Systems
Types of Risks
Risk – Levels of RM Sophistication
[Figure: Contribution plotted against Sophistication, with stages Reform (Hazard Mgmt.), Conform (Control Mgmt.) and Perform (Opportunity Mgmt.)]
1. REFORM : Awareness of non-compliance
2. CONFORM : Actions to ensure compliance
3. PERFORM : Achieve business opportunities
4. DEFORM : Inactivity caused by obsession
Risk Management – Risk Maturity
| Level | Description |
|---|---|
| Level 1 - Naive | Unaware of RM. Don’t recognize the value of structured approaches to deal with uncertainty. Insufficient attempt to learn from past, prepare for future threats, uncertainties. |
| Level 2 - Novice | Aware of the benefits of RM – not implemented efficiently. Experimenting with RM or has a RM process with fundamental weaknesses. |
| Level 3 - Normalized | RM built into routine business processes. RM implemented throughout the organization. Generic RM processes are formalized and benefits are understood at all levels of the organization. Might not be consistent. |
| Level 4 - Natural | Risk aware culture, with a proactive approach to RM. Consideration of risk is inherent to all routine processes. Risk information communicated and used to gain competitive advantage. |
Risk Management – Principles : should be
Principle Description
Risk Management – Principles
Risk can be identified and Controlled.
What Risk Management should Deliver (CADE3)
1. Compliance with Laws and Regulations
2. Assurance regarding the management of significant Risks.
3. Decisions that pay full regard to risk considerations.
4. Efficiency, Effectiveness and Efficacy in operations, projects and strategy.
Less disruption to normal efficient operations, reduction of uncertainty in
relation to change and improved decisions in relation to evaluation and
selection of alternative strategies; i.e. Improved Organizational Decision
Making
Hazard Management – Outcome less Negative
Control Management – reduces the spread/ range of possible outcomes; uncertainty.
Opportunity Management – Outcomes more Positive
Hazard Risk – Management (7R 4T Process)
1. Recognition of Risks
2. Ranking of Risks
3. Responding to Risks: Tolerate, Treat, Transfer, Terminate
4. Resourcing Controls
5. Reaction Planning
6. Reporting on Risk
[Figure labels: Information Feedback, Experience Feedback]
Ranking of Risks - Assessment
Assessment table columns: Description; Current Level of Risk (Likelihood, Impact, Overall Rating); Risk Rating; Controls in Place; Actions to be taken
Techniques
1. Questionnaires and Check Lists
2. Workshops and Brainstorming
3. Inspection and Audits
4. Flowcharts and Dependency Analysis
5. SWOT and PESTLE analysis
Identify key dependencies of the company – what could impact them?
1. What can undermine them?
2. What would cause uncertainty for the key dependencies?
3. What events will enhance the state of the key dependencies?
Important to quantify the risks, whenever possible.
Impact vs. Likelihood
Ranking of Risks - Assessment
Risk Rating = Likelihood x Impact
[Figure: risk matrix with Impact axis]
Low Impact + High Probability (Car Accident) vs. High Impact + Low Probability (Tsunami)
Ranking of Risks - Priority
[Figure: Risk 1 to Risk 5 plotted on a grid of Impact (up to High) against Likelihood (Low to High)]
Risk 1 – Heart Attack, duplicates from China
Risk 2 – Earthquake, taking ill (Lecturer)
Risk 3 – Car Accident, taking ill (student)
Risk 4 – employees taking unauthorized leave
Risk 5 – Cutting your finger when grating a coconut
Ranking of Risks - Classification
Time Frame, Nature of the risk, source of the risk, nature of the impact
To identify similar risks, structure responsibilities and risk management approach.
| Time Frame | Impact (after event taking place) | Type of Risk | Impact |
|---|---|---|---|
| Short Term | Immediate | Mostly Hazard Risks | Disruption to operations. Operational efficiency. Continuity and monitoring of routine operations. |
| Medium Term | Month – Year | Mostly Control Risks | Affects the ability of the org. to maintain effective core processes. Management of tactics, projects, change programmes, product launches. |
| Long Term | One – Five Years | Mostly Opportunity Risks | Affects the core processes that develop and deliver efficacious strategy. More lethal than risks affecting operations and tactics. |
Ranking of Risks – Classification (Standards, Frameworks)
Standard/Framework: COSO, IRM, BS 31100, FIRM Risk Scorecard, PESTLE
Political : Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability.
