
Policy & Procedure

RISK MANAGEMENT HANDBOOK

Contact details

Risk Management is the responsibility of all members of staff, but maintenance of this document is the responsibility of the Group Risk Manager. The corresponding policies and procedures have been approved by the Board Risk Committee and implemented by the Group Management Risk Committee. This document will be reviewed at least annually and as needed to ensure it remains appropriate to the needs of the business.

Owner: Board Risk Committee
Issued: May 2017
Supersedes: N/A
Review date: April 2018
Page 1 of 18


Section 1 Establishing the Culture of Risk Management

1.1 Introduction

We know the environment is highly competitive and uncertain, and all businesses are susceptible to crises which could lead to operational disruptions, financial loss, reputational damage and, in extreme cases, failure. At the same time, businesses must seek and take risks in order to succeed and grow. We genuinely believe that risk management, embedded and used effectively, can improve our chance of success, make us more resilient, and improve the bottom line. To this end, all staff need to work together to strengthen our risk management. This applies across the Group, ranging from our decisions in the Boardroom, across every region and in every hotel. Every member of staff has a part to play.

This handbook sets out the risk management framework and is divided into 3 key sections:

Section 1: Establishing the culture of risk management - getting the culture right is the first step. Regardless of the methodology, the culture will determine whether we achieve the benefits of risk management. Key sections include: Guiding Principles, Risk Management Strategy and Vision, Risk Governance Structure and Risk Management Policy.

Section 2: Understanding, defining and using risk appetite - making sense of this abstract but fundamental topic.

Section 3: Risk management process - setting out a simple but consistent way the Group will manage risks at the Board level and in Regions and Functions, seeking to join up risk throughout the business whilst providing flexibility for other approaches within specific risk areas (e.g. information security, fraud, compliance etc.) and at hotel level. The Risk Management Process comprises Risk Identification, Risk Assessment, Risk Treatment and Risk Monitoring.

The appendix contains support tools which help us put risk management into practice, including the Risk Reporting Cycle, Tools and Templates, the GMRC Terms of Reference and a Glossary of Risk Management Terms.

1.2 Guiding Principles

Irrespective of the process and tools adopted, there are fundamental principles for risk management that we wish to embed into the culture. These will ensure we are effectively managing risks, considering risk in our decision making and acting responsibly:

Take accountability

We all have roles, projects and tasks to deliver, and each of us must take accountability for risks that could impact on our success. Risk management is everyone’s job, not just that of the Board and senior management. Everyone should be aware of and consider risks throughout their activities and in particular when making decisions. Some risk accountabilities rest with the senior people in the Group, and they need to set the right culture to ensure that processes are challenged and key risks are understood and acted upon.

Do it like you mean it

Risk management is not a ‘tick-box exercise’. The risks we face as a Group are real and significant, and may have a personal impact on us and the people around us. The efforts we take to manage risk should be intended to achieve real risk reduction, or to help us make decisions to take further action.

Be proactive, innovative and challenge the status quo

If we’ve identified a risk that we’re genuinely worried about, it probably means we aren’t satisfied with what we’re currently doing. In these cases, we need to find the best solutions, which may involve different perspectives, innovations, cross-regional teams and challenges to the status quo.

Prove it with data

In most cases, it won’t be enough to simply say that an identified risk is a high risk that requires fixing, or that an identified risk will not happen. Risk treatment solutions (i.e. mitigating, reducing, transferring or accepting the risk) may require financial investment, management time and resources. We need to use data and analytics proportionately to monitor the risk, inform the need for actions, or to develop a business case for change.

Think holistically

When building a comprehensive picture of risks, look at the business area from different perspectives. Consider longer term external trends across different stakeholders, be commercially minded, and think about change, our guests, people and day-to-day operational risks.

Embed risk management

Effective risk management does not happen in isolation; risks should be considered whenever decisions are made, and formal risk consideration should be integrated into other business activities such as business and budget planning, performance management, reporting and governance, decision making committees and processes, project management, policies, controls, and compliance activities.

Open and transparent culture

The Group has an open, transparent and blame-free culture and expects all staff to freely identify and discuss risks. Where there are sensitive risks, appropriate channels are available, including reaching out to Group Management Risk Committee (“GMRC”) members or to members of the Board Risk Committee (“BRC”), or considering the Group’s Whistleblowing Policy.

