M. Bilal Qureshi
Identify risks
Analyse risks
Evaluate risks
Treat risks
NOTE 3: "Risk treatment can create new risks or modify existing risks."
Risk Profile (example register entry)

Objective xx: "Ready-to-Heat"
Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Priority: yes
Owner: Joe OP
Action Plan:
- Jane to develop 2-3 innovation schemes within 2 months
- Joe to do market analysis

Callouts on the slide:
2. Prioritize order of the key initiatives based on their high contribution to achieving the overall financial and strategic objectives within the
4. List of risks that could hinder the ability to meet the initiative's objectives
7. Document the immediate next steps for effective initiative execution
ORMIS April 21, Toronto, ISO 6
© Broadleaf Capital International, 2006
Example of an integrated tool for RM Process (blank template)

Existing Preventative Controls / Control Owner: 1. 2. 3. 4. 5. 6.
Existing Reactive Controls / Control Owner: 1. 2. 3. 4. 5. 6.
Task (future controls) / Task Owner / Due Date: 1. 2. 3.
Task (future controls) / Task Owner / Due Date: 1. 2. 3.
Elements of ERM, rated on five maturity levels: 1 Initial, 2 Repeatable, 3 Defined, 4 Managed, 5 Optimized.
Element groups: Organization Philosophy & Culture; Leadership Commitment; RM Capabilities; RM Process.
1. Risk management culture
   1 Initial: The focus is primarily on responding to crises and tends to be reactive rather than proactive.
   2 Repeatable: People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on an ad hoc basis. A cautious approach is taken to RM overall.
   3 Defined: RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions.
   4 Managed: Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success.
   5 Optimized: RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.
2. Roles and responsibilities for managing risk
   1 Initial: Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process.
   2 Repeatable: Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis.
   3 Defined: Roles and responsibilities for RM are clear, well communicated and understood throughout the organization.
   4 Managed: RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning.
   5 Optimized: Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with the overall organization accountability framework.
3. Linkage to ethics and values
   1 Initial: No ethics policy or guidelines in place. Policy statements are issued on an ad hoc basis. No clear statements of shared values or principles, or attention to legal or political considerations.
   2 Repeatable: Organization has an ethics and values statement. RM philosophy is reflected in a written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently.
   3 Defined: Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values.
   4 Managed: Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made.
   5 Optimized: Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of the organization. Few infractions or incidents occur.
4. Valuing risk management behaviour
   1 Initial: High level of scepticism exists within the organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued.
   2 Repeatable: People are consulted and given opportunity to participate in RM. Staff contribution to managing risk is recognized on an ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
   3 Defined: The working environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization.
   4 Managed: Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority.
   5 Optimized: Staff encouraged and recognized for identifying risks and opportunities, and for identifying risks not being appropriately managed. Staff continuously cited for their exemplary behaviour. Value of human capital in the organization is measured.
5. Leadership
   1 Initial: RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement.
   2 Repeatable: RM initiatives are supported by senior management on an ad hoc basis. Risks are managed by operational managers. No Board engagement.
   3 Defined: Senior management regularly engaged in formal RM process. Minimal Board engagement.
   4 Managed: Senior management oversee and champion the organization's RM framework, and lead by example. Some Board engagement.
   5 Optimized: Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.
6. Risk management framework & policy
   1 Initial: The organization has no formal RM framework or policy.
   2 Repeatable: Some RM policies for specific areas have been formally documented to address specific risks.
   3 Defined: Organization RM framework in place.
   4 Managed: Organization RM framework and policy. These are well communicated and followed.
   5 Optimized: Board approved RM framework and policy are well communicated, followed and compliance is monitored.
7. Roles and responsibilities of senior management
   1 Initial: Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks.
   2 Repeatable: Specialists are responsible for managing risks. Managers identify and respond to risks on an ad hoc basis.
   3 Defined: Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans.
   4 Managed: Senior management roles and responsibilities for RM are well documented in accountability agreements or governance documents. They are consistently applied and monitored.
