Risk Management The International Standard
1 Risk Management The International Standard John Crawley & Emer McAneny June 2014
2 Who I am Accountant Banker Businessman Trainer Turnaround Expert Risk Expert
3 Agenda
- Strategy: and the role of Risk
- GRC: Governance, Risk & Compliance
- Tolerance: and why organisations are now setting Appetite
- Identification: using a Stakeholder approach
- Assessing: simplicity or complexity
- Action: everything can be dealt with as a T
- Reporting: importance of Embedding KRIs
4 Rules of engagement Engage No distractions Question Open mind Challenge Enjoy
5 What is risk and risk management?
6 What is risk Effect of uncertainty on objectives Effect: Positive Negative Deviation from the expected Objectives: Definition works best if the organisation has clear objectives These need to be tested as part of risk management process
7 What is the best definition of risk? Definition of risk, by organisation:
- ISO Guide 73 ISO: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence
- Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative
- COSO ERM Integrated Framework: The possibility that an event will occur and adversely affect the achievements of objectives
- From old AS/NZ 4360:2004: The chance of something happening that will have an impact on objectives
8 Definitions of risk management. Definition of risk management, by organisation:
- ISO Guide 73 ISO: Coordinated activities to direct and control an organisation with regard to risk
- Institute of Risk Management (IRM): Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure
- COSO ERM Integrated Framework: A process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
9 Strategy Where are we going?
10 Your Business Compass
11
12 Corporate Governance Do things right Do the right thing Good
13 What is Risk Management Process which aims to help organisations understand, evaluate and take action on all their risks with a view to: increasing the probability of success and reducing the likelihood of failure
14 Why manage risk?
15 Q What is the fundamental reason that cars have brakes?
16 Q What is the fundamental reason that cars have brakes? A So that cars can stop - but they also allow cars to be driven faster
17 Why manage risk? Achievement Safeguarding
18 For discussion What events can you recall that support the need for a structured and systematic approach to risk management?
19 Predictable surprise For discussion... Consider the list of disasters identified. Was this a failure of: - prediction? - prioritisation? - mobilising resources?
20 ISO overview. Throughout the course we will use ISO as our core framework
Principles (Clause 3):
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation
Framework (Clause 4):
- Mandate and commitment (4.2)
- Design of framework for managing risk (4.3)
- Implementing risk management (4.4)
- Monitoring and review of the framework (4.5)
- Continual improvement of the framework (4.6)
Process (Clause 5):
- Communication and consultation (5.2)
- Establishing the context (5.3)
- Risk assessment (5.4.2)
- Risk identification (5.4.2)
- Risk analysis (5.4.3)
- Risk evaluation (5.4.4)
- Risk treatment (5.5)
- Monitoring and review (5.6)
Reproduced from ISO 31000:2009
22 Risk management principles
23 Principles for managing risk creates and protects value integral part of organisational processes part of decision making explicitly addresses uncertainty systematic, structured and timely based on the best available information
24 Principles for managing risk tailored takes human and cultural factors into account transparent and inclusive dynamic, iterative and responsive to change facilitates continual improvement
25 Attributes of effective risk management
26 What is effective risk management? Effective risk management has the following attributes: proportionate, aligned, comprehensive, embedded, dynamic. You don't need a sledgehammer to crack a nut
28 What is effective risk management? Effective risk management has the following attributes: proportionate, aligned, comprehensive, embedded, dynamic. Levels: Strategic/programmes, Tactical/projects, Operational/processes
31 Introduction to key risk management disciplines
32 Q How does enterprise risk management (ERM) differ from risk management?
33 Q How does enterprise risk management (ERM) differ from risk management? A ERM seeks to:
- include all categories of risk and uncertainty
- consider upside as well as downside
- be comprehensive
- be applied throughout the organisation
34 Q What is governance?
35 Q What is governance? A The system by which organisations are directed and controlled. Generic aspects of governance include:
- the rights and duties of owners/shareholders and other stakeholders
- how powers are shared and exercised by directors
- how the holders of power are held accountable for what they do
36 International development of codes of corporate governance principle-based approach versus prescriptive (rules) based approach
