Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
Reporting Risks to the Board (2) Page 1 of 6 Version 1.0 6/03/2007
APM Risk SiG Conference 26APM Risk SiG Conference 26APM Risk SiG Conference 26APM Risk SiG Conference 26thththth October 2006 October 2006 October 2006 October 2006
Reporting risks to the boardReporting risks to the boardReporting risks to the boardReporting risks to the board
PurposePurposePurposePurpose The purpose of this paper is to summarise the key points from the various presentations and knowledge sharing session held at the October meeting of the Risk SiG. It should provide a reminder for those at the event of the main issues, tips and suggestions for reporting risks to the board. It may also be useful for anyone not present who has an interest in this topic. This paper should be read in conjunction with the presentations which are available for viewing at http://www.apm.org.uk/riskmanagement/page.asp?categoryID=11&subCategoryID=&pageID=&action=viewArticle&category=75&uID=&ID=525
Scope The target audience for this paper is predominately project and programme managers. However others involved in
operational or business risk would find many of the ideas useful.
IntroductionIntroductionIntroductionIntroduction The presenters were asked to provide their views on reporting risks to the board. They were given a brief which highlighted 4 topics for consideration and were asked to reflect on those areas from as many perspectives as possible. After the main presentations the delegates split into 4 Knowledge Sharing Network (KSN) groups to discuss each topic. Whilst the body of this paper maintains that structure, many of the key points were identified several times in different areas. For simplicity each key point has been placed in its predominant section.
Reporting Risks to the Board (2) Page 2 of 6 Version 1.0 6/03/2007
GovernanceGovernanceGovernanceGovernance There were 5 key points identified in this topic:
� BodiesBodiesBodiesBodies It is necessary to have a clear understanding of which parts of the organisation are involved in the risk process. Both BT and Rolls Royce have a clear framework diagram that explained the groups involved and also how information flowed between them.
� StakeholdersStakeholdersStakeholdersStakeholders Stakeholders – a common theme is to ensure that stakeholders are identified and engaged as they offer a different perspective and a broader range of possible impacts. Some stakeholders will identify strategic risks which may need to be managed at the Project Sponsor level. Any
effective risk process should provide an identification of the widest range of risks and should have a contribution
from stakeholders.
� AppetiteAppetiteAppetiteAppetite One important prerequisite for helping to determine the level of detail required for risk reporting is to know the Board’s risk appetite. As Protiviti explained “establish the big rules including appetite and ask are the risks undertaken consistent with the organisation’s risk appetite?
� CultureCultureCultureCulture The term culture towards risk management is used a lot but without much detailed definition. For many it is the attitude to risk combined with the risk appetite that generates a culture. Clearly every individual on a board will have a different attitude to risk but collectively the board will promote a particular risk culture – either
consciously or subconsciously, tuning in to that culture is very important, especially if you want to try and change it.
� Common LanguageCommon LanguageCommon LanguageCommon Language When reporting risks to the board you must ensure that the terminology used will be clearly understood by the recipients. This implies that a common risk language be used across the business and this can be defined as part of the risk policy or the risk standards.
There were two additional points raised during the governance KSN. � The first was how to convince the Board that they own governance of risks. A comment was made that it is
active ownership that is needed. One suggestion for supporting the board was to offer a “Masterclass” in risk
management. It was also recommended that the board members be approached individually. � Some boards may not fully understand project and risk management – but can’t admit it. One suggestion for this
is to get them to actively manage a single risk with support.
5Governance of ERM Programme
Risk Committee
Risk Steering Committee
(min 2 times a year)
Tool (ARM)
Process
Risk Stakeholder Meeting
(monthly)Communication of status
Change Control Board
ARM Steering Committee
Risk Owner / Risk Champion Risk point of Contact
QuantificationSteering
Committee
* Risk ProcessCouncil
(quarterly)
Risk Systems & PoC 1-1s(fortnightly)
DoR (ERM)
Risk Executive
(monthly)
Assurance Sector Review Boards
Programme
DeliveryTeams
* Internal only at present
Reporting Risks to the Board (2) Page 3 of 6 Version 1.0 6/03/2007
ReceivingReceivingReceivingReceiving informationinformationinformationinformation There were 3 key points identified in this topic. This topic was slightly modified during the analysis to include any process related suggestions.