Mr Gervase MacGregor, Non-Executive Director
Chairman, Board Risk Committee
May 2017

Mr Tan Kian Seng, CEO
Chairman, Group Management Risk Committee
May 2017


1.3 Risk Management Strategy and Vision

Building, embedding and sustaining risk management capability is a strategic journey, and the pace of development depends on many factors. Our current phase of development in the risk management strategy is to establish a strong foundation based on high value risk management information, bringing in business data to inform senior executive decision making. The risk management framework will seek to integrate with other reporting protocols and requirements, thereby reducing duplication and ensuring governance committees and executives are clear about priorities, are better informed about risk and have less but more useful management information. This begins with the Level 1 Board Risk Profile and grows into the Level 2 Regions and Functions. The strategy is then to integrate risk management information from Level 3 hotels and detailed risk assessments in specific areas. This Risk Management Handbook sets out the process methodology, tools and templates used in Level 1 and Level 2 risk profiles, and in due course will seek out the most appropriate approach to develop and integrate risk information for Level 3.

Risk management is most effective when embedded into the business; hence we seek to enhance, integrate and formalise risk discussions into regular management agendas, reporting and decision making processes. We illustrate this vision in the diagram below, which highlights some areas (not an exhaustive or prioritised list) where we will seek to identify synergies, efficiencies and opportunities to embed risk informed decision making. As a starting point, the timing of the quarterly risk reporting will tie in with the quarterly operational reviews. Referring to the Guiding Principles, risk management will encourage owners of the processes below to embed risk management.

1.4 Risk Governance Structure

Clarity on roles and responsibilities, and hence clear accountability, is fundamental to effective risk management. For the avoidance of doubt, we have set out a Governance Structure supported by the Risk Management Policy (see 1.5).

The Board is ultimately accountable for Risk Management, including establishing the Group’s risk appetite and ensuring risks are effectively managed. To fulfil this mandate, and recognising its importance, the Board established a dedicated Board Risk Committee (“BRC”) in 2016, which has a mandate to oversee the effective management of the most significant risks to the Group; these are captured in the Level 1 Board Risk Profile and are summarised in the Annual Report and Accounts. The Board Risk Committee Terms of Reference can be found in the Investor Relations section of the website.

Whilst the BRC will provide oversight, a dedicated Group Management Risk Committee (“GMRC”) has been established to own and manage the Board Risk Profile. The GMRC is chaired by the Group Chief Executive Officer, with membership comprising the Regional and Functional heads, the Chief Financial Officer and the Company Secretary and General Counsel. The GMRC will be supported by the Group Risk Manager, who shall provide secretariat support, while the Head of Internal Audit will have an open invitation. The GMRC shall meet at least quarterly. The GMRC Terms of Reference are included in the Appendix.

Underpinning these formal structures, each Regional and Functional Head is accountable for risk within their respective area. This may be managed as part of existing senior management meetings or by forming risk sub-committees. For example, New Zealand has established a separate Audit Committee, for which risk management is one of its mandates.

This structure is represented pictorially below, and the risk related reporting cycle is shown in Appendix 1:

[Governance structure diagram. Board Risk Committee: membership comprised of Non-Executive Directors, as disclosed in the Annual Reports and Accounts. Group Management Risk Committee: Chair, Group CEO; Members, Group CFO, SVP Group General Counsel and Company Secretary, Regional and Functional heads; Secretary, Group Risk Co-ordinator. Functions (Operations, Asset Management, Finance & Treasury, Procurement, IT, Sales & Revenue, Brand & Marketing, HR & Talent Succession, Legal & Compliance) are led globally by the Global CEO, CFO, Chief Technology Officer, Chief Commercial Officer, SVP Digital, Distribution & Revenue Strategy, Chief Marketing Officer, SVP HR and SVP Group General Counsel, alongside the Group Company Secretary & Legal Counsel and the SVP, Head of Internal Audit. Regions: US (President, North America), Europe (SVP, Operations Europe), Asia (President, Asia) and New Zealand (MD, New Zealand and VP Operations), each with regional leads for the functions above.]

