View
292
Download
0
Embed Size (px)
DESCRIPTION
Presented by Peter Moore Risk Point
Citation preview
Creating Value Through Enterprise Risk Management Presented by Peter Moore
Risk Point
NATIONAL CONFERENCE & EXHIBITION 2014
Platinum Sponsor
Silver Sponsor Bronze SponsorRisk Manager of the Year
Award Sponsor
Conference and Exhibition Partners
Overview
• Barriers to success in creating value
• Risk management frameworks
• Risk appetite and risk tolerance
• Integrating risk management
• Summary and close
1. Barriers to Success in Creating Value
• Barriers to success in creating value:• Poor/ incorrect use of language
• Poorly designed frameworks
• Poor risk assessment techniques
• Risk versus fact analysis
• Lack of engagement and commitment within the enterprise
• Over complexity in design of risk management frameworks and systems
• Focus on process outcomes rather than decision support and resource allocation
2. Risk Management Frameworks• Keep it simple unless complexity is required due to the nature or size
of the organisation
• Take into consideration how the framework integrates risk management into the business
• Make it intuitive so it “looks like the business”
Risk Area Framework
• Provides focus on the organisation, what it does and how it does it
• Internal processes and externalities (internal and external context)
Area of Business
Service Delivery
Financial
Human Resources
Sales – Marketing/ Business Development
IT/ Technological
Commercial/ Legal
Occupational Health & Safety
Compliance
Management
Political/ Economic
Competition
Risk Area Framework
• If more detailed structure required, sub areas or categories may be appropriate
Area of Business
Financial Payroll
Debtors/ creditors
Treasury
Human Resources Recruitment
Remuneration/ retention
Training and management
IT/ Technological IT assets
Information assets
Information security
Risk Types - Compliance/ BusinessStrategic/ Operational
• Creates distinction between compliance risks and business risks which integrates into risk appetite and risk tolerance and corporate governance
• Provides clarity on strategic risks (involving board) and operational risks which integrate into management processes and business planning
• Allows risks to be considered in context and increases clarity in analysis
Risk Type
Compliance
Business
Risk Type
Strategic
Operational
Align the Framework to the Business
• What business are we in?
• What is it that we do?
• What are our objectives and what are we trying to achieve?
• From a risk management perspective these questions provide alignment with the business and provide one of the keys to integrating risk management and creating value
Risk Identification Techniques
• Risk identification techniques and risk statements
• Root cause analysis technique1
Risk
Cause
Root Cause
1.IEC/ISO 31010:2009 Risk management – Risk assessment techniques
Risk Identification Techniques
• Risk identification techniques and risk statements
• Root cause analysis technique1
Risk
Cause
Root Cause
1,IEC/ISO 31010:2009 Risk management – Risk assessment techniques
Business Objectives
Risk Identification Techniques
• Risk identification techniques and risk statements
• Cause-and-effect analysis technique2
• Not statements of fact
Cause Risk Effect
2. IEC/ISO 31010:2009 Risk management – Risk assessment techniques
Discussion
3. Risk Appetite and Risk Tolerance
• Clarity is required on use of language
• Definitions are not included in AS/NZS ISO 31000 (need to refer to ISO Guide 73)
• Context needs to be applied
• Failure to follow above will lead to confusion
• Allows appropriate decisions to be made with regard to risk
Risk Appetite and Risk Tolerance
Risk appetite
“Amount and type of risk that an organization is willing to pursue or retain”3
Risk tolerance
“Organization’s or stakeholder’s readiness to bear the risk after treatment in order to achieve its objectives” 4
3,4. ISO Guide 73 Risk management - Vocabulary
Risk Appetite –ASX Corporate Governance Principles
Principle 1: Lay solid foundations for management and oversight
Recommendation 1.1 – Commentary
“Usually the board of a listed entity will be responsible for:
• Ensuring that the entity has in place an appropriate risk management framework and setting the risk appetite within which board expects management to operate”5
5. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014
Risk Appetite –ASX Corporate Governance Principles
Principle 7: Recognise and manage risk
Commentary
“The board of a listed entity is ultimately responsible for deciding the nature and extent of the risks it is prepared to take to meet its objectives.