� Process Process Process Process –––– frequency frequency frequency frequency Everyone agreed that there should be a defined risk process, however the frequency of reporting to the board
was dependent on the industry and the organisation but should be at least every 6 months with some form of escalation in place for any new emerging or rapidly changing risks. Protiviti explained this clearly in their presentation:
Report Risk Information
Utilise reporting
process to communicate key risk information to
risk sources for accountability, responsibility and
action.
Aggregate
Risk
Information
11©Copyright 2004 Marsh U.S.A
Business Risk InventorySM
Business Interruption Environmental Product/Service Failure
Change Response Health and Safety Product/Service Pricing
Compliance Inventory Management Real Estate
Contract Commitment Knowledge Management Relationship Management
Customer Satisfaction Measurement Sourcing
Cycle Time Partnering Supply Chain
Delivery Channel Physical Security Strategy Implementation
Distribution Product Development Transaction Processing
Efficiency Product/Service Liability
Brand
Business Model
Business Portfolio
Intellectual Property
Location
Marketplace
Organizational
Structure
Planning
Product Life Cycle
Resource Allocation
Accountability
Change Readiness
Communications
Competencies/Skills
Empowerment
Employment Law Violation
Hir ing/ Retention
Leadership
Outsourcing
Performance Incentives
Succession Planning
Training/Development
Conflict of Interest
Employee Fraud
Ethical Decision
Making
Illegal Acts
Management Fraud
Third-Party Fraud
Unauthorized Acts
Access
Availability
Capacity
Data Integrity
e-Commerce
Information
Secur ity
Infrastructure
Relevance
Reliability
Technological
Innovation
Accounting Information
Budgeting and Forecasting
Completeness/Accuracy
Investment Evaluation
Pension Fund
Regulatory Reporting
Taxation
Cash Flow
Collateral
Commodities
Concentration
Counterparty
Credit
Default
Equity
Financial Instruments
Foreign Exchange
Interest Rate
Liquidity
Modeling
Opportunity Cost
Process
Strategic
Human Resources Integrity TechnologyManagement Information
Financial
EXTERNAL
INTERNAL
Operational
Capital Availability Economy Legal Shareholder Relations Terrorism
Competitor Financial Markets Natural Hazard/Catastrophe Social Responsibility
Customer Needs Industry Regulatory Sovereign/Political
Capture Risk
Information
from Multiple
Sources
Senior Management
Middle Management
Employees
Environment
Industry
Competitors
Consultants
Enterprise-wide Reporting
Cross-functional leaders and core
resources.• Aggregate data• Prioritise risks• Monitor action
Analyse and
Summarise Risks
Prioritise
Key Risks
Aware of all key risks and the
necessary action to manage/mitigate the risks.
Board Reporting
Validate Risk Profile communicating key risks to Executive Management and the Board.
Coordinated, Informed
Decision-making
� The majority of Boards meet 9~12 times per year and run for 3~4 hours
� The frequency with which you should Risk Report to the Board is dependent on:
� Volatility of the company and industry;
� Risk appetite of the company;
� Occurrence of significant risk event; and
� Identification of potential significant risk event.
� As a general guide:
� Formal reporting should occur quarterly
� Ad-hoc reporting channels should be established and used as necessary to report risks of strategic importance
Frequency of Reporting
Reporting Risks to the Board (2) Page 4 of 6 Version 1.0 6/03/2007
� Top down and bottom upTop down and bottom upTop down and bottom upTop down and bottom up
Must undertake bottom-up analysis and flow of risks as well as top-down. This was mentioned by most presenters and is succinctly demonstrated by this slide
6Embedded Risk Management
Project
Business
Sector
Corporate IMP
LE
ME
NT
ED
AC
TIO
NS
IDE
NT
IFIE
D R
ISK
S
Risk Register Hierarchy
The bottom-up is, of course, to capture those big or common risks. The top-down is to ensure that the lower
levels understand the risks which the higher levels are managing allowing them to help and see that their big risks haven’t been discounted. HVR explained “Strategic risks help structure risk identification at the lower level. You should be able to relate tactical risks to strategic risks.