1.5 Risk Management Policy

Taking and managing risk is fundamental to the success and growth of any business. At M&C, we acknowledge the uncertainty in the markets in which we operate and the competitive pressures of the industry. As such, we wish to take risk management seriously and have set out the Board’s expectations around risk management in this policy.

Policy Objective

This policy supports the M&C Board in fulfilling its duties in relation to risk management. The objective of the policy is to embed a consistent, structured and joined up approach to managing risks across the Group.

Scope of Policy

We have set out guiding principles that apply broadly across the Group, with specific requirements for reporting and adoption of risk management tools applied to each Region and Global Function within M&C’s management control. M&C is aware that some entities such as joint ventures, franchisees, partnerships and vendors could impact on its performance, risk exposures and reputation; however, these will be managed through other methods, e.g. contractual arrangements, relationship management, 3rd party auditing etc.

In line with the Guiding Principles, taking accountability is fundamental to risk management. The policy sets out specific roles and responsibilities for risk management in the table below:

Board
Accountability: Ultimately accountable for risk management.
Activities:
- Delegates risk management requirements to the Audit Committee and a Board Risk Committee.

Audit Committee
Accountability: Ensure an effective system of internal controls and risk management is in place.
Activities:
- Makes annual statement pertaining to effectiveness of the system of internal controls and risk management.
- Receives reports from the BRC twice per year pertaining to the Board Risk Profile and risk management system effectiveness.

Board Risk Committee (“BRC”)
Accountability:
- Define risk appetite and culture of the Group.
- Oversee that risks on the Board Risk Profile are appropriately managed within risk appetite.
- Ensure there is an effective risk management system in place.
Activities:
- Review the Board Risk Profile quarterly and be satisfied the residual risks are below risk appetite.
- Receive reports from the GMRC and be satisfied that M&C maintains an effective risk management system.
- Report to the Audit Committee the Board Risk Profile (biannually) and the effectiveness of the risk management system (annually).

Group Management Risk Committee (“GMRC”)
Accountability:
- Chaired by the Chief Executive, who owns the Board Risk Profile.
- GMRC Members own the Board level risks and must ensure these are well managed and within the risk appetite set by the Board.
Activities:
- Review the Board Risk Profile on a quarterly basis and consider emerging risks.
- Ensure Board level risks are appropriately owned, resourced and managed.
- Receive reports from the Regional and Functional heads on a quarterly basis and be satisfied that relevant risks are being managed.
- Ensure high and extreme risks within the Regions and Functions are escalated and determine whether these should be included in the Board Risk Profile.

Regional & Functional heads
Accountability:
- Management of risks within their respective area.
- Role model the agreed risk culture and ensure risks are reviewed quarterly.
Activities:
- Maintain a risk profile for the respective area in line with the tools and templates set out in the Risk Management Handbook.
- Review and discuss their risk profile with the respective senior management team on a quarterly basis and ensure risks that could impact the business plans and success of the area are captured.
- Assign Risk Owners and appropriate resources to manage risks.
- Escalate any high or severe risks to the GMRC.

Risk Owners
Accountability:
- Management of risks assigned to them.
- Escalation of issues, roadblocks and sub-risks.
- Quarterly review and update of the respective risk.
Activities:
- Ensure the risks are appropriately managed, i.e. controls are in place and effective, agreed actions are delivered and decisions are made in the full knowledge of the risks.
- Quarterly reporting upon the status of risk management activities using the risk detail template described in section 3 of this Risk Management Handbook.
- Level 2 risks will be reported to the Region/Function Head and discussed at the respective Senior Management Team. Level 1 risks will be further reported to the GMRC and BRC.

Risk Manager
Accountability:
- Risk management subject matter expert and methodology owner.
- Embedding risk management activity in the business.
Activities:
- Support the BRC, GMRC, Regional and Functional heads, risk owners and other stakeholders to manage risks by providing appropriate risk management methodologies, tools, templates, guidance and training.
- Coordinate and consolidate risk management information with proportionate use of resources supporting key risks to the Group.
- Lead / coordinate risk reporting to the GMRC and BRC.
- Form partnerships with other specialist areas and decision making processes to embed risk management structures, streamline reporting, and improve information flow and risk management.

