance...
Impact
High
Financial impact on the organisation is likely to exceed €x
Significant impact on delivery of the organisation...
Estimating impact – criteria
REPUTATION FINANCE SERVICE
DELIVERY
COMPLIANCE SAFETY
EXTREME Loss of credibility
key stakeho...
LIKLIHOOD
PROBABLE
Likely to occur each year or
more than a 25% chance of
occurrence
3 3 6 9
POSSIBLE
Likely to occur in a...
Opportunity and risk matrix
Two-sided Risk Matrix
1:100
Likelihood & Impact
Likelihood
High
Medium
Low
Zero
Impact
High
Medium
Low
Zero
Risk Score
Likelihood
High
Medium
Medium
High
Impact
High
High
Low
Low
Score
High
Judgement
Judgement
Judgement
Your Risk Register – Step 3
Risk Score
 Enter
- High
- Medium
- Low
- Zero
For Impact, Likelihood and risk score beside e...
Risk evaluation
Evaluate Risk score
Risk
score
Risk
appetite
Good
Risk
score
Risk
appetite
Treat
Your Risk Register – Step 4
Do you need to take Action?
 Enter
- Yes if your risk score is not equal to appetite
- No if ...
Risk treatment
The Risk Process
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
...
Establish the context
Identify risks
Evaluate risks
Analyse risks
Treat risks
Risk assessment
Communicateandconsult
Monito...
A process to modify risk (ISO 31000)
Risk treatment (or response) involves:
– the selection of one or more options for mod...
Risk treatment is a cyclical process
Deciding
whether the
residual risk
level is
tolerable
Assessing
the
effectiveness
of ...
The purpose of risk treatment plans is to document how the
chosen treatment options will be implemented.
Information shoul...
Treatment
Tolerate Treat
Transfer Terminate
Treatment - Step 4
4 T’s
What Treatment could you use?
 Enter one or more of the following
- Treat fill in what you would...
Monitoring and review
Establish the context
Identify risks
Evaluate risks
Analyse risks
Treat risks
Risk assessment
Communicateandconsult
Monito...
The Risk Process
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
...
A process not an event
•Action Plans &
OwnersT’s
•Inline with
Appetite?Incidents
•Once Yearly
Reassess
• ensure controls effective and efficient
• obtain information to improve risk assessment
• learn the lessons from events
...
Key risk and control indicators
KRIs
Metrics to help
identify changes
that could alter the
overall assessment
of key risk ...
Key risk indicators
For the case study provided identify
the metrics that were used or could
have been used to indicate a ...
Define monitoring and review responsibilities
– risk owners
– control owners
– responsibility for the review of the whole ...
Business continuity management
Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite a...
ISO 31000 overview
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
management
(...
What is a risk management framework?
• a system of leadership,
commitment and
processes
• foundation for a mutual
understa...
Think back to previous case
histories discussed -
• why did the established controls
systems fail?
• what do the case stud...
Embedding risk management
Visible commitment from the top
– articulated and endorsed through a policy and
framework for ma...
An organisational framework to ensure
– clearly defined responsibility and accountability
– training for all relevant stak...
Integration into management processes
– ensure the benefits for business and resource
planning are clearly established thr...
• clear and concise outline of the organisation’s
requirements
• providing uniformity and consistency in the risk
manageme...
• developed and owned at board level
• developed with consideration as to how
compliance with the policy will be monitored...
• who are your key
stakeholders?
• what do you hope the
ERM process will
deliver to you and to
your key stakeholders?
Grou...
5 • a framework for control
4
• better informed decision making
3 • reduced volatility
2 • improved stakeholder relationsh...
The greatest risk is to take no risk at all, because if
we don’t take risks there’s no advancement,
there’s no progress an...
ISO 31000 overview
Mandate and
commitment
(4.2)
Design of
framework for
managing risk
(4.3)
Implementing
risk
management
(...
• Fundamentals of Risk Management
• International Certificate in Risk Management
– leads to Certificate membership grade
•...
References and further reading
• IRM Fundamentals of Risk Management – Paul Hopkin – Kogan Page £35.00
ISBN: 978-0-7494-59...
So to recap…
Ongoing monitoring
Audit & Report Incidents Re-assess
Treatment
Tolerate Treat Transfer Terminate
Assess
Impact Likelihood...
