Section Defining Risk Management. 11. Principles of Risk Management
- Jack Parsons
- 5 years ago
Defining Risk Management

Enterprise risk management is the process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and to manage risks so that they remain within its risk appetite, in order to provide reasonable assurance regarding the achievement of the entity's objectives. Enterprise risk management further extends to the process of planning, organising, leading and controlling the activities of an organisation in order to minimise the effects of risk on the organisation's capital and earnings. It expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational and other risks.

Questions to reflect on: Review the definition above and state the five most important characteristics of risk management.

11. Principles of Risk Management

Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic in being responsive to changing circumstances. The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.

Risk management should be a continuous process that supports the development and implementation of the strategy of an organisation. It should methodically address all the risks associated with all of the activities of the organisation. In all types of undertaking there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty. It is often argued that, for health and safety risks, the consequences can only be negative and that the management of safety risk should therefore focus on prevention and mitigation of harm. However, for outsourced service providers, setting good standards of health and safety may be part of winning contracts, which demonstrates that there is an upside to safety risk management as well.
The ISO Risk Management Standard describes the principles of risk management as follows:

Organisational Context - There is no one-size-fits-all when it comes to risk management. Each organisation will be affected by different Political, Economic, Societal, Technological, Legal and Environmental factors (PESTLE). It is also worth pointing out (the obvious) that each organisation will have different internal cultures, communication channels and levels of existing risk management process. Make sure that your organisation's approach to risk management is aligned with its unique internal and external context as well as its risk profile. A risk profile is a written description of a set of risks. A risk profile can cover the risks that the entire organisation must manage, or only those that a particular function or part of the organisation must address.

Stakeholder Involvement - Involve your stakeholders wherever possible. Keep them informed and understand the role they can or could play at each stage of the risk management process. Make sure that your approach to risk management is transparent (open, visible and accessible) and that it is inclusive of decision makers from all parts of your organisation.

Organisational Objectives - Use risk management to create and protect value: to help achieve your organisation's objectives and improve its performance. When assessing and responding to a risk, keep the overall organisational objectives in mind (see the bigger picture). Keep things in perspective and do not lose sight of your end goal.

Management of Risk Approach - Use risk management to address the uncertainty that your organisation faces and to identify and define the nature and type of uncertainties that your organisation must deal with. Use it to work out what you can do about those uncertainties by making risk management part of your decision-making process at every level, so that choices are informed and actions are prioritised. Make sure that your risk management approach is structured, systematic and timely. It should contribute to organisational efficiency and generate consistent and reliable results based on the best available information. Further, make sure that decision makers understand and consider the limitations and shortcomings of the data they use to manage risk.

Reporting - Keep people informed and ensure transparency and visibility. Communication is key.

Roles & Responsibilities - Make sure that everyone understands the role they play at each stage of the risk management process, and that every base is covered by someone. Make risk management part of every process within your organisation, at every level, and a responsibility of every manager.

Support Structure - Ensure that everyone understands how risk is managed through the risk management process and who to go to if they have any questions. For example: How are risks identified? How and when are risks escalated? Where and in what format are risks documented? How and when are risks reviewed?

Early Warning Indicators - Make sure that your organisation's approach to risk management is dynamic and responsive, and that it continually senses change and responds to it. Give yourself the best chance of forecasting or anticipating the transition of a risk into an active issue. Ensure that everyone is communicating and that any potential issues are highlighted. It is also important to know how you should react when a risk is realised or is about to be realised, e.g. who needs to know and how will you inform them?

Review Cycle - Make sure that your risk documentation is accessible and that you review it regularly. Achieve this by making the process repeat itself: repeat your risk management process whenever and wherever objectives need to be achieved.

Overcoming Barriers to the Management of Risk - Ensure you are doing everything you can to give yourself the best chance of successfully assessing and responding to risk. Common barriers arise where the following are missing or inadequate:
- Established roles, responsibilities, accountability and ownership.
- An appropriate budget for embedding the approach and carrying out activities.
- Adequate and accessible training, tools and techniques.
- Risk management orientation, induction and training processes.
- Regular assessment of the Management of Risk approach (covering all of the above).

