4) Definitions
a) RIMS: Enterprise risk management is a strategic business discipline that supports the achievement of an organisation's objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.
7) ERM in practice:
a) Risk management application should follow the principles provided under PACED.
b) This includes the level of the Risk Manager or Chief Risk Officer.
c) For an organisation to fully enjoy the benefits of ERM as detailed in the next slide, it should always ensure that the full range of significant risks facing the organisation is evaluated. In addition:
i. The interrelationship between risks should be identified in order to compile the total risk exposure of the organisation.
ii. Comparisons should be made between the risk exposure, the risk appetite and the risk capacity of the organisation.
BENEFITS OF ENTERPRISE RISK MANAGEMENT
(Benefits grouped by the four headings of the FIRM Risk Scorecard)
Financial:
• Reduced cost of funding and capital
• Better control of CapEx approvals
• Increased profitability
• Accurate financial risk reporting
• Enhanced corporate governance
Infrastructure:
• Efficiency and competitive advantage
• Achievement of the state of no disruption
• Improved supplier and staff morale
• Targeted risk and cost reduction
• Reduced operating costs
Reputational:
• Regulators satisfied
• Improved utilisation of company brand
• Enhanced shareholder value
• Good reputation and publicity
• Improved perception of organisation
Marketplace:
• Commercial opportunities enhanced
• Better marketplace presence
• Increased customer spend (and satisfaction)
• Higher ratio of business successes
• Lower ratio of business disasters
Source: Fundamentals of Risk Management, 2nd Edition, by Paul Hopkin
Enterprise Risk Management
[Figure: risk matrix plotted as Impact against Likelihood, showing the comfort, cautious, concerned and critical zones, the range of risk appetite (95%), Point A, the worst possible outcome (95%), the optimal risk exposure, the risk exposure and risk capacity lines, and the ultimate risk capacity. The diagonal runs from increasing gain (increasing opportunity investment) to increasing loss (increasing hazard tolerance).]
Risk Appetite and The Risk Matrix
a) The slide above illustrates the concept of risk appetite, risk exposure and risk capacity in a risk-averse organisation:
i. The pink shaded area represents the comfort zone, the unshaded area the cautious zone, the grey shaded area the concerned zone and the red shaded area the critical zone.
ii. The risk appetite lies between the cautious and concerned zones.
iii. In the unshaded and grey shaded areas, management judgement is required before the risk is accepted.
iv. The broken shaded line represents the optimal risk exposure.
v. The red shaded area represents the critical risk, and these risks will only be accepted if there is a business imperative.
vi. The ultimate risk capacity is well within the red shaded area.
vii. The risk capacity is well above the risk appetite and the ultimate risk exposure.
viii. The organisation is therefore taking risks within its risk appetite and not exceeding its risk capacity.
Risk Appetite, Exposure and Capacity (optimal)
[Figure: risk matrix plotted as Impact against Likelihood, with comfort, cautious and concerned zones, showing the actual risk exposure, the risk exposure and risk capacity lines, and the ultimate risk capacity.]
Importance of Risk Appetite
Business component and description:
• Target credit rating: maintain a credit rating of at least BBB+
• Earnings per share: maintain an earnings per share level within the upper quartile of the peer group
• Target capital ratio: maintain a debt to capital ratio in the range 45% to 50%
• Self-sustaining growth: new business will not dilute the target capital ratio, and maintain a capital working ratio in the range 1.5% to 2%
• Financial strength: maintain an earnings-before-interest-and-taxes to interest ratio between 5% and 7.5%
• Customer dependencies: no single customer will exceed 15% of total sales
• Regulatory compliance: score in the upper quartile of the peer set in regulatory reviews
• Social responsibility: seek a position in the upper quartile of the peer group in the social responsibility index
Risk Management and Uncertainty
[Figure: the increasing gain / increasing loss diagonal, labelled with the responses applied at each level of exposure: opportunity management (increasing opportunity investment), hedging or JVs, risk response and loss control, internal control, and insurance (increasing hazard tolerance), shown against the exposure before risk control measures.]