Tutor
• John Crawley
• john@TheFinanceExpert.ie
• + 353 1 210 4753
• www.TheFinanceExpert.ie
• LinkedIN
• Tweet: @AFinance...
T H A N K Y O U
Institute of Risk Management
Bow tie analysis
Event
Causes Consequences
Immediate
consequences
Ultimate
consequences
Underlying
threats
Immediate
threa...
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc aneny
Risk seminar - john crawley & emer mc aneny
Upcoming SlideShare
Loading in …5
×

Risk seminar - john crawley & emer mc aneny

995 views

Published on

Published in: Business, Economy & Finance
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
995
On SlideShare
0
From Embeds
0
Number of Embeds
159
Actions
Shares
0
Downloads
74
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Risk seminar - john crawley & emer mc aneny

  1. 1. John Crawley & Emer McAneny June 2014 Risk Management “The International Standard”
  2. 2. • Accountant • Banker • Businessman • Trainer • Turnaround Expert • Risk Expert Who I am
  3. 3. Agenda Strategy • And the role of Risk GRC • Governance, Risk & Compliance Tolera nce • And why organisation are now setting “Appetite” Identifica tion • Using a Stakeholder approach Assessi ng • Simplicity or complexity Action • Everything can be dealt with as a “T” Report ing • Importance on Enbedding KRIs
  4. 4. Rules of engagement Engage Open mind No distractions Challenge Question Enjoy
  5. 5. What is risk and risk management?
  6. 6. What is risk  “Effect of uncertainty on objectives”  Effect:  Positive  Negative  Deviation from the expected  Objectives:  Definition works best if the organisation has clear objectives  These need to be tested as part of risk management process
  7. 7. What is the best definition of risk? Organisation Definition of risk ISO Guide 73 ISO 31000 Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence Institute of Risk Management (IRM) Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative COSO – ERM Integrated Framework The possibility that an event will occur and adversely affect the achievements of objectives From old AS/NZ 4360:2004 The chance of something happening that will have an impact on objectives
  8. 8. Definitions of risk management Organisation Definition of risk management ISO Guide 73 ISO 31000 Coordinated activities to direct and control an organisation with regard to risk Institute of Risk Management (IRM) Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure COSO – ERM Integrated Framework A process affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
  9. 9. Strategy – Where are we going?
  10. 10. Your Business Compass
  11. 11. Do things right Do the right thing Good Corporate Governance
  12. 12. What is Risk Management  Process which aims to help organisations understand, evaluate and take action on all their risks with a view to:  increasing the probability of success and  reducing the likelihood of failure
  13. 13. Why manage risk?
  14. 14. Q What is the fundamental reason that cars have brakes?
  15. 15. Q So that cars can stop - but they also allow cars to be driven faster A What is the fundamental reason that cars have brakes?
  16. 16. Why manage risk? Achievement Safeguarding
  17. 17. For discussion… What events can you recall that support the need for a structured and systematic approach to risk management?
  18. 18. Consider the list of disasters identified. Was this a failure of: - prediction? - prioritisation? - mobilising resources? For discussion.... Predictable surprise
  19. 19. ISO 31000 overview Throughout the course we will use ISO 31000 as our core framework Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  20. 20. ISO 31000 overview Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  21. 21. Risk management principles
  22. 22. • creates and protects value • integral part of organisational processes • part of decision making • explicitly addresses uncertainty • systematic, structured and timely • based on the best available information Principles for managing risk
  23. 23. • tailored • takes human and cultural factors into account • transparent and inclusive • dynamic, iterative and responsive to change • facilitates continual improvement Principles for managing risk
  24. 24. Attributes of effective risk management
  25. 25. Effective risk management has the following attributes: – proportionate – aligned – comprehensive – embedded – dynamic What is effective risk management? “You don’t need a sledgehammer to crack a nut”
  26. 26. Effective risk management has the following attributes: – proportionate – aligned – comprehensive – embedded – dynamic What is effective risk management?
  27. 27. Effective risk management has the following attributes: – proportionate – aligned – comprehensive – embedded – dynamic What is effective risk management? Strategic/ programmes Tactical/ projects Operational/ processes
  28. 28. Effective risk management has the following attributes: – proportionate – aligned – comprehensive – embedded – dynamic What is effective risk management?