� Concise top level with supporting documentationConcise top level with supporting documentationConcise top level with supporting documentationConcise top level with supporting documentation
It is important to ensure that an appropriate amount of information is presented at all levels and that means at the top-level you need to report the information in a simple, concise way.
Reporting of Risk Reporting of Risk Reporting of Risk Reporting of Risk The 5 key points were:-
� Understand what the Board require to help them make decisions
What does the board want? – Find out! The board may not know what they want. Use what we have got and try to anticipate what they want.
� Aligned with strategy and objectives.
What is the board strategy? Is it finance, or sales, or expansion, or customer satisfaction based? Risk must impact
on corporate strategy/objectives. Rolls Royce explained the risks need to be presented in financial terms and in how they impact on the strategic objectives. Thus Rolls Royce can target mitigation resources at key risks. BT explained “Enterprise threats are discussed at Board level and appear in the Annual Report. An example of a strategic risk is the pension fund is large compared with the size of the company.”
� Effective communication/ presentation sympathetic to the organisation’s culture.
� Present the few key (5/6) risks across the organisation.
� Right Information at the right time
Protiviti summed this up by:
Reporting Risks to the Board (2) Page 5 of 6 Version 1.0 6/03/2007
Board
Senior Management
Risk Managers
� Most significant risks (impact, likelihood)
� Most significant risk events
� Risks with strategic importance
� Have supporting documentation available if requested
Am
ou
nt
of
info
rma
tio
n r
eq
uir
ed
� Detailed analysis of significant risks
� Detailed analysis of significant risk events
� Understanding of risk impact on strategic objectives
� High level communication, understanding of lower level risks (process level)
� Detailed understanding of risk environment
� Detailed analysis of the significance, cause
and management action associated with risk
� Ongoing communications on risks
What risks to report?
Tools and TechniquesTools and TechniquesTools and TechniquesTools and Techniques One technique identified or referenced by most presenters was:
� Cause and effect – sensitivity graph (driver analysis)
This aspect came out in different ways in the presentations but they were saying overall that it is important to consider how the risks’ causes and effects are linked so that a model (e.g. quantitative) can be produced or
resources can be addressed at the key risk drivers in order to maximise return on effort managing risks. One aspect of this can be demonstrated by the below from one of Rolls Royce’s slides:
The large group of about 20 people in the KSN agreed that there were two additional key points: � Need a suite of tools which can operate at all levels (but these would depend on the maturity of the organisation)
BT explained that they use a collection of tools including one to produce their risk dashboard:-
Reporting Risks to the Board (2) Page 6 of 6 Version 1.0 6/03/2007
© British Telecommunications plc
20
40
60
Risk A
Risk H
Risk I
Risk E
Risk FRisk G
Risk B
Risk C
Risk D
(%)
Example of Board Report
Likelihood of risk impact at £Xm
80
20
40
60
80
Risk J
Risk K
Risk L
Rolls Royce are implementing an enterprise-wide tool (ARM). Many organisations use cheap tools, e.g. Excel, and can’t justify the expense of a heavyweight tool but still want the benefits of hierarchical risk management. The feeling was that this could be achieved.
� Need some consultancy to help the organisation to implement this,
This was so that the company can have a common language, education, expertise in the tools & techniques available and someone to drive the implementation. This could well be from within the company. Strategic
Thought said “Use a common terminology, categories that reflect the organisation.”
ConclusionConclusionConclusionConclusion Overall the conclusion is to ensure that the boards expectations of risk management are understood and that the reporting of risks is done in a way that provides valuable information at the right time to enable the boards to reduce surprises, to link operational risks with strategic decisions and recognise when their risk exposure or their risk appetite changes. It should be simple and clear although the supporting documentation should be available if needed.
AcknowledgementsAcknowledgementsAcknowledgementsAcknowledgements Thanks very much to all of the presenters who have made their material available. Larry Stone, BT Tom Teixeira, Rolls Royce Martin Hopkinson, HVR Karl Davey, Strategic Thought Jonathan Blackhurst, Protiviti Legal notice:Legal notice:Legal notice:Legal notice: Neither the Association for Project Management, nor any person acting on behalf of the Association, is responsible for the use which might be made of the information contained in this publication.