Economic : Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc.
Sociological : Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming.
Technological : Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain.
Legal : Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation etc.
Environmental/ Ethical : Ecological and environmental aspects, although many of these factors will be economic or social in nature
Ranking of Risks – Classification (FIRM)

| | Financial | Infrastructure | Reputational | Marketplace |
|---|---|---|---|---|
| Description | Risks that can impact the way in which money is managed and profitability is achieved | Risks that will impact the level of efficiency and dysfunction within the core process | Risks that will impact desire of customers to deal or trade and level of customer retention | Risks that will impact the level of customer trade or expenditure and customer retention |
| Measurement (performance indicator) | Gains and losses from internal financial control | Level of efficiency in process and operations | Nature of publicity and effectiveness of marketing profile | Income from commercial and marketing activities |
| Performance Gap | Procedures: failure in procedures to control internal financial risks | Process: failure of processes to operate without dysfunction | Perception: failure to achieve the desired perception of the organisation | Presence: failure to achieve required presence in the marketplace |
| Control Mechanisms | CapEx standards; Internal Control; Delegation of authority | Process Control; Loss control; Insurance and risk financing | Marketing; Advertising; Reputation and Brand protection | Strategic and business plans; Opportunity assessment |
Ranking of Risks – Classification (personal issues)
Dependency Long Term Medium Term Short Term
Financial Risks : Procedures gap: How well do your procedures manage your finances?
Financial: Impact on Balance Sheet of 0.25%; Profit and Loss impact of 2.5% annual profit
Infrastructure: Disruption of normal operations by 0.5 days; Increased cost of operation exceeds 10% budget
Reputational: Share price falls by 10%; Event is on National TV, radio or newspapers
Marketplace: Impact on Balance Sheet of 0.5% turnover; Profit and Loss impact of 1% annual profit; Lose projects worth 1 million to competition
Responding to Risks – 4Ts
| Impact | Low Likelihood | High Likelihood |
|---|---|---|
| High | Transfer: risk to another party | Terminate: the activity of generating the risk |
| Low | Tolerate: the risk and its likely impact | Treat: the risk to reduce the likely impact or exposure |
Risk – ISO 31000 Risk Management Process
Risk – IRM Risk Management Process
Risk – Risk Management Framework (RASP)
Risk Protocols
Rules and Guidelines
Policies and Procedures
Risk Management Methodologies
Tools and Techniques
Risk – Risk Architecture
The Board: Overall responsibility for risk management
Executive Committee: Ensure risk management is embedded into all processes; Review group risk profile
Audit Committee: Receive routine reports from Group RM committee; Set audit programme; Monitor progress with audit recommendations
Disclosures Committee: Review and evaluate disclosure controls and procedures; Information disclosed to external parties
Group risk management (RM) committee: Formulation of strategy and policy; Compile group risk register; Receive reports from divisions; Track RM activity in the divisions
Divisional Management: Prepare and maintain the divisional risk register; Set risk priorities for division; Monitor projects and risk improvements; Manage self-certification activities; Prepare reports and group RM committee
[Figure labels on connecting arrows: Reports for evaluation; Inform and Monitor]
Risk – Risk Appetite
Risk – Risk Appetite (Risk Averse)
[Figure: risk appetite zones on an Impact axis (up to High): Comfort Zone, Caution Zone and Risk Universe (Concern)]
[Figure: Impact axis (up to High) showing Inherent, Intermediary, Current and Target risk levels, with Control 1, Control 2 and Control 3]
Risk – Capacity
Risk Appetite – Risk level that is appropriate for the organization (decided by the board).
Risk Exposure – Actual risk the organization is taking.
Risk Capacity – How much risk the organization can afford to take.
Risk Capacity
Financial Strength
Robustness of its infrastructure
Strength of its brand and reputation
The competitive nature of the industry/ marketplace it operates in