Supportive Culture - Risk management should consider both human and cultural factors. Make sure that your approach to risk management recognises and considers the human and cultural factors that can influence the achievement of your organisation's objectives. Consider how human capabilities, perceptions and intentions can facilitate or hinder the achievement of those objectives. Make sure that everyone on the team feels comfortable raising, discussing and managing risks.

Continual Improvement - Risk management should facilitate continual improvement. Review the way you manage risk as well as the procedure for assessing ongoing risks. Learn from your mistakes.

Questions to reflect on: After considering the principles of risk management, indicate the principles at which your organisation either excels or fails badly.
12. The Risk Management Approach

Corporate governance is the way an organisation is controlled to achieve its objectives. Control offers reliability within a tolerable degree of certainty. It is the glue that holds an organisation together, while risk management provides resilience. A risk management system depends on management commitment and on the allocation of resources during the design, implementation, maintenance and monitoring of the process at all levels. Resources include the assignment of competent people, accurate forecasting and spending, quality material, adequate and sufficient equipment, appropriate and efficient methods, and marketing of the management system inside and outside the organisation. Management must set the tone for honest communication and reporting at all levels, to ensure reliable data and information, appropriate decisions, accountability and responsibility. Management should sustain its commitment to the risk management process through strategic planning, rigorous monitoring, and guidance on:
- Defining and endorsing the risk management policy
- Aligning organisational culture and the risk management policy
- Aligning risk management with organisational performance indicators, objectives and strategies
- Achieving legal compliance
- Assigning accountabilities and responsibilities at appropriate levels
- Allocating relevant resources to risk management
- Communicating the benefits of risk management
- Adjusting the risk management framework so that it remains appropriate
(ISO Risk Management Standard)

13. Risk Management Framework

According to ISO 31000, a risk management framework is a set of components that support and sustain risk management throughout an organisation. There are two types of components: foundations and organisational arrangements. Foundations include your risk management policy, objectives, mandate and commitment. Organisational arrangements include the plans, relationships, accountabilities, resources, processes and activities you use to manage your organisation's risk.

Introducing risk management to your organisation can be achieved by following the process in Figure 2 below (which is discussed in more detail further below):
Figure 2: Introducing risk management to your organisation (a cycle)

1. Make a commitment to risk management
2. Design your risk management framework
   - Understand context
   - Formulate your policy
   - Design the RM process
   - Make people accountable
   - Allocate resources
   - Internal communication
   - External communication
   - Build risk management into your organisation
3. Implement your approach to risk management
4. Monitor your risk management framework
5. Improve your risk management framework (the cycle then repeats)
13.1. Make a commitment to risk management

Start drafting the organisation's risk management policy. A policy statement defines a general commitment, direction or intention; a risk management policy statement expresses an organisation's commitment to risk management and clarifies its general direction or intention. Then:
- Formulate risk management objectives.
- Establish risk management performance indicators.
- Assign risk management responsibilities.
- Allocate risk management resources.
- Communicate the benefits of risk management.
- Support your risk management framework.

13.2. Design your risk management framework

Understand your organisation's context

To establish the context means to define the external and internal parameters that the organisation must consider when it manages risk.

An organisation's external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national and international environment, and the key drivers and trends that influence its objectives. It also includes stakeholder values, perceptions and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment.

An organisation's internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture and standards. Governance includes the organisation's structure, policies, objectives, roles, accountabilities and decision-making process; capabilities include its knowledge and its human, technological, capital and systemic resources.

You should consider your organisation's context when you define the scope of its risk management programme, when you formulate its risk management policy, and when you establish its risk criteria. You can achieve this by completing the following evaluations:

Evaluate and understand your organisation's external context, and use this knowledge to help design your risk management framework:
- Evaluate and understand your organisation's external environment.
- Evaluate and understand your organisation's external stakeholders. A stakeholder is a person or an organisation that can affect, or be affected by, a decision or an activity. Stakeholders also include those who perceive that a decision or an activity can affect them. Distinguish between external and internal stakeholders.
- Evaluate and understand your organisation's external influences.

