Andy Wynne
More recently: crisis-prepared companies stay in business nearly 25% longer, while crisis-prone companies have half the profit rate.
What is Risk?
Risk is an event that may or may not happen and which, if it did, would have a (usually negative) effect on the achievement of an organisation's objectives.
Risk Management
Know your objectives and your risk attitude
Identify risks
Assess risks
Manage risks
Monitor, learn and improve, reconsider
The 1992 COSO report on internal control led to growing recognition of the importance of risk management:
Rutteman and then Turnbull (UK)
Sarbanes-Oxley (US)
King Report (South Africa)
ECSAFA Guidance on governance
Fundamental concepts:
Enterprise risk management is:
A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
Able to provide reasonable assurance to an entity's management and board of directors
Geared to achievement of objectives in one or more separate but overlapping categories
Eight components
1. Internal Environment
The tone of an organization: how risk is viewed and addressed
Risk management philosophy
Risk appetite
Integrity and ethical values
2. Objective Setting
Objectives are needed before potential risks can be identified
An agreed objective-setting process
Chosen objectives support the entity's mission
Chosen objectives are consistent with its risk appetite
3. Event Identification
Internal and external events identified
Distinguish between risks and opportunities
Consider all risk categories
4. Risk Assessment
To help management analyse risks, consider:
Likelihood
Impact
Assess risks on both an inherent basis (before controls) and a residual basis (after controls)
5. Risk Response
Select the appropriate response:
Terminate (avoid)
Tolerate (accept)
Treat (reduce)
Transfer (share)
6. Control Activities
Policies and procedures to help ensure the risk responses are effectively carried out. The traditional internal controls.
7. Information and Communication
Management information is produced and provided. Effective communication occurs down, across, and up the entity.
8. Monitoring
The whole enterprise risk management process is monitored and amended as necessary.
Levels at which ERM is applied (the COSO cube): enterprise, division, business unit, subsidiary.
Establish a business framework
Identify all risks
Assess the risks
Deal with the risks
Monitor the arrangements
Corporate attitude to risk: the risk appetite
Integrate risk into general management activities, as part of business planning
Risk categories: Political, Financial, Health & safety, Legal & regulatory, Corporate issues, Commercial, Operational, Reputational.
Impact scale:
1 The organisation would not survive
2 Major effect on achievement of the business plan or quality of services
Likelihood scale:
1 Certain: more than 80%
2 Probable: each year, 50-80%
3 Possible: every three years, 25-50%
4 Unlikely: maybe over 5 years, 5-25%
5 Remote: less than 5%
Risk matrix (impact against probability): low impact and low probability = Low Risk; high probability with low impact = Medium Risk; high impact with low probability = Medium Risk; high impact and high probability = High Risk.
Example risks plotted on the matrix: credit risk; customer has a long wait; customer can't get through; customer can't get answers.
Risk landscape (example row; the risk and control-activity cells were blank on the slide):
Outcome | Measure | Risk | Likelihood | Impact | Control activities
Satisfied customers | % of customers stating they are satisfied in survey; % of focus group participants satisfied with product | | Medium | High |
Select the appropriate response:
Terminate (avoid or stop the activity)
Tolerate (accept: low impact, or contingency plans)
Treat (reduce by implementing sound internal controls)
Transfer (share, usually by insurance)
Response matrix (impact against probability): low impact and low probability = Accept; high probability with low impact = Control; high impact with low probability = Medium Risk; high impact and high probability = High Risk.
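The assessment and response steps above can be made concrete as a small risk register. The following Python is an added example written for this page, not the author's own material: it converts an estimated annual probability into the 1-5 likelihood band from the slides, places each risk on the impact/probability matrix, rates it on an inherent and a residual basis, and picks one of the four T's. The cut-off between "High" and "Low" on the 2x2 matrix (bands 1-2 versus 3-5), the impact grades below 2, the responses for the two "Medium" cells and the sample risks are all assumptions, labelled as such in the code.

```python
"""Toy risk register built on the slides' likelihood and impact scales.

Added example, not from the original slides. Assumptions (not on the page):
the band cut-off used for the 2x2 matrix, impact grades 3-5, the response
chosen for the two "Medium" cells, and the constructed sample risks.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Likelihood bands from the slides: (band, label, lower probability bound).
# Band 1 is the most likely: an annual probability >= 80% is "Certain".
LIKELIHOOD_BANDS = [
    (1, "Certain", 0.80),
    (2, "Probable", 0.50),
    (3, "Possible", 0.25),
    (4, "Unlikely", 0.05),
    (5, "Remote", 0.0),
]

# Impact bands: 1 = organisation would not survive, 2 = major effect on the
# business plan. Grades 3-5 are assumed lesser impacts (slides define 1-2 only).
CATASTROPHIC, MAJOR = 1, 2


def likelihood_band(probability: float) -> int:
    """Map an annual probability in [0, 1] to the slides' 1..5 likelihood band."""
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be between 0 and 1")
    for band, _label, lower in LIKELIHOOD_BANDS:
        if probability >= lower:
            return band
    return 5  # not reached: the last lower bound is 0.0


def is_high(band: int) -> bool:
    """Assumption: bands 1-2 count as 'High' on the 2x2 matrix, 3-5 as 'Low'."""
    return band <= 2


def rate(likelihood: int, impact: int) -> str:
    """Place a (likelihood, impact) pair in the 2x2 matrix shown on the slides."""
    high_prob, high_impact = is_high(likelihood), is_high(impact)
    if high_prob and high_impact:
        return "High"
    if high_prob or high_impact:
        return "Medium"
    return "Low"


def respond(likelihood: int, impact: int) -> str:
    """Pick one of the four T's for a matrix cell.

    Low -> Tolerate and high-probability/low-impact -> Treat follow the
    slides' 'Accept' and 'Control' cells. The remaining two cells are an
    assumed mapping: insure (Transfer) a rare but severe event, and treat
    a high/high risk or terminate the activity if it cannot be reduced.
    """
    rating = rate(likelihood, impact)
    if rating == "Low":
        return "Tolerate"
    if rating == "High":
        return "Terminate or Treat"
    return "Treat" if is_high(likelihood) else "Transfer"


@dataclass
class Risk:
    name: str
    category: str                  # one of the slides' categories
    probability: float             # inherent annual probability (before controls)
    impact: int                    # inherent impact band, 1 = worst
    residual_probability: Optional[float] = None   # after existing controls
    residual_impact: Optional[int] = None

    def inherent(self) -> Tuple[int, int]:
        return likelihood_band(self.probability), self.impact

    def residual(self) -> Tuple[int, int]:
        p = self.probability if self.residual_probability is None else self.residual_probability
        i = self.impact if self.residual_impact is None else self.residual_impact
        return likelihood_band(p), i


def build_register(risks: List[Risk]):
    """Rate each risk inherently and residually; return rows sorted worst-first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = []
    for r in risks:
        il, ii = r.inherent()
        rl, ri = r.residual()
        rows.append({
            "risk": r.name, "category": r.category,
            "inherent": rate(il, ii), "residual": rate(rl, ri),
            "response": respond(rl, ri),
        })
    rows.sort(key=lambda row: (order[row["residual"]], order[row["inherent"]]))
    return rows


# Constructed sample register (not from the slides), using the call-centre
# examples plotted on the page's matrix plus a credit risk and a severe event.
SAMPLE = [
    Risk("Customer cannot get through", "Operational", 0.9, 4, residual_probability=0.4),
    Risk("Customer cannot get answers", "Reputational", 0.6, 3),
    Risk("Customer has a long wait", "Operational", 0.85, 5),
    Risk("Credit risk: major customer defaults", "Financial", 0.1, MAJOR, residual_impact=3),
    Risk("Data centre destroyed by flood", "Operational", 0.02, CATASTROPHIC),
]

if __name__ == "__main__":
    print(f"{'RESID':6} {'INHER':6} {'RESPONSE':18} RISK")
    for row in build_register(SAMPLE):
        print(f"{row['residual']:6} {row['inherent']:6} {row['response']:18} {row['risk']}")
```

Note that a control which cuts the probability of "customer cannot get through" from 90% to 40% moves it from the Medium cell to the Low cell, so the register reports Tolerate for the residual risk while still recording the Medium inherent rating the control is justified by.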
Full review every three years
Formal review at each level every year
As part of the business planning process
Internal control can be considered sound if risk management is effective. Is each of the eight components functioning properly? Small entities can have effective risk management if each component is present and adequate.
Limitations:
Depends on human judgement
Breakdowns occur because of human failures, errors, etc.
Controls can be overcome by collusion or fraud
Managers may override risk management policies
Limited implementation?
Half of health bodies in the UK have yet to identify their principal risks. Half of local councils have yet to establish risk registers. In central government only 1 in 10 ministries consider their processes fully embedded.
Conclusions
Risk management is an essential part of management. How formal do you want to make it? You now have the information to adopt a more formal approach.
Further Guidance
PEFA Performance Management Framework: http://www.pefa.org
COSO Enterprise Risk Management: http://www.coso.org
UK HM Treasury guidance on risk management: http://www.hmtreasury.gov.uk./media/FE6/60/FE66035B-BCDCD4B3-11057A7707D2521F.pdf
UK NAO report on risk management: http://www.nao.org.uk/publications/nao_reports/0304/03041078es.pdf