AS/NZS 4360:2004 THE AUSTRALIAN & NEW ZEALAND STANDARD ON RISK MANAGEMENT

Kevin W Knight
CHAIRMAN, ISO WORKING GROUP - RISK MANAGEMENT TERMINOLOGY
MEMBER, STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT
PO BOX 226, NUNDAH QLD 4012
E-mail: kknight@bigpond.net.au

Taking a risk: it isn’t all bad
• Risk taking is positive, not implicitly negative
• We take risks not to avoid harm, but to achieve benefits and gains
• Taking risks is a normal, unavoidable, everyday necessity
• Taking controlled, informed risks is a sensible and essential part of everyday life
• The higher the risk, the higher the reward
• Without risk there is no progress.

MANAGING RISK
• We all manage risk consciously or unconsciously - but rarely systematically
• Managing risk involves both threats and opportunities
• Managing risk requires rigorous thinking
• Managing risk means forward thinking
• Managing risk requires accountability in decision making
• Managing risk requires communication
• Managing risk requires balanced thinking
• RM provides a framework to facilitate more effective decision making

Corporate Governance
The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within an acceptable degree of risk. It is the glue which holds the organisation together in pursuit of its objectives while risk management provides the resilience.

Corporate Governance
“As I look back on my career as an independent director, I realise that my efforts were mostly futile. Management gave us reams of information about past performance and we dutifully discussed it. We were looking at the wrong information and asking the wrong questions. We should have focussed on the future and questioned the strategy and competence of management to execute it. The board did not wake up until it was too late.”
Guidance for Directors - Dealing with Risk in the Boardroom, Canadian Institute of Chartered Accountants, 2000

Risk Management as Defined in AS/NZS 4360:2004
“THE CULTURE, PROCESSES AND STRUCTURES THAT ARE DIRECTED TOWARDS REALISING POTENTIAL OPPORTUNITIES WHILST MANAGING ADVERSE EFFECTS.”

[Figure: risk management framework diagram - a cycle of numbered steps (1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/, 7. Manage the Risk) enclosed by Communicate & Consult, Assess, and Monitor & Review, set within the framework elements Structure, Direction, Processes, Culture, Communication, Opportunities and Risks]

[Figure: the AS/NZS 4360:2004 risk management process - overview]
ESTABLISH THE CONTEXT
• The External Context
• The Internal Context
• The Risk Management Context
• Develop Criteria & Define the Structure
IDENTIFY RISKS
• What can happen, when, where, how & why
ANALYSE RISKS
• Identify existing controls
• Determine Likelihood
• Determine Consequences
• Determine Level of Risk
EVALUATE RISKS
• Compare with criteria
• Set priorities
• Treat risks? YES: proceed to Treat Risks; NO: return to Monitor & Review
TREAT RISKS
• Identify options
• Assess options
• Prepare and implement treatment options
• Analyse & evaluate residual risk
COMMUNICATE & CONSULT and MONITOR & REVIEW run alongside every step.

RM is everybody’s business
• RM is not just the responsibility of management
• For RM to be effective it must be implemented by every person in the organisation
• RM must become an integral part of the organisational culture
• The risk makers and risk takers must be the risk managers.

Step 1 : Establish the Context
• external context
• internal context
• risk management context
• risk criteria (i.e. threshold levels)
• define the structure

Step 2 : Identify Risks
• what can happen, when, where and how
• identify key processes, tasks, activities
• recognise risk areas
• define risks
• categorise risk

Step 3 : Analyse Risks
• identify controls
• determine likelihood
• determine consequence/impact
• determine level of risk

Step 6 : Monitor and Review Risks
• process
• environment
• organisation
• strategy
• stakeholders

Communicate and consult - at all steps

Step 4 : Evaluate Risks
• identify tolerable/unacceptable risks (referring the risk rating against the risk criteria)
• prioritise risks for treatment

Step 5 : Treat Risks
Accept/Retain
• based on judgement or documented procedures/policy
Avoid
• consider discontinuing or avoiding the activity
• consult
• risk treatment is preferable to risk aversion
Share
• insurance
• outsourcing
Reduce likelihood
• controls
• process improvement
• training & education
• policies and communication
• audit and compliance
Reduce consequence
• Business Continuity Plans
• contractual arrangements
• public relations

Communication & Consultation in the risk management process
COMMUNICATE & CONSULT
• ANY TWO-WAY DIALOGUE BETWEEN STAKEHOLDERS
• DEVELOP THE COMMUNICATION STRATEGY AT THE CONTEXT STAGE
• ENSURE STAKEHOLDERS' PERCEPTION OF RISK IS ADDRESSED

Risk Management’s Role in Corporate Governance
[Figure: management layers Governance, Strategic Management, Executive Management and Operational Management, with Accountability / Supervision / Decision & Control marked alongside; the traditional and current risk management application sits at the executive and operational levels, while a potential greater future role of risk management extends up to strategic management and governance]
STRATEGIC FRAMEWORK FOR MANAGING RISKS
[Figure: two linked loops - Taking Risks through Business Strategies to Adding Value, and Managing Risk through Business Processes to Preserving Value - joined by Communication and Consultation]

[Figure: the risk management process diagram (repeated), with Establish the Context highlighted; the evaluate step asks whether to Tolerate Risks - NO leads to Treat Risks, YES to Monitor & Review]

ESTABLISH THE CONTEXT
• Objectives and environment
• Relevant legislation
• Stakeholder identification & analysis
• Government policy
• Corporate policy
• Management structures
• Community expectations
• Criteria
• Consequence criteria.

[Figure: the Cultural Web - An Organisation’s Paradigm at the centre, surrounded by Stories (business experiences), Symbols, Rituals & Routines, Power Structures, Control Systems and Organisational Structures. Adapted from Johnson & Scholes, 1993, p.61]

ORGANISATIONAL RISK CRITERIA
[Figure: organisation risk personality or propensity shown as a spectrum - from Aversion (Denial, Dislike, Disinclination) through Indecision and Irresponsible behaviour to Impulsive behaviour and Excessive appetite; the Risk tolerance range in the middle is set by strategic management decision and shaped by corporate culture]

Board of Directors
• Approves policy
• Approves risk limits
• Approves risk tolerance
• Provides oversight
Risk Management Committee
• Monitor - Coordinate - Teach
• Measure - Benchmark
• Report to Board
• Enforce
Line Managers
• Identify risk
• Propose risk limits
• Control
• Report
Executive Management
• Establishes policy
• Establishes risk limits
• Establishes risk tolerances
• Reports to Board
• Enforces

[Figure: the risk management process diagram (repeated), with Identify Risks highlighted: what can happen, when, where, how & why]

Risk Identification
A risk is associated with
• A source
• An event or incident
• A consequence, outcome or impact
• A cause (what & why)
• Controls and their level of effectiveness and application
• When & where a risk could occur.

Identification of Sources of Risk
• personnel/human behaviour
• management activities and controls
• economic circumstances
• natural and unnatural events
• political circumstances
• technology/technical issues
• commercial and legal relationships
• public/professional/product liability
• the activity itself.

Risk Management Methods
Comprehensive identification using a well-structured, systematic process is critical, because a risk not identified at this stage may be excluded from further analysis.
More significantly, a well-structured process leads to quality collection of data, as strongly emphasised by AS/NZS 4360:2004.
HB436:2004 Risk Management Guidelines - A Companion to AS/NZS 4360:2004

[Figure: the risk management process diagram (repeated), with Analyse Risks highlighted: identify existing controls; determine likelihood; determine consequences; determine level of risk]

Risk Analysis
• Purpose
– Separate minor risks from major
– Provide data to assist in evaluation and treatment
• Preliminary Analysis
– Excluded risks should be listed where possible
• Where possible, confidence limits are placed on estimates
• The best available information sources are used

Examples of Qualitative Analysis
• Checklists and Questionnaires
• SWOT Analysis
• Physical Inspections
• Analysis Based on Records of the Operation
• Flowcharts
• Event trees.

S.W.O.T. ANALYSIS
[Figure: the organisation as Inputs -> Transformation Process -> Outputs; Resources (Skills & Experience) and Resources (Financial) feed the inputs; Stakeholders (External/Internal), the Organisational Environment (Internal/External), the Cultural Web, Power (Authority, Knowledge, Delegations) and Intrinsic/Extrinsic Rewards each affect or influence the process - its attitudes, approach and efficiency. Source: HD 240:2000]

Examples of Quantitative Analysis
• Computer Modelling
• Fault Tree Analysis
• Hazard Indices
• Statistical Analysis.

Examples of Likelihood Tables

Likelihood Ex. 1          Likelihood Ex. 2          Likelihood Ex. 3
Almost Certain       5    Common               4    High Frequency        3
Likely               4    Potential            3    Moderately Frequent   2
Possible             3    Low Potential        2    Low Frequency         1
Unlikely             2    Almost Never         1
Rare                 1

It is up to each organisation to define the parameters that allow users to assess likelihood.

Examples of Consequence Tables

Consequence Ex. 1         Consequence Ex. 2         Consequence Ex. 3
Catastrophic         5    Critical             4    Significant           3
Major                4    Severe               3    Moderate              2
Moderate             3    Medium               2    Insignificant         1
Minor                2    Negligible           1
Insignificant        1

It is up to each organisation to define the severity of impact that allows users to assess consequence.

Examples of Risk Rating Tables

Risk Rating Ex. 1         Risk Rating Ex. 2         Risk Rating Ex. 3
Very High            5    Extreme              4    High                  3
High                 4    Significant          3    Medium                2
Tolerable            3    Moderate             2    Low                   1
Low                  2    Low                  1
Very Low             1

It is up to each organisation to define the terminology for risk rating levels, and how this is set in the risk rating matrix.

Example Of A Risk Rating Matrix
[Figure: an example risk rating matrix of likelihood against consequence - the cell values are not recoverable from the extracted text]

AS/NZS 4360:2004 emphasises that organisations tailor the criteria that drive assessment and analysis to suit the nature and business environment of their operations.
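As an added worked example (not part of the original slides, and not the standard's own matrix), the "Ex. 1" likelihood and consequence scales above are combined into a rating matrix and applied to a small risk register. The 5x5 matrix, the criterion that anything rated above Tolerable must be treated, and the register entries are all constructed for illustration; AS/NZS 4360:2004 leaves each of these for the organisation to define. The monotonicity check is the sanity test a practitioner would run on any hand-built matrix: a rating must never fall as likelihood or consequence rises.

```python
"""Analyse and evaluate steps of AS/NZS 4360 on a small risk register.

The likelihood and consequence scales follow "Ex. 1" on the page; the
rating matrix, the tolerance criterion and the sample register are
constructed for this example and are NOT the standard's own.
"""
from __future__ import annotations
from dataclasses import dataclass

# Likelihood Ex. 1 and Consequence Ex. 1 from the page (name -> level).
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
# Risk Rating Ex. 1 from the page (level -> name).
RATING_NAMES = {1: "Very Low", 2: "Low", 3: "Tolerable", 4: "High", 5: "Very High"}

# Constructed rating matrix: rows are likelihood levels 1..5 (Rare .. Almost
# Certain), columns are consequence levels 1..5 (Insignificant .. Catastrophic).
RATING_MATRIX = [
    # Insig  Minor  Mod  Major  Cat
    [1, 1, 2, 3, 3],  # Rare
    [1, 2, 2, 3, 4],  # Unlikely
    [2, 2, 3, 4, 4],  # Possible
    [2, 3, 4, 4, 5],  # Likely
    [3, 3, 4, 5, 5],  # Almost Certain
]

# Risk criterion set at the "establish the context" step (assumed for the
# example): any rating above Tolerable must be treated.
TOLERABLE_RATING = 3


def rate(likelihood: str, consequence: str) -> int:
    """Return the rating level (1..5) for a likelihood/consequence pair."""
    row = LIKELIHOOD[likelihood] - 1
    col = CONSEQUENCE[consequence] - 1
    return RATING_MATRIX[row][col]


def matrix_is_monotonic() -> bool:
    """Check that ratings never decrease as likelihood or consequence increases."""
    size = len(RATING_MATRIX)
    for i in range(size):
        for j in range(size):
            if j + 1 < size and RATING_MATRIX[i][j + 1] < RATING_MATRIX[i][j]:
                return False
            if i + 1 < size and RATING_MATRIX[i + 1][j] < RATING_MATRIX[i][j]:
                return False
    return True


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    likelihood: str   # a key of LIKELIHOOD, judged with existing controls in place
    consequence: str  # a key of CONSEQUENCE


def evaluate(register: list[Risk]) -> list[dict]:
    """Rate every risk, flag those needing treatment and order them by priority."""
    rows = []
    for risk in register:
        level = rate(risk.likelihood, risk.consequence)
        rows.append({
            "id": risk.ident,
            "description": risk.description,
            "level": level,
            "rating": RATING_NAMES[level],
            "needs_treatment": level > TOLERABLE_RATING,
        })
    # Highest rating first; the sort is stable, so ties keep register order.
    rows.sort(key=lambda r: r["level"], reverse=True)
    return rows


# Constructed sample register (not from the page).
SAMPLE_REGISTER = [
    Risk("R1", "Loss of primary data centre", "Unlikely", "Catastrophic"),
    Risk("R2", "Phishing of staff credentials", "Likely", "Moderate"),
    Risk("R3", "Short public website outage", "Almost Certain", "Minor"),
    Risk("R4", "Key supplier insolvency", "Unlikely", "Major"),
    Risk("R5", "Theft of office stationery", "Possible", "Insignificant"),
]

if __name__ == "__main__":
    assert matrix_is_monotonic(), "rating matrix is inconsistent"
    for row in evaluate(SAMPLE_REGISTER):
        flag = "TREAT" if row["needs_treatment"] else "monitor"
        print(f"{row['id']} {row['rating']:<10} {flag:<8} {row['description']}")
```

Re-rating a risk after a treatment option has been applied (the "analyse & evaluate residual risk" step) is the same `rate()` call with the revised likelihood or consequence, which is why the matrix and the criterion must be agreed before analysis starts rather than adjusted to fit the answer.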

[Figure: the risk management process diagram (repeated), with Evaluate Risks highlighted: compare against criteria; set priorities; treat risks? NO returns to Monitor & Review, YES proceeds to Treat Risks]

Risk Evaluation
Consider
• Objectives of the project and opportunities
• Tolerability of risks to others
• Whether a risk needs treatment
• Deciding whether a risk can be accepted
• Whether an activity should be undertaken
• Priorities for treatment

Comparing the levels of risk found in analysis with the previously established criteria.

RISK TOLERABILITY
[Figure: risk tolerability matrix (variant 1) - severity/impact/consequences across the columns (Insignificant, Minor, Major, Critical, Extreme) and frequency/likelihood down the rows (Rare, Unlikely, Moderate, Likely, Almost Certain); zones marked Avoid Risks (high likelihood and high consequence), Reduce Likelihood, Reduce Frequency/Likelihood, Reduce Consequences, and Acceptable or Tolerable Level of Risk (low likelihood and low consequence)]
[Figure: risk tolerability matrix (variant 2, shown twice in the original) - consequences in dollars across the columns ($1,000 Mild, $100,000 Moderate, $1M Severe, $100M Disastrous, Total) and likelihood as a probability down the rows (Not Possible 0, Unlikely, Possible, Likely, Almost Certain, Certain 1); the same treatment zones, with a Tolerable Level of Risk boundary]

[Figure: tolerability of risk - level of risk (risk magnitude) on the vertical axis, divided into three regions]
Intolerable region: risk cannot be justified except in extraordinary circumstances.
ALARP region (As Low As Reasonably Practicable): tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained; tolerable if the cost of reduction would exceed the improvements gained.
Broadly acceptable region (“de minimis” risk): necessary to maintain assurance that the risk remains at this level.

[Figure: the risk management process diagram (repeated), with Treat Risks highlighted: identify options; assess options; prepare and implement treatment options; analyse & evaluate residual risk]

[Figure: the trade-off between level of risk and cost of reducing risk (B.F. Hough 1985) - level of risk (risk value) on the vertical axis falls as the cost of reducing risk ($) on the horizontal axis rises; the curve is divided into bands labelled Satisfactory, Most Cost Effective, Accepted Practice, Best Achievable and Absolute Minimum]
[Figure: overall level of risk against the cumulative cost of risk reduction measures - successive measures are marked Implement, Use Judgement and Uneconomic as each further reduction costs more]

Risk Treatment
• reduce
– likelihood
– consequences
• business continuity management
• sharing in full or in part (this creates a new risk)
• avoid (but not because of aversion)
• retain residual (but not by default)

REDUCE LIKELIHOOD
Risk prevention
• compliance programmes
• inspection & process controls
• security devices, alarms and processes
• preventive maintenance
• training & education.

REDUCE CONSEQUENCES
Risk reduction
• medical & first aid procedures
• off site data & information storage
• fraud control planning
• fire suppression.

Business Continuity Management
• emergency evacuation plans
• off site data & information storage
• business contingency plans
• business relocation plans
• business resumption plans
• review, reassess and revise plans.

SHARING RISK
Contractual transfer of legal responsibility
• sub contracting of hazardous processes
• exclusion clauses
• outsourcing
• partnerships & joint ventures
Insurance

AVOID
Reduce probability of loss to zero
• cease activity
• closure of facility
• sell business.

RETAIN RESIDUAL RISKS
Losses funded from general operating expenses
• vital to record all incidents
• ensure retention is not due to a failure to identify.

Treatment Options
Consider
• Opportunities created by risk
• Cost of implementation vs benefits
• Extent of risk reduction vs benefits
• Criteria of acceptability
• Rare but severe risks
• Risk perception and communication.

In general
• Costs of managing risk commensurate with benefits
• Adverse impacts As Low As Reasonably Achievable
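An added example (not from the slides) of the cost-versus-risk trade-off discussed in the treatment slides and the tolerability-region figure: treatment options are compared on expected annual loss, each option's residual risk is placed in the intolerable / ALARP / broadly acceptable region, and a cost that is greatly disproportionate to the benefit is flagged as uneconomic, matching the Implement / Use Judgement / Uneconomic bands of the cumulative-cost figure. All dollar figures, the region thresholds, the five-year horizon and the disproportion factor of 3 are constructed assumptions, not values from the standard.

```python
"""Comparing risk treatment options on cost versus risk reduction (ALARP).

Added example; every figure below is constructed for illustration and the
region thresholds are assumptions an organisation would set in its own
risk criteria.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed risk criteria, expressed as expected annual loss in dollars.
INTOLERABLE_ANNUAL_LOSS = 100_000.0   # above this the risk cannot be justified
BROADLY_ACCEPTABLE_LOSS = 1_000.0     # at or below this: "de minimis", no further reduction expected
DISPROPORTION_FACTOR = 3.0            # assumption: cost more than 3x the benefit is grossly disproportionate
HORIZON_YEARS = 5                     # period over which a measure's benefit is counted


@dataclass(frozen=True)
class Option:
    name: str
    cost: float                  # one-off cost of implementing the measure ($)
    residual_likelihood: float   # annual probability of the event after treatment (0..1)
    residual_consequence: float  # loss if the event still occurs after treatment ($)


def expected_annual_loss(likelihood: float, consequence: float) -> float:
    """Level of risk as likelihood x consequence, rounded to cents."""
    return round(likelihood * consequence, 2)


def region(annual_loss: float) -> str:
    """Place a level of risk in one of the three tolerability regions."""
    if annual_loss > INTOLERABLE_ANNUAL_LOSS:
        return "intolerable"
    if annual_loss > BROADLY_ACCEPTABLE_LOSS:
        return "ALARP"
    return "broadly acceptable"


def assess(baseline_likelihood: float, baseline_consequence: float,
           options: list[Option]) -> list[dict]:
    """Score each option: residual risk, benefit over the horizon, and a verdict.

    insufficient  - residual risk is still in the intolerable region
    implement     - the risk reduction over the horizon covers the cost
    use judgement - cost exceeds the benefit, but not grossly
    uneconomic    - cost exceeds DISPROPORTION_FACTOR x benefit
    """
    baseline = expected_annual_loss(baseline_likelihood, baseline_consequence)
    results = []
    for opt in options:
        residual = expected_annual_loss(opt.residual_likelihood, opt.residual_consequence)
        benefit = round((baseline - residual) * HORIZON_YEARS, 2)
        if region(residual) == "intolerable":
            verdict = "insufficient"
        elif opt.cost <= benefit:
            verdict = "implement"
        elif opt.cost <= DISPROPORTION_FACTOR * benefit:
            verdict = "use judgement"
        else:
            verdict = "uneconomic"
        results.append({"name": opt.name, "cost": opt.cost, "residual": residual,
                        "region": region(residual), "benefit": benefit, "verdict": verdict})
    return results


def recommend(assessment: list[dict]) -> dict | None:
    """Pick the 'implement' option that buys the most risk reduction per dollar."""
    candidates = [r for r in assessment if r["verdict"] == "implement"]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: r["cost"] / r["benefit"] if r["benefit"] > 0 else float("inf"))


# Constructed baseline: a one-in-five-year event costing $1M, i.e. $200,000
# expected annual loss, which sits in the intolerable region.
BASELINE_LIKELIHOOD = 0.2
BASELINE_CONSEQUENCE = 1_000_000.0

# Constructed treatment options, one per treatment family on the slides.
SAMPLE_OPTIONS = [
    Option("Staff training", 20_000.0, 0.12, 1_000_000.0),            # reduce likelihood
    Option("Process controls", 150_000.0, 0.02, 1_000_000.0),         # reduce likelihood
    Option("Business continuity plan", 50_000.0, 0.2, 200_000.0),     # reduce consequence
    Option("Relocate facility", 5_000_000.0, 0.001, 1_000_000.0),     # avoid
]

if __name__ == "__main__":
    rows = assess(BASELINE_LIKELIHOOD, BASELINE_CONSEQUENCE, SAMPLE_OPTIONS)
    for row in rows:
        print(f"{row['name']:<26} residual ${row['residual']:>9,.0f} "
              f"({row['region']:<18}) benefit ${row['benefit']:>9,.0f} -> {row['verdict']}")
    best = recommend(rows)
    print("Recommended:", best["name"] if best else "none")
```

Note that the cheapest option is rejected as insufficient because it leaves the risk intolerable, and the option that drives risk lowest is rejected as uneconomic; the choice falls on the measure with the best reduction per dollar, whose residual risk then sits in the ALARP region and so still needs monitoring and review.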

Treatment Plans
Document how the options are implemented
• Responsibilities
• Schedules
• Expected outcomes
• Budgeting
• Performance measures
• Review processes

[Figure: the AS/NZS 4360:2004 risk management process diagram (repeated from the overview above, all steps shown)]

AS/NZS 4360:2004 Extending The Process
• The role of assurance activity, not just as a risk control but as part of ‘Monitor and Review’, should be developed.
• This should go further than just audit.
Other interested stakeholders can also benefit from the risk process, such as quality assurance, safety & environment management. The latest update is facilitating linkages between different stakeholders.

MONITOR & REVIEW
• RM is a journey, not a destination
• What may be of minor significance today may be the disaster of tomorrow
• Review is an integral part of the risk management process

AS/NZS 4360:2004 Role Of Assurance Activity

Recording the Risk Management Process
• demonstrates the process was conducted properly
• provides a record of risks
• provides decision makers with a plan for approval and implementation
• provides an accountability tool
• facilitates monitoring and review
• provides an audit trail
• enables sharing and communication of information.

Establishing Effective Risk Management
• Board & Management commitment
• Risk management planning
• Culture change
• Accountability & authority
• Customise to the organisational paradigm
• Ensure adequate resources
• Board monitoring and review of risk management effectiveness

POLICY DEVELOPMENT
• NO MORE THAN ONE PAGE
• MUST BE SIMPLE, ACHIEVABLE, UNDERSTANDABLE & AUDITABLE
• THE RISK MAKERS AND THE RISK TAKERS MUST BE THE RISK MANAGERS
• SERVES AS A PLATFORM FOR ORGANISATIONAL GUIDELINES

RISK MANAGEMENT FRAMEWORK
Risk Management Processes
The framework will be implemented by each business unit in accordance with the policy by:
• Maintaining documented business risk profiles using analytical techniques to identify, evaluate, and manage risks in compliance with AS/NZS 4360:2004
• Communicating risk management issues, where appropriate, to all relevant stakeholders

[Figure: the risk management framework diagram (repeated), captioned with the AS/NZS 4360:2004 definition: “The culture, processes and structures that are directed towards realising potential opportunities whilst managing adverse effects.”]

RISK MANAGEMENT FRAMEWORK
Risk Management Structure & Responsibility
• The Board approves the corporate risk management policy and framework.
• The Board Risk Management Committee reviews the effectiveness of the policy.
• All managers and staff are accountable for managing risk.
• The Risk Management “Champion” is responsible for facilitating the risk management program and reporting to the Board Risk Management Committee.

“STRATEGIC MANAGEMENT OF RISK”
“Managing risk is a way of confidently taking the right risks and then managing the outcomes for success”

Risk Management and the Strategic Planning Cycle
[Figure: a cycle of Planning -> Execution/Integration -> Monitor Performance -> Review & Change]
Planning
• Future State / End Vision
• SWOT, Opportunities and Risks
• Strategy & Tactics
Execution / Integration
• Manage Tactics
• Manage Tasks
• Manage Risks
Monitor Performance
• Performance
• Capability
• External Environment
Review & Change
• Strategic Learning
• Strategic Alignment
• Strategic Intelligence

The Operational Risk Management Cycle
[Figure: an annual cycle - Jan: Strategic planning; May: Determine risk treatment actions; Sep: Budget and business planning; in between: Conduct risk profiling, Implement and monitor treatment actions, Review performance]

RISK MANAGEMENT BENEFITS
• Fewer surprises
• Exploitation of opportunities
• Improved planning, performance and effectiveness
• Economy and efficiency
• Improved stakeholder relationships
• Improved information for decision making
• Enhanced reputation
• Director protection
• Accountability, assurance and governance
• Personal wellbeing.

RISK MANAGEMENT OUTCOMES
RM leads to
• more informed decision making
• business continuity planning
• minimising disruptions
• better utilisation of resources
• strengthening of the culture of continuous improvement
• best practice
• a quality organisation

YOU DO NOT HAVE TO DO IT!!
SURVIVAL IS NOT COMPULSORY

The greatest risk of all is to take no risk at all!

The Journey Continues
A journey ………. A race. In pursuit of performance. Building value.

AS/NZS 4360:2004 and its accompanying Handbook provide generic guidance on how to embed risk management, and introduce the concept of “positive” risk to help you on the way.
[Figure: the risk management framework diagram (repeated)]
