ISO 31000:2009
Mumbai, Bhopal and USA – Unthinkable risk which matured
Why talk about risk?
National Guidance
on Implementing ISO 31000:2009
From NSAI in Ireland
Background…
• A risk management project by Grant Thornton was started in 2008.
• A control self-assessment methodology was followed for deployment by appointing Risk Champions within functions.
• Qualitative analysis with a 3x3 matrix (High, Medium, Low).
• Prepared a Policy Manual, Polarization Document & Review Process for consistency in rating the risk.
• Training & Seekh sessions were conducted across all functions to disseminate the concept of mapping the Risk Statement, As Is Control & Mitigation Plan.
Current Process…
Risk
• Risk as “An event which can prevent, hinder, fail to further or otherwise obstruct the enterprise in achieving its objectives.”
• Risk is any uncertainty which impedes the achievement of objectives.
• Business risk as “The threat that an event or action will adversely affect an enterprise’s ability to maximize stakeholder value and to achieve its business objectives.”
How to Identify Risk
• Process flow technique with scenario building methodology is used for risk mapping.
Event identification
Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channelled back to management’s strategy or objective-setting processes.
(Severity) (Probability)
Mitigating Control Effectiveness / As is
Controls & Residual Risk
• MCE: All the identified risks will be mapped to the existing controls/practices. The control strength will be assessed for its effectiveness in mitigating the identified risks by carrying out process walkthroughs, observation, exception monitoring, etc. The controls are to be mapped at the likelihood stage to ensure the risk vulnerability is addressed.
• All risks and the existing controls are measured to get a residual risk exposure.
[Figure: Inherent Value of Risk; Consider “As Is” Control Strength; Residual Value of Risk; New Action Plans to mitigate remaining risk]
10/05/2022
Risk Response
• Terminate: Avoid - disposal, not performing
• Treat: Reduce - diversifying
• Transfer: Share - insuring, JV
• Tolerate: Accept - self insurance
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out (check for design effectiveness and operating efficiency).
Linkages With Different Areas
• IMS Process
• BSC Linkage
• Risk Identification & mapped
• Mention in IMS process
Risk Valuation Process
Inherent Value or Gross Risk
• Inherent value, or gross risk, is the result of likelihood × impact.
Commercial
Circles, EAG, COS, Information BD, RG committee
Corporate Finance, Legal & Sub Committee
P&T, CEG & Safety Technology HR, IR & Admin.
Communication Regulatory Sub
Sub Committee Sub PM, PSC, PE & C Sub-Committee
Sub Committee committee CS Sub
committee Sub committee
Committee
Risk Governance
• To address issues like team effort & ownership, Risk Management Sub Committees have been formed.
• Key duties and responsibilities of the Sub Committee:
o Assisting the various functions to identify, assess, analyse and manage risks
o Quantification of risk in value terms
o Developing risk response processes
o Monitoring the relative performance of the function
o Identifying the areas which need insurance or financial cover to protect against loss
o Ensuring the implementation of risk mitigation plans
o Escalation of issues requiring policy approvals and amendments
o Reviewing and discussing significant risk issues & ensuring horizontal collaboration in the development of mitigation strategies and the establishment of corporate priorities in resource allocation
o Reporting new risks or failures of existing control measures with remedial action
o Keeping the risk portfolio & related action plans updated, along with periodic confirmation & self-assessment signoff
To Identify Impact
• It should have a direct impact on the bottom line.
• Examples:
o Power Purchase Cost
o Sales & revenue & profit
o Revenue gap
o Billing efficiency
o Cash flow effect, cost per consumer
o Excess payment
o Loss on interest income
o Loss on rebates on early payments
o Wrong salary disbursement
o Loss on LD charges
Leading Indicators of Risk Event
[Figure: Chain of events: Root Cause Event (leading indicators of event?), Intermediate Event (leading indicators of event?), Risk Event. Annotations: proactively take action; early mitigation strategies; reduce or eliminate the impact.]
Advantages of ERM
• Problem anticipation – better preparedness & response to uncertainty
Risk Polarisation For Quantitative Approach and Evaluation Approach
The risks are ranked according to their significance & likelihood of occurrence, and the residual exposure is determined by assessing their corresponding mitigating control effectiveness.
1 | Less than 5% | Not likely, almost impossible to occur between year 2 (from now) to 5 years | Similar instances have never occurred in the past
2 | 5% to 9% | May occur once or twice between year 2 (from now) to 5 years | Though not routinely, but there have been similar instances in last 2 to 5 years
3 | 10% to 49% | Possible, may arise once or twice within the immediate next year | There have been 1 or 2 similar instances in the past year
4 | 50% to 80% | High, may arise several times within the immediate next year | Similar instances have occurred several times in the past year
5 | Over 80% | Very high, almost a routine feature every month within the immediate next year | Similar instances have commonly occurred every month in the past
Risk Management Format
Tata Power Delhi Distribution Limited Risk Profile
Risk No. (AA11)
RMSC: Name of Committee
Function: Name of Function
Process Name: Name of Process
Primary Risk Owner: Name of Function Head
Risk Sub-Owner(s): Name of Process Owner
Risk Champion: Name of Risk Champion
Risk Rating: Shall be based on residual risk & to be given by TA after consolidation
Linkage to BSC
Risk Description: Possible outcomes/consequence of a risk
Risk Statement