  29. 29. Effective risk management has the following attributes: – proportionate – aligned – comprehensive – embedded – dynamic What is effective risk management?
  30. 30. Introduction to key risk management disciplines
  31. 31. How does enterprise risk management (ERM) differ from risk management?Q
  32. 32. How does enterprise risk management (ERM) differ from risk management?Q ERM seeks to: • include all categories of risk and uncertainty • consider upside as well as downside • be comprehensive – applied throughout the organisation A
  33. 33. What is governance? Q
  34. 34. What is governance? Q The system by which organisations are directed and controlled. Generic aspects of governance include: - the rights and duties of owners/shareholders and other stakeholders - how powers are shared and exercised by directors - how the holders of power are held accountable for what they do A
  35. 35. International development of codes of corporate governance • principle-based approach versus • prescriptive (rules) based approach
  36. 36. What is compliance? Q
  37. 37. What is compliance? Q Compliance is the leadership processes that an organisation establishes to comply with societal, trade, professional and stakeholder needs Examples include: - law - codes of practice - contracts - trade union agreements - professional standards A
  38. 38. What is GRC? Q
  39. 39. What is GRC? Q GRC stands for: • governance • risk • compliance ARISK Compliance Governance
  40. 40. Risk management process Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  41. 41. ISO 31000 overview Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  42. 42. Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools The “Standard” is...ISO 31000
  43. 43. Communication and consultation
  44. 44. Establish the context Identify risks Evaluate risks Analyse risks Treat risks Risk assessment Communicateandconsult MonitorandreviewReproduced from ISO 31000:2009 Communication and consultation
  45. 45. Communication – a continual and iterative process that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders Consultation – a two-way process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue Stakeholders – a person or organisation that can affect, be affected or perceive themselves to be affected by a decision or activity Communication and consultation
  46. 46. • help to establish the context appropriately • stakeholders interests understood & considered • risks adequately identified • bring expertise together for risk analysis • ensure different views are considered • secure support for risk treatment plans • enhance appropriate change management • develop appropriate communication plans Purpose of communication and consultation
  47. 47. Effective communication about risk • comprehensive and frequent reporting of risk management performance is an essential element of organisational governance • internal and external stakeholders • communication is upwards, downwards and across the organisation • communicate on significant risks and risk management performance • how we communicate matters as much as what we communicate • link to effective relationship building and behaviours
  48. 48. Establishing the context Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
  49. 49. Establish the context Identify risks Evaluate risks Analyse risks Treat risks Risk assessment Communicateandconsult Monitorandreview Reproduced from ISO 31000:2009 Establishing the context
  50. 50. Establishing the context External context Internal context Context of the risk management process • what does the world around us look like? • what are the drivers and trends? • what are our objectives? • what is our capacity? • what are our business processes? • how do we make decisions? • what is the process expected to achieve? • who will be responsible? • what resources will be required? • what determines whether a risk is acceptable? • what determines whether a risk should be controlled? • how can we measure our total risks? Defining risk criteria
  51. 51. How do you Plan Ahead?
  52. 52. Risk assessment Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
  53. 53. Establish the context Identify risks Evaluate risks Analyse risks Treat risks Risk assessment Communicateandconsult Monitorandreview Reproduced from ISO 31000:2009 Risk assessment
  54. 54. Risk assessment Risk identification – what might happen (the event)? Risk analysis – how likely is it to happen? – if it does what might the impact be? Risk evaluation – so what! – is it within our risk appetite and tolerance?