Evaluate and understand your organisation's internal context, and use this knowledge to help design your risk management framework:
- Understand your organisation's internal stakeholders.
- Understand your organisation's governance.
- Understand your organisation's capabilities.
- Understand your organisation's culture.
- Understand your organisation's standards.
- Understand your organisation's contracts.

Finalise your risk management policy

Establish a risk management policy for your organisation. Make a clear commitment to risk management. Explain how the policy will be implemented. Communicate the risk management policy.

Design your risk management process

A risk management process is one that systematically applies management policies, procedures and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor and review risk. It is discussed in further detail later. Develop a plan that explains how you intend to apply your organisation's risk management process.

Make people accountable for managing risk

Identify your organisation's risk owners. A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so. Give risk owners the authority to manage risk and make them accountable for doing so. Establish risk management performance measurement methods. Develop risk management reporting and escalation processes.

Allocate resources for risk management

Allocate appropriate resources to support your organisation's risk management activities. Consider providing people who can support those activities, the resources needed to support each step of the risk management process, and information and knowledge management systems to support risk management.

Establish internal communication mechanisms

Establish internal risk management communication and reporting processes.

Develop an external communication plan

Develop a plan that describes how you intend to communicate with your organisation's external stakeholders, and implement it.

Build risk management into your organisation

Make risk management an integral part of all processes and practices. Develop an organisation-wide risk management plan. An organisation's risk management plan describes how it intends to manage risk: the management components, the approach and the resources that will be used. Typical management components include procedures, practices, responsibilities and activities (including their sequence and timing). Risk management plans can be applied to products, processes and projects, to an entire organisation, or to any part of it.

13.3. Implement your approach to risk management

Develop a strategy to implement your organisation's framework, then implement the framework.

13.4. Monitor your risk management framework

Evaluate the ongoing effectiveness of your organisation's risk management framework and prepare reports on its effectiveness.

13.5. Improve your risk management framework

Study the results of your risk management monitoring and review activities, and work out how you are going to improve your risk management framework.

Questions to reflect on: Paragraphs 12 and 13 of the Study Guide serve as a high-level guide for 1) approaching risk management in general and 2) establishing a risk management framework. Scenario: after completing this course you are expected to lead the process of implementing risk management in your organisation. In terms of what you have learned thus far, as well as your own experience, critically evaluate the text in paragraphs 12 and 13: how would you approach the process differently, and what would you do additionally?
14. Risk Architecture, Strategy & Protocols

There are a number of factors that should be considered when designing and planning an ERM initiative. Figure 3 highlights that the details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organisation. Table 2 serves as a checklist to ensure all areas are covered.

Figure 3: Factors to consider when designing an ERM initiative (three elements arranged around the risk management process)

Risk Architecture (organisational): specifies the roles, responsibilities, communication and risk reporting structure.

Risk Strategy (foundations): risk strategy, appetite, attitudes and philosophy are defined in the risk management policy.

Risk Protocols: presented in the form of risk guidelines for the organisation; they include the rules and procedures, and specify the risk management methodologies, tools and techniques that should be used.

Risk Management Process: sits at the centre, supported by the three elements above.
Table 2: Checklist for an ERM initiative

Risk Architecture
- Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
- Risk management responsibilities allocated to an appropriate management committee
- Arrangements in place to ensure the availability of appropriate, competent advice on risks and controls
- Risk-aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
- Sources of risk assurance for the Board identified and validated

Risk Strategy
- Risk management policy produced that describes risk appetite, risk culture and philosophy
- Key dependencies for success identified, together with the matters that should be avoided
- Business objectives validated and the assumptions underpinning those objectives tested
- Significant risks faced by the organisation identified, together with the critical controls required
- Risk management action plan established that includes the use of key risk indicators, as appropriate
- Necessary resources identified and provided to support the risk management activities

