
Advanced Risk Management - Elsam Management Consultants


DESCRIPTION

This deck provides a general overview of enterprise risk management principles, which can help transform an organisation from being exposed to risk to being protected against it. The basic steps in the risk management process are critically and logically analysed.


Page 1: Advanced Risk Management - Elsam Management Consultants

www.elsamconsult.com 1

EMAC

ADVANCED RISK MANAGEMENT WORKSHOP

STELLA MARIS HOSTEL

Bagamoyo, 9th-11th April 2014

ELSAM MANAGEMENT CONSULTANTS - EMAC

Page 2: Advanced Risk Management - Elsam Management Consultants

Notes

These slides contain video clips to help the reader understand the risk management concepts.

To view the clips you must be in slide show mode and click on the underlined links.

The video clips are copyrighted material; EMAC accepts no legal responsibility for any use other than educational dissemination.

Page 3: Advanced Risk Management - Elsam Management Consultants

Welcoming Remarks

Who are we? Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.

Core functions: Recruitment, Training and Consultancies

More details: www.elsamconsult.com

Page 4: Advanced Risk Management - Elsam Management Consultants

Welcoming Remarks

Introduction of the facilitators. Self-introduction to the others on your team.

Recap: share something from your personal experience in risk management and highlight your expectations of this training.

Pick one: identify a risk and discuss it as both a threat and an opportunity.

Pick a spokesperson and report back to the larger group.

Page 5: Advanced Risk Management - Elsam Management Consultants


Why this training?

Page 6: Advanced Risk Management - Elsam Management Consultants

Why this training?

Government collapse: Greece, Turkey, Africa

Global markets, more complex; greater product complexity; new businesses (e-banking); increasing competition; new players

Page 7: Advanced Risk Management - Elsam Management Consultants

Why this training?

Regulatory imbalances; technology; corporate failures (what about Tanzania?); increase in fraud and corruption; increase in "snakes in suits"; theft and robberies

Page 8: Advanced Risk Management - Elsam Management Consultants

Organization of this training

Day 1 - Understanding Risk Management Principles
Day 2 - Public Sector Risk Management: theoretical implications, practical implications, challenges
Day 3 - Fraud Risk Management
Day 3 - Lessons Learned from practice

Page 9: Advanced Risk Management - Elsam Management Consultants


Part I

Page 10: Advanced Risk Management - Elsam Management Consultants

OVERVIEW OF RISK MANAGEMENT

UNDERSTANDING THE RISK MANAGEMENT CONCEPTS AND DIGESTS

Page 11: Advanced Risk Management - Elsam Management Consultants

Presentation Plan

Defining and understanding risk
Risk and Risk Management
Objectives of Risk Management
Modeling of the Risk Management Process
Risk Management Process
Guidelines for Risk Management

Page 12: Advanced Risk Management - Elsam Management Consultants

Presentation Plan cont...

Role of the Internal Auditor in Risk Management
Role of the Audit Committee in Risk Management
Examples of Models for Risk Management
Practical sessions (continuous)

Page 13: Advanced Risk Management - Elsam Management Consultants

Risk? What is it?

What is not risk?

Page 14: Advanced Risk Management - Elsam Management Consultants

Risk

Real or perceived, risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.

'A calculation of both probability and improbability becoming a reality.'

Risk has no religion. This definition is based on three scenarios:

Page 15: Advanced Risk Management - Elsam Management Consultants

Risk Scenarios

Whatever can go wrong, will go wrong.
Whatever cannot go wrong, will go wrong.
When things go wrong, they go badly wrong.

Page 16: Advanced Risk Management - Elsam Management Consultants

WHAT IS RISK?

Something happening that may have an impact on the achievement of objectives. It includes risk as an opportunity as well as a threat.

By managing threats the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities the organisation will be in a better position to provide improved services and better value for money.

Page 17: Advanced Risk Management - Elsam Management Consultants

Probability vs 'Risk Magnitude'

[Figure: a scale from -10 through 0 to +10. Labels on the slide: Improbable Risk, Unlikely Risk, Likely Risk, Probable Risks, High Magnitude Risk, Low Magnitude Risk.]

Click on the underlined words to watch the video.

Page 18: Advanced Risk Management - Elsam Management Consultants

Group study 1

Based on the video presentation:

Can you identify ten risk scenarios?
Do you agree that one risk normally results in other potential risks?
Is this a probable or an improbable risk?
What are the major risks in your organisation which are improbable?

Page 19: Advanced Risk Management - Elsam Management Consultants

EXAMPLES OF RISKS

Resources, political, economic, social, technological, legislative/regulatory, environmental, competition, customer/citizen, managerial, professional, financial, legal, partnership/contractual, procurement, physical, technological...

Page 20: Advanced Risk Management - Elsam Management Consultants

Mention the risks you know in...

Public sector service delivery
Banking industry
Starting a job or career
Transport and travel
Financial management
Attending this workshop
Risks related to your organization

Page 21: Advanced Risk Management - Elsam Management Consultants

Risks: Risk Category and Possible Risk Areas (CRCA © 2007 Deloitte Touche Tohmatsu; the same table is repeated on page 22)

Strategy: Planning; Business Portfolio Management Activity; New Business/Growth Opportunities; Strategy Development; Business Performance Management; Target Setting/Vision/Goals; Investor Relations; Joint Venture Management; Rationalisation; Communication of strategic direction set by the Board

Human Resources: Workplace Industrial Relations; Employment Practices; Remuneration and Entitlements; Succession Planning; Recruitment and Retention; Workers Compensation; Skills Availability/Training and Development; Leadership; Diversity; Employee Safety and Health; Performance Incentivisation; Communication; Contractors/3rd Parties

Information Technology: Data Management; Data Security; Systems Development/New Systems; Systems Maintenance; Availability; Data Integrity; Service Delivery; e-Commerce; Outsourcing Management; Interface with 3rd Parties; Sharing of Classified Information

Marketing: Competitive Positioning; Market Research; Image; Trademarks; Strategic Alliance Networks; Pricing/Costing; Patents; Reputation; Customer Service

New Products: Project Management; Research and Development; Product Portfolio; Product Liability; Obsolescence; e-Commerce

Supply Chain/Distribution: Logistics; Purchasing/Procurement; Inventory Management; Contract Management; Import Clearance; Continuity Management

Environment: Regulatory Compliance; Contamination; Loss of Containment; Complaints Management/Handling; Image/Reputation; Community/Government Relations

Legal: Regulatory Compliance; Commercial Relationships; Acquisitions/Divestments; Intellectual Property; Competition Law; Contractual Obligations

Finance: Funding/Treasury; Investments; Taxation; Debt Management; Supplier Payments; Capital Expenditure; Financial Controls and Reporting; Fraud; Insurance

Physical Assets: Security; Natural Disaster; Fire; Explosion; Impact; Capital Expenditure

Operations: Manufacturing Upscaling; Technical Engineering; Capacity Planning; Costs of Upscaling to Production; Reliability Management and Partners; Safe Operations

Government: Sovereignty; Politics; War; Legislative Change; Corruption; Terrorism; Tax Law Change; Change to Party in Power

Economics: Interest Rates; Commodity; Currency

Page 23: Advanced Risk Management - Elsam Management Consultants

Case study I

Video, Practical Session I, Case Analysis I

Meaning of Risks

Page 24: Advanced Risk Management - Elsam Management Consultants


End of Session I

Page 25: Advanced Risk Management - Elsam Management Consultants

Risk Management

Page 26: Advanced Risk Management - Elsam Management Consultants

What is Risk Management?

Page 27: Advanced Risk Management - Elsam Management Consultants

Basis of Risk Management

Risk management is a part of the wider corporate governance and internal control system of an organization.

Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.

Page 28: Advanced Risk Management - Elsam Management Consultants

Risk Management Pillars of Corporate Governance

Accountability: ensure that management is accountable to the Board; ensure that the Board is accountable to the shareholders.

Fairness: protect shareholders' rights; treat all shareholders, including minorities, equitably; provide effective redress for violations.

Transparency: ensure timely, accurate disclosure on all material matters, including financial situation, performance, ownership and corporate governance.

Independence: procedures and structures are in place to minimize, or avoid completely, conflicts of interest; independent directors and advisers, i.e. free from the influence of others.

Page 29: Advanced Risk Management - Elsam Management Consultants

Principles of Risk Management

Risk management should:
Create value (gain should exceed pain)
Be an integral part of organisational processes
Be part of the decision-making process
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be customizable to entity needs
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually and periodically re-assessed
Be tailorable

Page 30: Advanced Risk Management - Elsam Management Consultants

Risk management

It is not avoiding risk. It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.

There is no risk-free environment!

Page 31: Advanced Risk Management - Elsam Management Consultants

Risk management defined

Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management - Integrated Framework, September 2004, New York, NY)

Page 32: Advanced Risk Management - Elsam Management Consultants

Risk Management Defined

RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to, and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)

Risk management is the identification, assessment and prioritization of risks (ISO 31000) and the subsequent application of resources to minimize, monitor and control the probability and/or impact of downside events, or to maximize the realization of opportunities.

It deals with the management of uncertainty, risks and opportunities towards the achievement of company goals and objectives.

Page 33: Advanced Risk Management - Elsam Management Consultants

Objectives of Risk Management

Support strategic and business planning
Enhance communication between directors and departments
Support effective use of resources
Promote continual improvement
Help focus internal audit programs
Fewer shocks and unwelcome surprises
Reassure stakeholders
Quick grasp of new opportunities

Page 34: Advanced Risk Management - Elsam Management Consultants

Objectives and RM

Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.

Objectives must be defined before defining the risks which may affect them.

Risk management must be linked to objectives, strategies and projects.

Page 35: Advanced Risk Management - Elsam Management Consultants

Benefits of Risk Management

Aligns risk profile and strategy
Broadens risk awareness
Minimizes surprises and losses
Rationalizes capital requirements
Improves shareholder value
Assures regulatory compliance

Page 36: Advanced Risk Management - Elsam Management Consultants

Hard and Soft Side of Risk Management

Hard side: Measures and Reporting; Risk Oversight Committees; Policies and Procedures; Risk Assessment; Risk Limits; Audit Process; Systems

Soft side: Risk Awareness; People; Skills; Integrity; Incentives; Culture and Values; Trust and Communication

Page 37: Advanced Risk Management - Elsam Management Consultants


Drivers for Risk Management

Page 38: Advanced Risk Management - Elsam Management Consultants

Case study 2

Video Presentation

What are the real objectives of RM?

Page 39: Advanced Risk Management - Elsam Management Consultants

STRATEGIC OPERATIONAL RISK

[Figure: overview of a strategic plan (SP): situation analysis, mission and vision, objectives, targets, activities, inputs and costing.]

Page 40: Advanced Risk Management - Elsam Management Consultants


What do you See?

Page 41: Advanced Risk Management - Elsam Management Consultants


End of Session II

Page 42: Advanced Risk Management - Elsam Management Consultants

Risk Management Frameworks

Modeling of Risk Management and Risk Management Standards

Page 43: Advanced Risk Management - Elsam Management Consultants

Common Risk Management Standards

Risk Management Standard (IRM, ALARM and AIRMIC) of the UK
ISO 31000 Risk Management - Guidelines on principles and implementation of risk management
ISO Guide 73 - Risk Management Vocabulary
BS 31100 Code of practice for Risk Management
AS/NZS 4360:2004 Risk Management Standard
COSO Enterprise Risk Management
Canadian Government Sector Standard
Basel II/III
Solvency II (ICAAP)
King Report

Page 44: Advanced Risk Management - Elsam Management Consultants

[Figure: models named on the slide: COCO, Westinghouse, Malcolm Baldrige, Deming, COSO, ISO 31000, Peter Senge's Deep Learning Framework, Cadbury, Twelve Attributes, Basel II.]

Page 45: Advanced Risk Management - Elsam Management Consultants

Many Models To Choose Among

COSO, COCO, Cadbury Report, Deming Award, TQM, 12 Attributes, Deep Learning Framework, Baldrige Award, ISO 31000, Westinghouse Award, Northrop Award

Page 46: Advanced Risk Management - Elsam Management Consultants

Who Developed the Models?

COSO: the major accounting and audit professional organizations issued COSO in 1992.

12 Criteria: the Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.

COCO: in November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.

Page 47: Advanced Risk Management - Elsam Management Consultants

Who Developed the Models? (Continued)

ISO 31000: developed by the International Organization for Standardization (ISO).

Deep Learning Framework: in 1990, Peter Senge published the now classic The Fifth Discipline, and in 1995 The Fifth Discipline Fieldbook.

Page 48: Advanced Risk Management - Elsam Management Consultants

Different Frameworks: Same Goals

Frameworks provide a way of understanding our organizations.

By having different groupings, each highlights some aspects of control more than others.

The criteria in the frameworks provide a basis for understanding control in an organization and for making judgements about the effectiveness of control.

Page 49: Advanced Risk Management - Elsam Management Consultants

Different Frameworks: Same Goals

Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.

Frameworks provide a standard review process.

Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business, giving a picture of how well all of the controls in all of the dimensions are working.

Page 50: Advanced Risk Management - Elsam Management Consultants


Risk Management Principles, Frameworks and Processes


Page 55: Advanced Risk Management - Elsam Management Consultants

Risk Management Process

[Figure: the process runs Establish Context, Identify Risks, Analyse Risks, Evaluate Risks, Treat Risks, with Identify, Analyse and Evaluate bracketed together as Risk Assessment. Communication and Consultation runs alongside every step, as does Monitor and Review. The slide also labels the cycle "Assess Risks and Controls".]

Context: strategic, internal and external context
Identification: what can go wrong? Missed opportunities?
Analysis/Measurement: assess risk likelihood and consequence, review
Evaluate: compare risks, set risk priorities
Treatment options: reduce, avoid, transfer or retain

Page 56: Advanced Risk Management - Elsam Management Consultants

Risk Management Process: COSO Framework

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.

It is a US private sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance and business ethics, with guidance on internal control, ERM, fraud and financial reporting.

COSO has established a common internal control model against which companies and organizations may assess their control systems.

Page 57: Advanced Risk Management - Elsam Management Consultants

COSO AND ISO 31000

COSO defines ERM as a process:
effected by an entity's board of directors, management and other personnel;
applied in strategy setting and across the enterprise;
designed to identify potential events that may affect the entity;
managing risks within its risk appetite;
providing reasonable assurance regarding the achievement of entity objectives.

IRM (New COSO) defines risk management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.

Generally, it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).

Page 58: Advanced Risk Management - Elsam Management Consultants

COSO AND ISO 31000

ISO 31000 defines risk management as an integral part of all organizational processes. It is not a stand-alone activity that is separate from the main activities and processes of the organization.

It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

In practical terms the whole of the business is just like risk management. Why?

Buffett defines risk management as

Page 59: Advanced Risk Management - Elsam Management Consultants

Case Study II - Risk Management

Analysis of the Warren case:
What is risk management?
What are the consequences of dedicating risk management activities to a single unit in an organisation?
Who is supposed to manage risk in an organization?
What is the status of risk management today?

Summary of Risk Management Models

Case study of risk in the hospitality industry

Page 60: Advanced Risk Management - Elsam Management Consultants

End of Session III


Page 61: Advanced Risk Management - Elsam Management Consultants

COSO ERM Framework

Understanding the cube

[Figure: the COSO ERM cube. Components named on the slide: Objectives, Internal Environment, Event Identification, Risk Assessment, Risk Response, Control Activities, Risk Monitoring.]

Page 62: Advanced Risk Management - Elsam Management Consultants

COSO Framework (Control Framework)

[Figure: COSO control framework; the axis label on the slide reads "Strategy".]

A car internal control exemplification

Page 63: Advanced Risk Management - Elsam Management Consultants

Effective Risk Management

Organizations should come up with a risk management strategy in order to ensure that they achieve their goals and objectives.

When the management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this, hence the need for effective risk management.

Page 64: Advanced Risk Management - Elsam Management Consultants

Effective Risk Management

A risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that will be used to underpin this approach.

The diagram on the next slide summarizes the risk management process within the organisation.

Page 65: Advanced Risk Management - Elsam Management Consultants

[Figure: risk management process diagram.]

Page 66: Advanced Risk Management - Elsam Management Consultants


End of Session IV

Page 67: Advanced Risk Management - Elsam Management Consultants


Who manages risks?

Page 68: Advanced Risk Management - Elsam Management Consultants

ELEMENTS OF RISK MANAGEMENT

Identifying risks
Assessing risks
Addressing risks
Reviewing and reporting risks

Page 69: Advanced Risk Management - Elsam Management Consultants

The entity should ensure that it has...

A robust approach to risk management, aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of our stakeholders.

Accountability: processes and data will be open to review by our auditors, and we will respond to the improvements they suggest.

We will encourage appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.

Page 70: Advanced Risk Management - Elsam Management Consultants

Identifying risk

A 'risk' is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings in its own systems and procedures.

Identification can be done through staff workshops or work groups.

Consideration should be given to categories of risk.

The issues should be prepared and presented in the form of risk scenarios.

Page 71: Advanced Risk Management - Elsam Management Consultants

Identifying risk

Risk category: Possible risks

Compliance risk: the risk of failing to comply with statutory requirements

External risk: risks from changing public or government attitudes

Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources

Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures

Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations

Page 72: Advanced Risk Management - Elsam Management Consultants

IDENTIFYING RISK

Risk type: Possible risks

Reputation risk: risks from damage to the organisation's credibility and reputation

Risks facing the banking sector

Risks to our stakeholders that need to be taken into account in our planning and service provision, for example fraud

Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities

Technology risk: risks arising from outdated technology, inadequate data processing and software malfunctioning

Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or required training for staff is not available

Page 73: Advanced Risk Management - Elsam Management Consultants

Identifying Risk: What To Do?

Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the entity's most important risks, built up from information provided by each department.

Page 74: Advanced Risk Management - Elsam Management Consultants

IDENTIFYING RISK: WHAT TO DO?

The identification of risks is a continuous process and all staff have a part to play; it is not the sole domain of managers.

Systematically identifying risks will enable risks to be assessed and dealt with.

It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................

Page 75: Advanced Risk Management - Elsam Management Consultants

ASSESSING RISK

To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.

Whoever identifies the risk should be responsible for assessing it.

Page 76: Advanced Risk Management - Elsam Management Consultants

ASSESSING RISK

This initial assessment will then be refined with the help of colleagues and managers, and a 'risk owner' will be identified who will be responsible for reviewing and accepting the assessment that is entered onto the risk register.

The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.

Page 77: Advanced Risk Management - Elsam Management Consultants

RISK RATING

A means of comparing risks is needed so that effort can be concentrated on addressing those that are most important.

Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 on the next slide.

Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate attention.

Page 78: Advanced Risk Management - Elsam Management Consultants

RISK RATING

Figure 1: Risk Assessment matrix (score = likelihood x impact)

                        Impact
Likelihood         Low (1)  Medium (2)  High (3)  Very High (4)
Very High (4)         4         8          12         16*
High (3)              3         6           9         12
Medium (2)            2         4           6          8
Low (1)               1         2           3          4

Page 79: Advanced Risk Management - Elsam Management Consultants

EMAC

RISK RATING - LIKELIHOOD

Likelihood: the probability of the threat being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:

L: Rare (the risk may occur in exceptional circumstances);

M: Possible (the risk may occur in the next three years);

H: Likely (the risk is likely to occur more than once in the next three years); and,

VH: Almost certain (the risk is likely to occur this year or at frequent intervals).

Page 80

RISK RATING - IMPACT

Impact: the effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:

L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.

M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.


Page 82

RISK RATING - IMPACT (continued)

H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.

VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.

Page 83

Figure: risk heat map plotting Inherent Risk Rating (vertical axis, 0 to 10, labelled Low, Moderate, High, Very High) against Mitigating Practices / Control Rating (horizontal axis, 0 to 10, from Adequate to Inadequate). The four quadrants and the treatment each implies, as positioned on the figure:

Active Management (high inherent risk, inadequate control): risks where treatment options require preparation, active review and management.

Control Critical (high inherent risk, adequate control): control is adequate; continued monitoring of the controls is needed to confirm this.

Periodic Monitoring (lower inherent risk, inadequate control): control is not strong but risk impact is not high. Options include improving control or monitoring risk impact to ensure the residual risk rating does not increase over time.

No Major Concern (lower inherent risk, adequate control): risks where the systems and processes managing the risks are adequate and subject to minimal monitoring.

Rule of thumb given on the figure: a risk requires Active Management where its consequence is rated 5, otherwise Periodic Monitoring.

Page 84

Residual risk ratings

This is an alternative risk heat map preferred by some, as it shows that there are no absolute risk boundaries but rather a gradual change in risk.

Figure: Inherent Risk Rating (vertical axis, Low to High) against Mitigating Practices / Control Rating (horizontal axis, Excellent to Unsatisfactory), shaded in graded bands from No Major Concern through Periodic Review and Active Management to Continuous Review.

Page 85

Risk Appetite

Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.

Express it in quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation around each objective).

The primary objective of managing operational risk is risk reduction and proactive prevention.

Risk cuts across all of a financial institution's operations and functions.

Page 86

Risk Appetite Best Practices

Page 87

Determining Risk Appetite

Page 88

Risk Assessment Process

To make an initial assessment of risk, a 'bottom-up and top-down' approach will be adopted.

This means identifying and assessing risks both at an operational level, through the departmental Performance Teams and directorates' team meetings, and at a strategic level, with the Management Team identifying the major risks affecting the organisation.

Page 89

Risk Assessment Process

The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).

Page 90

Risk Assessment Process

These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator.

The group will identify the more significant risks that will need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised.

For every risk identified as important enough to be placed on the corporate risk register, a 'risk owner' will be identified (responsible for overseeing the management of the risk and making sure appropriate resources are available to do this) and a 'risk coordinator' (responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).

Page 91

Risk Assessment Process

The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular the major financial risks. For such major corporate risks, directors are likely to be both risk owner and risk coordinator.

The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity's business plan priorities. They will identify the most critical risks and report these to the Board of Directors through the audit committee.

Page 92

Risk Assessment Process

This process will identify a set of significant risks that need to be addressed and placed on the corporate risk register, which will then be maintained by the organisation's risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the departmental risk co-ordinator.

Page 93

Addressing Risks

Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.

Page 94

Addressing Risk

Assessing current risk controls

The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example examination leakage risk, action may already have been taken to treat or eliminate the risk under all circumstances in which it could arise.

Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any 'residual risk' remains, and whether the risk might 'slip through' the existing mechanisms under some circumstances. In some cases, risks may be deemed to be 'over-controlled'; the action in that case may be to ease such controls and allow the risk to be taken.

Page 95

Addressing Risk

In this way, risks can be addressed through ‘gap analysis’, focussing only on those risks that are not adequately treated, or are not treated at all.

The next stage is to look at how such risks may be dealt with.

Page 96

How to deal with risk

Transfer the risk: through conventional insurance, or by asking a third party to take on the risk in another way.

Contracting out services, for example, transfers some, but not all, risks (and can introduce a new set of risks to be managed);

Page 97

How to deal with risk

Tolerate the risk: the ability to take effective action against some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained.

In this instance, the only management action required is to 'watch' the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat the risk in the future;

Page 98

How to deal with risk

Treat the risk: by far the greater number of risks will be in this category. The purpose of 'treatment' is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk at an acceptable level; and,

Page 99

How to deal with risk

Terminate the risk: this is a variation of the 'treat' approach, and involves quick and decisive action to eliminate a risk altogether.

For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).

Page 100

Risk Treatment (flow chart)

START HERE

1. Is the risk acceptable?
   Yes: Accept the risk, then Monitor and Review.
   No: go to the treatment strategy.

2. Treatment strategy: (1) Recommend, (2) Choose, (3) Implement one or more options: Reduce Likelihood, Reduce Consequence, Transfer, Avoid, or Retain (with part of the risk retained in any case).

3. Is the residual risk acceptable?
   Yes: Monitor and Review.
   No: unacceptable residual risk; return to the treatment strategy.
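The scoring matrix of Figure 1 and the accept / treat / re-assess loop of the flow chart, carried through in code. This is an added example written for this page, not tooling from the workshop or from EMAC: a register is ranked by likelihood x impact, the VH x VH cell is flagged for immediate attention, and each risk is walked through the treatment loop until its residual score is within appetite. The sample risks, the treatments and the appetite threshold of 4 are constructed assumptions; the slides define the scales but give no appetite figure.

```python
# Added example for this page (not EMAC's own tooling). Scores a risk register
# with the 4x4 likelihood x impact matrix from the slides and walks the
# accept / treat / re-assess loop of the Risk Treatment flow chart.
# The sample register, treatments and appetite threshold are constructed
# assumptions for illustration.
from dataclasses import dataclass, replace

# The four levels of both scales, in the order the slides define them.
LEVELS = ["L", "M", "H", "VH"]          # Low=1, Medium=2, High=3, Very High=4


def level_value(level: str) -> int:
    """Numeric value of a likelihood or impact level (1..4)."""
    return LEVELS.index(level) + 1


def lower_level(level: str, steps: int) -> str:
    """Move a level down the scale by `steps`, never below Low."""
    return LEVELS[max(0, LEVELS.index(level) - steps)]


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str          # one of LEVELS (Rare .. Almost certain)
    impact: str              # one of LEVELS (minimal .. huge loss)
    avoided: bool = False    # True once the activity giving rise to it is stopped


def score(risk: Risk) -> int:
    """Risk rating = likelihood x impact, i.e. the matrix cell (1..16); 0 once avoided."""
    if risk.avoided:
        return 0
    return level_value(risk.likelihood) * level_value(risk.impact)


def prioritise(register):
    """Rank a register highest score first. The 16 cell (VH x VH) is tagged
    'immediate', as the slides require; everything else is simply ranked."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.name, score(r), "immediate" if score(r) == 16 else "ranked")
            for r in ranked]


@dataclass(frozen=True)
class Treatment:
    """One mitigating action from the flow chart. Reduce Likelihood and Reduce
    Consequence move a rating down the scale; Avoid stops the activity.
    Transfer is modelled as a consequence reduction for the part handed to a
    third party, since the slides note that part of a risk is always retained."""
    name: str
    likelihood_steps: int = 0   # levels to move down the likelihood scale
    impact_steps: int = 0       # levels to move down the impact scale
    avoid: bool = False

    def apply(self, risk: Risk) -> Risk:
        if self.avoid:
            return replace(risk, avoided=True)
        return replace(risk,
                       likelihood=lower_level(risk.likelihood, self.likelihood_steps),
                       impact=lower_level(risk.impact, self.impact_steps))


def assess(risk: Risk, appetite: int, treatments):
    """Walk the Risk Treatment flow: accept if the inherent score is within
    appetite, otherwise apply the recommended treatments in order and stop as
    soon as the residual score is acceptable. Returns the decision, the residual
    risk and the score history to record against the register entry."""
    history = [("inherent", score(risk))]
    if score(risk) <= appetite:
        return "accept", risk, history
    current = risk
    for treatment in treatments:
        current = treatment.apply(current)
        history.append((treatment.name, score(current)))
        if score(current) <= appetite:
            return "treated", current, history
    return "unacceptable residual risk", current, history


# Constructed sample register and an assumed appetite of 4: any Low x anything,
# or Medium x Medium, is tolerated without treatment.
APPETITE = 4
REGISTER = [
    Risk("server room outage", "H", "VH"),
    Risk("key supplier insolvency", "VH", "VH"),
    Risk("minor data entry errors", "M", "L"),
]

if __name__ == "__main__":
    for entry in prioritise(REGISTER):
        print(entry)
    decision, residual, history = assess(
        REGISTER[0], APPETITE,
        [Treatment("standby generator", likelihood_steps=1),
         Treatment("off-site recovery contract", impact_steps=2)])
    print(decision, score(residual), history)
```

The history list is what would go onto the register entry: the inherent score, then the score after each treatment, so a later review can see which action actually brought the risk within appetite and whether the residual rating has drifted since.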

Page 101

RISK IDENTIFICATION AND ANALYSIS TEMPLATE (see attachment)

Page 102

Risk Reporting

Page 103

Risk Reporting

Page 104

Key Risk Indicators

Page 105

Developing KRIs

Page 106

Examples of Risk Indicators

Page 107

Risk Control Self Assessment (RCSA)

Page 108

Risk IT Extends Val IT and COBIT

Page 109

COBIT 5 Principles

Page 110

COBIT 5 Enterprise Enablers

Page 111

Role of internal auditor in RM

Giving assurance on risk management processes.

Giving assurance that risks are correctly evaluated.

Evaluating risk management processes.

Evaluating the reporting of key risks.

Reviewing the management of key risks.

Page 112

Role of internal auditor (with safeguard)

Facilitating identification and evaluation of risks.

Coaching management in responding to risks.

Coordinating ERM activities.

Consolidating the reporting on risks.

Maintaining and developing the ERM framework.

Championing establishment of ERM.

Developing risk management strategy for board approval.

Page 113

What the IA should not do

Setting the risk appetite.

Imposing risk management processes.

Management assurance on risks.

Taking decisions on risk responses.

Implementing risk responses on management's behalf.

Accountability for risk management.

Page 114

Internal Audit Approach

Page 115

Role of Audit committee in RM

Critical role in ERM by establishing the right environment or tone-at-the-top

Vital role in overseeing management’s approach to ERM

Without their oversight, ERM may not be embraced by senior management

Discuss policies with respect to risk assessment and risk management

Better risk intelligence means both audit committees and the full board are better informed.

Page 116

Conclusion

Risk management is a process; therefore put in place a strategy for introducing it:

Develop a risk management strategy

Develop a risk management framework tailored to your activities (avoid copying and pasting)

Develop risk management policy and guidelines

Develop a risk management capacity building programme

Page 117

End of Session V & Final Case Study

Page 118

Risk management in public institutions

It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions.

Risks are inherent in public institutions as well as in the private sector; risk management applies across the whole of the public sector.

Risk management is new to public organizations, but the concept of risk is not new.

Government internal auditors have a special mandate to champion its establishment and monitoring.

Page 119

RISK MANAGEMENT IN PUBLIC SECTOR

The public sector is currently undergoing radical changes through reforms.

There are new risks related to human rights, unemployment and corporate governance.

Risk management should be a vital part of the functions and activities provided by public institutions.

Without risk management it will not be possible to achieve good corporate governance, or the aims and intentions of much legislation and many rules.

Page 120

RISK MANAGEMENT IN PUBLIC SECTOR

Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems.

These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation.

What to do then? Public sector institutions should recognize risk management as critical to achieving their goals and governance responsibilities. They should establish a risk management process that is clearly defined and documented, and continuously apply risk management practices in decision making.

Page 121

Can you assess your Risk Maturity?

Page 123

Risk Management PART II: CONTROL SELF ASSESSMENT

By Sako Mayrick

ELSAM MANAGEMENT CONSULTANTS

Page 124

Operational Risk Management Framework and Control Self Assessment

Page 125

Pillars of Operational Risk Management

Figure: four pillars, Losses, CSA, Issues and Indicators, supporting Executive Management, with Qualitative/Quantitative Analyses and a Common Operational Risk Classification Scheme as the shared base.

Page 126

Control Self Assessment Framework

Page 127

Control Self Assessment

Outline

Control Self Assessment Definition
Control Self Assessment Objectives
Enterprise-wide Control Self Assessment Framework
Balanced Scorecard
CSA Methodology
Results
Corporate Governance
CSA Rollout - Project Time Line

Page 128

Control Self Assessment

Definition

Control Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process.

Page 129

Control Self Assessment

Objectives

Communication
To ensure better communication of the DG's objectives and strategies to all business lines
To ensure business line managers communicate their risks and controls more effectively

Education
To ensure business line managers have a better comprehension of effective risk control
To ensure business line managers have a better comprehension of risk management

Proactive Management
To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
To ensure business line managers assume greater responsibility and accountability for their risks and controls
To ensure business line managers monitor their risks effectively and in a timely manner
To ensure business line managers utilize and allocate their resources effectively

Page 130

Enterprise-wide CSA Framework

Goal: to foster a proactive management framework which is pervasive throughout the organisation.

Page 131

Enterprise-wide CSA Framework

XXXX OBJECTIVES

Page 132

Step 1: Objective Setting

Balanced Scorecard: a tool that translates a firm's mission and strategy into a comprehensive set of performance measures, providing the framework for a strategic measurement and management system.

Objectives
Ensures linkage between the objectives of senior management and the businesses
Increased focus on the appropriateness of the objectives
Reinforced as the central "top down" articulation of goals
Provides a framework within which the oversight functions, risk management and the business lines operate

Page 133

Step 2: CSA Methodology

ORCA Framework

Objectives

Risk Assessment of Key Processes

Controls

Action Plans

The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm’s internal control.

Page 134

Step 2: CSA Methodology

ORCA Framework

To find equilibrium, business managers must carefully assess the risks inherent in their key processes and apply controls that will work at a reasonable cost.

Page 135

Step 2: CSA Methodology

ORCA Framework

Page 136

Step 2: CSA Methodology

Key Indicators

Metrics to measure the effectiveness of controls in mitigating or managing risks:

To measure operational problems
To monitor the quality of the services provided
To provide early warning of problems
To aid in the containment of losses
To determine trends
To set limits for risk or escalation criteria
To facilitate everyday decisions.

Page 137

General Approaches for CSA

Facilitated meetings – group workshops

Questionnaires – yes/no answers

Management analysis – self studies

Page 138

Corporate Governance

The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm’s risk environment on an ongoing basis

Page 139

Tools for CRSA

Page 140

Tools for CRSA

Page 141

Advantages of CSA

The presented enterprise-wide control self-assessment framework:

Provides flexibility and dynamism to evolve with the changing firm

Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives

Is an integral component of a strong corporate governance structure

Page 142

Way Forward

CRSA is an important management tool. We have matured in risk management, and therefore it is time to move a step further through CRSA.

We have new issues in place, so a review of controls is imperative.

There is a critical need for organisations to prepare CRSA for the efficiency and effectiveness of their operations.