   5 Optimized: Senior management promote and support research into RM best practice to ensure an evidence-based approach. They are seen as leaders and innovators for implementing state of the art RM concepts.
9. Risk management techniques
   1 Initial: Limited RM tools and techniques are available.
   2 Repeatable: Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management).
   3 Defined: Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support.
   4 Managed: Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations. Knowledge transfer occurs between specialists and managers.
   5 Optimized: RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.
10. Specialist support
   1 Initial: No specialist support for RM.
   2 Repeatable: Specialists are used by management to carry out basic risk analysis on an ad hoc basis.
   3 Defined: Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues.
   4 Managed: The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change.
   5 Optimized: Specialists advise on a broad range of issues, on an integrated basis, through multi-disciplinary teams. Externally recognized.
11. Risk identification & assessment
   1 Initial: No formal process to identify and assess risks.
   2 Repeatable: Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization.
   3 Defined: Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide an aggregate view.
   4 Managed: Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them. More sophisticated tools available with specialist support. Risk categories provide an aggregate view for better understanding.
   5 Optimized: Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management information systems.
12. Risk tolerance
   1 Initial: Risk tolerance is not defined.
   2 Repeatable: Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively.
   3 Defined: Risk tolerance is somewhat defined for the organization and used by management.
   4 Managed: Common understanding and application of specific risk tolerance levels.
   5 Optimized: Risk tolerance levels established at all levels of the organization guide decision making.
14. Performance measurement
   1 Initial: No formal performance measurement system in place.
   2 Repeatable: Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied.
   3 Defined: Organization-wide performance measurement system includes monitoring of risk indicators.
   4 Managed: Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by the Executive.
   5 Optimized: Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by the Executive and the Board.
17. Controls
   1 Initial: Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness.
   2 Repeatable: Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis.
   3 Defined: Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness is monitored at a high level.
   4 Managed: Risk significance, as well as the cost/benefit of mitigation options, is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization.
   5 Optimized: The organization's control environment is integrally linked to objectives, risk appetites and RM strategies. Controls compliance and effectiveness is regularly monitored and reported against, and improvements made as required.
18. Linkage with strategic and operational planning
   1 Initial: RM is not linked with organization planning processes.
   2 Repeatable: Risks are considered in development of business and operational plans on an ad hoc and inconsistent basis.
   3 Defined: Formal consideration of risks is an integral part of strategic and operational planning.
   4 Managed: Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed.
   5 Optimized: RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks.
20. Linkage to internal communication and feedback on risks
   1 Initial: No formal internal communication channels for risk issues.
   2 Repeatable: Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction.
   3 Defined: Communication on risk issues follows normal reporting channels. Some sharing of information across the organization.
   4 Managed: Risk information is shared across the organization. A pro-active effort made to communicate information on RM best practices and lessons learned.
   5 Optimized: RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc.
21. Linkage to communication with external stakeholders
   1 Initial: No formal communication with external stakeholders on risk issues.
   2 Repeatable: Communication with stakeholders is ad hoc. Risk information is communicated on a "need to know" basis.
   3 Defined: Formal process to communicate with stakeholders on risk issues.
   4 Managed: Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation.
   5 Optimized: Careful consideration of stakeholder interests in risk mitigation. The organization is widely respected by stakeholders.
[Figure: ERM responsibilities wheel for the Board, Management and ERM. Legible segment labels: Holistic review; Championing ERM; Facilitating risk workshops; Setting risk appetite; Developing risk management strategy; Identifying risks; Response to risks; Operating controls; Making decisions; Monitoring; Reporting on risks across the business; Evaluating the risk management processes; Giving assurance that risks are correctly evaluated; Giving assurance that the control systems are effective; Accountability for risks and control. Remaining labels are illegible in the extraction.]