Risk Protocols
- Appropriate risk management framework identified and adopted, with modifications as appropriate
- Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
- Procedures to include risk as part of business decision-making established and implemented
- Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
- Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
- Business continuity plans and disaster recovery plans established and regularly tested
- Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
- Arrangements in place for mandatory reporting on risk, including reports on at least the following:
  o Risk appetite, tolerance and constraints
  o Risk architecture and risk escalation procedures
  o Risk-aware culture currently in place
  o Risk assessment arrangements and protocols
  o Significant risks and key risk indicators
  o Critical controls and control weaknesses
  o Sources of assurance available to the Board
14.1. Components of a risk management policy

- Risk management and internal control objectives (governance)
- Statement of the attitude of the organisation to risk (risk strategy)
- Description of the risk-aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organisation and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analysing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

Risk management policy EXAMPLE

Introduction

Like every organisation, the organisation faces numerous risks. These risks have the potential to disrupt achievement of the organisation's strategic and operational objectives. The organisation aims to use risk management to take better-informed decisions and improve the probability of achieving its strategic and operational objectives.

Corporate Governance

The organisation is required to include in its annual financial statement a statement on internal control, including how the following broad principles of corporate governance have been applied:
- The identification and management of risk should be a continuous process linked to the achievement of the organisation's objectives.
- The approach to internal control should be risk based, including an evaluation of the likelihood and impact of risks becoming a reality.
- Review procedures must cover business, operational and compliance risk as well as financing risk.
- Risk assessment and internal control should be embedded in ongoing operational procedures.
- The board of directors and risk management committee should receive regular reports during the year on internal control and risk.
- The principal results of risk identification, evaluation and management, and the review of its effectiveness, should be reported to, and reviewed by, the risk management committee and the board of directors.

The risk management committee acknowledges that it is responsible for ensuring that a sound system of control is maintained and that it has reviewed the effectiveness of the risk management process.

Purpose of this policy

This policy is a formal acknowledgement of the commitment of the organisation to risk management. The aim of the policy is not to eliminate risk from the organisation's activities entirely, but rather to ensure that every effort is made by the organisation to manage risk appropriately, so as to maximise potential opportunities and minimise the adverse effects of risk.

Policy Objectives
- To confirm and communicate the organisation's commitment to risk management, to assist in achieving its strategic and operational goals and objectives.
- To formalise and communicate a consistent approach to managing risks.
- To ensure that all significant risks to the organisation are identified, assessed and, where necessary, treated and reported to the risk management committee.
- To provide a commitment to staff that risk management is a core management capability.

Scope of the policy

Risk is an inherent aspect of all commercial business activities. Sound risk management principles must become part of routine management activity across the organisation. The key objective of this policy is to ensure the organisation has a consistent basis for measuring, controlling, monitoring and reporting risk across the organisation at all levels.

What is Risk?

Risk exists as a consequence of uncertainty and is present in all activities, whatever their size or complexity and whatever the industry or business sector. It is important to understand that risk is a broader concept than the traditional view of merely a threat; it also recognises the risks of taking, or not taking, opportunities. Risk includes:
- Threats (damaging events) which could result in failure to achieve organisational objectives.
- Opportunities (challenges) which, if exploited, could offer an improved way of achieving the desired objectives but which could potentially have negative impacts.

The organisation considers all types of risk it faces: strategic, operational, financial, reputational, and regulatory and compliance risks. Appendix 1 gives a list of the different categories of risk.

Organisation's Approach

The organisation's approach to risk management follows several key principles:
- The risk management process will be as user-friendly as possible and will add value.
- The organisation seeks to embed risk management across all divisions in all branches.
- The aim is to marry top-down and bottom-up assessments to produce a comprehensive picture of risk across all organisational activities.
- A key focus of the risk management process is control improvements to mitigate significant risks; however, the cost and the effectiveness of controls must be balanced. For example, where marginal improvements in control require substantial costs, the proposal may be unviable.
- Upward reporting of risk ensures that significant risks are reported and closely monitored on a regular basis at the appropriate level.

Many organisations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach stays in line with current best practice. It also gives the organisation the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks. The policy should also describe the risk architecture of the organisation; Figure 4 illustrates the typical risk architecture of a large listed company.

