Introduction of Risk Management Topic 1 SMQR 5103
Why you need Risk Assessment? The only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming and embarrassing. James Lam, Enterprise Risk Management, Wiley Finance © 2003 Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs. Sheila Fraser, Auditor General of Canada
What is ERM? Source: Institute of Internal Auditors A rigorous and coordinated approach to assess and respond to all risks that affect the achievement of an organization’s strategic and financial objectives. Source: Fundamental of Risk Management, Paul Hopkins A broader approach to the practice of risk management. It looks at all the risks that it faces across all of the operations that it undertakes.
Toyota is subject to various risks associated with conducting business worldwide. These risks include: natural calamities; political and economic instability; fuel shortages; interruption in social infrastructure including energy supply, transportation systems, gas, water, or communication systems resulting from natural hazards or technological hazards; wars; terrorism; labor strikes and work stoppages. Should the major markets in which Toyota purchases materials, parts and components and supplies for the manufacture of Toyota products or in which Toyota’s products are produced, distributed or sold be affected by any of these events, it may result in disruptions and delays in the operations of Toyota’s business. Should significant or prolonged disruptions or delays related to Toyota’s business operations occur, it may adversely affect Toyota’s financial condition and results of operations.
Consequences of not managing risk … 1984: Union Carbide pesticide factory, Bhopal India – release of toxic methyl isocyanate gas people died within the first 24 hours > 3,000 people died in the past 30 years > 20,000 High rate of miscarriages survivors impaired with breathing difficulties, vision problems, spells of unconsciousness, and psychological disorders > 500,000 Birth defects
Effect of uncertainty on objectives Risk = Probability x Consequence Terms and Definitions Effect of uncertainty on objectives Risk = Probability x Consequence Probability This is the probability that the harm will occur Consequence This is the seriousness of the harm Overall process of risk identification, risk analysis and risk evaluation Coordinated activities to direct and control an organization with regard to risk
Enterprise Risk Enterprise Risk Safety and Health Risk Quality Risk Environmental Risk
Global Issues/Crises/Risk “A global risk is an uncertain event or condition that, if it occurs, can cause significant negative ïmpact for several countries or industries within the next ten years” “The world is, however, insufficiently prepared for an increasingly complex risk environment” Executive Summary, 2015 Global Risk Report World Economic Forum
Global Risks
Organizational External Factors Change of government / policy maker, terrorism, riots Growth/ decline, exchange rates, inflation, credit, wages, fiscal, monetary, trade, investment Cultural norms & expectation, demography, health & safety Technological changes, barriers, supply chain & outsourcing decisions Legal requirements having effect on materials, labour, operation, import/export, etc. Emissions to air, water and land having impact to the environment (climate change, etc)
Quality Risk - Construction Industry The construction industry risk category: Cost, Time, Quality, Environment, Safety Examples of Quality related risks: Tight project schedule Inadequate program scheduling Unsuitable construction program planning Incomplete or inaccurate cost estimate Low management competency of subcontractors Variations of construction programs Unavailability of sufficient amount of skilled labour Design variations Lack of coordination between project participants
Why the need to manage risk? Organization face internal and external factors that make it uncertain to achieve objective. Inability to achieve objectives will lead to inability to achieve business objectives. The effect of these uncertainties in achieving objective is known as “risk”. The process of managing these risks is known as “ risk management” Consequence a.k.a impact A measure of the probability & consequence of not achieving a defined project goal
Damage to Asset/ Property Operational Risk Category in ERM Operational Risk Process Failure Cost Overrun Project Delay IT System Failure Damage to Asset/ Property Health & Safety Human Capital Communication
Managing risk from ISO 31000 perspective OBJECTIVE Internal & External Factors Risk Assessment Risk Treatment Monitor & Review Identify Analyze Evaluate Consequence a.k.a impact A measure of the probability & consequence of not achieving a defined project goal
Q, OSH and E MS and Risk Management standards RISK MANAGEMENT SYSTEM ISO 31000 QUALITY MANAGEMENT SYSTEM ISO 9001:2015 OSH MANAGEMENT SYSTEM ISO 45001 ENVIRONMENTAL MANAGEMENT SYSTEM ISO 14001 RISK ASSESSMENT TECHNIQUES (Env. Impact assessment, HIRADC, FMEA, etc) ISO 31010
Relationship between Risk Management and Risk Assessment Identify, Analyze Evaluate
Analysis Evaluation Communication & Consultation Risk Management Concept Establish Context External factors Internal factors Risk Assessment Identification Analysis Evaluation Risk Treatment Retain Reduce Transfer Remove Monitoring & Review Communication & Consultation
Risk Assessment L I KE HOOD CONSEQUENCES Almost Certain 4 M4 S8 S12 Likely 3 M3 S6 S9 Unlikely 2 L2 Rare 1 L1 Negligible Minor 2 Major 3 Critical 4 L I KE HOOD CONSEQUENCES
Example of Risk Profile at Company Level Objective: Strong financial performance Risk Source Mitigation Strategies Action Plans Unable to achieve total income target of RM500 mil. Risk Rating: Significant Unable to achieve project milestone. Improve skill of translating customer requirements. Enhance the contract review before agreeing to accept the job or project. Variation order to be comprehensively documented and treated as part of the contract, understood and agreed between both parties. Focus on contract review and project delivery process during QMS internal audit.
Governance, Risk Management and Compliance What is corporate governance? Obligation place on the board of an organization To ensure stakeholders confidence in the ability of the organization to achieve outcomes. MALAYSIAN CODE OF CORPORATE GOVERNANCE (MCCG) is compulsory for companies listed on Bursa Malaysia. However, organizations are encouraged to adopt the principles and recommendations of MCCG 2012.
CORPORATE GOVERNANCE IS FUNDAMENTAL TO THE CONTINUING OPERATION OF ANY CORPORATION Malaysian Code of Corporate Governance (MCCG 2012) Principle 1: Establish clear roles and Responsibilities Principle 2: Strengthen composition Principle 3: Reinforce independence Principle 4: Foster commitment Principle 5: Uphold integrity in financial reporting Principle 6: Recognize and manage risk Principle 7: Ensure timely and high quality disclosure Principle 8: Strengthen relationship between company and shareholders
The BOD should: Governance, Risk Management and Compliance Principle 6 of mccg 2002: Recognize & Manage Risk The BOD should: Establish a sound risk management framework and internal control system. Determine the organization’s level of risk tolerance Assess and monitor risks to safeguard shareholder’s investment & organization’s asset. Altogether there are 8 principles.
ERM Structure {Source: Chapman, R.J. (2013)}