New and emerging risks

All staff are expected to be aware of the risks affecting the business. The Group has an open, transparent and blame-free culture and expects all staff to freely identify and discuss risks with their supervisor. Where new and emerging risks are identified, these should be escalated appropriately (to the relevant supervisor, General Manager or Regional or Functional head) in order for the risk to be addressed. If appropriate to do so, risks may be included and monitored as part of a risk profile.

Risks can also be raised by emailing the Group Risk Manager at the following email address: [email protected]

Section 2 Understanding and Defining Risk Appetite

Risk appetite is the nature and extent of risk an organisation is prepared to take to achieve its objectives. For UK listed businesses such as M&C, setting risk appetite is a Board level responsibility and a requirement set out in the UK Corporate Governance Code. Whilst this topic is slightly abstract, interpreted correctly it provides clarity of expectations set out at the highest levels of an organisation. The benefits of clearly articulating risk appetite are:

- Clarity to all stakeholders, better transparency and alignment on expectations;
- Less requirement for personal judgement, less exposure to personal biases and a lower chance of rogue behaviour; and
- Fewer operational surprises.

Risk appetite varies depending on the type of risk and can be influenced by a number of factors including potential for returns, past experiences and personal attitudes. As such, M&C will look at risk appetite from an individual risk-by-risk perspective rather than developing a single overarching risk appetite statement. Each risk appetite will be a statement setting out the direction and attitude the Board has towards this particular risk, including how it wishes the risk to be managed and controlled. Where appropriate, the risk appetite may link to the measures and levels set out in the key risk indicators.

Defined well, the risk appetite statement can provide fundamental guidance to the risk owner. For example, if the Board determines that its appetite for a particular risk is low, it may also require robust controls to be implemented. The risk appetite statement might go on to clarify the measures it seeks to see, and that it recognises that such a solution could have cost implications which it is prepared to accept.

The above example aims to illustrate the importance of risk appetite and how it can influence management decision making, allocation of resources and the handling of trade-offs. In practice, these appetite statements should be drafted by the Risk Owners and discussed with the Regional and Functional Head. Risk appetite for Level 1 risks will be further discussed at the GMRC and finally agreed at the BRC. Risk appetite supports the Guiding Principle around an open and transparent culture.


Section 3 Risk Management Process

The Group’s risk management process is a simple four-step process designed to achieve the widest adoption and understanding across the Group. This methodology, along with the guiding principles and tools, combines pragmatic risk management experience with the best and common elements of internationally recognised risk management methodologies (e.g. ISO 31000:2009 Risk Management Principles and Guidelines). The process is shown as cyclical, reflecting the continuous and iterative nature of the business and risk environment. Risk management is the continuous process of identifying, assessing, treating and monitoring risks.

The output of this risk management process will be summarised in a risk profile at the Board level (Level 1) and for each Region and Function (Level 2), typically capturing between 8 and 12 key risks. Common themes should be aggregated; risks with immaterial business impacts, extreme doomsday-type risks or those that we have absolutely no control over (although we should always challenge this assumption, as there may be opportunities to influence) may be excluded. Each risk will have a named risk owner responsible for managing the risk, whose role includes quarterly reporting on the risk using a risk detail form. Property specific risks and risks in projects or specific areas form Level 3, which may use different methodologies and templates, but if these areas are significant in aggregate, the information should feed into this process. To implement this process effectively, we remind users to think about the Guiding Principle: do it like you mean it.

Tips for risk owners

- Risk owners are accountable for the respective risk to which they are assigned; they have the critical role of managing the risk to within the Board’s risk appetite (or, where this is not explicit, to within the expectations of their line management).
- Risk owners should be escalating issues and concerns which could breach risk appetite or expectations, at times bringing proposed solutions and securing the necessary resources to manage such risks.
- One element of the risk owner’s role is regular monitoring and reporting, which for Level 1 and Level 2 risks uses the risk detail template shown in Appendix 3. M&C’s risk management process requires risk owners to complete this form and review/update it on a quarterly basis. The sections of the form align with the risk management process and are further explained in the following section.
- Completed forms should be reported to the respective Region/Function Head and the Risk Manager.
- Risk owners should consider and demonstrate all of the Guiding Principles.