37 Q What is compliance?
38 Q What is compliance? A Compliance is the leadership processes that an organisation establishes to comply with societal, trade, professional and stakeholder needs. Examples include:
- law
- codes of practice
- contracts
- trade union agreements
- professional standards
39 Q What is GRC?
40 Q What is GRC? A GRC stands for: governance, risk, compliance
41 Risk management process (ISO 31000:2009 overview diagram: Principles (Clause 3), Framework (Clause 4), Process (Clause 5)). Reproduced from ISO 31000:2009
43 The Standard is... ISO. Objectives; Identify: Tools; Set appetite: Zero, Low, Medium, High; Assess: Impact, Likelihood; Treatment: Tolerate, Treat, Transfer, Terminate; Ongoing monitoring: Audit & Report, Incidents, Re-assess
44 Communication and consultation
45 Communication and consultation Establish the context Risk assessment Communicate and consult Identify risks Analyse risks Evaluate risks Monitor and review Treat risks Reproduced from ISO 31000:2009
46 Communication and consultation
- Communication: a continual and iterative process that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders
- Consultation: a two-way process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue
- Stakeholders: a person or organisation that can affect, be affected or perceive themselves to be affected by a decision or activity
47 Purpose of communication and consultation help to establish the context appropriately stakeholders interests understood & considered risks adequately identified bring expertise together for risk analysis ensure different views are considered secure support for risk treatment plans enhance appropriate change management develop appropriate communication plans
48 Effective communication about risk comprehensive and frequent reporting of risk management performance is an essential element of organisational governance internal and external stakeholders communication is upwards, downwards and across the organisation communicate on significant risks and risk management performance how we communicate matters as much as what we communicate link to effective relationship building and behaviours
49 Establishing the context Session 2 Communication & consultation Establish the context Risk assessment Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
50 Establishing the context Establish the context Risk assessment Communicate and consult Identify risks Analyse risks Evaluate risks Monitor and review Treat risks Reproduced from ISO 31000:2009
51 Establishing the context
- External context: what does the world around us look like? what are the drivers and trends?
- Internal context: what are our objectives? what is our capacity? what are our business processes? how do we make decisions?
- Context of the risk management process: what is the process expected to achieve? who will be responsible? what resources will be required?
- Defining risk criteria: what determines whether a risk is acceptable? what determines whether a risk should be controlled? how can we measure our total risks?
52 How do you Plan Ahead?
53
54 Risk assessment Session 2 Communication & consultation Establish the context Risk assessment Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
55 Risk assessment Establish the context Risk assessment Communicate and consult Identify risks Analyse risks Evaluate risks Monitor and review Treat risks Reproduced from ISO 31000:2009
56 Risk assessment
- Risk identification: what might happen (the event)?
- Risk analysis: how likely is it to happen? if it does, what might the impact be?
- Risk evaluation: so what! is it within our risk appetite and tolerance?
57 ISO The Risk Process. Objectives; Identify: Tools; Set appetite: Zero, Low, Medium, High; Assess: Impact, Likelihood; Treatment: Tolerate, Treat, Transfer, Terminate; Ongoing monitoring: Audit & Report, Incidents, Re-assess
58 Two main types of identification techniques Forward looking brainstorming workshops surveys expert knowledge Historic statistical analysis trend analysis Strategy Plan execution Commercial Market Technology Finance Partners Health & Safety (and CSR) Injury statistics
59 Perspectives to Identify KPIs: Operations, Employees, CSR, Marketing & Sales, Economic, Financial, Compliance
60 Some risk terminology
- A risk is the effect of uncertainty on objectives
- A hazard is the source of potential harm (a hazard can be a risk source)
- A risk source has the potential, alone or in combination, to give rise to risk. We might also term this cause
- An event is the occurrence or change of a particular set of circumstances
- A consequence is the outcome of an event affecting objectives
Source: ISO Guide 73:2009
61 Describing a risk Combines the cause(s), the event(s) and the effect(s) Source(s) or cause(s) (What? Why?) Event or circumstance giving rise to the uncertainty (Uncertainty) Consequences or effect(s) (on objectives)
62 KPI - Financial Liquidity Current Ratio Quick Ratio Financial Strength Interest Cover Debt to Equity Ratio Corporate Value Dividend/Drawings Yield
63 Your Risk Register Step 1 KPI Categories to Risks Fill in 1 Financial risk
64 KPI - Marketing & Sales Net Promoter Score How likely are you to recommend this business to a colleague or friend? Do customer expectations match the service we deliver? How involved/emotionally attached are your customers to your organisation?
