INTERNAL CONTROL basic course
January 2009
EU Twinning Project TR 07-FI-02

THE STAGES
* IDENTIFY: reliable & comprehensive information
* ASSESS: assess & record potential for adverse impact
* ADDRESS: capability, supporting tools, ownership, contingency plans
* REVIEW & REPORT: up to date, reliable, current status, fit for purpose
THE 3 MAIN APPROACHES TO RISK MANAGEMENT
INFORMAL APPROACH
THE RISKS
* Process & Policies are usually underdeveloped
* Reporting of bad news may not be part of the culture
* Risk information may not trigger action
* Accountability/responsibility may be unclear
* Blame rather than Encouragement
* Resources allocated may be disproportionate

RULES-BASED APPROACH
THE RISKS
* Applied in a rule bound, inflexible way
* Focus: reporting and completing registers only
* Only performed to comply with requirements
* Information reliance substitutes good judgement
* Risk averse for fear of censure
* Preoccupation with reputational risks

THE BENEFITS
* Process & policies are subject to helpful challenge
* Combine quantitative methods, organisational learning, & scenarios to consider uncertainty & response
* Professional judgement is encouraged
* Blame-free culture
* Innovation & risk taking are well managed

SUMMARY: EXPLICIT & SYSTEMATIC?
Risk Management Assessment Framework (1)
7 Categories set by the Risk Support Team, HM Treasury, UK in October 2004:

1. Leadership: do senior management and Ministers support and promote risk management?
2. Are people equipped and supported to manage risk well?
3. Is there a clear risk strategy and risk policies?
4. Are there effective arrangements for managing risks with partners?
5. Do the organisation's processes incorporate effective risk management?

Risk Handling
6. Are risks handled well?

Outcomes
7. Does risk management contribute to achieving outcomes?

Risk Management Assessment Framework (2)
Assessment Scale:

Capability (Leadership; Policy & Strategy; People; Partnerships & Resources; and Processes):
1. Awareness and understanding
2. Implementation planned & in progress
3. Implemented in all key areas
4. Embedded and improving
5. Excellent capability established

Risk Handling and Outcome performance:
1. No evidence
2. Satisfactory
3. Good
4. Very good
5. Excellent
EFFECTIVE RISK MANAGEMENT REQUIRES:
* IDENTIFY, ASSESS probability, significance & RECORD
* DETERMINE THE RESPONSE - what is our capability to manage the response?
* WHO IS IN OVERALL CHARGE OF IMPLEMENTING THE RESPONSE?
* HOW TO ORGANISE IMPLEMENTING THE RESPONSE? tools? people?
* WHEN/HOW TO MONITOR & REVIEW THE RISK & RESPONSE - is this reliable & effective? Does the approach need updating?

Key themes in NAO guidance to Audit Committees (January 2010):
* Leadership
* Staff training
* Risk management framework
* Risk identification
* Risk evaluation
* Control of risks
* Risk Appetites
* Embedding risk management

RISK CATEGORIES (ILLUSTRATIVE)
EXTERNAL: p.e.s.t.l.e.
OPERATIONAL: delivery capacity & capability risk management performance & capability
CHANGE: specific targets change programmes new projects/new policies
RESPONSES (ILLUSTRATIVE)
KNOW YOURSELF: S.W.O.T.
* fundamental controls
* consultation throughout the organisation
* ongoing application of control strategies
* awareness of organisational objectives
* early warning mechanisms & quick response
* reliable business information
AN EMPHASIS ON CHANGING BEHAVIOURS

SWOT so what?
VALUE TO THE ORGANISATION      RISK TO THE ORGANISATION
S                              W
O                              T
ABILITY TO EXPLOIT             ABILITY TO ADDRESS
GROUP SESSION 5 risk management
1 organise yourselves
2 address the questions in the course outline
FOCUS YOUR THOUGHTS & RESPONSES ON:
IDENTIFYING & ADDRESSING RISKS
REMEMBER PREVIOUS GROUP SESSIONS