  55. 55. ISO 31000 - The Risk Process Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools
  56. 56. Two main types of identification techniques Forward looking – brainstorming workshops – surveys – expert knowledge Historic – statistical analysis – trend analysis -------- ---- ---- ---- ---- ---- ---- ---- ---- ---- Strategy Market Commercial Partners Plan execution Technology Health & Safety (and CSR) Finance ---- -------- -------- ---- ---- ---- ---- -------- ---- ---- ---- ---- ---- ---- ---- ---- ---- Strategy Market Commercial Partners Plan execution Technology Health & Safety (and CSR) Finance ---- -------- -------- ---- ---- ---- ---- ---- -------- -------- ---- ---- ---- ---- Injury statistics
  57. 57. PerspectivesFinancial Marketing & Sales Operations Employees CSR Economic Compliance Perspectives to Identify KPI’s
  58. 58. Some risk terminology • A risk is the effect of uncertainty on objectives • A hazard is the source of potential harm (a hazard can be a risk source) • A risk source has the potential, alone or in combination, to give rise to risk. We might also term this cause • An event is the occurrence or change of a particular set of circumstances • A consequence is the outcome of an event affecting objectives Source: ISO Guide 73:2009 Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
  59. 59. Describing a risk Combines the cause(s), the event(s) and the effect(s) Consequences or effect(s) (on objectives) Source(s) or cause(s) (What? Why?) Event or circumstance giving rise to the uncertainty (Uncertainty)
  60. 60. KPI - Financial Liquidity ₋ Current Ratio ₋ Quick Ratio Financial Strength ₋ Interest Cover ₋ Debt to Equity Ratio Corporate Value ₋ Dividend/Drawings Yield
  61. 61. Your Risk Register – Step 1 KPI Categories to Risks  Fill in 1 Financial risk
  62. 62. KPI - Marketing & Sales ₋ Net Promoter Score “How likely are you to recommend this business to a colleague or friend?” ₋ Do customer expectations match the service we deliver? ₋ How involved/emotionally attached are your customers to your organisation?
  63. 63. Marketing & Sales KPI Categories to Risks  Fill in 1 Marketing & Sales risk
  64. 64. KPI - Operational & Technology ₋ How suitable and operational is our equipment? How technologically advanced are we? ₋ Are we realising our full production/ work potential? ₋ How long does it take to fill an order/provide a service?
  65. 65. Operational & Technology KPI Categories to Risks  Fill in 1 Operational & Technology risk
  66. 66. KPI - Employees — How well do you protect and support your employees? — How well does the organisation vet its employees? — How well are the skills of the employees matched to the needs of the organisation? — Do you offer and encourage training?
  67. 67. KPI - Employees KPI Categories to Risks  Fill in 1 risk associated with your Employees
  68. 68. KPI - Corporate Social Responsibility ₋ Are you compliant with Environmental regulations/standards? ₋ Are your suppliers socially conscious? i.e. Fairtrade for foodstuffs, ethical manufacturers for clothing ₋ Do your manufacturing facilities meet ethical standards?
  69. 69. Corporate Social Responsibility KPI Categories to Risks  Fill in 1 Corporate Social Responsibility risk
  70. 70. KPI - Economic ₋ What would the financial effect of a change of +/- 1% in the interest rate paid or charged ? ₋ To what extent is our business exposed to the collapse of a particular industry, economy or sector? ₋ To what extent is our business’s customer base exposed to the collapse of a particular industry?
  71. 71. Economic KPI Categories to Risks  Fill in 1 Economic risk
  72. 72. KPI - Compliance ₋ Comprehensiveness of the organisations Governance procedures “What is the effect of the new Legislation for your business?” ₋ To what extent is our organisation open to legal challenge?
  73. 73. Compliance KPI Categories to Risks  Fill in 1 Compliance risk
  74. 74. • the outcome of a risk event is not always negative • think of some examples where a risk event can result in positive or beneficial outcomes • discuss how the risk wheel and the bow tie technique can be used to identify opportunities Risks aren’t always bad For discussion..
  75. 75. Recap Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  76. 76. Your Risk Register – Step 1 Positive Risk  Fill in 2 Positive Risks
  77. 77. Risk evaluation - risk appetite and tolerance
  78. 78. The Risk Process Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools
  79. 79. • the amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives Risk appetite • the boundaries of risk taking outside of which the organisation is not prepared to venture in pursuit of its long-term objectives Risk tolerance • the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives Risk universe Key terms
  80. 80. Risk appetite can be complex – simplification can be attractive but can lead to meaningless approaches Needs to be measurable – otherwise statements empty and useless – key performance drivers need to be understood – key risk and key control indicators need to be developed Not a single fixed concept – there may be a range of appetites within an organisation – appetites may vary overtime influenced by changes in the risk and control environment or the benefits to be gained Key principles
  81. 81. Developed in the context of the organisation’s risk management capability – an understanding of risk appetite unlikely to emerge before a level of risk management maturity reached Must take into account strategic, tactical and operational levels – risk appetite needs to be addressed at all levels Must be integrated into the control culture – linked to both the propensity to take risk (often greater at strategic level) and also the propensity to exercise control (more prevalent at operational level) Key principles
  82. 82. • prioritise risks in terms of their significance • provide some consistency about the perception of significance • decide how to allocate scarce resources • decide whether to proceed with a new strategy, project or investment • inform decisions on risk appetite Why is risk analysis and evaluation important?