Response and description:
Tolerate (accept/retain): The exposure may be tolerable without any further action being taken. Even if not tolerable, the ability to do anything may be limited or it may not be cost-effective to do so.
Treat (control or reduce): The purpose of treatment is not to obviate the risk but to reduce it to manageable levels. The activity giving rise to the risk is retained but controls are instituted to constrain the risk to acceptable levels. The greater number of risks will fall into this category.
Transfer (or insure or contract): Transfer may be the best response to some risks. It could be by insurance, subcontracting or going into a joint venture. A third party absorbs part of the risk.
Terminate (or avoid or eliminate): Terminate or avoid the source of the risk. This option may be limited in the public sector. Termination also means foregoing the opportunities that may be related to pursuing the activity bearing the risk.
Risk Matrix and the 4Ts of Hazard Management
[Figure: risk matrix plotted as Impact against Likelihood, with one response in each quadrant:]
• Transfer the risk to another party
• Terminate the activity generating the risk
• Tolerate the risk and its likely impact
• Treat the risk to reduce the likely impact and exposure
2) Treat Risk
a) Applied mostly in situations of high-likelihood, low-impact risk.
b) Normally done at the inherent or current level, so that when treatment measures have been put in place the new current or target level will be acceptable.
c) Consideration is given to both the likelihood and impact of the risk.
d) Cost-effective treatment measures should be directed at reducing the likelihood of the risk occurring and reducing its impact if it materialises.
Risk Responses
3) Transfer/Share Risk
a) Normally associated with situations of low-likelihood, high-impact risk.
i. Insurance is the main tool used for hazard risk transfer and, to a lesser extent, control risk.
ii. However, some risks cannot be insured because of the cost involved, or are uninsurable.
iii. Other forms are joint ventures, risk hedging and outsourcing.
iv. The cost of transfer is a component of risk financing.
Risk Responses
4) Terminate/Avoid Risk
a) Mostly associated with high-likelihood, high-impact risk. It may mean:
i. Stopping the process or activity
ii. Substituting an alternative process
iii. Outsourcing the activity associated with the risk
b) Where an organisation cannot terminate a risk because the activity associated with the risk is fundamental to its operations, alternative control measures would be necessary.
i. Control measures may be a combination of risk treatment and risk transfer.
ii. Some risks, however, may just have to be accepted despite the fact that they will be at unacceptable levels.
Risk Responses for Control Risks
(The 4As of Control Risk)
[Figure: responses plotted against risk exposure; the labels recoverable from the slide are "Accept the uncertainty attached to the risk" and "Adapt procedures and introduce controls".]
Responses for Project Risk
1) Range of responses
a) Low-uncertainty and low-exposure risks will be accepted. Bring in controls that detect failures.
b) Low-uncertainty but high-exposure risks: introduce relevant controls and adapt appropriate procedures. This reduces the level of uncertainty.
c) Low-exposure but high-uncertainty risks: transfer to a third party or adopt contingency plans to manage them.
d) High-exposure and high-uncertainty risks: avoid within the project, when feasible.
Risk Response for Opportunity Risks
(The 4 Es of Opportunity Risk Management)
[Figure: the four responses plotted against risk exposure:]
• Exploit the opportunity until competitors arrive
• Exit, depending on risk appetite and capacity
• Exist, in mature/declining markets
• Explore entrepreneurial opportunities
1) Range of Responses:
a) High risk/low potential rewards (start-up): explore entrepreneurial opportunities.
b) High risk/high reward: if growth is too slow whilst risk remains too high, exit from those operations, depending on risk appetite and risk capacity.
c) High rewards/low risk: exploit opportunities until competition arrives.
d) Low exposure and low potential rewards (mature market): you may stay in. Exist, or accept the situation.
Opportunity Risks and Risk Appetite
[Figure: potential reward plotted against level of risk, labelled "Expand if resources allow".]
[Figure: risk matrix plotted against likelihood, divided by a judgement line and a critical line into a comfort zone, where the dominant response will be TOLERATE, and a cautious or concerned zone, where the dominant response will be Treat.]
Risk Control
2) Type of Controls
a) The table on the next slide describes the range of controls that can be applied to hazard risks.
