Enterprise Risk Management
Session B8, Thursday, May 1st, 2014, 11:30 – 12:45
David Fernandes
Incorporating a Risk Management Strategy Throughout the Organization
YOUR EXPECTATIONS
• How many in the Audit Department? <5, <10
• What do you want to get out of this presentation?
• Is there any Risk Management program currently in place?
• Who owns “Risk” in your company? Board? Management? Legal?
• When do you want to have an ERM solution in place?
TOPICS
• Developing a Risk Management Strategy
• Integrated Approach to Risk Management
• Establishing a Risk Management Committee
• Managing Risk
• Creating an Enterprise Risk Assessment
• Setting up a Control Monitoring Process
• Risk Management and Internal Audit
Developing a Risk Management Strategy

Management - the act or skill of controlling and making decisions about a business or department.
Strategy - a careful plan or method for achieving a particular goal, usually over a long period of time.
Risk - the chance of loss, or the perils to the subject matter of an insurance contract; also, the degree of probability of such loss.
• Risk Identification: identify foreseeable risks which could affect objectives, their cause(s) and possible effect(s).
• Risk Assessment: establish the likelihood of occurrence and impact for each identified risk, prioritize risks for further attention, group risks into categories to identify hotspots of risk exposure or common causes, and analyze the combined effect of risks on corporate goals and objectives.
• Risk Management: define the scope and objectives of the risk process, describe the techniques and tools to be used, state the thresholds of acceptable risk to various stakeholders, detail roles and responsibilities, etc.
• Risk Response: consider a response to each risk and select a strategy which is appropriate, achievable and affordable, delegating each task or activity to an owner.
• Risk Monitoring: ensure that agreed actions are implemented effectively, monitor the effect on risk exposure, and communicate risk information to stakeholders with appropriate detail and frequency.
• Risk Review: update the risk process to assess the status of existing risks, determine the effectiveness of agreed responses, identify emerging risks, and review the Risk Management Strategy.
A Risk Management Strategy (RMS) provides a structured and coherent approach to identifying, assessing and managing risk. It builds in a process for regularly updating and reviewing the assessment based on new developments or actions taken.
The process of identifying and reviewing the risks that a business faces is known as Enterprise Risk Assessment (ERA).
The assessment of potential risks enables the company to be aware of where uncertainty surrounding events or outcomes exists, and to identify the necessary steps that should be taken to protect the company.
A Risk Management Strategy can be developed and implemented by even the smallest of groups or projects, or built into a complex strategy for a multi-site international organization.
Integrated Approach to Risk Management
Integrative Risk Management starts from the premise that no measure of exposure can be taken in isolation. This view is well established in a corporate context, with stress placed on a more holistic understanding of Integrated Risk Management.
Integrated Risk Management differs from traditional management in that it lets us examine what is missing in the normal business process, and why those missing elements expose us to risk.
Integrated Risk Management encourages better up-front planning and lets us determine whether our policies and capabilities are well aligned with the strategy we want to execute.
[Diagram: Integrated Risk Management cycle. Recoverable labels: Risk Assessment; Risk Updates; risk resources across different functions and business processes; red flags, mitigating controls and detection procedures; Risk and Controls - become aware of function-specific risks and implement adequate risk controls; Learn About the Business - save time and quickly create customized control questionnaires on key business risks. Control environments include: General IT, Operational, Finance, Human Resources, Business.]
Right Sized Technology Adds More Business Value. Reduces Complexity and Increases Adoption & Usage.
Risk register template:
Step 1: Risk Identification - List of Possible Risks
Step 2: Risk Assessment - Likelihood (H/M/L); Impact (H/M/L); Level of Risk
Step 3: Risk Management - What are we already doing about it? (mitigating factors); What more can we do about it?; Timescale; Person Responsible; Reviewed
[Diagram: risk management cycle. Recoverable labels: Identify, assess, and prioritize business risks; Analyze key risks and current capabilities; Develop connected, transparent action plans with measurable metrics; Enable mitigation through triggers and focused reporting; Simplify management strategies to vital risks; Measure, monitor, & report risk management performance; Summarize results & integrate with Risk Mitigation processes; Business Goals, Objectives & Strategies - integrate with decision-making processes.]
Some Challenges
• Building blocks of processes, roles and technologies were not properly established.
• Management does not fully understand or accept their critical role and responsibilities.
• Risk that the project will not achieve the desired outcomes.
• Business owners fail to see the value of the process and terminate the audit program.
• Obtaining a complete and controlled population of data required to support a specific test.

Companies face a wide array of risks. A common challenge: how can you identify and prepare for major risks to your business?
Most executives focus their risk assessment and management efforts primarily on financial and compliance risks. A Risk Management Strategy that fails to simultaneously identify and address the entire range of major risk types puts the company in danger.
Establishing a Risk Management Steering Committee
Risk Management is the responsibility of every employee of the University. Different stakeholders have different objectives and levels of accountability with respect to risk management. An effective risk management framework includes comprehensive and defined accountability for risks, controls and risk treatment tasks. The risk management framework documents the roles and responsibilities of the various components of a risk management process.
• Develop a framework for assessing different levels of audit analytic techniques and associated benefits.
• Define progressive levels to evolve its use of Data / Business Analytics.
• Identify the building blocks (People, Process and Technology) that must be in place to optimize benefits.
• Understand, plan and communicate what needs to be done to achieve and increase benefits.
• Establish a proactive and comprehensive view for effective ERA and ERM.
Risk Management Committee
Make-up of the committee?
o Members from the Senior Management Team (Board of Directors, Audit Committee, C-Suite)
What are the committee’s core responsibilities?
The committee has three primary responsibilities: establish a risk management program; implement an annual risk assessment; identify the organization’s exposures and develop a risk control program.
What are the main steps in creating a risk management program?
Identify and analyze risks (exposures); prioritize risks and communicate the appropriate risk management plan; implement the risk management plan; monitor and update the plan as needed.
Managing Risk
Risk Avoidance: an organization decides to avoid the risk altogether by not entering into the activity or providing the service. This may be possible for some types of activities carried out by the organization, but usually not for core activities.
Risk Control: an organization decides to continue the activity which creates the risk, but to manage it so that it will be less likely to occur and less damaging if it does occur. If an activity is central for an organization, then it will need to identify what standards of staff and volunteer training are needed to carry out the activity and what good practice policies must be adhered to. There must be clear record keeping in order to show that the organization met the good practice requirements laid down in its policy. Good governance is important here too, as the Management Committee will need to understand the risks and the control strategies in place. Having a skilled board with an understanding of accounting, law, management etc. is part of a good risk control strategy.
Risk Transfer: an organization decides to have a third party perform the risky activity, or to transfer the consequences of the risk to another person or organization. This can be through insurance, indemnity, exemption from liability or through transferring the activity to another organization.
Mitigating Factors: these are the things which are done to reduce risk. Some of these are internal, i.e. within the control of the organization, and some are external, i.e. they may be regulatory or imposed by funders. Some of these are in place already, and it is important to take account of these in planning risk management.
Creating an Enterprise Risk Assessment
Risk Areas: Business Risk, Organizational, Strategic Risks, Financial Risks, Operational Risks, Legal & Compliance Risks, IT & Systems Risks.
• Risk Catalog
• Web-based Risk Survey: design a web-based risk assessment survey that requires participants to assess each risk using critical criteria. Impact – how significant is this risk to the business? Likelihood – how likely is this risk to come to pass?
• Trending and Velocity: if the risk comes to pass, how quickly will it impact the company?
• Risk Committee: guidance on risk selection and participants.
• Consolidate and analyze the responses to your survey; prepare a detailed and comprehensive report; include heat maps.
• Board Presentation: present graphs for the top 5 risks by impact, likelihood and velocity, and the top 5 risks for each category, e.g. Business, Financial, Operational etc.
Risk Catalog (excerpt), category: Business Risk
Columns: # | Ref | Risk & Definition | Corporate Average – Significance | Corporate Average – Likelihood | Trending

1 | B1 | Business Interruption / Service Failure | 3.7 | 2.0 | (not shown)
• The company's capability to continue critical operations and processes is dependent on availability of energy, information technologies, skilled labor, etc.
• Critical resources are not available, causing the company to experience difficulty in continuing profitable operations.
• A major disaster, such as fires, earthquakes, explosions, floods or terrorism, threatens the company's ability to sustain operations, provide essential products and services or recover operating costs, i.e. a disaster impacts the ability to support customers.
• Physical Risks: a disaster or extreme weather conditions impact the ability to support customers, e.g. tsunamis, fires, earthquakes, explosions, floods.
• Regulatory / Legal: changes in government laws, e.g. nationalization, import taxes / bans, energy supply, impact the company's ability to sustain production.

2 | B2 | Business Portfolio / Mergers / Acquisitions | 3.0 | 2.4 | (not shown)
• The "due diligence" process is flawed and underlying business performance is not as presented by the buyer.
• The company does not negotiate appropriate risk mitigation processes in the deal document.
• Merger or acquisition activity results in inconsistent financial processes, lacks operational synergies or has a fragmented IT structure.
• Non-delivery of expected synergy benefits / cost savings, loss of market / customer focus during the integration process and loss of key employees during the integration process.
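Consolidating the survey into corporate averages, heat-map bands and top-5 rankings, as an added Python example that is not part of the presentation or the presenter's tooling. The response data is constructed (B1 and B2 are chosen so their averages reproduce the catalog's 3.7/2.0 and 3.0/2.4), and the 3.0 midpoint used for the heat-map bands is an assumption, since the deck does not state its thresholds.

```python
"""Consolidate ERA survey responses into corporate averages, heat-map bands
and top-N rankings (added example, not the presenter's tool)."""
from collections import defaultdict

# Constructed sample responses: (participant, risk ref, category,
# significance, likelihood, velocity), each rated on the deck's 1-5 scale.
# B1 and B2 are chosen so their averages match the catalog (3.7/2.0, 3.0/2.4).
RESPONSES = [
    ("p1", "B1", "Business", 4, 2, 3), ("p2", "B1", "Business", 3, 2, 4),
    ("p3", "B1", "Business", 4, 2, 3),
    ("p1", "B2", "Business", 3, 3, 2), ("p2", "B2", "Business", 3, 2, 2),
    ("p3", "B2", "Business", 3, 2, 2), ("p4", "B2", "Business", 3, 2, 2),
    ("p5", "B2", "Business", 3, 3, 2),
    ("p1", "F1", "Financial", 5, 4, 5), ("p2", "F1", "Financial", 4, 4, 4),
    ("p1", "IT1", "Information Technology", 4, 3, 5),
    ("p3", "IT1", "Information Technology", 5, 3, 5),
    ("p2", "O1", "Operational", 2, 5, 1), ("p3", "O1", "Operational", 2, 4, 2),
]

CRITERIA = ("significance", "likelihood", "velocity")


def heat_band(significance, likelihood):
    """Heat-map cell colour on the 1-5 grid. The 3.0 split is an assumption;
    the deck shows heat maps without stating its thresholds."""
    high_sig, high_lik = significance >= 3.0, likelihood >= 3.0
    if high_sig and high_lik:
        return "red"
    if high_sig or high_lik:
        return "amber"
    return "green"


def consolidate(responses):
    """Average each criterion per risk (the catalog's 'Corporate Average'
    columns), rounded to one decimal as in the deck, plus its heat band."""
    ratings = defaultdict(list)
    category = {}
    for _, ref, cat, sig, lik, vel in responses:
        ratings[ref].append((sig, lik, vel))
        category[ref] = cat
    summary = {}
    for ref, rows in ratings.items():
        avgs = [round(sum(col) / len(col), 1) for col in zip(*rows)]
        entry = dict(zip(CRITERIA, avgs))
        entry["category"] = category[ref]
        entry["responses"] = len(rows)
        entry["band"] = heat_band(entry["significance"], entry["likelihood"])
        summary[ref] = entry
    return summary


def top_n(summary, criterion, n=5, category=None):
    """Top-N risk refs by one criterion, optionally within one category
    (the deck's 'top 5 by impact, likelihood and velocity' graphs).
    Ties are broken alphabetically by ref so the ranking is stable."""
    rows = [(ref, d) for ref, d in summary.items()
            if category is None or d["category"] == category]
    rows.sort(key=lambda kv: (-kv[1][criterion], kv[0]))
    return [ref for ref, _ in rows[:n]]


if __name__ == "__main__":
    s = consolidate(RESPONSES)
    for ref in top_n(s, "significance"):
        print(ref, s[ref])
```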
[Chart: Total Company Responses, Likelihood (1.0–5.0) on the horizontal axis against Significance (1.0–5.0) on the vertical axis, with points grouped by category: Business, Technology, Manufacturing, Information Technology, Finance, Organizational, Sales & Marketing; labelled points include SM1, SM2, SM4, T3 and M5.]
Setting up a Control Monitoring Process
• Do not over-react to the initial wave of responses to your risk assessment; these will probably contain some “white noise”.
• Establish the facts. Interview.
• Effective leadership creates an environment where people are encouraged to identify risks and possible solutions.
• Pay attention to the detail: not getting lost in the weeds, but being able to sift the wheat from the chaff.
• Evaluate all outcomes and alternatives.
• Revisit the directives given to make sure they were executed.
D E E P E R
Ownership: ERM belongs to the leadership team, not consultants.
Responsibility: belongs to everyone.
Fact: ERM only works when the bad news is faced up to and dealt with, not punished nor rationalized.
Assigning responsibilities is an integral part of monitoring risk:
• Role of the executive committee
• Risk Champion / Sponsor
• Unit responsible for risk mitigation
Risk assessment and monitoring techniques
Methods for assessing and monitoring risks assist managers in identifying where they should focus their energies and resources:
• Workshops
• Questionnaires
• Control self-assessment
• Identification templates
• “Bottom up” risk assessments
Checklist
“When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful. Of course there have been winter gales, and storms and fog and the like, but in all my experience, I have never been in any accident of any sort worth speaking about. I never saw a wreck and never have been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort. You see, I am not very good material for a story.”
– Edward J. Smith, Captain, RMS Titanic
Risk Management and Internal Audit
Risk tolerance scale (No Tolerance / Serious Concerns / Moderate Concern / General Tolerance / Highest Tolerance):

Financial Stability
• No Tolerance: oversight concern for financial integrity; budget overshot; credit ratings downgraded.
• Serious Concerns: financial statements subject to strong audit comment; not within budget; threats to credit rating.
• Moderate Concern: audit comments on financial reports; budget pressures appearing.
• General Tolerance: financial reporting sound; positive audit reports; within budget.
• Highest Tolerance: sound balance sheet; within budget; strong credit rating.

Staff Engagement
• No Tolerance: major staff morale and commitment problems now a persistent pattern; attrition is so great that replacements cannot be found and turn away offers; grievances preoccupy the organization and threaten to move into arbitration.
• Serious Concerns: staff morale showing a strong downward trend over many months; attrition generally across the organization creating operational pressure; grievances are increasing and more pervasive.
• Moderate Concern: staff surveys report staff concern about their alignment to organizational goals; attrition increasing, but in isolated areas; grievances show an increasing pattern.
• General Tolerance: staff commitment reported positive; attrition within acceptable and replaceable range; grievances occurring but not in large numbers.
• Highest Tolerance: staff report a high level of commitment to work (multi-year pattern); very low level of attrition; low level of internal grievances.
• Tone from the Top: present risks to the Risk Committee for their consideration.
• Acceptance: the Risk Committee formally accepts the risks to the organization.
• Clarification: review the organization’s core values and identify adverse risks.
• Training: address challenging issues associated with risk perceptions.
• Identification: clarify the Company’s core values for the organization and
• Communication: include appropriate sharing of information and of concerns.
• Assessment: assign priorities to top risks, integrate these into existing operational plans.
• Leadership: demonstrate the ability to innovate and motivate your partners.