Roles and responsibilities

Board
Figure 4: Risk architecture of a large listed company

The Board
- Overall responsibility for RM
- Ensure RM is embedded in all processes and activities
- Review the group risk profile

Audit Committee (provides risk assurance to the Board; oversees RM structures and processes)
- Receive routine reports from the RMC
- Set the annual audit programme and priorities
- Monitor progress with recommendations

Risk Management Committee (reports and makes recommendations to the Board; directs and mentors the business units)
- Formulate strategy and policy based on risk appetite, attitudes and exposures
- Receive reports from business units, review RM activities and compile the risk register
- Track RM activity and keep the RM context under review

Disclosures Committee
- Review and evaluate disclosure controls and procedures
- Consider the materiality of information disclosed to external parties

Business Units (send reports to the RMC for evaluation)
- Prepare and update the unit risk register
- Set risk priorities for the unit
- Monitor projects and risk improvements
- Prepare reports for the RMC
- Manage control risk self-certification activities
16 Mandate and commitment from the Board is critically important and it needs to be continuous and highprofile. Unless this mandate and commitment are forthcoming, the risk management initiative will be unsuccessful. Keeping the risk management policy up to date demonstrates that risk management is a dynamic activity fully supported by the Board. The board takes an interest in risk management to the extent necessary to obtain comfort that properly established and functioning systems of risk management are in place to protect the organisation against significant risks. Responsibilities of Board in risk management include: ensuring that the organisational strategies and risk management are aligned; obtaining assurance from management that the organisation s strategic choices were based on a rigorous assessment of risk; obtaining assurance that key risks inherent in the organisation s strategies were identified and assessed, and are being properly managed; assisting the Chief Executive Officer to deal with fiscal, intergovernmental, political and other risks beyond their direct control and influence; insisting on the achievement of objectives, effective performance management and value for money; approve the risk management policy, strategy, and implementation plan; and approve the fraud prevention policy, strategy and implementation plan Chief Executive Officer (CEO) The CEO as the CEO is the ultimate Chief Risk Officer of the organisation and is accountable for the organisation's overall governance of risk. Responsibilities of the CEO include: setting an appropriate tone by supporting and being seen to be supporting the organisation s aspirations for effective management of risks; 44 P a g e
17 delegating responsibilities for risk management to Management and internal formations such as the Audit and Risk Management Committee; holding Management accountable for designing, implementing, monitoring and integrating risk management into their day-to-day activities; holding the Management accountable for performance in terms of their responsibilities for risk management; providing leadership and guidance to enable Management and internal structures responsible for various aspects of risk management to properly perform their functions; ensuring that the control environment supports the effective functioning of risk management; developing the risk management policy, strategy, and implementation plan; developing the fraud prevention policy, strategy and implementation plan; developing the organisation's risk appetite and risk tolerance; devoting personal attention to overseeing management of the significant risks; leveraging the Audit and Risk Management Committee, Internal Audit and External Auditor for assurance on the effectiveness of risk management; ensuring appropriate action in respect of the recommendations of the Audit and Risk Management Committee, Internal Audit and External Auditor to improve risk management; and providing assurance to relevant stakeholders that key risks are properly identified, assessed and mitigated Risk Management Committee The Committee is an independent committee responsible for oversight of the Organisation s control, governance and risk management. The responsibilities of the Committee with respect to risk management are formally defined in its charter. The Committee should provide an independent and objective view of the Organisation s risk management effectiveness. 45 P a g e
18 Responsibilities of the Committee include: reviewing and recommending for the approval of the Board, the: (i) risk management policy; (ii) risk management strategy or plan; (iii) risk management implementation plan; (iv) Organisation s risk appetite, ensuring that limits are: o supported by a rigorous analysis and expert judgement; o expressed in the same values as the key performance indicators to which they apply; o set for all material risks individually, as well as in aggregate for particular categorisations of risk. evaluating the extent and effectiveness of integration of risk management within the organisation; assessing implementation of the risk management policy and plan; evaluating the effectiveness of the mitigating strategies implemented to address the material risks of the organisation; reviewing the material findings and recommendations by assurance providers on the system of risk management and monitor the implementation of such recommendations; developing its own key performance indicators for approval by the CEO; and providing timely and useful reports to the CEO and Board on the state of risk management, together with accompanying recommendations to address any deficiencies identified by the Committee Chief Risk Officer The primary responsibility of the Chief Risk Officer is to bring to bear his specialist expertise to assist the organisation to embed risk management and leverage its benefits to enhance performance. Responsibilities of the Chief Risk Officer include: working with senior management to develop the organisation s vision for risk management; developing, in consultation with management, the organisation s risk management framework incorporating, inter alia, the: o risk management policy; o risk management strategy; o risk management implementation plan; o risk identification and assessment methodology; o risk appetite and tolerance; and 46 P a g e
  o risk classification.
- communicating the organisation's risk management framework to all stakeholders in the organisation and monitoring its implementation;
- facilitating orientation and training for the Risk Management Committee;
- training all stakeholders in their risk management functions;
- continuously driving risk management to higher levels of maturity;
- assisting Management with risk identification, assessment and development of response strategies;
- monitoring the implementation of the response strategies;
- collating, aggregating, interpreting and analysing the results of risk assessments to extract risk intelligence;
- reporting risk intelligence to the CEO, Management and the Risk Management Committee; and
- participating with Internal Audit, Management and External Auditor in developing the combined assurance plan for the Organisation.