[Diagram: risk management cycle of Identification, Assessment, Treatment and Monitoring]

3.1 Risk Identification

The objective of this stage is simply to identify, understand and describe risks (uncertain factors or events that could impact on the achievement of business objectives) so that others have a shared understanding, and then to agree the most appropriate risk owner. The section of the risk detail form corresponding to risk identification is shown below, including a short title, a fuller description, the causes of the risk and a description of the consequences:

Risk Title: <A short title for this risk>
Risk Owner: <A named individual>
Event: <Fuller description of an uncertain factor or event that could happen>
Causes: <What is the context, triggers, root cause(s), vulnerabilities or underlying reasons that could cause this risk to happen>
Consequences: <What are the resultant losses or outcomes (describe the impact of the worst credible scenario)>

Types of Risk

Although there are many types of risks, the ones we are most interested in are those that could have the biggest impact on the business objectives. One model used to differentiate risks and aid risk identification addresses the Guiding Principle to think holistically; the model shows three different types of risks that all organisations and teams face:

Strategic Risks - Strategic risks are usually driven by external factors or market conditions and can have an effect on strategic objectives. These risks are often viewed over a longer time horizon (5+ years) and are best identified through PESTLE and SWOT types of analysis (see Glossary) of the factors impacting on the Group.

Tactical Risks - Tactical risks impact the business over a medium time horizon (usually 12-36 months) and can be sub-divided into financial risks and project risks.

Operational Risks - Operational risks impact on M&C’s day to day operations, including the running of owned and managed hotels, central systems and websites, and support to franchisees. As the Group’s operations include the supply chain and external stakeholders, operational risk analysis should include consideration for suppliers, partners, the wider community and risks affecting our guests.


Tips for risk identification

- Risks to what? The achievement of business objectives. It is most helpful to be clear about the business objectives the organisation or team is working towards (however, be mindful that objectives should include “business as usual” activities in addition to incremental/growth).
- Consider holding a risk identification workshop involving diverse stakeholders with different perspectives to gain a comprehensive view of all risks affecting the area.
- In addition to the simple holistic model above, there are other models with numerous risk categories designed to aid thinking and ensure breadth of coverage. We could also consider different perspectives (e.g. customer/guests, regulatory, media, local vs. global etc.).
- To articulate the risk properly, try completing this sentence: “There is a risk that (event description) happens due to (list of causes); and as a result, we could experience (list of consequences).”

3.2 Risk Assessment

The purpose of this stage is to prioritise the risks by comparing the impact of the risk occurring and the likelihood that it would occur against pre-defined impact and likelihood parameters. This is a simplification of the risk and is meant to be a quick and broad estimation. We understand the same risk may have different impacts and likelihoods. For example, if the curve shown in the impact/likelihood diagram represents Fire risk in hotels, point A, which has a high likelihood of occurrence but low impact, might be small electrical fires or near misses (e.g. kettles and hairdryers), while point B, representing a high impact and low likelihood, might be an extreme event involving fire caused by M&C negligence, involving multiple fatalities and the total loss of the largest hotel in the estate.

It is up to the risk owner to decide which scenario is the most concerning. For consistency, we encourage risk owners to think about the ‘worst credible scenario’, which might be represented by point C. In this example, it might be a serious fire involving at least one fatality and the loss of the building.

Risk Assessment from different perspectives

Gross or inherent risk - this is the impact and likelihood of the risk occurring without taking into account any efforts or controls in place to manage it. This hypothetical (and usually much higher) risk assessment is necessary in cases where management controls prove to be ineffective. It is most commonly used to inform audit programmes, as it does not assume controls are in place or effective.

Residual or net risk - this is the impact and likelihood of the risk occurring taking into account the existing efforts and controls in place to manage the particular risk. This relies on the risk owner knowing what controls are in place and making judgements on the effectiveness of these.

Target risk - where there is desire (or appetite) for significant change to the risk level, a third perspective is considered representing the desired impact and likelihood risk level.

[Diagram: curve of Likelihood against Impact, with point A (high likelihood, low impact), point B (low likelihood, high impact) and point C (worst credible scenario)]

To make an informed residual risk assessment, there is a need to understand how effective the current controls are. This might be informed by internal audit or independent reviews of the related processes. To aid the thinking around controls, we have set out various types of controls, asking risk owners to list the items that are in place for each control type. The risk owner is also asked to comment on the effectiveness of these controls and to make an overall assessment of the collective effectiveness of controls. The residual risk assessment is informed by this analysis, but it is not a formulaic reduction.

