1
Approach to Risk Management
2
Basic Concepts
3
Why do we need Risk Management?
"The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing." James Lam, Enterprise Risk Management, Wiley Finance © 2003

"Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs." Sheila Fraser, Auditor General of Canada
4
Why Bother about Risk Management?
• Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
• Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
• Develop a common and consistent approach to risk across the organization. Not intuition-based.
5
Why Bother about Risk Management?
• Allows intelligent “informed” risk-taking.
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Is proactive, not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk-mitigating strategies.
• Improves outcomes – achievement of objectives.
• Really comes down to simple good management.
• Enables accountability, transparency and responsibility.
• And may even mean survival.
6
Basic principles, concepts, definitions
A risk is ANYTHING that may affect the achievement of an organization’s objectives. It is the UNCERTAINTY that surrounds future events and outcomes. It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
7
Threats and Opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunity – a risk that may HELP in the achievement of objectives

Examples (each can be either a threat or an opportunity):
• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
8
Definition of ERM

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework, The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
9
Enterprise vs Integrated Risk Management
Similarities:
• Formal process
• Consistent and systematic
• Includes projects, programs, operations
• Is embedded in key processes such as strategic planning, budgeting, project planning, evaluation, etc.
• Must be driven and supported by Leadership
• Adds value to decision-making

Differences:
• Enterprise-wide: Is organization-centric. Success is defined as implementation over the entire organization.
• Integrated: Takes a systems focus. May actually create risks for individual organizations.
10
Risk Management Basics
• Risk (uncertainty) may affect the achievement of objectives.
• Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
• Inherent risk is the level of risk before controls are considered; residual risk is the level of risk after evaluating the effectiveness of controls.
• Acceptance and action should be based on residual risk levels.
11
A Simple Framework

Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess
Step 4: Evaluate & Take Action
Step 5: Monitor & Report

Throughout: Communicate, learn, improve
12
Risk Management is critical to ALL levels of decisions
Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decision. Most decisions are concerned with implementation. Source: HM Treasury, The Orange Book.
13
Categorizing Risk – Comprehensive
Reputational Risk · Financial Risk · Operational Risk · People Risk · Strategic Risk · Stakeholder Satisfaction / Public Perception Risk · Legal / Compliance Risk · Technology Risk · Governance / Organizational Risk · Confidentiality Risk · Security Risk

1. Financial Risk – The risk of financial losses, overspending, or the inability to meet budgets and plans.
2. Service Delivery or Operational Risk – The risk that products or services will not get completed or delivered in a timely manner as expected. This also includes risks to business continuity.
3. People / HR Risk – The risk that capable and motivated staff will not be available to get the job done. This could be the result of resignations, turnover, inability to hire, lack of skills, strikes, injury, etc.
4. Information Risk – The risk that information produced, or used, is incomplete, out-of-date, inaccurate, irrelevant, or inappropriately disclosed.
5. Strategic / Policy Risk – The risk that strategies and policies fail to achieve required results.
6. Stakeholder Satisfaction / Public Perception Risk – The risk of failure to meet expectations of the public, other governments, ministries, or other stakeholders.
7. Legal / Compliance Risk – The risk that a government initiative, or action, will be in breach of a statute, regulation, contract, MOU, or that the government will face litigation.
8. Technology Risk – The risk that information technology infrastructure does not align with business requirements, and does not support availability, access, integrity, relevance, and security of data. This also includes risks to business continuity.
9. Governance / Organizational Risk – The risk that the organization structure, accountabilities, or responsibilities are not designed, communicated, or implemented to meet the organization’s objectives, and the risk that business culture and management commitment do not support the formal structures.
10. Privacy Risk – The risk associated with the collection, use and disclosure of personal information and personal health information.
11. Security Risk – The risk associated with the protection of confidentiality, integrity, availability and value of assets (tangible and intangible) and people.
14
Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
• Very High: Is almost certain to occur
• High: Is likely to occur
• Medium: Is as likely as not to occur
• Low: May occur occasionally
• Very Low: Unlikely to occur

Risk impact: Level of damage that can occur when a risk event occurs
• Very High: Threatens the success of the project
• High: Substantial impact on time, cost or quality
• Medium: Notable impact on time, cost or quality
• Low: Minor impact on time, cost or quality
• Very Low: Negligible impact
15
Risk rating …Combining impact and likelihood
(Figure: the likelihood and impact scales combined into a single risk rating.)
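As an added illustration (not part of the presentation) of how the five-level likelihood and impact scales above, the inherent/residual distinction from slide 10, and a "top 3" prioritization fit together in a small risk register. The combination rule (ordinal score = likelihood × impact, banded into four ratings) and the control-effectiveness model are assumptions, and the register entries are constructed.

```python
from dataclasses import dataclass

# The deck's five-level scales, as ordinal values 1..5.
LEVELS = {"Very Low": 1, "Low": 2, "Medium": 3, "High": 4, "Very High": 5}

def score(likelihood: str, impact: str) -> int:
    """Ordinal score 1..25 = likelihood x impact (combination rule assumed)."""
    return LEVELS[likelihood] * LEVELS[impact]

def rating(s: int) -> str:
    """Band a score into a rating; the band boundaries are an assumption."""
    if s >= 15:
        return "Critical"
    if s >= 8:
        return "High"
    if s >= 4:
        return "Medium"
    return "Low"

@dataclass
class Risk:
    name: str
    category: str        # one of the deck's risk categories
    owner: str           # every risk has an owner (slide 24)
    likelihood: str      # inherent (before controls) likelihood level
    impact: str          # impact level
    control_effect: int = 0   # assumed model: likelihood levels removed by controls
    def inherent(self) -> int:
        return score(self.likelihood, self.impact)
    def residual(self) -> int:
        # Assumed model: effective controls lower likelihood (never below
        # Very Low) and leave impact unchanged.
        lvl = max(1, LEVELS[self.likelihood] - self.control_effect)
        return lvl * LEVELS[self.impact]

def top_n(register: list, n: int) -> list:
    """Rank on residual risk (slide 10: act on residual, not inherent)."""
    ranked = sorted(register, key=lambda r: r.residual(), reverse=True)
    return [(r.name, rating(r.residual())) for r in ranked[:n]]

# Constructed sample register (not from the presentation).
REGISTER = [
    Risk("Key system outage", "Technology Risk", "CIO", "High", "Very High", 2),
    Risk("Loss of key staff", "People Risk", "HR Director", "Medium", "High"),
    Risk("Disclosure of personal information", "Privacy Risk", "CPO", "Medium", "Very High", 1),
    Risk("Budget overrun", "Financial Risk", "CFO", "Low", "Medium"),
]
if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: inherent {rating(r.inherent())}, residual {rating(r.residual())}")
    print("Top 3 by residual risk:", top_n(REGISTER, 3))
```

Note that the ranking changes once controls are taken into account: the system outage is the largest inherent risk but, with effective controls, the staffing risk tops the residual list.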
16
Risk reporting and communications
18
Key Risk Indicators (KRIs) are linked to strategy, performance and risk
(Diagram linking Strategy & objectives, Risk, Cause, Consequence, KRI and Performance.)

KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers of risk.
19
Examples of KRIs

Human resources
• Average time to fill vacant positions
• Staff absenteeism / sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers

Information Technology
• Systems usage versus capacity
• Number of system upgrades / version releases
• Number of help desk calls

Finance
• Daily P&L adjustments (#, amt)
• Reporting deadlines missed (#)
• Incomplete P&L sign-offs (#, aged)

Legal/compliance
• Outstanding litigation cases (#, amt)
• Compliance investigations (#)
• Customer complaints (#)

Audit
• Outstanding high risk issues (#, aged)
• Audit findings (#, severity)
• Revised management action target dates (#)

Risk management
• Management overrides
• Limit breaches (#, amt)
20
Measure and report RM implementation progress
Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk-adjusted returns throughout the organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk-adjusted returns

Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo”-based risk management
• Not fully developed process to optimize risk-adjusted returns

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor's
21
An Approach to Risk Management
• Establish centralized support
• Develop a standardized framework
• Provide education and coaching
• Ensure organisation-wide implementation
• Embed RM into all major processes, including strategic planning and resource allocation decisions
22
The Approach
• Incorporates risk information into strategic direction-setting, making decisions that consider established risk tolerance levels.
• Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
• Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
23
Keep it simple
24
Back at the office

Why is the organization interested in RM? What are they hoping will be achieved with its implementation?

Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and that the responsibilities for mitigation are assigned.

How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?

Where will you start? Choices could be where you can most easily succeed, where it is needed the most, or where interest is high.

When will it be implemented? It is a journey, not a destination: 3-5 years for complete roll-out. How often will risks be assessed? When will mitigation plans be implemented and monitored? When will risks be reported?
25
Ask questions and develop your approach
• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same? Have we assessed the likelihood and impact of our risks? Have we identified the sources and causes of our risks?
• How well are we managing our risks? Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them? Who is accountable for these risks?
• How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
• Are we taking too much risk? Or not enough risk? Are the right people taking the right risks at the right time?
• What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?
26
Take small bites… RM implementation
27
Questions?