65 Marketing & Sales KPI Categories to Risks Fill in 1 Marketing & Sales risk
66 KPI - Operational & Technology How suitable and operational is our equipment? How technologically advanced are we? Are we realising our full production/ work potential? How long does it take to fill an order/provide a service?
67 Operational & Technology KPI Categories to Risks Fill in 1 Operational & Technology risk
68 KPI - Employees How well do you protect and support your employees? How well does the organisation vet its employees? How well are the skills of the employees matched to the needs of the organisation? Do you offer and encourage training?
69 KPI - Employees KPI Categories to Risks Fill in 1 risk associated with your Employees
70 KPI - Corporate Social Responsibility Are you compliant with Environmental regulations/standards? Are your suppliers socially conscious? i.e. Fairtrade for foodstuffs, ethical manufacturers for clothing Do your manufacturing facilities meet ethical standards?
71 Corporate Social Responsibility KPI Categories to Risks Fill in 1 Corporate Social Responsibility risk
72 KPI - Economic What would be the financial effect of a change of +/- 1% in the interest rate paid or charged? To what extent is our business exposed to the collapse of a particular industry, economy or sector? To what extent is our business's customer base exposed to the collapse of a particular industry?
73 Economic KPI Categories to Risks Fill in 1 Economic risk
74 KPI - Compliance Comprehensiveness of the organisation's Governance procedures. What is the effect of the new Legislation for your business? To what extent is our organisation open to legal challenge?
75 Compliance KPI Categories to Risks Fill in 1 Compliance risk
76 Risks aren't always bad. For discussion...
- the outcome of a risk event is not always negative
- think of some examples where a risk event can result in positive or beneficial outcomes
- discuss how the risk wheel and the bow tie technique can be used to identify opportunities
77 Recap (ISO 31000:2009 overview diagram: Principles (Clause 3), Framework (Clause 4), Process (Clause 5)). Reproduced from ISO 31000:2009
78 Your Risk Register Step 1 Positive Risk Fill in 2 Positive Risks
79 Risk evaluation - risk appetite and tolerance
80 The Risk Process. Objectives; Identify: Tools; Set appetite: Zero, Low, Medium, High; Assess: Impact, Likelihood; Treatment: Tolerate, Treat, Transfer, Terminate; Ongoing monitoring: Audit & Report, Incidents, Re-assess
81 Key terms Risk appetite the amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives Risk tolerance the boundaries of risk taking outside of which the organisation is not prepared to venture in pursuit of its long-term objectives Risk universe the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives
82 Key principles
- Risk appetite can be complex: simplification can be attractive but can lead to meaningless approaches
- Needs to be measurable: otherwise statements empty and useless; key performance drivers need to be understood; key risk and key control indicators need to be developed
- Not a single fixed concept: there may be a range of appetites within an organisation; appetites may vary over time, influenced by changes in the risk and control environment or the benefits to be gained
83 Key principles
- Developed in the context of the organisation's risk management capability: an understanding of risk appetite unlikely to emerge before a level of risk management maturity reached
- Must take into account strategic, tactical and operational levels: risk appetite needs to be addressed at all levels
- Must be integrated into the control culture: linked to both the propensity to take risk (often greater at strategic level) and also the propensity to exercise control (more prevalent at operational level)
84 Why is risk analysis and evaluation important? prioritise risks in terms of their significance provide some consistency about the perception of significance decide how to allocate scarce resources decide whether to proceed with a new strategy, project or investment inform decisions on risk appetite
85 Benchmark to determine significance Financial sums involved Disruption length of time Reputational - profile
86 Appetite Hungry? Over Fed? Not enough risk Too Much Risk
87 Attitude? 1. That's Grand 2. Don't Push It 3. You're taking the P**s
88 Appetite Healthy Eating (Tolerance) High Medium Low Increased sales Cost Efficiency Lack of staff expertise & training Inefficient admin/operations Not achieving value for money Unsatisfactory funding Zero Severe reputational damage Compliance Failure
89 Your Risk Register Step 2 Risk Appetite Enter - High - Medium - Low - Zero Beside each of the risks you have identified
90 Risk profiling consequence; probability matrix risk registers
92 Risk matrix Probable Possible Remote Likelihood Low Medium High Impact
93 Likelihood (Estimation: Descriptors / Indicators)
- Probable: Likely to occur each year or more than a 25% chance of occurrence / Potential of it occurring several times within the time period (e.g. ten years). Has occurred recently
- Possible: Likely to occur in a ten-year time period or less than a 25% chance of occurrence / Could occur more than once within the time period (e.g. ten years). Is there a history of occurrence?