  83. 83. Benchmark to determine significance ₋ Financial – sums involved ₋ Disruption – length of time ₋ Reputational - profile
  84. 84. Appetite Hungry? Not enough risk Over Fed? Too Much Risk
  85. 85. Attitude? 1. That’s Grand 2. Don’t Push It 3. Your taking the P**s
  86. 86. Appetite – Healthy Eating (Tolerance) • Increased sales • Cost EfficiencyHigh • Lack of staff expertise & training • Inefficient admin/operations Medium • Not achieving value for money • Unsatisfactory fundingLow • Severe reputational damage • Compliance FailureZero
  87. 87. Your Risk Register – Step 2 Risk Appetite  Enter - High - Medium - Low - Zero Beside each of the risks you have identified
  88. 88. Risk profiling – consequence; probability matrix – risk registers
  89. 89. The Risk Process Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools
  90. 90. Risk matrixLikelihood Impact ProbablePossibleRemote Low Medium High
  91. 91. Likelihood Estimation Descriptors Indicators Probable Likely to occur each year or more than a 25% chance of occurrence Potential of it occurring several times within the time period (e.g. ten years). Has occurred recently Possible Likely to occur in a ten-year time period or less than a 25% chance of occurrence Could occur more than once within the time period (e.g. ten years). Is there a history of occurrence? Remote Not likely to occur in a ten- year period or less than a 2% chance of occurrence Has not occurred. Unlikely to occur
  92. 92. Estimating likelihood - criteria Within the next 12 months the event is: Almost certain • Frequent occurrence > 90% chance Likely • Regular occurrence > 60% chance Possible • Occasional occurrence > 10% chance Unlikely • Has never occurred < 10% chance
  93. 93. Impact High Financial impact on the organisation is likely to exceed €x Significant impact on delivery of the organisation’s strategic or operational activities Significant stakeholder concern Medium Financial impact on the organisation likely to be between €x and €y Moderate impact on organisation’s strategic or operational activities Moderate stakeholder concern Low Financial impact on the organisation likely to be less than €y Low impact on the organisation’s strategic or operational activities Low stakeholder concern
  94. 94. Estimating impact – criteria REPUTATION FINANCE SERVICE DELIVERY COMPLIANCE SAFETY EXTREME Loss of credibility key stakeholders; extensive adverse media; external intervention Financial loss exceeding £/$ ??? Total sustained disruption to critical services Intervention by regulator; serious breach of legal or contractual obligation Fatality (multiple) HIGH Significant loss of trust; significant adverse media Financial loss exceeding £ /$??? Significant sustained disruption to critical services Censure by regulator; breach of legal or contractual obligation Serious injury or ill- health (disabling) MEDIUM Significant complaints Financial loss exceeding £/$??? Some short-term disruption to services Failure to meet recommended best practice Injury or ill-health resulting in lost time LOW Isolated complaints Low-level or no financial loss Minor disruption to services Failure to meet internal standards or SLA Minor injury (no lost time)
  95. 95. LIKLIHOOD PROBABLE Likely to occur each year or more than a 25% chance of occurrence 3 3 6 9 POSSIBLE Likely to occur in a ten year time period or less than a 25% chance of occurrence 2 2 4 6 REMOTE Not likely to occur in a ten year period or less than a 2% chance of occurrence 1 1 2 3 1 2 3 LOW MEDIUM HIGH •financial impact on the organisation is likely to be less than £x •low impact on delivery of the organisation’s strategic or operational activities •low stakeholder concern •financial impact on the organisation is likely to be between £x and £x •moderate impact on delivery of the organisation’s strategic or operational activities •moderate stakeholder concern •financial impact on the organisation is likely to exceed £x •significant impact on delivery of the organisation’s strategic or operational activities •significant stakeholder concern IMPACT Putting it all together
  96. 96. Opportunity and risk matrix Two-sided Risk Matrix 1:100
  97. 97. Likelihood & Impact Likelihood High Medium Low Zero Impact High Medium Low Zero
  98. 98. Risk Score Likelihood High Medium Medium High Impact High High Low Low Score High Judgement Judgement Judgement
  99. 99. Your Risk Register – Step 3 Risk Score  Enter - High - Medium - Low - Zero For Impact, Likelihood and risk score beside each of the risks you have identified
  100. 100. Risk evaluation
  101. 101. Evaluate Risk score Risk score Risk appetite Good Risk score Risk appetite Treat
  102. 102. Your Risk Register – Step 4 Do you need to take Action?  Enter - Yes if your risk score is not equal to appetite - No if your risk score is equal to appetite
  103. 103. Risk treatment
  104. 104. The Risk Process Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools
  105. 105. Establish the context Identify risks Evaluate risks Analyse risks Treat risks Risk assessment Communicateandconsult Monitorandreview Reproduced from ISO 31000:2009 Risk treatment
  106. 106. A process to modify risk (ISO 31000) Risk treatment (or response) involves: – the selection of one or more options for modifying risks – implementing those options – the treatments then provide controls or modify current controls Controls include any process, policy, device, practice or other actions which modify the risk What is risk treatment?
