As-NZS 4360-2004 Risk Management


Transcript of As-NZS 4360-2004 Risk Management

Page 1: As-NZS 4360-2004 Risk Management

Kevin W Knight

CHAIRMAN, ISO WORKING GROUP - RISK MANAGEMENT TERMINOLOGY

MEMBER, STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND

JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT

PO BOX 226, NUNDAH QLD 4012 E-mail: [email protected]

0505

AS/NZS 4360:2004 THE AUSTRALIAN & NEW ZEALAND STANDARD ON RISK MANAGEMENT

Page 2: As-NZS 4360-2004 Risk Management

Taking a risk: it isn’t all bad

• Risk taking is positive, not implicitly negative
• We take risks not to avoid harm, but to achieve benefits and gains
• Taking risks is a normal, unavoidable everyday necessity
• Taking controlled, informed risks is a sensible and essential everyday part of life
• The higher the risk, the higher the reward
• Without risk there is no progress.

Page 3: As-NZS 4360-2004 Risk Management

MANAGING RISK

• We all manage risk consciously or unconsciously - but rarely systematically
• Managing risk involves both threats and opportunities
• Managing risk requires rigorous thinking
• Managing risk means forward thinking
• Managing risk requires accountability in decision making
• Managing risk requires communication
• Managing risk requires balanced thinking
• RM provides a framework to facilitate more effective decision making

Page 4: As-NZS 4360-2004 Risk Management

Corporate Governance

The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within an acceptable degree of risk. It is the glue which holds the organisation together in pursuit of its objectives, while risk management provides the resilience.

Page 5: As-NZS 4360-2004 Risk Management

Corporate Governance

“As I look back on my career as an independent director, I realise that my efforts were mostly futile. Management gave us reams of information about past performance and we dutifully discussed it. We were looking at the wrong information and asking the wrong questions. We should have focussed on the future and questioned the strategy and competence of management to execute it. The board did not wake up until it was too late.”

Guidance for Directors - Dealing with risk in the boardroom, Canadian Institute of Chartered Accountants, 2000

Page 6: As-NZS 4360-2004 Risk Management

Risk Management as Defined in AS/NZS 4360:2004

“THE CULTURE, PROCESSES AND STRUCTURES THAT ARE DIRECTED TOWARDS REALISING POTENTIAL OPPORTUNITIES WHILST MANAGING ADVERSE EFFECTS.”

[Figure: risk management framework diagram. Elements: Structure, Direction, Processes, Culture, Communication; Risks and Opportunities. The process steps (1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/, 7. Manage the Risk) are grouped under ASSESS and surrounded by MONITOR & REVIEW and COMMUNICATE & CONSULT.]

Page 7: As-NZS 4360-2004 Risk Management

[Figure: the AS/NZS 4360:2004 risk management process. COMMUNICATE & CONSULT and MONITOR & REVIEW run alongside every step.]

ESTABLISH THE CONTEXT: the external context; the internal context; the risk management context; develop criteria & define the structure

IDENTIFY RISKS: what can happen, when, where, how & why

ANALYSE RISKS: identify existing controls; determine likelihood; determine consequences; determine level of risk

EVALUATE RISKS: compare with criteria; set priorities; treat risks? (YES / NO)

TREAT RISKS: identify options; assess options; prepare and implement treatment options; analyse & evaluate residual risk

Page 8: As-NZS 4360-2004 Risk Management

RM is everybody’s business

• RM is not just the responsibility of management

• For RM to be effective it must be implemented by every person in the organisation

• RM must become an integral part of the organisational culture

• The risk makers and risk takers must be the risk managers.

Page 9: As-NZS 4360-2004 Risk Management

Communicate and consult - at all steps

Step 1 : Establish the Context
• external context
• internal context
• risk management context
• risk criteria (i.e. threshold levels)
• define the structure

Step 2 : Identify Risks
• what can happen, when, where and how
• identify key processes, tasks, activities
• recognise risk areas
• define risks
• categorise risk

Step 3 : Analyse Risks
• identify controls
• determine likelihood
• determine consequence/impact
• determine level of risk

Step 4 : Evaluate Risks
• identify tolerable/unacceptable risks (referring risk rating against risk criteria)
• prioritise risks for treatment

Step 5 : Treat Risks

Accept/Retain
• based on judgement or documented procedures/policy

Avoid
• consider discontinuing or avoiding activity
• consult
• risk treatment preferable to risk aversion

Reduce consequence
• Business Continuity Plans
• contractual arrangements
• public relations

Share
• insurance
• outsourcing

Reduce likelihood
• controls
• process improvement
• training & education
• policies and communication
• audit and compliance

Step 6 : Monitor and Review Risks
• process
• environment
• organisation
• strategy
• stakeholders

Communication & Consultation in the risk management process

Page 10: As-NZS 4360-2004 Risk Management

COMMUNICATE & CONSULT

• ANY TWO-WAY DIALOGUE BETWEEN STAKEHOLDERS

• DEVELOP COMMUNICATION STRATEGY AT THE CONTEXT STAGE

• ENSURE STAKEHOLDERS’ PERCEPTION OF RISK IS ADDRESSED

Page 11: As-NZS 4360-2004 Risk Management

Risk Management’s Role in Corporate Governance

[Figure: a pyramid of management levels, from GOVERNANCE (supervision, accountability) at the top through STRATEGIC MANAGEMENT and EXECUTIVE MANAGEMENT (decision & control) to OPERATIONAL MANAGEMENT at the base. Two brackets beside the pyramid mark the traditional and current risk management application and the potential greater future role of risk management.]

Page 12: As-NZS 4360-2004 Risk Management

STRATEGIC FRAMEWORK FOR MANAGING RISKS

[Figure: a cycle linking Taking Risks (Adding Value) and Managing Risk (Preserving Value) across Business Strategies and Business Processes, with Communication and Consultation surrounding the risk elements.]

Page 13: As-NZS 4360-2004 Risk Management

[Figure: the risk management process diagram again (Communicate & Consult; Monitor & Review; Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Tolerate Risks? YES / NO; Treat Risks), with ESTABLISH THE CONTEXT expanded: the external context, the internal context, the risk management context, develop criteria & define the structure.]

Page 14: As-NZS 4360-2004 Risk Management

ESTABLISH THE CONTEXT

• Objectives and environment
• Relevant Legislation
• Stakeholder identification & analysis
• Government Policy
• Corporate Policy
• Management Structures
• Community Expectations
• Criteria
• Consequence criteria.

Page 15: As-NZS 4360-2004 Risk Management

An Organisation’s Paradigm

[Figure: the cultural web, adapted from Johnson & Scholes, 1993, p.61. The Paradigm sits at the centre, surrounded by Symbols, Power Structures, Organisational Structures, Control Systems, Rituals & Routines, and Stories (business experiences).]

Page 16: As-NZS 4360-2004 Risk Management

ORGANISATIONAL RISK CRITERIA

[Figure: organisation risk personality or propensity. A scale runs from Aversion (Denial, Dislike, Disinclination, Indecision) through the risk tolerance range to Excessive appetite (Irresponsible, Impulsive). The figure links the organisation's position on this scale to strategic management decision and corporate culture.]

Page 17: As-NZS 4360-2004 Risk Management

Board of Directors
• Approves policy
• Approves risk limits
• Approves risk tolerance
• Provides oversight

Executive Management
• Establishes policy
• Establishes risk limits
• Establishes risk tolerances
• Reports to Board
• Enforces

Risk Management Committee
• Monitor - Coordinate - Teach
• Measure - Benchmark
• Report to Board
• Enforce

Line Managers
• Identify risk
• Propose risk limits
• Control
• Report

Page 18: As-NZS 4360-2004 Risk Management

[Figure: the risk management process diagram (Communicate & Consult; Monitor & Review; Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks? YES / NO; Treat Risks), with IDENTIFY RISKS expanded: what can happen, when, where, how & why.]

Page 19: As-NZS 4360-2004 Risk Management

Risk Identification

A risk is associated with
• A source
• An event or incident
• A consequence, outcome or impact
• A cause (what & why)
• Controls and their level of effectiveness and application
• When & where could a risk occur.

Page 20: As-NZS 4360-2004 Risk Management

Identification of Sources of Risk

• personnel/human behaviour
• management activities and controls
• economic circumstances
• natural and unnatural events
• political circumstances
• technology/technical issues
• commercial and legal relationships
• public/professional/product liability
• the activity itself.

Page 21: As-NZS 4360-2004 Risk Management

Risk Management Methods

HB436:2004 Risk Management Guidelines - A Companion to AS/NZS 4360:2004

Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis.

More Significantly

A well-structured process leads to quality collection of data, as strongly emphasized by AS/NZS 4360:2004.

Page 22: As-NZS 4360-2004 Risk Management

[Figure: the risk management process diagram (Communicate & Consult; Monitor & Review; Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risk? YES / NO; Treat Risks), with ANALYSE RISKS expanded: identify existing controls; determine likelihood; determine consequences; determine level of risk.]

Page 23: As-NZS 4360-2004 Risk Management

Risk Analysis

• Purpose
– Separate minor risks from major
– Provide data to assist in evaluation and treatment

• Preliminary Analysis
– Excluded risks, where possible, should be listed
– Where possible, confidence limits placed on estimates
– Best available information sources used

Page 24: As-NZS 4360-2004 Risk Management

Examples of Qualitative Analysis

• Checklists and Questionnaires
• SWOT Analysis
• Physical Inspections
• Analysis Based on Records of the Operation
• Flowcharts
• Event trees.

Page 25: As-NZS 4360-2004 Risk Management

S.W.O.T. ANALYSIS

[Figure: transformation process model (Source: HD 240:2000). INPUTS flow through the TRANSFORMATION PROCESS to OUTPUTS. Around the process sit Resources (Skills & Experience), Resources (Financial), Power (Authority, Knowledge, Delegations), Intrinsic/Extrinsic Rewards, Stakeholders (External/Internal), the Organisational Environment (Internal/External) and the Cultural Web. Labelled arrows (Affects; Influences; Influences attitudes, approach and process; Influences efficiency; Influences attitudes and approach; Impacts) link these elements to the process and its outputs.]

Page 26: As-NZS 4360-2004 Risk Management

Examples of Quantitative Analysis

• Computer Modelling
• Fault Tree Analysis
• Hazard Indices
• Statistical Analysis.

Page 27: As-NZS 4360-2004 Risk Management

Examples of Likelihood Tables

Likelihood Ex. 1: 1 Rare; 2 Unlikely; 3 Possible; 4 Likely; 5 Almost Certain

Likelihood Ex. 2: 1 Almost Never; 2 Low Potential; 3 Potential; 4 Common

Likelihood Ex. 3: 1 Low Frequency; 2 Moderately Frequent; 3 High Frequency

It is up to each organisation to define the parameters that allow users to assess likelihood.

Page 28: As-NZS 4360-2004 Risk Management

Examples of Consequence Tables

Consequence Ex. 1: 1 Insignificant; 2 Minor; 3 Moderate; 4 Major; 5 Catastrophic

Consequence Ex. 2: 1 Negligible; 2 Medium; 3 Severe; 4 Critical

Consequence Ex. 3: 1 Insignificant; 2 Moderate; 3 Significant

It is up to each organisation to define the severity of impact that allows users to assess consequence.

Page 29: As-NZS 4360-2004 Risk Management

Examples of Risk Rating Tables

Risk Rating Ex. 1: 1 Very Low; 2 Low; 3 Tolerable; 4 High; 5 Very High

Risk Rating Ex. 2: 1 Low; 2 Moderate; 3 Significant; 4 Extreme

Risk Rating Ex. 3: 1 Low; 2 Medium; 3 High

It is up to each organisation to define the terminology for risk rating levels, and how this is set in the risk rating matrix.

Page 30: As-NZS 4360-2004 Risk Management

Example Of A Risk Rating Matrix

AS/NZS 4360:2004 emphasises that organisations should tailor the criteria that drive assessment and analysis to suit the nature and business environment of their operations.

Page 31: As-NZS 4360-2004 Risk Management

[Figure: the risk management process diagram (Communicate & Consult; Monitor & Review; Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat risks? YES / NO; Treat Risks), with EVALUATE RISKS expanded: compare against criteria; set priorities.]

Page 32: As-NZS 4360-2004 Risk Management

Risk Evaluation

Comparing levels of risk found in analysis with previously established criteria

Consider
• Objectives of project and opportunities
• Tolerability of risks to others
• Whether a risk needs treatment
• Deciding whether risk can be accepted
• Whether an activity should be undertaken
• Priorities for treatment

Page 33: As-NZS 4360-2004 Risk Management

RISK TOLERABILITY

[Figure: a risk tolerability matrix. The vertical axis is FREQUENCY/LIKELIHOOD (Rare, Unlikely, Moderate, Likely, Almost Certain); the horizontal axis is SEVERITY/IMPACT/CONSEQUENCES (0, Insignificant, Minor, Major, Critical, Extreme). Regions of the matrix are labelled ACCEPTABLE OR TOLERABLE LEVEL OF RISK (low likelihood, low consequence), REDUCE LIKELIHOOD, REDUCE CONSEQUENCES, REDUCE, and AVOID RISKS (high likelihood, high consequence).]

Page 34: As-NZS 4360-2004 Risk Management

Risk Tolerability

[Figure: a risk tolerability matrix with example scales. The vertical axis is FREQUENCY/LIKELIHOOD, from NOT POSSIBLE (0) through UNLIKELY, POSSIBLE, LIKELY and ALMOST CERTAIN to CERTAIN (1); the horizontal axis is SEVERITY/IMPACT/CONSEQUENCES, from 0 through MILD, MODERATE, SEVERE and DISASTROUS to TOTAL, with the dollar values $1,000, $100,000, $1M and $100M marked along it. Regions are labelled TOLERABLE LEVEL OF RISK, REDUCE LIKELIHOOD, REDUCE CONSEQUENCES, REDUCE, and AVOID RISKS.]

Page 35: As-NZS 4360-2004 Risk Management

Risk Tolerability

[Figure: the risk tolerability matrix of Page 34 repeated, with the same FREQUENCY/LIKELIHOOD scale (NOT POSSIBLE 0 to CERTAIN 1), the same SEVERITY/IMPACT/CONSEQUENCES scale (0, MILD, MODERATE, SEVERE, DISASTROUS, TOTAL; $1,000, $100,000, $1M, $100M) and the same regions (TOLERABLE LEVEL OF RISK, REDUCE LIKELIHOOD, REDUCE CONSEQUENCES, REDUCE, AVOID RISKS).]

Page 36: As-NZS 4360-2004 Risk Management

Risk magnitude / LEVEL OF RISK

[Figure: tolerability regions ordered by level of risk, highest at the top.]

Intolerable Region: risk cannot be justified except in extraordinary circumstances.

ALARP (As Low As Reasonably Practicable) region: tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained (upper part of the region); tolerable if the cost of reduction would exceed the improvements gained (lower part).

Broadly acceptable region (“de minimis” risk): necessary to maintain assurance that the risk remains at this level.
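As an added worked example (not code from the presentation, the standard, or Standards Australia), the rating step that the slides leave to each organisation: it scores a risk from the Ex. 1 likelihood and consequence scales of Pages 27 and 28, names the level with the Ex. 1 rating terminology of Page 29, maps each rating onto the three tolerability regions described above, and picks a treatment direction following the quadrants of the tolerability matrix on Page 33, then re-runs the analysis for the residual risk after treatment. The numeric bands, the rating-to-region mapping, the treatment rule, and the register entries are constructed assumptions for the example, not values from the standard.

```python
"""Risk rating and tolerability worked example.

Added illustration; not code from the presentation or from the standard.
It applies the kind of likelihood x consequence rating that AS/NZS 4360:2004
leaves each organisation to define, then maps the rating onto the ALARP
tolerability regions and the treatment directions of the tolerability
matrix. Scale labels follow the slides; the numeric bands, the region
mapping and the register entries are constructed assumptions.
"""
from dataclasses import dataclass

# Likelihood Ex. 1 and Consequence Ex. 1 from the slides, scored 1..5.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}

# Assumed bands over the product likelihood x consequence (1..25), using the
# Risk Rating Ex. 1 labels. The cut-offs are an example organisation's choice.
RATING_BANDS = [(4, "Very Low"), (8, "Low"), (12, "Tolerable"), (19, "High"), (25, "Very High")]

# Assumed mapping from rating to the three tolerability regions.
REGION = {
    "Very Low": "Broadly acceptable",
    "Low": "Broadly acceptable",
    "Tolerable": "ALARP",
    "High": "ALARP",
    "Very High": "Intolerable",
}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    consequence: str


@dataclass(frozen=True)
class Assessment:
    risk: Risk
    score: int
    rating: str
    region: str
    treatment: str


def score(likelihood: str, consequence: str) -> int:
    """Level of risk as the product of the two scale positions."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def rating(level: int) -> str:
    """Map a level of risk onto the organisation's rating terminology."""
    for upper, label in RATING_BANDS:
        if level <= upper:
            return label
    raise ValueError(f"level {level} outside the 1..25 matrix")


def treatment(risk: Risk, region: str) -> str:
    """Treatment direction, following the quadrants of the tolerability matrix."""
    if region == "Intolerable":
        return "avoid"
    if region == "Broadly acceptable":
        return "retain residual (record and keep under review)"
    # ALARP: push down whichever factor dominates the level of risk.
    lk, cq = LIKELIHOOD[risk.likelihood], CONSEQUENCE[risk.consequence]
    if lk > cq:
        return "reduce likelihood"
    if cq > lk:
        return "reduce consequences"
    return "reduce likelihood and consequences"


def assess(risk: Risk) -> Assessment:
    level = score(risk.likelihood, risk.consequence)
    label = rating(level)
    region = REGION[label]
    return Assessment(risk, level, label, region, treatment(risk, region))


def prioritise(register: list) -> list:
    """Evaluate every risk and order them for treatment, highest level first."""
    return sorted((assess(r) for r in register), key=lambda a: a.score, reverse=True)


def residual(risk: Risk, likelihood: str, consequence: str) -> Assessment:
    """Re-run the analysis with the post-treatment scale positions."""
    return assess(Risk(risk.name, likelihood, consequence))


# Constructed register entries for the example.
SAMPLE_REGISTER = [
    Risk("Internet-facing server left unpatched", "Likely", "Major"),
    Risk("Flood destroys records held only on site", "Unlikely", "Catastrophic"),
    Risk("Phishing email reaches staff inboxes", "Almost Certain", "Minor"),
    Risk("Stationery supplier delivers late", "Possible", "Insignificant"),
    Risk("Hazardous process run without controls", "Likely", "Catastrophic"),
]

if __name__ == "__main__":
    for a in prioritise(SAMPLE_REGISTER):
        print(f"{a.score:2d} {a.rating:9s} {a.region:18s} {a.treatment:46s} {a.risk.name}")
    before = assess(SAMPLE_REGISTER[2])
    after = residual(SAMPLE_REGISTER[2], "Possible", "Minor")
    print(f"residual after awareness training: {before.rating} -> {after.rating}")
```

The product form is only one way to combine the two scales; a matrix with hand-set cells is equally valid under the standard, and the point of the bands is that they are a documented, reviewable choice rather than arithmetic. Because the likelihood and consequence labels are looked up, a risk recorded with a label outside the organisation's tables fails loudly with a KeyError instead of being silently rated.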

Page 37: As-NZS 4360-2004 Risk Management

[Figure: the risk management process diagram (Communicate & Consult; Monitor & Review; Establish the Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat risks? YES / NO; Treat Risks), with TREAT RISKS expanded: identify options; assess options; prepare and implement treatment options; analyse & evaluate residual risk.]

Page 38: As-NZS 4360-2004 Risk Management

THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK (B.F. Hough, 1985)

[Figure: a curve of LEVEL OF RISK (RISK VALUE) against COST OF REDUCING RISK ($). Brackets along the curve mark the bands SATISFACTORY, MOST COST EFFECTIVE, ACCEPTED PRACTICE, ABSOLUTE MINIMUM and BEST ACHIEVABLE.]

Page 39: As-NZS 4360-2004 Risk Management

[Figure: OVERALL LEVEL OF RISK plotted against CUMULATIVE COST OF RISK REDUCTION MEASURES, together with the COST OF RISK REDUCTION MEASURES. The range of measures is divided into IMPLEMENT, USE JUDGEMENT and UNECONOMIC.]

Page 40: As-NZS 4360-2004 Risk Management

Risk Treatment
• reduce
– likelihood
– consequences
• business continuity management
• sharing in full or in part (this creates a new risk)
• avoid (but not because of aversion)
• retain residual (but not by default)

Page 41: As-NZS 4360-2004 Risk Management

REDUCE LIKELIHOOD

Risk prevention
• compliance programmes
• inspection & process controls
• security devices, alarms and processes
• preventive maintenance
• training & education.

Page 42: As-NZS 4360-2004 Risk Management

REDUCE CONSEQUENCES

Risk reduction
• medical & first aid procedures
• off site data & information storage
• fraud control planning
• fire suppression.

Page 43: As-NZS 4360-2004 Risk Management

Business Continuity Management

• emergency evacuation plans
• off site data & information storage
• business contingency plans
• business relocation plans
• business resumption plans
• review, reassess and revise plans.

Page 44: As-NZS 4360-2004 Risk Management

SHARING RISK

Contractual transfer of legal responsibility
• sub contracting of hazardous processes
• exclusion clauses
• outsourcing
• partnerships & joint ventures

Insurance

Page 45: As-NZS 4360-2004 Risk Management

AVOID

Reduce probability of loss to zero
• cease activity
• closure of facility
• sell business.

Page 46: As-NZS 4360-2004 Risk Management

RETAIN RESIDUAL RISKS

Losses funded from general operating expenses
• vital to record all incidents
• ensure retention is not due to failure to identify.

Page 47: As-NZS 4360-2004 Risk Management

Treatment Options

Consider
• Opportunities created by risk
• Cost of implementation vs benefits
• Extent of risk reduction vs benefits
• Criteria of acceptability
• Rare but severe risks
• Risk perception and communication.

In general: costs of managing risk commensurate with benefits; adverse impacts As Low As Reasonably Achievable.
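An added example (not from the presentation) of the cost-versus-benefit comparison this slide asks for, worked in the form of the curves on Pages 38 and 39: candidate treatment measures are ranked by risk reduction bought per dollar, their cumulative cost is tracked as each one is added, and each step is classed as IMPLEMENT, USE JUDGEMENT or UNECONOMIC. The measures, their costs and reductions, and the two ratio thresholds are constructed assumptions; an organisation would set its own.

```python
"""Cost-effectiveness ordering of risk treatment options.

Added illustration, not code from the presentation or the standard. It
works through the trade-off between level of risk and cost of reducing it:
measures are ranked by risk reduction per dollar, the cumulative cost curve
is walked, and each step is classed IMPLEMENT, USE JUDGEMENT or UNECONOMIC.
All measures, figures and thresholds below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Measure:
    name: str
    cost: float        # cost of the measure in dollars (constructed)
    reduction: float   # expected reduction in risk value, in dollars (constructed)

    @property
    def ratio(self) -> float:
        """Risk reduction bought per dollar spent."""
        return self.reduction / self.cost


@dataclass(frozen=True)
class Step:
    measure: Measure
    cumulative_cost: float
    residual_risk: float
    decision: str


def plan(measures, initial_risk, implement_ratio=2.0, uneconomic_ratio=0.5):
    """Order measures by cost-effectiveness and walk the cumulative cost curve.

    The thresholds are the example organisation's choice (assumed): a measure
    returning at least `implement_ratio` dollars of risk reduction per dollar
    is implemented; one below `uneconomic_ratio` is uneconomic; anything in
    between calls for judgement.
    """
    steps = []
    spent = 0.0
    risk = initial_risk
    for m in sorted(measures, key=lambda m: m.ratio, reverse=True):
        spent += m.cost
        risk = max(0.0, risk - m.reduction)
        if m.ratio >= implement_ratio:
            decision = "IMPLEMENT"
        elif m.ratio >= uneconomic_ratio:
            decision = "USE JUDGEMENT"
        else:
            decision = "UNECONOMIC"
        steps.append(Step(m, spent, risk, decision))
    return steps


# Constructed candidate measures for the example.
SAMPLE_MEASURES = [
    Measure("Patch management process", 20_000, 120_000),
    Measure("Off-site backup of records", 15_000, 60_000),
    Measure("Staff security awareness training", 10_000, 15_000),
    Measure("Second redundant data centre", 500_000, 90_000),
]

if __name__ == "__main__":
    for s in plan(SAMPLE_MEASURES, initial_risk=300_000):
        print(f"{s.decision:14s} {s.measure.name:35s} "
              f"cumulative ${s.cumulative_cost:>9,.0f} residual ${s.residual_risk:>9,.0f}")
```

The greedy ranking reproduces the shape of the Page 39 curve: the first measures buy most of the reduction cheaply, later ones cost more for less, and the residual risk after the "implement" steps is what is then compared with the organisation's criteria for the retain/treat decision.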

Page 48: As-NZS 4360-2004 Risk Management

Treatment Plans

Document how options are implemented:
• Responsibilities
• Schedules
• Expected outcomes
• Budgeting
• Performance measures
• Review processes

Page 49: As-NZS 4360-2004 Risk Management

[Figure: the complete AS/NZS 4360:2004 risk management process diagram. COMMUNICATE & CONSULT and MONITOR & REVIEW run alongside every step.]

ESTABLISH THE CONTEXT: the external context; the internal context; the risk management context; develop criteria & define the structure

IDENTIFY RISKS: what can happen, when, where, how & why

ANALYSE RISKS: identify existing controls; determine likelihood; determine consequences; determine level of risk

EVALUATE RISKS: compare with criteria; set priorities; treat risks? (YES / NO)

TREAT RISKS: identify options; assess options; prepare and implement treatment options; analyse & evaluate residual risk

Page 50: As-NZS 4360-2004 Risk Management

AS/NZS 4360:2004 - Extending The Process

• The role of assurance activity, not just as a risk control, but as part of ‘Monitor and Review’, should be developed.

• This should go further than just audit.

Other interested stakeholders can also benefit from the risk process, such as quality assurance, safety & environment management. The latest update is facilitating linkages between different stakeholders.

Page 51: As-NZS 4360-2004 Risk Management

MONITOR & REVIEW
• RM is a journey not a destination
• What may be of minor significance today may be the disaster of tomorrow
• Review is an integral part of the risk management process

Page 52: As-NZS 4360-2004 Risk Management

AS/NZS 4360:2004 - Role Of Assurance Activity

Page 53: As-NZS 4360-2004 Risk Management

Recording the Risk Management Process

• demonstrates process conducted properly
• provides a record of risks
• provides decision makers with plan for approval and implementation
• provides accountability tool
• facilitates monitoring and review
• provides an audit trail
• enables sharing and communication of information.

Page 54: As-NZS 4360-2004 Risk Management

Establishing Effective Risk Management

• Board & Management commitment
• Risk management planning
• Culture change
• Accountability & authority
• Customise to organisational paradigm
• Ensure adequate resources
• Board monitoring and review of risk management effectiveness

Page 55: As-NZS 4360-2004 Risk Management

POLICY DEVELOPMENT

• NO MORE THAN ONE PAGE
• MUST BE SIMPLE, ACHIEVABLE, UNDERSTANDABLE & AUDITABLE
• THE RISK MAKERS AND THE RISK TAKERS MUST BE THE RISK MANAGERS
• SERVES AS A PLATFORM FOR ORGANISATIONAL GUIDELINES

Page 56: As-NZS 4360-2004 Risk Management

RISK MANAGEMENT FRAMEWORK

Risk Management Processes

The framework will be implemented by each business unit in accordance with the policy by:

• Maintaining documented business risk profiles using analytical techniques to identify, evaluate, and manage risks in compliance with AS/NZS 4360:2004

• Communication of risk management issues, where appropriate, to all relevant stakeholders

“The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”

[Figure: the framework diagram with Processes highlighted: MONITOR & REVIEW and COMMUNICATE & CONSULT around the steps 1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/, 7. Manage the Risk, grouped under ASSESS.]

Page 57: As-NZS 4360-2004 Risk Management

RISK MANAGEMENT FRAMEWORK

Risk Management Structure & Responsibility

The Board approves the corporate risk management policy and framework.

The Board Risk Management Committee reviews the effectiveness of the policy.

All managers and staff are accountable for managing risk.

The Risk Management “Champion” is responsible for facilitating the risk management program and reporting to the Board Risk Management Committee.

“The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”

[Figure: the framework diagram with Structure and Direction highlighted.]

Page 58: As-NZS 4360-2004 Risk Management

“STRATEGIC MANAGEMENT OF RISK”

“Managing risk is a way of confidently taking the right risks and then managing the outcomes for success”

[Figure: the framework diagram with Risks and Opportunities highlighted.]

Page 59: As-NZS 4360-2004 Risk Management

Risk Management and the Strategic Planning Cycle

[Figure: a cycle of four stages, with Processes highlighted.]

Planning
• Future State / End Vision
• SWOT, Opportunities and Risks
• Strategy & Tactics

Execution/Integration
• Manage Tactics
• Manage Tasks
• Manage Risks

Monitor Performance
• Performance
• Capability
• External Environment

Review & Change

Across the cycle:
• Strategic Learning
• Strategic Alignment
• Strategic Intelligence

Page 60: As-NZS 4360-2004 Risk Management

The Operational Risk Management Cycle

[Figure: an annual cycle marked Jan, May and Sep, with the activities: review performance; conduct risk profiling; strategic planning; determine risk treatment actions; budget and business planning; implement and monitor treatment actions.]

Page 61: As-NZS 4360-2004 Risk Management

RISK MANAGEMENT BENEFITS

• Fewer surprises
• Exploitation of opportunities
• Improved planning, performance and effectiveness
• Economy and efficiency
• Improved stakeholder relationships
• Improved information for decision making
• Enhanced reputation
• Director protection
• Accountability, assurance and governance
• Personal wellbeing.

Page 62: As-NZS 4360-2004 Risk Management

RISK MANAGEMENT OUTCOMES

RM leads to
• more informed decision making
• business continuity planning
• minimising disruptions
• better utilisation of resources
• strengthening of the culture of continuous improvement
• best practice
• a quality organisation

Page 63: As-NZS 4360-2004 Risk Management

YOU DO NOT HAVE TO DO IT!!

SURVIVAL IS NOT COMPULSORY

Page 64: As-NZS 4360-2004 Risk Management

The greatest risk of all

is to take no risk at all!

Page 65: As-NZS 4360-2004 Risk Management

[Figure: the full risk management framework diagram: Risks and Opportunities; Structure, Direction, Processes, Culture, Communication; MONITOR & REVIEW and COMMUNICATE & CONSULT around the steps 1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/, 7. Manage the Risk, grouped under ASSESS.]

In pursuit of performance: a race, a journey ………. Building Value

The Journey Continues

AS/NZS 4360:2004 and its accompanying Handbook provide generic guidance on how to embed risk management, and introduce the concept of “positive” risk to help you on the way.