- Remote: Not likely to occur in a ten-year period or less than a 2% chance of occurrence / Has not occurred. Unlikely to occur
94 Estimating likelihood - criteria. Within the next 12 months the event is:
- Almost certain: Frequent occurrence, > 90% chance
- Likely: Regular occurrence, > 60% chance
- Possible: Occasional occurrence, > 10% chance
- Unlikely: Has never occurred, < 10% chance
95 Impact
- High: Financial impact on the organisation is likely to exceed x; Significant impact on delivery of the organisation's strategic or operational activities; Significant stakeholder concern
- Medium: Financial impact on the organisation likely to be between x and y; Moderate impact on organisation's strategic or operational activities; Moderate stakeholder concern
- Low: Financial impact on the organisation likely to be less than y; Low impact on the organisation's strategic or operational activities; Low stakeholder concern
96 Estimating impact criteria
- EXTREME. Reputation: Loss of credibility key stakeholders; extensive adverse media; external intervention. Finance: Financial loss exceeding /$???. Service delivery: Total sustained disruption to critical services. Compliance: Intervention by regulator; serious breach of legal or contractual obligation. Safety: Fatality (multiple)
- HIGH. Reputation: Significant loss of trust; significant adverse media. Finance: Financial loss exceeding /$???. Service delivery: Significant sustained disruption to critical services. Compliance: Censure by regulator; breach of legal or contractual obligation. Safety: Serious injury or ill-health (disabling)
- MEDIUM. Reputation: Significant complaints. Finance: Financial loss exceeding /$???. Service delivery: Some short-term disruption to services. Compliance: Failure to meet recommended best practice. Safety: Injury or ill-health resulting in lost time
- LOW. Reputation: Isolated complaints. Finance: Low-level or no financial loss. Service delivery: Minor disruption to services. Compliance: Failure to meet internal standards or SLA. Safety: Minor injury (no lost time)
97 Putting it all together
LIKELIHOOD
- PROBABLE: Likely to occur each year or more than a 25% chance of occurrence
- POSSIBLE: Likely to occur in a ten year time period or less than a 25% chance of occurrence
- REMOTE: Not likely to occur in a ten year period or less than a 2% chance of occurrence
IMPACT
- LOW: financial impact on the organisation is likely to be less than x; low impact on delivery of the organisation's strategic or operational activities; low stakeholder concern
- MEDIUM: financial impact on the organisation is likely to be between x and x; moderate impact on delivery of the organisation's strategic or operational activities; moderate stakeholder concern
- HIGH: financial impact on the organisation is likely to exceed x; significant impact on delivery of the organisation's strategic or operational activities; significant stakeholder concern
98 Opportunity and risk matrix Two-sided Risk Matrix 1:100
99 Likelihood & Impact Likelihood High Medium Low Zero Impact High Medium Low Zero
100 Risk Score
- Likelihood High, Impact High: Score High
- Likelihood Medium, Impact High: Score Judgement
- Likelihood Medium, Impact Low: Score Judgement
- Likelihood High, Impact Low: Score Judgement
101 Your Risk Register Step 3 Risk Score Enter - High - Medium - Low - Zero For Impact, Likelihood and risk score beside each of the risks you have identified
102 Risk evaluation
103 Evaluate Risk score Risk score Risk appetite Good Risk score Risk appetite Treat
104 Your Risk Register Step 4 Do you need to take Action? Enter - Yes if your risk score is not equal to appetite - No if your risk score is equal to appetite
105 Risk treatment