For each type of control, list the relevant controls and comment on their effectiveness:
- Policies
- Training / communications
- Systems, processes and other control activities
- Risk Financing and insurance
- Governance, reporting and monitoring

Overall effectiveness of controls, rated as one of: Significant control deficiencies; Minor control weaknesses; Effective controls.


Risk Assessment Definitions

For consistency, and to enable comparison and aggregation, risks will be assessed against the categories and definitions set out below. As there are multiple impact categories, risk owners are expected to choose a single representative impact score, taking account of all aspects (i.e. considering the financial, reputational, operational impacts etc.), that best describes the impact if the ‘worst credible scenario’ were to happen, and the corresponding likelihood of such an outcome. This should be done from the gross, residual and target perspectives.

IMPACT RATING (Financial Impact is measured on profit before tax, PBT)

5 - Severe
  Financial Impact (PBT): Over £50m
  Reputational Impact: Prominent, enduring negative global media coverage, major investigation by authorities, and/or >40% share price impact
  Operational Impact: Permanent or long-term loss of key facilities, multiple hotels, or central services
  Safety Impact: Severe incident resulting in loss of life or multiple severe injuries with probable M&C negligence
  People Impact: N/A

4 - Major
  Financial Impact (PBT): £15m - £50m
  Reputational Impact: Negative global media coverage, investigation by authorities and/or 15-40% share price impact
  Operational Impact: Permanent or long-term loss of 1-3 key hotels or prolonged outage of a key central service
  Safety Impact: Major incident resulting in serious injury / illness with probable M&C negligence
  People Impact: Global employee dissatisfaction resulting in higher than normal churn including key roles

3 - Moderate
  Financial Impact (PBT): £5m - £15m
  Reputational Impact: Short lived regional media coverage, warnings by authorities, and/or up to 15% share price impact
  Operational Impact: Permanent loss of a non-key hotel or short-term delay in central services affecting all or a significant group of hotels
  Safety Impact: Moderate incident with implied or potential M&C negligence
  People Impact: Regional employee dissatisfaction, resulting in higher than normal staff churn

2 - Minor
  Financial Impact (PBT): £1m - £5m
  Reputational Impact: Local media coverage, negative customer or investor feedback requiring press release
  Operational Impact: Major disruption to a single hotel or minor impact on multiple (not all) hotels
  Safety Impact: Incident resulting in loss of life or severe injury with no purported M&C negligence
  People Impact: Employee dissatisfaction in a hotel or department resulting in localised churn

1 - Insignificant
  Financial Impact (PBT): Less than £1m
  Reputational Impact: Negative customer or investor feedback
  Operational Impact: Secondary system or process disrupted in a hotel for a short period
  Safety Impact: Incident involving injury or illness and no implied M&C negligence
  People Impact: Staff tensions impacting engagement in hotel or department

LIKELIHOOD (columns: Probability of Occurrence, Description)

5 Almost Certain
  Probability of Occurrence: Over 70% chance or a less than 2 year event
  Description: An event that can be expected to happen or is already occurring at M&C

4 Likely
  Probability of Occurrence: 50-70% chance or a 2-3 year event
  Description: A likely event that can be anticipated at M&C or has happened in similar organisations

3 Possible
  Probability of Occurrence: 30-50% chance or a 3-7 year event
  Description: A possible event that has never occurred at M&C but has happened in other organisations

2 Unlikely
  Probability of Occurrence: 5-30% chance or a 7-20 year event
  Description: An unlikely event that can be envisaged but hasn’t occurred at M&C or other organisations

1 Rare
  Probability of Occurrence: Less than 5% chance or an over 20 year event
  Description: A rare event that can be conceived but only under exceptional circumstances

The risk score is plotted on the risk profile showing the representative impact (1-5) and likelihood (1-5) scores as (impact, likelihood) or (x, y) coordinates. The colour key determines how the resultant assessment should be treated or escalated.

Gross risk, i.e. the risk level with ineffective or no risk controls in place
- Assess the risk as if all the controls have failed or there are no controls in place.
- Consider the worst credible scenario or risk event which you are most concerned about, the impact of this scenario, and then determine the corresponding likelihood of this happening.

Residual risk, i.e. the current risk level with existing controls in place
- Identify the current controls in place that reduce this risk. Are they effective?
- Have the impact and likelihood of this risk changed due to these controls?

