What is Risk Management?Whose responsibility is it in your institution?

Mark Weatherley

What is Risk Management?Whose responsibility is it in your institution?

Am I a Risk Manager?

Risk: What Is It?

The chance that something you don’t want to happen will

Or the likelihood that something you would like to happen doesn’t because you didn’t take the chance

Three main risk categories– Common to all entities– Strategy driven for a particular entity– Industry specific

Risk: Four Choices Available

Transfer risk to another partyDesign and apply appropriate internal

controlsAvoid engaging in the activity Accept risk

What is Risk Management?

Risk management is about :

1. Identifying and assessing key risks

2. Designing and implementing processes by which those risks can be managed

3. Maintaining residual risks at a level acceptable to the Board

Whose Responsibility Is It?

BoardManagementInternal AuditOther specialists

IIA New Definition of the Role of Internal Audit

Internal Audit is an independentindependent, objective assurance and consulting activity designed to add value and improve an organisation’s operations.

It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve effectiveness of risk management, control and corporate governance processes.

Key Attributes of IA

Independent ObjectiveKnowledge of University, its people,

systems and processSkills in risk management, documentation,

evaluation and assessmentProvides services to the Board and

management

IA Skills in Risk Management

Systematic analysis of business process– IA performs organisation-wide risk assessment

involving management• See next slide

– IA prepares an inventory of processes– IA determines audit priorities based on the risk

assessment

McGill UniversityRisk Assessment Overview

Likelihood of Exposure

Con

sequ

ence

Significant

Insignificant

Low High

VP, IST

VP, Academic

Law

LibrariesDentistry

Medicine

VP, D & AR

Agriculture & Environment

VP, A & F

Arts

ContinuingEducation

Engineering

ReligiousStudies

StudentServices

Science

Education

VP, R & Gs

High Risk Moderate Risk Low Risk Core Processes

PrincipalSecretariat

Music

Management

IA Skills in Risk Management (Cont’d)

Objective assessments for process effectiveness– audit projects include:

• Identification of components, deliverables or processes

• Risk assessment of the unit involving management• Definition of audit priorities based on the risk

assessment• Assessment of control design• Tests on control effectiveness

IA Skills in Risk Management (Cont’d)

Independent reporting and assessment of ways to change or improve processes– Audit reports include recommendations to

improve :• Control design

• Control effectiveness

IA Skills in Risk Management (Cont’d)

Ability to spread good practices across the organisation– Design and offer training sessions to

management– Provide useful information through the IA

web site

How IA Helps the Risk Management Process?

Assessment of the adequacy and effectiveness of risk management processes which includes:– Identification of risks– Prioritization of risks– Design of controls– Control effectiveness– Reporting

How IA Helps the Risk Management Process? (Cont’d)

Assessment of residual risksAssessment of other specialist units also

providing assurance and advice– eg

• Health and Safety

• Environment

• Legal Services

• Insurance

How IA Helps the Risk Management Process? (Cont’d)

Consultants to assist the Board and management in the development of documented risk management processes– Risk identification and assessment– Development of policies and procedures on

risk and control– Mechanisms to review the effectiveness of risk

management and internal control

What Internal Audit Does Not Do

Judge the appropriateness of the objectives of the organisation

Judge the Board’s strategies to achieve objectives

Benefits From Effective Risk Management Process

Enhances the ability to achieve the University’s objectives

Defines risk tolerance and acceptance of the Board

Leads to informed decision-makingDirects the effective allocation of

resources and management time

Key Reference Source

Risk Management and the value added by Internal Audit, published by the Institute of Chartered Accountants in England & Wales (ICAEW), www.icaew.co.uk/internalaudit, ISBN 1-84152-038-1