Management

Management is responsible for executing their responsibilities outlined in the risk management strategy and for integrating risk management into the operational routines.

Responsibilities of Management include:

- executing their responsibilities as set out in the risk management strategy;
- empowering officials to perform effectively in their risk management responsibilities through proper communication of responsibilities, comprehensive orientation and on-going opportunities for skills development;
- aligning the functional risk management methodologies and processes with the organisational processes;
- devoting personal attention to overseeing the management of key risks within their area of responsibility;
- maintaining a co-operative relationship with the Risk Management Unit and Risk Champion;
- providing risk management reports;
- presenting to the Risk Management and Audit Committees as requested;
- maintaining the proper functioning of the control environment within their area of responsibility;
- monitoring risk management within their area of responsibility; and
- holding officials accountable for their specific risk management responsibilities.

Other Employees

Other employees are responsible for integrating risk management into their day-to-day activities.

Responsibilities of other employees include:

- applying the risk management processes in their respective functions;
- implementing the delegated action plans to address the identified risks;
- informing their supervisors and/or the Risk Management Unit of new risks and significant changes in known risks; and
- co-operating with other role players in the risk management process and providing information as required.

Risk Champions

The Risk Champion is a person with the skills, knowledge, leadership qualities and power of office required to champion a particular aspect of risk management. A key part of the Risk Champion's responsibility involves intervening in instances where the risk management efforts are being hampered, for example, by the lack of co-operation by Management and other officials and the lack of organisational skills and expertise. The Risk Champion also adds value to the risk management process by providing guidance and support to manage "problematic" risks and risks of a transversal nature that require a multiple participant approach.

In order to fulfil his/her function, the Risk Champion should possess:

- a good understanding of risk management concepts, principles and processes;
- good analytical skills;
- expert power;
- leadership and motivational qualities; and
- good communication skills.

The Risk Champion does not assume the role of the Risk Owner but should assist the Risk Owner to resolve problems.

Internal Auditing

The role of Internal Auditing in risk management is to provide independent, objective assurance on the effectiveness of the Organisation's system of risk management. Internal Auditing evaluates the effectiveness of the entire system of risk management and provides recommendations for improvement where necessary. Internal Auditing develops its internal audit plan on the basis of the key risk areas.

In terms of the International Standards for the Professional Practice of Internal Audit, determining whether risk management processes are effective is a judgment resulting from the Internal Auditor's assessment that:

- organisational objectives support and align with the Organisation's mission;
- significant risks are identified and assessed;
- risk responses are appropriate to limit risk to an acceptable level; and
- relevant risk information is captured and communicated in a timely manner to enable the CEO, Management, the Risk Management Committee and other officials to carry out their responsibilities.

When assisting Management in establishing or improving risk management processes, Internal Auditing shall refrain from assuming management responsibilities for risk management.
15. The Risk Management Process

The risk management process is simply a roadmap to get from risk-unaware to risk-aware and risk-ready. The risk management process is guidance on the steps that will and will not be included in the process as a whole (see Figure 5 below). The purpose of the Risk Management Process is to ensure that all of the appropriate steps related to risk management are implemented. It provides a common vision of what is and is not important to the organisation from a risk perspective.