107 Risk treatment Establish the context Risk assessment Communicate and consult Identify risks Analyse risks Evaluate risks Monitor and review Treat risks Reproduced from ISO 31000:2009
108 What is risk treatment? A process to modify risk (ISO 31000) Risk treatment (or response) involves: the selection of one or more options for modifying risks implementing those options the treatments then provide controls or modify current controls Controls include any process, policy, device, practice or other actions which modify the risk
109 Risk treatment is a cyclical process Examine cost and benefit of the treatment Deciding whether the residual risk level is tolerable Assessing the effectiveness of that treatment If not tolerable, generating a new risk treatment
110 Risk treatment plans (action plans) The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. Information should include: a description of what the planned action is expected benefit(s) to be gained performance measurements and constraints accountabilities (risk owners and control owners) reporting and monitoring requirements resourcing requirements timing and scheduling
111 Treatment Tolerate Treat Transfer Terminate
112
113 Treatment - Step 4: 4 T's. What Treatment could you use? Enter one or more of the following:
- Treat: fill in what you would do to treat
- Transfer: fill in what you would do to transfer
- Tolerate: fill in what you would do to tolerate
- Terminate: fill in what you would do to terminate
114 Monitoring and review
115 Monitoring and review Establish the context Risk assessment Communicate and consult Identify risks Analyse risks Evaluate risks Monitor and review Treat risks Reproduced from ISO 31000:2009
117 A process not an event: T's, Incidents, Reassess, Action Plans & Owners, In line with Appetite?, Once Yearly
118 Purpose of monitoring and review ensure controls effective and efficient obtain information to improve risk assessment learn the lessons from events changes, trends, successes and failures detect change to internal or external context or to the risk itself identify emerging risks
119 Key risk and control indicators
- KRIs: Metrics to help identify changes that could alter the overall assessment of key risk events
- KCIs: Metrics to help assess the effectiveness of key controls
120 Workshop exercise Key risk indicators For the case study provided identify the metrics that were used or could have been used to indicate a change in the risk environment. Key control indicators For the case study provided identify the metrics that were used or could have been used to measure the effectiveness of existing controls
121 Things to consider
- Define monitoring and review responsibilities: risk owners; control owners; responsibility for the review of the whole process
- How frequently should: risks and their control measures be reviewed? the effectiveness of the ERM process be reviewed?
- Benchmarking and maturity models
122 Business continuity management Session 2 Communication & consultation Establish the context Risk assessment Risk appetite and tolerance Risk treatment Business continuity management Monitoring & review
124 What is a risk management framework? a system of leadership, commitment and processes foundation for a mutual understanding - to communicate effectively an opportunity to gain commitment provides direction for all levels of management Continual improvement of the framework (4.6) Mandate and commitment (4.2) Design of framework for managing risk (4.3) Monitoring and review of the framework (4.5) Framework (Clause 4) Implementing risk management (4.4)
125 Embedding risk management Group Discussion Think back to previous case histories discussed - why did the established controls systems fail? what do the case studies tell us about the risk culture of the organisation? what are the critical factors for embedding risk management?