  107. 107. Risk treatment is a cyclical process Deciding whether the residual risk level is tolerable Assessing the effectiveness of that treatment Examine cost and benefit of the treatment If not tolerable, generating a new risk treatment
  108. 108. The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. Information should include: – a description of what the planned action is – expected benefit(s) to be gained – performance measurements and constraints – accountabilities (risk owners and control owners) – reporting and monitoring requirements – resourcing requirements – timing and scheduling Risk treatment plans (action plans)
  109. 109. Treatment Tolerate Treat Transfer Terminate
  110. 110. Treatment - Step 4 4 T’s What Treatment could you use?  Enter one or more of the following - Treat fill in what you would do to treat - Transfer fill in what you would do to transfer - Tolerate fill in what you would do to tolerate - Terminate fill in what you would do to terminate
  111. 111. Monitoring and review
  112. 112. Establish the context Identify risks Evaluate risks Analyse risks Treat risks Risk assessment Communicateandconsult Monitorandreview Reproduced from ISO 31000:2009 Monitoring and review
  113. 113. The Risk Process Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools
  114. 114. A process not an event •Action Plans & OwnersT’s •Inline with Appetite?Incidents •Once Yearly Reassess
  115. 115. • ensure controls effective and efficient • obtain information to improve risk assessment • learn the lessons from events – changes, trends, successes and failures • detect change to internal or external context or to the risk itself • identify emerging risks Purpose of monitoring and review
  116. 116. Key risk and control indicators KRIs Metrics to help identify changes that could alter the overall assessment of key risk events KCIs Metrics to help assess the effectiveness of key controls
  117. 117. Key risk indicators For the case study provided identify the metrics that were used or could have been used to indicate a change in the risk environment. Key control indicators For the case study provided identify the metrics that were used or could have been used to measure the effectiveness of existing controls Workshop exercise
  118. 118. Define monitoring and review responsibilities – risk owners – control owners – responsibility for the review of the whole process How frequently should – risks and their control measures be reviewed? – the effectiveness of the ERM process be reviewed? Benchmarking and maturity models Things to consider
  119. 119. Business continuity management Session 2 Establish the context Risk assessmentCommunication & consultation Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
  120. 120. ISO 31000 overview Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  121. 121. What is a risk management framework? • a system of leadership, commitment and processes • foundation for a mutual understanding - to communicate effectively • an opportunity to gain commitment • provides direction for all levels of management Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Framework (Clause 4)
  122. 122. Think back to previous case histories discussed - • why did the established controls systems fail? • what do the case studies tell us about the risk culture of the organisation? • what are the critical factors for embedding risk management ? Group Discussion Embedding risk management
  123. 123. Embedding risk management Visible commitment from the top – articulated and endorsed through a policy and framework for managing risk – lead through actions – risk-based decision making, aligned with strategic objectives – clear understanding of the risks to the business. Set risk tolerance and risk appetite – active support and adequate resource for risk management initiatives – assurance on status of key risks (KRI’s) and controls (KCI’s) sought and followed through
  124. 124. An organisational framework to ensure – clearly defined responsibility and accountability – training for all relevant stakeholder groups to raise awareness of benefits, establish responsibilities and improve skills in management of risk – ownership clearly established for risks and key controls – clearly defined lines for reporting and communication Embedding risk management
  125. 125. Integration into management processes – ensure the benefits for business and resource planning are clearly established through integration with the ‘normal’ business planning processes – integrate into performance management system and establish KPI’s – integrate with reporting and review systems, including internal audit – include development of risk management skills within leadership and management development programmes Embedding risk management
  126. 126. • clear and concise outline of the organisation’s requirements • providing uniformity and consistency in the risk management process across all operations • provides a high level overview and description of the risk management process Purpose of a risk management policy Session 3
  127. 127. • developed and owned at board level • developed with consideration as to how compliance with the policy will be monitored • reviewed regularly – annual review The policy should be… Session 3
  128. 128. • who are your key stakeholders? • what do you hope the ERM process will deliver to you and to your key stakeholders? Group exercise What will ERM deliver?