Target risk (if applicable), i.e. the desired risk level to optimise investment, as required
- Is the net risk level acceptable? Is there a need to reduce the risk, or is there an opportunity to take more risk?
- Are there projects or additional opportunities to feasibly alter the impact and/or likelihood?

[Risk profile plot: the gross (G), residual (R) and target (T) positions of a risk are marked on the impact/likelihood matrix]


What does the scoring mean and how does it relate to risk appetite?

The rule of thumb is that “Extreme” or “High” risks require management focus and upward reporting, while the “Moderate” risks may need to be monitored by the Region and Function heads. “Low” risks should typically be monitored by the risk owner and reported by exception. The Risk Appetite statement should help inform whether risks are appropriately managed, whether additional actions are required and whether a separate Target risk level should be defined.

3.3 Risk Treatment

Risk treatment is arguably the most important aspect of the framework in that it seeks to improve the management of the risk. It is a collection of activities that are planned or being delivered to bring the risk to within appetite. Risk treatment should be done in the context of the controls already in place, i.e. building on existing controls in an incremental way may help reduce the risk towards the Target. Other ways to treat a risk include:
- transferring the risk, e.g. through outsourcing or insurance;
- avoiding the activities that give rise to the risk, e.g. exiting the market; or
- taking a decision to accept the risk as it is, e.g. typically for some uncontrollable risks.

The table below is used to capture the action plans put in place to treat the risk and to monitor delivery. It would then be used as part of the monitoring process to comment on the delivery of the treatment plans.

# | Agreed Actions | Action owner | Delivery date | Comments | Status
1 |                |              |               |          |
2 |                |              |               |          |
3 |                |              |               |          |

Where [symbol] = Attention required, [symbol] = Marginally under-delivering, [symbol] = On track (status symbols not reproduced here)

Tips for risk treatment
- Where residual risks are assessed to be “Extreme” or “High” in the risk profile, action plans are to be expected, particularly where there is a low risk appetite.
- Thinking about incremental risk treatments is where the Guiding Principle to be proactive, innovative and challenge the status quo can help, and where the real benefits of risk management are realised. Most challenging business problems now require cross-functional teams that are prepared to challenge the status quo.
- When thinking about the actions needed, it may be helpful to address the causes articulated in the risk identification section. Further root cause analysis techniques can be employed to identify the specific problem to solve.
- For material risks, the actions are likely to be carefully managed projects with defined budgets and scope. These may further have project delivery risks to be managed.

3.4 Monitoring

The final step in the risk management process is Risk Monitoring. This includes:
- the identification of related emerging risks, issues and updated management information;
- the assumptions related to existing risk analysis;
- delivery of actions;
- key risk indicators (“KRIs”).

The risk trend is identified during the regular assessment stage, informed by the above factors, and shown as an arrow pointing up for increasing risks, pointing down for decreasing risks and pointing to the right for the same level of risk, or N for a new risk.

KRIs are a set of leading or lagging data points that give insight into how the risk is trending and could include measures of control effectiveness, incident history or performance. The KRIs support the Guiding Principle “Prove it with data” and are critical in making risk management discussions engaging and valuable to senior stakeholders. These could be in varying formats and are recorded in the following table, which includes consideration of acceptable outcomes and points of escalation.


If a KRI is deemed “Action needed”, then it should be escalated to the respective Regional or Function Head. Level 1 risks should be further raised to the GMRC and BRC. Additional actions should be recorded in the table explained in the Risk Treatment section. The process of risk management is a cycle, and the results of the monitoring must feed back into future identification, assessment and treatment of risks. Risks are not static, and hence must be managed in a continuous process.


Appendix 1: Risk Reporting Cycle

Risk reporting that is aligned with the governance structures and embedded into the existing business planning process is an important aspect of operationalising the Group’s risk management process. Exact dates and requirements will be set and communicated throughout the year and as meetings are planned.