126 Embedding risk management: Visible commitment from the top
- articulated and endorsed through a policy and framework for managing risk
- lead through actions: risk-based decision making, aligned with strategic objectives
- clear understanding of the risks to the business. Set risk tolerance and risk appetite
- active support and adequate resource for risk management initiatives
- assurance on status of key risks (KRIs) and controls (KCIs) sought and followed through
127 Embedding risk management An organisational framework to ensure clearly defined responsibility and accountability training for all relevant stakeholder groups to raise awareness of benefits, establish responsibilities and improve skills in management of risk ownership clearly established for risks and key controls clearly defined lines for reporting and communication
128 Embedding risk management: Integration into management processes
- ensure the benefits for business and resource planning are clearly established through integration with the normal business planning processes
- integrate into performance management system and establish KPIs
- integrate with reporting and review systems, including internal audit
- include development of risk management skills within leadership and management development programmes
129 Purpose of a risk management policy
- clear and concise outline of the organisation's requirements
- providing uniformity and consistency in the risk management process across all operations
- provides a high level overview and description of the risk management process
130 The policy should be
- developed and owned at board level
- developed with consideration as to how compliance with the policy will be monitored
- reviewed regularly: annual review
131 What will ERM deliver? Group exercise who are your key stakeholders? what do you hope the ERM process will deliver to you and to your key stakeholders?
132 So what will risk management do for me? The elevator pitch 5 a framework for control 4 better informed decision making 3 reduced volatility 2 improved stakeholder relationships 1 protection of company assets
133 And finally: The greatest risk is to take no risk at all, because if we don't take risks there's no advancement, there's no progress and there's no profitability. Kevin Knight, Chairman, ISO working group on risk management standards
134 ISO overview
Principles (Clause 3):
- a) Creates value
- b) Integral part of organisational processes
- c) Part of decision making
- d) Explicitly addresses uncertainty
- e) Systematic, structured and timely
- f) Based on the best available information
- g) Tailored
- h) Takes human and cultural factors into account
- i) Transparent and inclusive
- j) Dynamic, iterative and responsive to change
- k) Facilitates continual improvement and enhancement of the organisation
Framework (Clause 4):
- Mandate and commitment (4.2)
- Design of framework for managing risk (4.3)
- Implementing risk management (4.4)
- Monitoring and review of the framework (4.5)
- Continual improvement of the framework (4.6)
Process (Clause 5):
- Communication and consultation (5.2)
- Establishing the context (5.3)
- Risk assessment (5.4.2)
- Risk identification (5.4.2)
- Risk analysis (5.4.3)
- Risk evaluation (5.4.4)
- Risk treatment (5.5)
- Monitoring and review (5.6)
Reproduced from ISO 31000:2009
135 Institute of Risk Management education
- Fundamentals of Risk Management
- International Certificate in Risk Management: leads to Certificate membership grade
- International Diploma in Risk Management: leads to Member grade of the IRM
- Fellowship of the IRM is achieved through continuing professional development
Specialist subjects:
- risk management in financial services
- business continuity and crisis management
- information systems risk
136 References and further reading
- IRM, Fundamentals of Risk Management, Paul Hopkin, Kogan Page, ISBN:
- British Standards BS (2008), Risk management: Code of practice
- COSO, Enterprise Risk Management: Integrated Framework (2004), Executive Summary
- Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code (2005)
- Institute of Risk Management, A Risk Management Standard (2002)
- International Standard ISO, Risk Management: Principles and guidelines
- ISO Guide 73 (2009), Risk management: Vocabulary: Guidelines for use in standards
- British Standard BS (2006), Business continuity management: Code of practice
- HM Treasury (2004), Orange Book: Management of risk: principles and concepts
- International Standard IEC/FDIS (2009), Risk Management: Risk assessment techniques
- Institute of Internal Audits (2004), The Role of Auditing in Enterprise-wide Risk Management
- Office of Government Commerce (2007), Management of Risk: Guidance for Practitioners
137 So to recap
138 The Standard is... ISO
- Objectives
- Identify: Tools
- Set appetite: Zero, Low, Medium, High
- Assess: Impact, Likelihood
- Treatment: Tolerate, Treat, Transfer, Terminate
- Ongoing monitoring: Audit & Report, Incidents, Re-assess
139 Tutor: John Crawley (LinkedIn)
140 Institute of Risk Management: Thank you
141 Bow tie analysis
[Figure: bow tie diagram. Causes (underlying threats, immediate threats); Event; Consequences (immediate consequences, ultimate consequences); control measures; recovery measures.]