Bow-tie and Types of Controls
[Figure: bow-tie diagram. Sources (flood, fire, earthquake, break-in) lead to the event "damage to premises", which leads to consequences (financial, infrastructure, reputational, marketplace). Controls shown: loss prevention, damage limitation, cost containment. Control types shown: prevention, corrective, directive, detective.]
1) Preventive Controls
a) These are designed to prevent wrongful acts before they occur. As they say, prevention is better than cure, but these controls will not prevent or eliminate all risks cost-effectively.
b) Examples are:
i. Separation of duties
ii. Use of barriers or guards
iii. Use of passwords
iv. Staff rotation or regular change of supervisors
v. Elimination of a hazard, or substitution of the hazard with something less hazardous
Risk Control
Advantages are:
• They are generally considered simple and cost-effective.
• They eliminate the hazard so that no further consideration of it is required.
Disadvantages are:
• It may mean elimination of beneficial activities or substituting them with something less efficient and effective.
Risk Control
2) Corrective Controls
a) These are designed to correct wrongful acts when they have happened.
b) Examples are controls related to loss limitation activities.
3) Directive Controls
a) Designed to advise staff on how they should undertake tasks.
b) Examples are:
i. Financial instructions
ii. General Orders
iii. Health and Safety Instructions
c) The advantage is that they can be explained during a normal training and instruction session provided for all staff.
d) However, they may require constant supervision and reminding.
Risk Control
4) Detective Controls
a) These are designed to detect wrongful acts when they occur. They are closely related to the review and monitoring exercises undertaken as part of the risk management process.
b) Examples are:
• Stock or asset checks, to ensure that stocks or assets have not been removed without authorisation
• Reconciliations
• Performance appraisals, to detect whether staff are performing to set standards
c) They are often simple. In certain circumstances they have to be performed to detect the risk, since preventive and other control types may not detect these risks.
d) The disadvantage is that the event will already have occurred.
Control of Selected Hazard Risks
1) Cost of Control
a) To reduce risk from an inherent to a residual or target level of risk, internal controls have to be introduced.
b) These controls have a cost, and such costs form part of the total cost of risk for the organisation.
c) In considering the current/residual/target level of risk, an organisation has to consider the costs involved.
d) These form part of the total cost of risk for the organisation.
e) Part of the risk management exercise involves the evaluation of the cost-effectiveness of these controls.
Control of Selected Hazard Risks
[Figure: risk matrix against likelihood showing the effect of Control 1 and Control 2.]
[Figure: the net cost of risk, made up of the cost of controls and the potential loss.]
1. FRAUD
Why Fraud Occurs
[Figure: the Fraud Triangle.]
Fraud
An organisation will need to carry out an analysis of the effectiveness of its fraud controls. This includes:
• Checking the losses in terms of money and goods, and
• Evaluating areas where controls are insufficient.
This should be a proactive action that includes:
• An analysis of vulnerable assets
• Who is responsible
• How fraud might be undertaken, and
• The effectiveness of existing controls
When fraud occurs, this should be investigated and a report supplied to the audit committee.
In addition, an organisation should have a fraud policy.
Risk Control
2. Health and Safety
• Dangerous machinery
• Pressure systems
• Noise and vibration
• Electrical safety
• Hazardous substances
• Lifting and manual handling
• Slips, trips and falls
• Human factors and repetitive strain injury
• Radiation
• Vehicle and driving risks
• Fire safety
• Stress at work
Possible controls:
• Detailed contract stating expectations and requirements
• Extensive training for franchisees on the quality of the product
• Arrangement for procurement of supplies
7. Control of Marketplace Risks
1) Technology Developments
a) Technology Developments:
i. These include the need to keep up with technology changes in the industry.
ii. It also means keeping up with customer expectations and demands, covering convenience, quality, price and fashion.
iii. Possible controls are:
• Joint-venture partnerships
• Sharing expertise
• Sharing the cost of developing new technologies
Risk Control
2) Regulatory
a) This involves compliance with various regulatory agencies.
Learning from Controls
Control-benefit Analysis
[Figure: the profile of expected losses before control and after control, plotted against likelihood of loss, with the cost of control also shown.]