[Risk reporting cycle calendar, Jan to Dec; the month-by-month layout is not reproduced. Events shown in the original calendar:]
- Annual report & accounts
- Quarterly BRC and Board meeting (four per year)
- Major Risks reviewed by GMRC as part of business planning
- CDL Risk Committee Meeting (four per year)
- Personal Development reviews
- GMRC meeting (three per year)
- CDL annual IT Risk reporting
- Legal report (four per year)
- SHE report (four per year)
- Strategy session
- Audit committee (two per year)


Appendix 2: Tools and Templates

Risk Profile

Risk Detail Form


Appendix 3: Glossary of Risk Management Terms

Inherent (gross) risk is the impact and likelihood of the risk occurring without taking into account any efforts or controls the firm has put in place to manage it.

Key risk indicators are a set of leading or lagging data that gives insight into how the risk is trending and could include measures of control effectiveness, incident history or performance.

Residual (net) risk is the impact and likelihood of the risk occurring taking into account the existing efforts and controls in place.

Risk appetite is the nature and amount of risk an organisation is prepared to take to achieve its objectives.

Risks are uncertain events or factors that can affect the achievement of business objectives. They are measured in terms of impact and likelihood and can include both up-side (opportunities) and down-side (threats).

Risk management is the continuous process of identifying, assessing, treating and monitoring risks.

Risk profile is the summary view of the key 8-12 risks affecting an area (i.e. the Board, a Region, a Function or an individual hotel), plotted against a matrix around the impact and likelihood of the key risks.

Risk owner is the named individual best placed and accountable for managing the respective risk and whose duty includes the quarterly reporting of the risk details.

Risk transfer is the passing on of risk exposure to an external third party through contractual agreement, insurance or outsourcing of the risk. Note that even if liabilities get transferred, there may still be a reputation impact that remains with the Group.


Appendix 4: GMRC Terms of Reference

Group Management Risk Committee – Terms of Reference

Owner: Group Risk Manager | Issued: June 2017 | Supersedes: N/A | Review date: June 2018 | Page 1 of 3


Group Management Risk Committee (the “GMRC”) – Terms of Reference

Chairman: Group Chief Executive Officer
Members: Chief Financial Officer, Group General Counsel and Company Secretary, Chief Commercial Officer and/or at least two Regional or Functional heads
Attendees: Group Internal Audit (open invitation) and external risk consultants (as required)
Secretary: Group Risk Manager
Quorum: Chairman and two members of the Committee
Meeting frequency: A minimum of three meetings per year
Approval date: June 2017

1. Overall Purpose / Objectives

The GMRC has been established by the Chief Executive to ensure there is sufficient accountability and management of key risks across the Group. These are reflected in the Board Risk Profile agreed by the Board Risk Committee (the “BRC”). The GMRC is authorised to make decisions (decisions will be based on majority rule) to manage risks within the appetite set by the BRC, but must do so in the context of other policies and procedures, i.e. budget, delegation of authorities, procurement etc. The GMRC will meet at least three times a year, will receive reports of risks from within the business and will seek assurance from the Heads of Regions and Functions that these are appropriately managed. The GMRC must also determine whether any new, emerging or escalated risks should be further reported to the BRC.

2. Roles and Responsibilities

The GMRC will:

2.1. Ensure key risks to the Group are appropriately owned, assessed, resourced and managed. Record these risks and corresponding details in a Board Risk Profile.

2.2. Review the Board Risk Profile on a quarterly basis and consider emerging risks or changes to existing risks.

2.3. Receive reports from the Regional and Functional heads on risks within their respective areas on a quarterly basis and be satisfied that these risks are being managed. Ensure Regions and Functions are reviewing and engaging with risk management.

2.4. Provide guidance, resource or any suitable support to the Regions and Functions to help address risks in the business and determine whether these risks should be reported to the Board Risk Committee.

2.5. Annually review and assess the effectiveness of the risk management policy and the Group’s approach to risk management and whether changes or improvements to processes and procedures are necessary.


3. Reporting Responsibilities

3.1. The Chairman will report formally to the BRC after each GMRC meeting on all matters within the Committee’s duties and responsibilities. This report shall include:
- an update on the Board Risk Profile, highlighting any changes and significant developments since the previous report;
- an update on any new or emerging risks affecting the Group and any action plans being put in place to manage them;
- the extent to which the business has reviewed and updated its risks in line with the risk management policy.

4. Other Responsibilities

4.1. Annually review and propose to the Board Risk Committee the overall levels of insurance for the Group, including directors' & officers' liability insurance and indemnification of directors.