To enable the board to do this, the entity must have an appropriate framework to identify and manage risk on an ongoing basis. It is the role of management to design and implement that framework and to ensure that the entity operates within the risk appetite set by the board. It is the role of the board to the risk appetite for the entity,…..”6
6. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014
Risk Appetite –Commonwealth Risk Management Policy
Element One – Establishing a risk management policy
“13.1 An entity must establish and maintain an entity specific risk management policy that:
a….
b. defines the entity’s risk appetite and risk tolerance”7
7. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014
Risk Appetite –Commonwealth Risk Management Policy
Element Three – Defining responsibility for managing risk
“15.1 Within the risk management policy, the accountable authority of an entity mustdefine the responsibility for managing risk by:
a. defining who is responsible for determining an entity’s appetite and tolerance for risk”8
8. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014
Setting Risk Tolerance• Thresholds for tolerability are established for compliance risk (non negotiable, must manage to defined
levels)
• Policy settings can be used to establish tolerance levels for compliance risk (e.g., risk level “Low” score no greater than 4)
RISK MATRIX
Likelihood Consequence
1
Insignificant
2
Minor
3
Moderate
4
Major
5
Severe
5 Almost Certain M H H VH VH
4 Likely M M H H VH
3 Possible L M H H H
2 Unlikely L L M M H
1 Rare L L M M H
Setting Risk Appetite• Must be established in accordance with preparedness to take commercial, or business risks in order to
achieve objectives
• Is different in different parts of the business (e.g. “High” score 9/ High score 16)
• Provides a feedback loop to strategy setting (are we likely to achieve the positive outcomes and returns for the potential adverse threats in pursuing the strategy?)
RISK MATRIX
Likelihood Consequence
1
Insignificant
2
Minor
3
Moderate
4
Major
5
Severe
5 Almost Certain M H H VH VH
4 Likely M M H H VH
3 Possible L M H H H
2 Unlikely L L M M H
1 Rare L L M M H
Business process or function A
Business process or function B
Setting Risk Appetite and Risk Tolerance
Discussion
4. Integrating Risk Management
• Draws upon a sound risk management framework
• Incorporates risk appetite and risk tolerance settings
• Links risk management to strategic planning
• Links risk management to corporate governance
• Techniques for determining what risk management and risk treatment activities (to manage risks to acceptable levels) are part of the job
• A mechanism for making risk management “part of the business”
• Accountabilities and responsibilities defined
• Establishing Key Risk Indicators (KRI’s)
Risk Management Task Integration
• A method of determining which risk management activities (e.g., development of risk treatment plans) are part of the job
• Assists in determining what’s important, what’s urgent and what’s not
• Assists in resource allocation and decision making
• Creates value through better decision making and better business outcomes
Accountability
• Accountabilities need to be assigned for:• Risks
• Control development and assurance
• Risk treatment actions and plans
• Reporting on risk management activities
Key Risk Indicators (KRI’S)
• Identify what aspect of the business needs to be measured and monitored
• Develop sources of data around activities which influence or impact risks and risk levels
• Develop metrics for measurement
• Assign ownership (as critical as risk ownership)
• Measure movements in KRI’s
• Take action where KRI’s move beyond tolerable levels
Key Risk Indicators (KRI’S)
• Note: These indicators would be used to assist reviewing a business risk such as, “failure to meet sales targets resulting inimpact on revenue objectives”.
• Leading indicators• A predictive indicator which provides insights into the likelihood of a risk materialising:
• Reduced business opportunity pipeline/ sales conversion ratio
• Lagging indicators• An outcome indicator which provides insight into the frequency and impact of a risk materialising:
• Lower sales to date from budget
KRI Monitoring – Qualitative AssessmentRAGAR Model8
Score
Time
Baseline
Out of tolerance –take action
Borderline –may require investigation
Within tolerance- no action required
8. Adapted from Smart, A., and Creelman, J., Risk-Based Performance Management, 2013
Discussion
Summary and Close
• Learnings
• New developments
• Next steps
Thank you.
NATIONAL CONFERENCE & EXHIBITION 2014
Platinum Sponsor
Silver Sponsor Bronze SponsorRisk Manager of the Year
Award Sponsor
Conference and Exhibition Partners