It provides a general overview of enterprise risk management principles, which can help to transform a corporation from being risk-exposed to being risk-protected. Considerations for the basic steps in the risk management process are critically and logically analysed.
www.elsamconsult.com 1
EMAC
ADVANCED RISK MANAGEMENT WORKSHOP
STELLA MARIS HOSTEL
Bagamoyo, 9th - 11th April 2014
ELSAM MANAGEMENT CONSULTANTS - EMAC
Notes
These slides contain video clips to help the reader understand the risk management concepts.
To view the slides you must be in slide show mode and click on the underlined links.
The video clips are copyrighted material; EMAC accepts no legal responsibility for any use other than educational dissemination.
Welcoming Remarks
Who are we? Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.
Core functions: Recruitment, Training and Consultancies.
More details: www.elsamconsult.com
Welcoming Remarks
Introduction of facilitators.
Self-introduction to the others on your team.
Recap: share something from your personal experience in Risk Management and highlight your expectations of this training.
Pick 1: identify a risk and discuss it as both a threat and an opportunity.
Report to the large group; pick a spokesperson.
Why this training?
Government collapse: Greece, Turkey, Africa
Global markets, more complex
Greater product complexity
New businesses (e-banking)
Increasing competition
New players
Regulatory imbalances
Technology
Corporate failures: what about Tanzania?
Increase in fraud and corruption
Increase in “snakes in suits”
Theft and robberies
Organization of this training
Day 1 – Understanding Risk Management Principles
Day 2 – Public Sector Risk Management: theoretical implications, practical implications, challenges
Day 3 – Fraud Risk Management
Day 3 – Lessons Learned from practice
Part I
OVERVIEW OF RISK MANAGEMENT
UNDERSTANDING THE RISK MANAGEMENT CONCEPTS AND DIGESTS
Presentation Plan
Defining and understanding risk
Risk and Risk Management
Objectives of Risk Management
Modeling of the Risk Management Process
Risk Management Process
Guidelines for Risk Management
Role of the Internal Auditor in Risk Management
Role of the Audit Committee in Risk Management
Examples of Models for Risk Management
Practical sessions (continuous)
Risk? What is it?
What is not risk?
Risk
Risk, real or perceived, is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.
‘A calculation of both probability and improbability becoming a reality.’
Risk has no religion. This definition is based on three scenarios:
Risk Scenarios
Whatever can go wrong, will go wrong.
Whatever cannot go wrong, will go wrong.
When things go wrong, they go badly wrong.
WHAT IS RISK?
Something happening that may have an impact on the achievement of objectives.
It includes risk as an opportunity as well as a threat.
By managing threats, the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities, the organisation will be in a better position to provide improved services and better value for money.
Probability vs ‘Risk Magnitude’
[Figure: a scale from -10 to 10 carrying the labels Improbable Risk, Unlikely Risk, Likely Risk, Probable Risks, High Magnitude Risk and Low Magnitude Risk]
Group study 1
Click on the underlined words to watch the video.
Based on the video presentation:
Can you identify ten risk scenarios?
Do you agree that one risk normally results in other potential risks?
Is this a probable or an improbable risk?
What are the major risks in your organisation which are improbable?
EXAMPLES OF RISKS
Resources, political, economic, social, technological, legislative/regulatory, environmental, competition, customer/citizen, managerial, professional, financial, legal, partnership/contractual, procurement, physical, technological……
Mention the risks you know in …
Public sector service delivery
Banking industry
Starting a job or career
Transport and travel
Financial management
Attending this workshop
Risks related to your organization
Risks: Risk Category and Possible Risk Areas
Strategy Planning: Business Portfolio; Management Activity; New Business/Growth Opportunities; Strategy Development; Business Performance Management; Target Setting/Vision/Goals; Investor Relations; Joint Venture Management; Rationalisation; Communication of strategic direction set by Board
Human Resources: Workplace Industrial Relations; Employment Practices; Remuneration and Entitlements; Succession Planning; Recruitment and Retention; Workers Compensation; Skills availability/Training and Development; Leadership; Diversity; Employee Safety and Health; Performance Incentivisation; Communication; Contractors / 3rd parties
Information Technology: Data Management; Data Security; Systems Development / New systems; Systems Maintenance; Availability; Data Integrity; Service delivery; ‘e’ Commerce; Outsourcing management; Interface with 3rd parties; Sharing of classified information
Marketing: Competitive Positioning; Market Research; Image; Trademarks; Strategic alliance networks; Pricing / Costing; Patents; Reputation; Customer Service
New Products: Project management; Research and Development; Product portfolio; Product Liability; Obsolescence; “e” Commerce
Supply Chain / Distribution: Logistics; Purchasing/procurement; Inventory Management; Contract Management; Import Clearance; Continuity management
Environment: Regulatory Compliance; Contamination; Loss of Containment; Complaints Management; Handling Image/reputation; Community / Government Relations
Legal: Regulatory Compliance; Commercial Relationships; Acquisitions/Divestments; Intellectual Property; Competition Law; Contractual Obligations
Finance: Funding / Treasury; Investments; Taxation; Debt Management; Supplier Payments; Capital Expenditure; Financial Controls and Reporting; Fraud; Insurance
Physical Assets: Security; Natural Disaster; Fire; Explosion; Impact; Capital Expenditure
Operations: Manufacturing upscaling; Technical Engineering; Capacity Planning; Costs of upscaling to Production; Reliability Management & partners; Safe Operations
Government: Sovereignty; Politics; War; Legislative Change; Corruption; Terrorism; Tax law change; Change to party in power
Economics: Interest Rates; Commodity; Currency
Source: CRCA © 2007 Deloitte Touche Tohmatsu
Case study I
Video Practical Session I
Case Analysis I: Meaning of Risks
End of Session I
Risk Management
What is Risk Management?
Basis of Risk Management
Risk management is part of the wider corporate governance and internal control system of an organization.
Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.
Risk Management: Pillars of Corporate Governance
Accountability: ensure that management is accountable to the Board; ensure that the Board is accountable to the shareholders.
Fairness: protects shareholders' rights; treats all shareholders, including minorities, equitably; provides effective redress for violations.
Transparency: ensure timely, accurate disclosure on all material matters, including financial situation, performance, ownership and corporate governance.
Independence: procedures and structures are in place so as to minimize, or avoid completely, conflicts of interest; independent directors and advisers, i.e. free from the influence of others.
Principles of Risk Management
Creates value (gain should exceed pain)
Be an integral part of organisational processes
Be part of the decision-making process
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be customizable to entity needs
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually and periodically re-assessed
Be tailorable
Risk management
It is not avoiding risk. It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.
There is no risk-free environment!
Risk management defined
Risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework, September 2004, New York, NY)
Risk Management Defined
RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)
Risk Management is the identification, assessment and prioritization of risk (ISO 31000) and the subsequent application of resources to minimize, monitor and control the probability and/or impact of downside events or to maximize the realization of opportunities.
It deals with the management of uncertainty, risks and opportunity towards the achievement of company goals and objectives.
Objectives of Risk Management
Support strategic and business planning
Enhance communication between directors and departments
Support effective use of resources
Promote continual improvement
Help focus internal audit programs
Fewer shocks and unwelcome surprises
Reassure stakeholders
Quick grasp of new opportunities
Objectives and RM
Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
Objectives must be defined before defining the risks which may affect them.
Risk management must be linked to objectives, strategies and projects.
Benefits of Risk Management
Aligns risk profile and strategy
Broadens risk awareness
Minimizes surprises and losses
Rationalizes capital requirements
Improves shareholder value
Assures regulatory compliance
Hard and Soft Side of Risk Management
Hard Side: Measures and Reporting; Risk Oversight Committees; Policies and Procedures; Risk Assessment; Risk Limits; Audit Process; Systems
Soft Side: Risk Awareness; People; Skills; Integrity; Incentives; Culture and Values; Trust and Communication
Drivers for Risk Management
Case study 2
Video Presentation
What are the real objectives of RM?
STRATEGIC OPERATIONAL RISK
Overview of SP:
Situation analysis
Mission and Vision
Objectives
Targets
Activities
Inputs and costing
What do you see?
End of Session II
Modeling of Risk Management & Risk Management Standards
Risk Management Frameworks
Common Risk Management Standards
Risk Management Standard (IRM, ALARM and AIRMIC) of the UK
ISO 31000 Risk Management – Guidelines on principles and implementation of risk management
ISO Guide 73 – Risk Management Vocabulary
BS 31100 Code of best practice for Risk Management
AS/NZS 4360:2004 Risk Management Standard
COSO Enterprise Risk Management
Canadian Government Sector Standard
Basel II/III
Solvency II (ICAAP)
King Report
Many Models To Choose Among
[Figure: COSO, COCO, ISO 31000, Westinghouse, Malcolm Baldrige, Deming, Peter Senge’s Deep Learning Framework, Cadbury, Twelve Attributes, Basel II]
COSO
COCO
Cadbury Report
Deming Award
TQM
12 Attributes
Deep Learning Framework
Baldrige Award
ISO 31000
Westinghouse Award
Northrop Award
Who Developed the Models?
COSO: the major accounting and audit professional organizations issued COSO in 1992.
12 Criteria: the Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
COCO: in November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
ISO 31000: developed by the International Organization for Standardization (ISO).
Deep Learning Framework: in 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.
Different Frameworks: Same Goals
Frameworks provide a way of understanding our organizations.
By having different groupings, each highlights some aspects of control more than others.
The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
Frameworks provide a standard review process.
Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.
Risk Management Principles, Frameworks and Processes
Risk Management Process
[Figure: the process cycle, with Communication and Consultation alongside every step and Monitor and Review on the other side; Identify, Analyse and Evaluate together form the Risk Assessment stage]
Establish Context: strategic, internal and external context
Identify Risks: what can go wrong? Missed opportunities?
Analyse Risks (measurement): assess risk likelihood and consequence, review
Evaluate Risks: compare risks, set risk priorities
Treat Risks: treatment options are reduce, avoid, transfer or retain
Assess Risks and Controls
Risk Management Process: COSO Framework
COSO stands for Committee of Sponsoring Organizations of the Treadway Commission.
It is a US private sector organization, dedicated to providing guidance to executives, management and governance entities on critical aspects of governance and business ethics.
It provides guidance on internal control, ERM, fraud and financial reporting.
COSO has established a common internal control model against which companies and organizations may assess their control systems.
COSO AND ISO 31000
COSO defines ERM as a process:
effected by an entity’s board of directors, management and other personnel;
applied in strategy setting and across the enterprise;
designed to identify potential events that may affect the entity;
managing risks within its risk appetite;
providing reasonable assurance regarding the achievement of entity objectives.
IRM (New COSO) defines Risk Management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefits within each activity and across the portfolio of all activities.
Generally, it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
COSO AND ISO 31000
ISO 31000 defines risk management as an integral part of all organization processes. It is not a stand-alone activity that is separate from the main activities and processes of the organization.
It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
In practical insight the whole of the business is just like risk management. Why?
Buffett defines Risk Management as
Analysis of the Warren Buffett case
What is risk management?
What are the consequences of dedicating risk management activities to a unit in an organisation?
Who is supposed to manage risk in an organization?
What is the status of Risk Management today?
Summary of Risk Management Models
Case study of risk in the hospitality industry
Case Study II – Risk Management
End of Session III
COSO ERM Framework
Understanding the cube
[Figure: the COSO cube; its labelled components are Objectives, Strategy, Internal Environment, Event Identification, Risk Assessment, Risk Response, Control Activities and Risk Monitoring]
COSO – Framework (Control Framework)
A car internal control exemplification
Effective Risk Management
Organizations should come out with a risk management strategy in order to ensure that they achieve their goals and objectives.
When the management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this, hence the need for effective risk management.
Effective Risk Management
The risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that will be used to underpin this approach.
The diagram below summarizes the risk management process within the organisation.
[Diagram not reproduced in this extract]
End of Session IV
Who manages risks?
ELEMENTS OF RISK MANAGEMENT
Identifying risks; assessing risks; addressing risks; reviewing and reporting risks.
The entity should ensure that it…
has a robust approach to risk management, aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of its stakeholders;
is accountable: processes and data will be open to review by its auditors and it will respond to the improvements they suggest;
encourages appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
Identifying risk
A ‘risk’ is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings of its own systems and procedures.
Identification can be done through staff workshops or work groups.
Consideration should be given to categories of risk.
The issues should be prepared and presented in the form of risk scenarios.
Identifying risk
Risk category: possible risks
Compliance risk: the risk of failing to comply with statutory requirements.
External risk: risks from changing public or government attitudes.
Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources.
Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures.
Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations.
Reputation risk: risks from damage to the organisation’s credibility and reputation.
Risks facing the banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision, for example fraud.
Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities.
Technology risk: risks arising from outdated technology, inadequate data processing and software malfunctioning.
Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or required training for staff is not available.
Identifying Risk: What To Do?
Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the most important risks, built up from information provided by each department.
The identification of risks is a continuous process and all staff have a part to play; it is not the sole domain of managers.
Systematically identifying risks will enable risks to be assessed and dealt with.
It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
ASSESSING RISK
To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.
Whoever identifies the risk should be responsible for assessing the risk.
This initial assessment will then be refined with the help of colleagues and managers, and a ‘risk owner’ will be identified who will be responsible for reviewing and accepting the assessment that will be entered onto the risk register.
The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.
RISK RATING
A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important.
Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below.
Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate attention.
RISK RATING – Figure 1: Risk Assessment (score = likelihood x impact)
Likelihood \ Impact   Low (1)   Medium (2)   High (3)   Very High (4)
Very High (4)         4         8            12         16*
High (3)              3         6            9          12
Medium (2)            2         4            6          8
Low (1)               1         2            3          4
RISK RATING – LIKELIHOOD
The probability of the threat being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: Rare (the risk may occur in exceptional circumstances);
M: Possible (the risk may occur in the next three years);
H: Likely (the risk is likely to occur more than once in the next three years); and
VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
RISK RATING – IMPACT
The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.
M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
RISK RATING – IMPACT (continued)
H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.
VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.
Inherent Risk Rating vs Mitigating Practices / Control Rating
[Figure: heat map with Inherent Risk Rating (0 to 10; Low, Moderate, High, Very High) on the vertical axis and Mitigating Practices / Control Rating (0 to 10; Adequate to Inadequate) on the horizontal axis, divided into four areas: Active Management, Control Critical, Periodic Monitoring and No Major Concern]
Requires active management where consequence is rated 5, else periodic monitoring.
Active Management: risks where treatment options require preparation, active review and management.
Control Critical: control is adequate; continued monitoring of controls to confirm this.
Periodic Monitoring: control is not strong but risk impact is not high. Options include improving control or monitoring risk impact to ensure the residual risk rating does not increase over time.
No Major Concern: risks where the systems and processes managing the risks are adequate and subject to minimal monitoring.
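As an added example, not taken from the EMAC slides, the following Python puts the two preceding slides together: a small risk register is scored with the 4x4 likelihood x impact matrix of Figure 1, and each entry is then placed in one of the four action areas of the inherent risk / control rating heat map. The register entries are constructed from the risk categories and examples given earlier in the deck. The `Risk` class and function names, the threshold `HIGH_INHERENT = 8` for treating a matrix score as high inherent risk, the reading of "very likely and high impact" as VH likelihood with H or VH impact, and the pairing of the four heat-map descriptions with their labels are all assumptions of this example.

```python
# Added example (not from the EMAC slides): a risk register scored with the
# 4x4 likelihood x impact matrix, then classified into the heat-map action areas.
from dataclasses import dataclass

# Scales exactly as the slides define them: Low=1, Medium=2, High=3, Very High=4.
SCALE = {"L": 1, "M": 2, "H": 3, "VH": 4}

# Assumption of this example: a score of 8 or more on the 1..16 matrix counts as
# "high" inherent risk when choosing a heat-map quadrant.
HIGH_INHERENT = 8


@dataclass
class Risk:
    ref: str          # register reference (constructed)
    description: str
    category: str     # a category from the "Identifying risk" tables
    likelihood: str   # L, M, H or VH
    impact: str       # L, M, H or VH
    control: str      # "Adequate" or "Inadequate": the mitigating-practice rating
    owner: str = ""   # the 'risk owner' who accepts the assessment


def score(risk: Risk) -> int:
    """Likelihood x impact, as in Figure 1 (1..16). Values off the scale are rejected
    rather than silently scored, so a departmental register cannot corrupt the corporate one."""
    try:
        return SCALE[risk.likelihood] * SCALE[risk.impact]
    except KeyError as exc:
        raise ValueError(f"{risk.ref}: unknown scale value {exc}") from None


def needs_immediate_attention(risk: Risk) -> bool:
    """The slides single out risks that are very likely AND high impact (assumed: VH likelihood, H or VH impact)."""
    return risk.likelihood == "VH" and risk.impact in ("H", "VH")


def action(risk: Risk) -> str:
    """Heat-map quadrant: high inherent risk with inadequate control is actively managed;
    high inherent risk with adequate control makes that control critical; low inherent
    risk is periodically monitored (inadequate control) or of no major concern (adequate)."""
    if risk.control not in ("Adequate", "Inadequate"):
        raise ValueError(f"{risk.ref}: control rating must be Adequate or Inadequate")
    if score(risk) >= HIGH_INHERENT:
        return "Active Management" if risk.control == "Inadequate" else "Control Critical"
    return "Periodic Monitoring" if risk.control == "Inadequate" else "No Major Concern"


def prioritise(register: list) -> list:
    """(ref, score, action) for every risk, highest score first, so effort is
    concentrated on the most important risks as the slides require."""
    rows = [(r.ref, score(r), action(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register using categories and examples from the slides.
SAMPLE_REGISTER = [
    Risk("R1", "IT failure delays exam paper delivery", "Operational", "H", "H", "Inadequate", "Ops Director"),
    Risk("R2", "Fraud or impropriety in spending", "Financial", "M", "VH", "Adequate", "Finance Director"),
    Risk("R3", "Key staff unavailable at critical times", "Human resource", "VH", "H", "Inadequate", "HR Manager"),
    Risk("R4", "Outdated technology", "Technology", "L", "M", "Adequate", "IT Manager"),
    Risk("R5", "Changing public or government attitudes", "External", "M", "H", "Inadequate", "Policy Lead"),
]

if __name__ == "__main__":
    for ref, s, act in prioritise(SAMPLE_REGISTER):
        flag = " (immediate attention)" if needs_immediate_attention(
            next(r for r in SAMPLE_REGISTER if r.ref == ref)) else ""
        print(f"{ref}: score {s:2d} -> {act}{flag}")
```

Running the block lists the register highest score first (R3 at 12, then R1, R2, R5 and R4). An entry whose likelihood, impact or control rating is off the scale raises `ValueError` instead of being scored, which is the check a risk co-ordinator consolidating departmental registers into the corporate register wants before anything reaches the audit committee.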
Residual risk ratings
This is an alternative risk heat map, preferred by some as it shows that there are no absolute risk boundaries, but rather a gradual change in risk.
[Figure: Inherent Risk Rating (Low to High) against Mitigating Practices / Control Rating (Excellent to Unsatisfactory), with graded zones No Major Concern, Periodic Review, Continuous Review and Active Management]
Risk Appetite
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).
The primary objective of managing operational risk is risk reduction / proactive prevention.
Risk cuts across all financial institution operations and functions.
Risk Appetite Best Practices
Determining Risk Appetite
Risk Assessment Process
To make an initial assessment of risk, a ‘bottom-up and top-down’ approach will be adopted.
This will mean identifying and assessing risks both at an operational level, using the departmental Performance Teams and directorates’ team meetings, and by the Management Team identifying the major risks affecting the organisation.
Risk Assessment Process
The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
Risk Assessment Process
These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator.
The group will identify the more significant risks that will need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised.
For every risk identified as important enough to be placed on the corporate risk register, a ‘risk owner’ will be identified (who will be responsible for overseeing the management of the risk, and making sure appropriate resources are available to do this) and a ‘risk coordinator’ (who will be responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
Risk Assessment Process
The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular the major financial risks. For such major corporate risks, directors are likely to be both the risk owner and the risk coordinator.
The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity’s business plan priorities. They will identify the most critical risks, and report these to the Board of Directors through the audit committee.
EMAC
Risk Assessment ProcessThis process will identify a set of
significant risks that need to be addressed, and placed on the corporate risk register, which will then be maintained by the organisation’s risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the department risk co-ordinator.
Addressing Risks
Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
Addressing Risk
Assessing current risk controls
The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example the risk of examination leakage, action may already have been taken to treat or eliminate the risk under all the circumstances in which it could arise.
Where such mechanisms are in place, the departmental Performance Teams should examine them to judge whether they are adequate: whether any 'residual risk' remains, or whether the risk might 'slip through' the existing mechanisms under some circumstances. In some cases a risk may be found to be 'over-controlled'; the action then may be to ease the controls and allow the risk to be taken.
Addressing Risk
In this way, risks can be addressed through ‘gap analysis’, focussing only on those risks that are not adequately treated, or are not treated at all.
The next stage is to look at how such risks may be dealt with.
How to deal with risk
Transfer the risk: through conventional insurance, or by asking a third party to take on the risk in another way. Contracting out services, for example, transfers some, but not all, risks (and can introduce a new set of risks to be managed);
How to deal with risk
Tolerate the risk: the ability to take effective action against some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained. In this instance, the only management action required is to 'watch' the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat this risk in the future;
How to deal with risk
Treat the risk: by far the greater number of risks will be in this category. The purpose of 'treatment' is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk to an acceptable level; and,
How to deal with risk
Terminate the risk: this is a variation of the 'treat' approach, and involves quick and decisive action to eliminate a risk altogether. For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).
Risk Treatment (decision flow)
START HERE: Is the risk acceptable?
If yes: Accept the risk, then Monitor and Review.
If no: apply a Treatment Strategy in three steps, (1) Recommend, (2) Choose, (3) Implement, drawing on the options Reduce Likelihood, Reduce Consequence, Transfer and Avoid.
After treatment: Is the residual risk acceptable?
If yes: Retain the risk (part retained), then Monitor and Review.
If no: the residual risk is unacceptable; return to the Treatment Strategy.
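The gap analysis of existing controls and the treatment flow above can be put into working form. The Python below is an added example written for this page, not the EMAC deck's template or code: the risks, controls, costs and budget are constructed, the 5x5 likelihood x consequence scoring and the appetite threshold of 6 are assumptions (the deck fixes no scale), and the rule for choosing between options (cheapest affordable option that brings the residual score inside appetite) is one reasonable reading of "Recommend, Choose, Implement", not the deck's own. Risks whose controls do not bring them inside appetite are the gap; a risk whose inherent score was already acceptable but which carries controls is flagged as over-controlled; a risk with no affordable option that works falls back to tolerate-and-watch with an escalation.

```python
"""Risk register, gap analysis and treatment selection.
Added example, not from the EMAC deck: the risks, controls, scores, costs and
budget are constructed, and the 5x5 likelihood x consequence matrix and the
appetite threshold are assumptions (the deck fixes no scale)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

APPETITE = 6  # assumed: a residual score of 6 or less is acceptable to the board

@dataclass
class Control:  # an existing control and how far it is judged to reduce the risk
    name: str
    likelihood_reduction: int = 0
    consequence_reduction: int = 0
    effective: bool = True  # False when self-assessment found it not operating

@dataclass
class Option:  # candidate treatment: reduce_likelihood, reduce_consequence, transfer, avoid
    kind: str
    amount: int = 0  # points removed from the relevant 1-5 scale
    cost: int = 0

@dataclass
class Risk:
    ref: str
    description: str
    likelihood: int   # 1 rare .. 5 almost certain
    consequence: int  # 1 insignificant .. 5 catastrophic
    owner: str
    controls: List[Control] = field(default_factory=list)
    options: List[Option] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.consequence

    def residual(self) -> Tuple[int, int]:
        """Likelihood and consequence after the controls that actually operate."""
        lik, con = self.likelihood, self.consequence
        for ctl in self.controls:
            if ctl.effective:
                lik -= ctl.likelihood_reduction
                con -= ctl.consequence_reduction
        return max(lik, 1), max(con, 1)

def gap_analysis(register: List[Risk], appetite: int = APPETITE) -> Dict[str, List[str]]:
    """Sort the register into adequately treated, gap (under-treated) and over-controlled."""
    out: Dict[str, List[str]] = {"adequate": [], "gap": [], "over_controlled": []}
    for r in register:
        lik, con = r.residual()
        if lik * con > appetite:
            out["gap"].append(r.ref)
        elif r.controls and r.inherent() <= appetite:
            out["over_controlled"].append(r.ref)  # controls exceed what the risk warrants
        else:
            out["adequate"].append(r.ref)
    return out

def apply_option(lik: int, con: int, opt: Option) -> Tuple[int, int]:
    if opt.kind == "avoid":
        return 0, con  # activity terminated, so the risk no longer arises
    if opt.kind == "reduce_likelihood":
        return max(lik - opt.amount, 1), con
    if opt.kind in ("reduce_consequence", "transfer"):
        return lik, max(con - opt.amount, 1)
    raise ValueError(f"unknown treatment kind {opt.kind!r}")

def decide(risk: Risk, appetite: int = APPETITE, budget: int = 100) -> Dict[str, object]:
    """Accept if inside appetite; else choose the cheapest affordable option that works, or escalate."""
    lik, con = risk.residual()
    if lik * con <= appetite:
        return {"ref": risk.ref, "decision": "accept", "residual": lik * con, "action": "monitor and review"}
    viable = []
    for opt in risk.options:  # Recommend: score every option
        l, c = apply_option(lik, con, opt)
        if l * c <= appetite and opt.cost <= budget:
            viable.append((opt, l * c))
    if not viable:  # nothing affordable brings the risk inside appetite
        return {"ref": risk.ref, "decision": "tolerate", "residual": lik * con,
                "action": "unacceptable residual risk: escalate to Management Team and watch"}
    opt, score = min(viable, key=lambda pair: pair[0].cost)  # Choose
    return {"ref": risk.ref, "decision": "treat", "chosen": opt.kind, "cost": opt.cost,
            "residual": score, "action": "implement, then monitor and review"}

REGISTER = [  # constructed; R1 and R2 echo the deck's own exam-leakage and outdated-system cases
    Risk("R1", "Examination paper leaked before the sitting", 4, 5, "Director of Examinations",
         [Control("Sealed storage with two-person access", likelihood_reduction=2)],
         [Option("reduce_likelihood", 1, cost=20), Option("transfer", 2, cost=80)]),
    Risk("R2", "Outdated records system fails in the results period", 3, 4, "Head of IT",
         [Control("Nightly backups", consequence_reduction=1, effective=False)],
         [Option("avoid", cost=90), Option("reduce_consequence", 1, cost=10)]),
    Risk("R3", "Minor petty-cash discrepancy", 2, 2, "Finance Manager",
         [Control("Daily dual sign-off", likelihood_reduction=1)]),
    Risk("R4", "Flooding closes the main office", 2, 5, "Facilities Manager",
         options=[Option("reduce_consequence", 3, cost=400)]),
    Risk("R5", "Late supplier deliveries", 3, 3, "Procurement Manager",
         [Control("Approved supplier list", likelihood_reduction=1)]),
]

def treatment_plan(register: List[Risk] = REGISTER) -> List[Dict[str, object]]:
    return [decide(r) for r in register]
```

Running `gap_analysis(REGISTER)` places R1, R2 and R4 in the gap, R3 under over-controlled and R5 under adequate; `treatment_plan()` then treats R1 by reducing likelihood (cheaper than the transfer option that also works), terminates R2 because its only affordable option inside appetite is to avoid the activity, accepts R3 and R5, and escalates R4, whose one option costs more than the budget allows. Note that R2's backup control is marked ineffective and is therefore ignored, which is exactly the case the self-assessment step is meant to surface.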
RISK IDENTIFICATION AND ANALYSIS TEMPLATE (see attachment)
Risk Reporting
Key Risk Indicators
Developing KRIs
Examples of Risk Indicators
Risk Control Self Assessment (RCSA)
Risk IT Extends Val IT and COBIT
COBIT 5 Principles
COBIT 5 Enterprise Enablers
Role of internal auditor in RM
Giving assurance on risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks.
Role of internal auditor (with safeguards)
Facilitating identification and evaluation of risks.
Coaching management in responding to risks.
Coordinating ERM activities.
Consolidating the reporting on risks.
Maintaining and developing the ERM framework.
Championing establishment of ERM.
Developing risk management strategy for board approval.
What the IA should not do
Setting the risk appetite.
Imposing risk management processes.
Management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.
Internal Audit Approach
Role of Audit committee in RM
Critical role in ERM by establishing the right environment or tone-at-the-top
Vital role in overseeing management’s approach to ERM
Without their oversight, ERM may not be embraced by senior management
Discuss policies with respect to risk assessment and risk management
Better risk intelligence means both audit committees and the full board are better informed
Conclusion
Risk management is a process: therefore put in place a strategy for introducing risk management.
Develop a risk management strategy.
Develop a risk management framework tailored to your activities (avoid copying and pasting).
Develop risk management policy and guidelines.
Develop a risk management capacity building program.
End of Session V and Final Case Study
Risk management in public institutions
It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions.
Risks are inherent in public institutions as well as in the private sector; this applies across the whole of the public sector.
Risk management is new to public organizations, but the concept of risk is not new.
Government internal auditors have a special mandate to champion its establishment and monitoring.
RISK MANAGEMENT IN PUBLIC SECTOR
The public sector is currently undergoing radical changes through reforms.
There are new risks related to human rights, unemployment and corporate governance.
Risk management should be a vital part of the functions and activities provided by public institutions.
Without risk management it will not be possible to achieve good corporate governance or the aims and intentions of much legislation and many rules.
RISK MANAGEMENT IN PUBLIC SECTOR
Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems.
These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation.
What to do then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish risk management processes that are clearly defined and documented, and continuously apply risk management practices in decision making.
Can you assess your Risk Maturity?
Risk Management PART II: CONTROL SELF ASSESSMENT
By Sako Mayrick
ELSAM MANAGEMENT CONSULTANTS
Operational Risk Management Framework and Control Self Assessment
Pillars of Operational Risk Management (diagram)
EXECUTIVE MANAGEMENT
Pillars: Losses, CSA, Issues, Indicators
Qualitative/Quantitative Analyses
Common Operational Risk Classification Scheme
Control Self Assessment Framework
Control Self Assessment: Outline
Control-Self Assessment Definition
Control-Self Assessment Objectives
Enterprise wide Control Self Assessment Framework
Balanced Scorecard
CSA Methodology
Results
Corporate Governance
CSA Rollout - Project Time Line
Control Self Assessment: Definition
Control-Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process.
Control Self Assessment: Objectives
Communication
To ensure better communication of the DG's objectives and strategies to all business lines
To ensure business line managers communicate their risks and controls more effectively
Education
To ensure business line managers have a better comprehension of effective risk control
To ensure business line managers have a better comprehension of risk management
Proactive Management
To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
To ensure business line managers assume greater responsibility and accountability for their risks and controls
To ensure business line managers monitor their risks effectively and in a timely manner
To ensure business line managers utilize and allocate their resources effectively
Enterprise-wide CSA Framework: Goal
To foster a proactive management framework which is pervasive throughout the organisation
Step 1: Objective Setting
Balanced Scorecard: a tool that translates a firm's mission and strategy into a comprehensive set of performance measures that provides the framework for a strategic measurement and management system.
Objectives
Ensures linkage between the objectives of senior management and the businesses
Increased focus on the appropriateness of the objectives
Reinforced as the central "top down" articulation of goals
Provides a framework within which the oversight functions, risk management and the business lines operate
Step 2: CSA Methodology
ORCA Framework: Objectives, Risk Assessment of Key Processes, Controls, Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
Step 2: CSA Methodology
ORCA Framework
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
Step 2: CSA Methodology
Key Indicators
Metrics to measure the effectiveness of controls in mitigating or managing risks:
To measure operational problems
To monitor the quality of the services provided
To provide early warning of problems
To aid in the containment of losses
To determine trends
To set limits for risk or escalation criteria
To facilitate everyday decisions.
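The uses listed for key indicators (limits, escalation criteria, early warning, trends) come together in a small monitoring routine. The Python below is an added example written for this page, not code from the EMAC deck or its RCSA templates: the three indicators, their amber and red limits, and the six months of figures are constructed, and the escalation rule (red breaches escalate, amber or a worsening trend raises an early warning) is an assumed policy. It also shows one indicator being normalised from raw counts, so that a month with more transactions is not penalised merely for its volume, and one indicator where a lower value is the bad direction.

```python
"""Key risk indicators with limits, escalation criteria and trend detection.
Added example, not from the EMAC deck: indicator names, amber/red limits and the
six-month figures are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class KRI:
    name: str
    amber: float  # watch limit
    red: float    # escalation limit
    higher_is_worse: bool = True

    def breaches(self, value: float, limit: float) -> bool:
        return value >= limit if self.higher_is_worse else value <= limit

    def rating(self, value: float) -> str:
        if self.breaches(value, self.red):
            return "red"
        if self.breaches(value, self.amber):
            return "amber"
        return "green"

    def trend(self, series: List[float], steps: int = 3) -> str:
        """Direction of the last `steps` period-on-period moves."""
        if len(series) < steps + 1:
            return "insufficient data"
        deltas = [b - a for a, b in zip(series[-steps - 1:-1], series[-steps:])]
        up, down = all(d > 0 for d in deltas), all(d < 0 for d in deltas)
        worse, better = (up, down) if self.higher_is_worse else (down, up)
        return "worsening" if worse else "improving" if better else "stable"

def per_thousand(failed: List[int], total: List[int]) -> List[float]:
    """Normalise raw counts so months with different volumes compare fairly."""
    return [round(1000 * f / t, 2) for f, t in zip(failed, total)]

def assess(kri: KRI, series: List[float]) -> Dict[str, object]:
    latest = series[-1]
    rating, direction = kri.rating(latest), kri.trend(series)
    if rating == "red":
        action = "limit breached: escalate to the risk owner and Management Team"
    elif rating == "amber" or direction == "worsening":
        action = "early warning: risk coordinator to review the related controls"
    else:
        action = "none"
    return {"kri": kri.name, "latest": latest, "rating": rating, "trend": direction, "action": action}

# Constructed six-month figures (January to June), oldest first
RAW = {
    "reconciliation_breaks": [12, 15, 18, 22, 27, 31],
    "transactions": [10000] * 6,
    "open_audit_findings_over_90_days": [4, 3, 3, 2, 2, 2],
    "csa_questionnaires_returned_pct": [98, 96, 95, 92, 90, 88],
}

KRIS = [
    (KRI("Reconciliation breaks per 1,000 transactions", amber=2.0, red=3.0),
     per_thousand(RAW["reconciliation_breaks"], RAW["transactions"])),
    (KRI("High-risk audit findings open over 90 days", amber=3, red=5),
     RAW["open_audit_findings_over_90_days"]),
    (KRI("CSA questionnaires returned on time (%)", amber=90, red=85, higher_is_worse=False),
     RAW["csa_questionnaires_returned_pct"]),
]

def dashboard() -> List[Dict[str, object]]:
    """One row per indicator, as a risk coordinator would report it each month."""
    return [assess(kri, series) for kri, series in KRIS]
```

On the constructed data, `dashboard()` reports the reconciliation indicator as red and worsening (3.1 per thousand against a limit of 3.0, rising for three straight months), the audit-findings indicator as green and stable, and the questionnaire return rate as amber and worsening, which triggers the early warning even though the red limit has not yet been reached. Trend is judged on consecutive moves rather than on the latest value alone, so a single bad month does not by itself register as a deteriorating trend.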
General Approaches for CSA
Facilitated meetings – group workshops
Questionnaires – yes/no answers
Management analysis – self studies
Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm’s risk environment on an ongoing basis
Tools for CRSA
Advantages of CSA
The presented enterprise-wide control self-assessment framework:
Provides flexibility and dynamism to evolve with the changing firm
Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives
Is an integral component of a strong corporate governance structure
Way Forward
CRSA is an important management tool.
We have matured in risk management and therefore it is time to move a step further through CRSA.
There are new issues in place, so a review of controls is imperative.
There is a critical need for organisations to prepare for CRSA for the efficiency and effectiveness of their operations.