Learning from Controls
a) Decisions have to be made on the most appropriate and cost-effective controls to be used to manage hazard risks.
i. The figure on the previous slide demonstrates the profile of expected losses before and after a specific control is introduced.
ii. Whether a control is introduced is a matter of organisational judgement.
iii. If the risk has a low likelihood of materialising, then the cost of the control may be greater than the anticipated benefits.
iv. Therefore, when evaluating the reduced exposure to loss, there is also the need to look at the cost of the applicable control.
Learning from Risk Control
[Figure: four-stage cycle]
1. Planning (strategic and business objectives)
• Investment appraisal
• Design of control
• Feasibility study
2. Implementing (core processes and functions)
• Project risk management
• Plan implementation
• Implementation of control
3. Measuring (key performance indicators)
4. Learning (continuous improvement)
Insurance and Risk Transfer
i) Advantages:
i. It provides indemnity against an expected loss.
ii. Can reduce uncertainty regarding hazard events if they occur.
iii. Can provide economic benefits to the insured. The loss may be greater than the premiums.
iv. Can provide access to specialist services as part of the insurance premium, such as advice on loss control.
j) Disadvantages:
i. Delays experienced in obtaining settlement of claims.
ii. Difficulties arising in quantifying the financial costs associated with the loss.
iii. Disputes regarding the extent of insurance coverage and the exact terms and conditions of the contract.
iv. Under-insurance by the insurer arising from difficulty in deciding the limit of indemnity appropriate for liability exposures.
Insurance and Risk Transfer
2) Alternatives to Insurance
a) Alternatives to insurance in the case of hazard risks:
i. Conventional insurance
ii. Contractual transfer of risk
iii. Captive insurance companies
iv. Pooling of risks in mutual insurance companies
v. Derivatives and other financial instruments
Insurance and Risk Transfer
(Contractual Risk Transfer)
3) Types of Insurance:
a) Legal and contractual obligations
i. Employers' liability: compensation to employees injured at work.
ii. Public liability: compensation to the public or customers.
iii. Product liability: compensation for damage or injury.
iv. Professional indemnity: compensation to a client for negligent advice.
Insurance and Risk Transfer
4) Evaluation of Insurance
a) Because of the many different types of insurance available, it is critical that each organisation evaluates its insurance requirements.
b) The following factors need to be considered:
i. Specific activities and features of the organisation
ii. The portfolio of risks the organisation faces; this results in a careful review of how much insurance an organisation wishes to purchase
c) The table below provides a checklist for organisations to decide which types of insurance are required.
Identifying the Necessary Insurance
Feature of the business and insurance requirement:
1. Business has employees: Employers' liability
2. Employees travel outside the country: Business travel
3. Members of the public could be affected: Public liability
4. Business supplies products or components: Product liability or recall
5. Business provides professional advice: Professional liability
6. Theft or dishonesty by employees could occur: Fidelity guarantee
7. Business occupies business premises: Premises insurance
8. Premises has machinery or other stock: Contents cover
9. Business depends on machinery or computers: Engineering insurance
10. Business could be disrupted by fire, flood etc.: Business interruption
11. Business is involved in transporting goods: Goods in transit
12. Business has motor vehicles on public roads: Motor
13. Business provides life benefits to employees: Life and health
14. Certain staff are key to operation of the business: Key person
15. Business would suffer in the event of a bad debt: Trade credit
16. Business has directors and/or officers (D & O): D and O liability
Insurance and Risk Transfer
5) Purchase of Insurance
a) The following factors need to be considered in purchasing insurance:
i. Cost: the premiums required from the insured, and the level of self-insurance (excess/deductible).
ii. Coverage: limitations, warranties and exclusions.
iii. Capacity: the capacity the insurer is willing to offer in relation to the value of the assets/exposure that need to be insured.
iv. The capabilities of the insurer to provide other services, like loss control services and assistance with business continuity planning.
v. The financial security, status and capabilities of the insurer.
vi. Compliance: taxes, requirements to issue the contract before the policy commences (contract certainty), and issues relating to acceptance/approval/admittance of the policy in certain countries.
Thank you for your attention