
Module 1 - Unit ONE: Introduction to Financial Management

KENYA SCHOOL OF GOVERNMENT


SENIOR MANAGEMENT COURSE

RISK MANAGEMENT
SMC: RISK MANAGEMENT Home

Session Content
1. Conceptual Framework – What Risk Management is all about

2. Risk management steps and process

3. How do you mitigate against the risks?


Definition of Risk

The possibility that an event will occur and adversely affect the achievement
of objectives
▪ Committee of Sponsoring Organizations (COSO) Enterprise Risk
Management Framework

The chance of something happening that will have an impact upon objectives
• AS/NZS 4360:1999, Risk Management

Events that may have a positive impact represent opportunities

“Risk comes from not knowing what you are doing.” Warren Buffett


Risk is…

A chance of an event happening that may:
• Impact our objectives
• Carry potential for loss or gain
• Challenge our culture
• Require re-think of processes
• Demand new work standards & norms

DEFINITION OF RISK

• A risk is a potential problem – it might happen and it might not
• Conceptual definition of risk
• Risk concerns future happenings
• Risk involves change in mind, opinion, actions, places,
etc.
• Risk involves choice and the uncertainty that choice
entails
• Two characteristics of risk
• Uncertainty – the risk may or may not happen,
• Loss – the risk becomes a reality and unwanted
consequences or losses occur

Why do we need Risk Management?

“The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.”
James Lam, Enterprise Risk Management, Wiley Finance © 2003

“Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.”
Sheila Fraser, Auditor General of Canada


Why do we need Risk Management?

• Successful risk management allows for safer business operations in terms of assets, activities and finance protection, as well as improvement of the services it offers.
• Every organization is exposed to many types of risk; and
organizations should develop a risk management culture.
• All types of risks have to be identified, assessed and managed.
• Risk management becomes an important element of the general
management for any process – no management without effective
risk management.
• Risk management enables organizations to increase goal-achieving probability, by identifying dangers, and coordinating internal norms and requirements with reality.


Risk universe

Definition: All risk types and categories across all business lines, functions,
geographical locations and legal entities that could affect an organization.
Strategic

Financial

Operational

Compliance

Environmental


Some Typical Public Sector Risks


Risks surrounding the central objective, Achieving Service Delivery:

• Economic changes such as lower economic growth reduce tax revenue and opportunities to provide a wider range of services or limit the availability or quality of existing services
• Failure to innovate leading to sub-standard services
• Loss or misappropriation of funds through fraud or impropriety
• Environmental damage caused by failure of regulations or government inspection regime
• Inconsistent policy objectives resulting in unwanted outcomes
• Project delays, cost overruns and inadequate quality standards
• Failure to measure performance adequately
• Inadequate service plans to maintain continuity of service delivery
• Failure to monitor implementation
• Inadequate skills or resources to deliver services as required
• Failure of contractors, partners or other government agencies to provide services as required
• Failure to properly evaluate pilot projects before a new service is introduced may result in problems when the service becomes fully operational
• Technical risk – failure to keep pace with technical developments, or investment in inappropriate or mismatched technology


Risk management is:


1. The identification, assessment and prioritization of
risks
2. Followed by a coordinated and economical
application of resources to minimize, monitor, and
control the probability and/or impact of unfortunate
events or to maximize the realization of
opportunities.
• There are various models and approaches to risk management


The COSO Framework

The COSO ERM framework defines essential components, suggests a common language,
and provides clear direction and guidance for enterprise risk management.


A Framework For Risk Management


ISO 31000
Defines Risk management principles as well as
providing a framework/model


Public Sector Risk Management


Risk management should:


1. Define goals to be achieved
2. Delegate responsibility
3. Determine the area and the level on which risk
management should be conducted.
4. Define the activity, in terms of time and space
5. Determine the connection between certain activities
6. Define the risk management methodology
7. Determine the procedures in risk management
8. Make decisions and identify areas where revisions should be made.


The Risk Management Process should incorporate the following steps:

1. Understand your risks, e.g. in the context of your organization;
2. Identify risks in relation to your local context and
area;
3. Describe risks, e.g. through producing an internal
risk register;
4. Score your risk, e.g. using a matrix approach;
5. Decide how you will manage your risks;


Risk Management Steps


• There are four major steps to developing a
risk management plan
1. Identify all the possible risk events that could
affect the entity - recognize what can go wrong
2. Assess each risk in terms of probability, impact
severity and controllability
3. Develop a strategy and/or contingency for
responding to each risk. Rank the risks by
probability and impact - Impact may be
negligible, marginal, critical, and catastrophic
4. Monitor and control risks dynamically
• A Risk Management Plan should be
developed by management, implemented
and appropriately monitored.
Figure from “Project Management” by Gray and Larson


Building a Risk Management Framework


• The first step in building the program is to identify its core
components.
• This is where organizations can leverage their existing risk
management framework to ensure consistent coordination,
collaboration, risk coverage and risk management across
the enterprise.


