
Risk Management

Andy Wynne

Profit is the reward for taking risk

Corporate Failure = Poor Risk Management?


- South Sea Bubble
- US Savings and Loans
- Maxwell
- BCCI
- Polly Peck
- Barings

More recently:

A 20-year study of Fortune 500 companies compared two groups:

- Crisis-prepared (proactive)
- Crisis-prone (reactive)

Crisis-prepared companies stay in business nearly 25% longer. Crisis-prone companies have half the profit rate.

What is Risk?

Risk is something which may (or may not) happen and which would have a (negative) effect on the achievement of an organisation's objectives.

Risk Management

- Know your objectives and risk attitude
- Identify risks
- Assess risk
- Manage risk
- Monitor, learn and improve, reconsider

The 1992 COSO report on internal control led to growing recognition of the importance of risk management:

- Rutteman and then Turnbull (UK)
- Sarbanes-Oxley (US)
- King Report (South Africa)
- ECSAFA Guidance on governance

COSO report on Enterprise Risk Management published in 2004


- Internal control is now part of risk management
- Emphasis on risk control across the organisation

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Certain fundamental concepts:

- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk

Fundamental concepts (cont):

- Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories

Eight components

1. Internal Environment

- The tone of an organization
- How risk is viewed and addressed
- Risk management philosophy
- Risk appetite
- Integrity and ethical values

2. Objective Setting

- Objectives are needed before potential risks can be identified
- Agreed objective-setting process
- Chosen objectives support the entity's mission
- Chosen objectives are consistent with its risk appetite

3. Event Identification

- Internal and external events identified
- Distinguish between risks and opportunities
- Consider all risk categories

4. Risk Assessment

To help management analyse risks, assess each one by:

- Likelihood
- Impact

Also assess risks on both an inherent and a residual basis (before and after the effect of controls).

5. Risk Response

Select the appropriate response:

- Terminate (avoid)
- Tolerate (accept)
- Treat (reduce)
- Transfer (share)

6. Control Activities

Policies and procedures to help ensure the risk responses are effectively carried out. The traditional internal controls.

7. Information & Communication

Management information is produced and provided. Effective communication occurs down, across, and up the entity.

8. Monitoring

The whole enterprise risk management process is monitored and amended as necessary.

Four categories of risk

Entity objectives can be viewed in the context of four categories:

- Strategic
- Operations
- Reporting
- Compliance

Four levels within the entity

Considers activities at all levels of the organization:

- Enterprise level
- Division
- Business unit
- Subsidiary

Risk Management part 2


Andy Wynne

The risk management cycle

- Establish a business framework
- Identify all risks
- Assess the risks
- Deal with the risks
- Monitor the arrangements

Establish a business framework

- Corporate attitude to risk (risk appetite)
- Integrate risk into general management activities, as part of business planning
- Allocate responsibilities for risk management
- Agree an approach, processes and timetable
- Ensure risk awareness and communication

Identify all risks

- Political
- Financial
- Health & safety
- Legal & regulatory
- Corporate issues
- Commercial
- Operational
- Reputational

Assess the risks - impact

1. The organisation would not survive
2. Major effect on achievement of business plan or quality of services
3. Significant impact on achieving business plan or quality of services
4. Some impact on staff and minor effect on clients
5. Insignificant impact on organisation or staff

Assess the risks - likelihood

1. Certain: more than 80%
2. Probable, each year: 50-80%
3. Possible, every three years: 25-50%
4. Unlikely, maybe over 5 years: 5-25%
5. Remote: less than 5%

Assess the risks

Plotting impact against probability gives a 2x2 matrix (examples from the slide):

                            PROBABILITY
                    Low                          High
  IMPACT  High      Medium Risk:                 High Risk:
                    Loss of phones               Credit risk
                    Loss of computers            Customer has a long wait
                                                 Customer can't get through
                                                 Customer can't get answers
          Low       Low Risk:                    Medium Risk:
                    Fraud                        Entry errors
                    Lost transactions            Equipment obsolescence
                    Employee morale              Repeat calls for same problem

Risk landscape

Outcome              Measure                                       Risk                       Likelihood  Impact  Control activities
Satisfied customers  % of customers stating they are satisfied     Product technically fails  Medium      High    New product development
                     in survey;                                                                                   Quality control
                     % of focus group participants satisfied                                                     Returns policy
                     with product

Deal with the risks

Select the appropriate response:

- Terminate (avoid or stop the activity)
- Tolerate (accept: low impact, or contingency plans)
- Treat (reduce by implementing sound internal controls)
- Transfer (share, usually by insurance)

Deal with the risks (cont)

The same matrix maps each quadrant to a response:

                            PROBABILITY
                    Low                          High
  IMPACT  High      Medium Risk: Share           High Risk: Mitigate & Control
          Low       Low Risk: Accept             Medium Risk: Control
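The impact and likelihood scales above and the response matrix can be turned into a small risk-register scorer. This is an added illustration, not material from the slides: the scale thresholds and quadrant responses follow the slides, but the split of the 1-5 scales into the matrix's "High" and "Low" (scores 1-2 versus 3-5) is an assumption, and the sample register entries are constructed.

```python
from dataclasses import dataclass

def likelihood_score(pct: float) -> int:
    """Map an estimated annual probability (%) to the slides' 1-5 likelihood scale."""
    if not 0.0 <= pct <= 100.0:
        raise ValueError("probability must be a percentage between 0 and 100")
    if pct > 80: return 1   # Certain: more than 80%
    if pct >= 50: return 2  # Probable, each year: 50-80%
    if pct >= 25: return 3  # Possible, every three years: 25-50%
    if pct >= 5: return 4   # Unlikely, maybe over 5 years: 5-25%
    return 5                # Remote: less than 5%

# Assumption (the slides do not say where the 1-5 scales split): scores 1-2
# count as "High" on a matrix axis, 3-5 as "Low".
HIGH_CUTOFF = 2

# Quadrants and responses as drawn on the "Deal with the risks" matrix.
QUADRANTS = {  # (high_impact, high_probability): (rating, response)
    (True, True): ("High Risk", "Mitigate & Control"),
    (True, False): ("Medium Risk", "Share"),
    (False, True): ("Medium Risk", "Control"),
    (False, False): ("Low Risk", "Accept"),
}

@dataclass
class Risk:
    name: str
    impact: int             # 1 = organisation would not survive .. 5 = insignificant
    probability_pct: float  # estimated chance of occurring in a year

def classify(risk: Risk) -> tuple[str, str]:
    """Return (rating, response) for one risk from the impact/probability matrix."""
    if not 1 <= risk.impact <= 5:
        raise ValueError("impact must be on the 1-5 scale")
    high_impact = risk.impact <= HIGH_CUTOFF
    high_probability = likelihood_score(risk.probability_pct) <= HIGH_CUTOFF
    return QUADRANTS[(high_impact, high_probability)]

def rank_register(register: list[Risk]) -> list[tuple[str, str, str]]:
    """Order a register most severe first: by rating, then impact, then likelihood."""
    order = {"High Risk": 0, "Medium Risk": 1, "Low Risk": 2}
    def severity(r: Risk) -> tuple[int, int, int]:
        return (order[classify(r)[0]], r.impact, likelihood_score(r.probability_pct))
    return [(r.name, *classify(r)) for r in sorted(register, key=severity)]

# Constructed sample register; the names echo the slides, the numbers are made up.
SAMPLE_REGISTER = [
    Risk("Customer can't get through", impact=2, probability_pct=60),
    Risk("Loss of computers", impact=1, probability_pct=10),
    Risk("Repeat calls for same problem", impact=4, probability_pct=90),
    Risk("Employee morale", impact=5, probability_pct=3),
]
```

Calling rank_register(SAMPLE_REGISTER) lists the customer-contact risk first (High Risk, Mitigate & Control) and employee morale last (Low Risk, Accept).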

Monitor the arrangements

- Full review every three years
- Formal review at each level every year
- As part of the business planning process

Sound internal control

Internal control can be considered sound if risk management is effective. Is each of the eight components functioning properly? Small entities can have effective risk management if each component is present and adequate.

Limitations of risk management

- Depends on human judgement
- Breakdowns occur because of human failures, errors, etc.
- Controls can be overcome by collusion or fraud
- Managers may override risk management policies

Limited implementation?

- Half of health bodies in the UK have yet to identify their principal risks
- Half of local councils have yet to establish risk registers
- In central government only 1 in 10 ministries consider their processes to be fully embedded

Conclusions

Risk management is an essential part of management. How formal do you want to make it? You now have the information to adopt a more formal approach!

Further Guidance

- PEFA Performance Management Framework: http://www.pefa.org
- COSO Enterprise Risk Management: http://www.coso.org
- UK HM Treasury guidance on risk management: http://www.hmtreasury.gov.uk./media/FE6/60/FE66035B-BCDCD4B3-11057A7707D2521F.pdf
- UK NAO report on risk management: http://www.nao.org.uk/publications/nao_reports/0304/03041078es.pdf