  129. 129. 5 • a framework for control 4 • better informed decision making 3 • reduced volatility 2 • improved stakeholder relationships 1 • protection of company assets So what will risk management do for me? ‘The elevator pitch’
  130. 130. The greatest risk is to take no risk at all, because if we don’t take risks there’s no advancement, there’s no progress and there’s no profitability. And finally… Kevin Knight Chairman, ISO working group on risk management standards
  131. 131. ISO 31000 overview Mandate and commitment (4.2) Design of framework for managing risk (4.3) Implementing risk management (4.4) a) Creates value b) Integral part of organisational processes c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organisation Principles (Clause 3) Monitoring and review of the framework (4.5) Continual improvement of the framework (4.6) Establishing the context (5.3) Risk identification (5.4.2) Risk evaluation (5.4.4) Risk analysis (5.4.3) Risk treatment (5.5) Risk assessment (5.4.2) Communicationandconsultation(5.2) Monitoringandreview(5.6) Framework (Clause 4) Process (Clause 5) Reproduced from ISO 31000:2009
  132. 132. • Fundamentals of Risk Management • International Certificate in Risk Management – leads to Certificate membership grade • International Diploma in Risk Management – leads to Member grade of the IRM – Fellowship of the IRM is achieved through continuing professional development • Specialist subjects – risk management in financial services – business continuity and crisis management – information systems risk Institute of Risk Management – education
  133. 133. References and further reading • IRM Fundamentals of Risk Management – Paul Hopkin – Kogan Page £35.00 ISBN: 978-0-7494-5942-0 • British Standards BS 31100 (2008) Risk management – code of practice, www.standardsuk.com • COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org • Financial Reporting Council Internal Control Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk • Institute of Risk Management – A Risk Management Standard (2002), www.theirm.org • International Standard ISO 31000 Risk Management – Principles and guidelines, www.iso.org • ISO Guide 73(2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org • British Standard BS 25999-1 (2006) Business continuity management Code of practice, www.standardsuk.com • HM Treasury (2004) Orange Book: Management of risk – principles and concepts, www.hm- treasury.gov.uk • International Standard IEC/FDIS 31010 (2009) Risk Management – Risk assessment techniques, www.iso.org • Institute of Internal Audits (2004) The Role of Auditing in Enterprise-wide Risk Management, www.theiaa.org • Office of Government Commerce (2007) Management of Risk: Guidance for Practioners, www.tsoshop.co.uk
  134. 134. So to recap…
  135. 135. Ongoing monitoring Audit & Report Incidents Re-assess Treatment Tolerate Treat Transfer Terminate Assess Impact Likelihood Set appetite Zero Low Medium High Identify Objectives Tools The “Standard” is...ISO 31000
  136. 136. Tutor • John Crawley • john@TheFinanceExpert.ie • + 353 1 210 4753 • www.TheFinanceExpert.ie • LinkedIN • Tweet: @AFinanceExpert
  137. 137. T H A N K Y O U Institute of Risk Management
  138. 138. Bow tie analysis Event Causes Consequences Immediate consequences Ultimate consequences Underlying threats Immediate threats Control measures Recovery measures

×