Risk Management, Culture & Governance

Risk Management, Culture & Governance

Agenda

What is risk management? A framework for risk management Establishing a good risk culture Getting risk a seat at the table Providing the right risk information to stakeholders ERM – what does the “E” stand for?

What is a risk? “The effect of uncertainty on objectives”.ISO 31000: 2009 Risk Management

“Those things that may stop you meetingyour objectives”.Susan Crago

What is risk management?Risk Management = Objectives and Outcomes Management

LIKELIHOOD(The probability

of the risk materialising in

the next 12 months)

LEVELPROBABILITY RANGE  

Almost Certain (Level 5) 80% - 100% Low Low Medium High High

Likely (Level 4) 60% - 80% Low Low Medium High High

Possible (Level 3) 40% - 60% Low Low Medium Medium High

Unlikely (Level 2) 20% – 40% Low Low Medium Medium Medium

Rare (Level 1) 0% – 20% Low Low Low Medium Medium

(Level 1)(Level 2)

(Level 3) (Level 4) (Level 5)

CONSEQUENCE(assess as once off or accumulation of risks)

What risk management is not!

Establish Context Identify Assess Action

Monitor and Review

Escalate, Communicate and Consult

A framework for risk management

Establish Context

A framework for risk management

Identify

•What is our strategy and objectives?•What issues have we experienced?•What risks are we currently managing?•What is going on in the external environment?

•What are the risks that could stop us meet objectives?•What would cause those risks to occur?•What controls do we currently have in place?

Assess•How likely is it that this risk will occur?•If it does occur what will be the consequence?•How effective are the controls to manage this risk?

A framework for risk management

•Prioritisation •What will we do about the risk? Nothing or something?•If something what is the best action to take?

Action

Monitor and Review

•Who needs to make the decision about this risk?•Who needs to take any actions on this risk? •Who needs to be aware of this risk?

Escalate, Communicate and Consult

•Are we on track with managing this risk?•Has something changed so we need to review this risk?

The sales pitch

Value Proposition….

1. Making informed decisions•supports prioritisation and transparency of decision making

2. Meeting business unit objectives•alignment to the business strategy and objectives•highlights areas of potential focus

3. Preparing for the unexpected•identifying uncertainties •fewer shocks and unwelcome surprises

Good risk culture ??

Impacts of poor risk culture

Establishing a good risk culture

‘Values and culture drive people to do the right thing even when no one is looking … Although value and culture cannot always be measured quantitatively, they impact governance in powerful ways.’

John F Laker - APRA Chairman (27 February 2013)

Establishing a good risk culture

Getting risk a seat at the table

3 lines of defence

•Own and manage risks•Risk management embedded in processes•Promote a strong risk culture

Business Units(including Executive,

Managers and All Staff)First Line of Defence

•Independent advice, oversight and monitoring•Advocate a risk culture and raise awareness of Risk•Establishment of Risk Management Framework

Independent Risk Function

Second Line of Defence

•Independent appraisal of the control infrastructure•Oversight of the Risk Management FrameworkInternal Audit

Third Line of Defence

Getting risk a seat at the table

Getting risk a seat at the table

Bendigo & Adelaide Bank Group’s Vision:“We aim to be Australia’s leading customer-

connected banking group.”

Providing the right risk information to stakeholders

“... integral to the effectiveness of risk governance, concerns the flow of information to the board. The lack of timely, relevant and comprehensive risk information [is] often a critical weakness.”

John F Laker - APRA Chairman (27 February 2013)

Good risk governance

Clear risk appetite and tolerances

Escalation of new key risks

Monitoring of actions for key risks

Monitoring of testing of key controls

Consistent across risk types

Providing the right risk information to stakeholders

ERM – what does the “E” stand for?

Effective? Efficient? Engaging? Enterprise?

Questions?