Identify the Risks


• Generate list of all possible risks by
• brainstorming
• Physical audits
• Research
• Analysis of trends
• Access to records – accident reports, near misses
• Risk assessments
• Focus on risk events, rather than risk consequences
• For example, “instrument does not return correct data” is a
consequence of events like poor circuit design, incorrect or
failed components, poor software implementation
• First focus on overall organization risks, then identify specific
risks
• Emphasize critical thinking


Assessing the risk impact


• Not all risks need to be subject to monitoring and control
• Use a Scenario Analysis to assess the risk event impact
• Determine all consequences and their severity if the
event happens
• Identify when the event is likely to happen
• Estimate the probability that the risk event will occur
• Determine how difficult it will be to detect the event
occurrence


Ranking the Risk Importance


• Rank risks from those that can be neglected to those that require
elevated vigilance
• A Risk Severity Matrix can be helpful in prioritizing risks
• Plot of event probability versus impact
• Red zone identifies the most important events
• Yellow zone lists risks that are moderately important
• Green zone events probably can be safely ignored

[Figure: Risk Prioritization Matrix. Impact (1 to 5) plotted against Likelihood (1 to 5); each cell's risk score is I x L.]

• Note that the zones are not symmetrical across the matrix
– High impact, low probability events are much more important than likely, low impact events

Risk Management Infrastructure


Risk reporting and communications

Risk Level: Action and Level of Involvement Required

Critical Risk
• Inform Chief Executive Officer and Board of Directors
• Immediate action required

High Risk
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks – provide report to Board as appropriate

Moderate Risk
• Management mitigation and ongoing monitoring required
• Inform relevant Strategy Team members

Low Risk
• Accept, but monitor risks
• Manage by routine procedures within the program and site

Risk Response Strategies


• Retaining risk (accepting)
• Usually for events with low probability but high impact when no alternate
strategy is feasible
• Have a contingency plan ready in case event occurs
• Mitigating risk (reducing)
• Actions are taken to either A) reduce the likelihood of a risk, or B) reduce the impact of the risk
• For example, testing electrical components after receipt would reduce the
likelihood that “bad” parts would be used in a circuit
• Sharing risk
• Multiple units assume some portion of the risk
• Transferring risk
• Risk is assumed and managed by a unit outside the organization
• Terminating risk


Develop a Response for Risks


• A risk response plan identifies the primary components
necessary for managing the risk
• What response strategy will be used
• How will the risk event be detected and the response
triggered
• What plan will be put in place in response to the event
• Who will be responsible for monitoring and controlling
the risk


Contingency Planning
• Risks associated with the technical aspects can have the most severe outcomes
• Can be mitigated by building and testing prototypes of critical components
• Have available backup or alternate designs that have much lower risk
• Risks associated with the schedule usually require a trade-off
• Manage “slack” time to provide resources for delayed components
• Bring in more people (increase costs) or reduce performance
• Risks associated with costs usually result from estimate errors and
omissions
• Time & cost are related; trade-off schedule delays with lower cost
• “Descope” options that remove components of the project, but still allow the
primary mission to proceed
• All “budgets” (mass, power, schedule, cost) should include a reserve
percentage that can be expended as risk events occur


Risk Response Process Control


• The Risk Management Plan should specify the risks, risk responses,
and mechanisms used to control the process
• Need to continuously monitor for risk triggers
• Potential risk events should be identified early and monitoring for such events should commence immediately
• Each risk is assigned to a specific person
• Has the expertise & authority to identify & respond to an event
• Need environment where problems are readily reported, embraced &
solved
• Changes in any aspect need to be documented and communicated
• Who will have the authority to approve a change
• Use written form to track changes
• Who is notified of what changes and when


Using Risk Registers


• Risk registers/logs kept as permanent record
• Record –
• Type
• Who is responsible
• Date identified
• Description
• Cost
• Probability
• Impact
• Response actions


Resources Needed to Mitigate Risk


• Budget
• External consultants/advisors
• Human resource
• Software systems


Managing & Mitigating Risk


• Understand your risks
• Develop a risk policy
• Put written procedures in place
• Assign roles and responsibilities
• Train staff
• Communicate effectively
• Keep records
• Conduct internal audits
• Review audit findings
• Put contingency plan in place
• Engage external assessors


END