[Figure 5: Risk Management Process. The diagram shows Establish Context, followed by Risk Assessment (Risk Identification, Risk Analysis, Risk Evaluation), followed by Risk Treatment, with Communication & Consultation and Monitor & Review shown alongside the whole sequence.]
The risk management process can be presented as a list of co-ordinated activities. There are alternative descriptions of this process, but the components listed below are usually present. This list represents the 7Rs and 4Ts of (hazard) risk management:

- Risk Assessment
  o Identification or Recognition of risks
  o Analysis
  o Evaluation or Ranking of risks
- Responding to significant risks
  o Tolerate
  o Treat
  o Transfer
  o Terminate
- Resourcing controls
- Reaction planning
- Reporting and monitoring risk performance
- Reviewing the risk management framework

Identification, Analysis and Evaluation of risks together form the risk assessment activity. ISO uses the phrase "risk treatment" to include all of the 4Ts included under the heading "risk response".

The Risk Management process should be established by senior management. It should be consistent from one assessment to the next, but not necessarily from one organisation to the next. Different organisations will have different areas of concern as regards risk processes. Also, the levels of depth may vary widely across organisations, as some have a passion for process, while others apply simpler approaches.

Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board. Likewise, risk assessment of all proposed projects should be undertaken and further risk assessments should be undertaken throughout the project. Finally, risk assessments are also required in relation to routine operations.

Other considerations relevant to undertaking risk assessments include decisions on how the risk assessments will be recorded. It is at this stage that an organisation will decide the level of detail that will be recorded about each risk in the risk description. Another important part of the risk assessment procedures will be the identification of the risk classification system to be used by the organisation.
15.1. Recording Risk Assessments

Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. Risk identification establishes the exposure of the organisation to risk and uncertainty. Table 3 shows the range of information that may need to be recorded. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system.

Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process. The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty.

1. Name or title of risk: Unique identifier.
2. Scope of risk: Scope of risk and details of possible events, including description of the events, their size, type and number.
3. Nature of risk: Classification of risk.
4. Stakeholders: Stakeholders, both internal and external, and their expectations.
5. Risk evaluation: Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level.
6. Loss experience: Previous incidents and prior loss experience of events related to the risk.
7. Risk tolerance, appetite or attitude: Loss potential and anticipated financial impact of the risk. Target for control of risk and desired level of performance. Risk attitude, appetite, tolerance or limits for the risk.
8. Risk response, treatment and controls: Existing control mechanisms and activities. Level of confidence in existing controls. Procedures for monitoring and review of risk performance.
9. Potential for risk improvement: Potential for cost-effective risk improvement or modification. Recommendations and deadlines for implementation. Responsibility for implementing any improvements.
10. Strategy and policy developments: Responsibility for developing strategy related to the risk. Responsibility for auditing compliance with controls.

Table 3: Recording Risk Assessments
15.2. Risk Classification Systems

An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable.

Risk classification systems are usually based on the division of risks into those related to:

- Financial control / Compliance,
- Infrastructure / Operational efficiency,
- Reputational exposure and
- Market place activities / Strategic

However, there is no risk classification system that is universally applicable to all types of organisations. This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.

Internal and external factors can give rise to risks. Figure 6 is based on the FIRM Risk Scorecard risk classification system and it provides examples of internal and external key risk drivers. The classification is then further elaborated upon in Table 4.
[Figure 6: Drivers of Risk. The figure arranges example key risk drivers from the FIRM Risk Scorecard in four quadrants, each split into externally driven and internally driven risks:

- Financial / Compliance risk. Externally driven: Accounting Standards, Interest rates, Foreign exchange, Funds & Credit. Internally driven: Internal control, Fraud, Historical liabilities.
- Infrastructure / Operations risk. Externally driven: Communications, Transport links, Supply chains, Terrorism, Natural Disasters, Pandemic. Internally driven: Recruitment, People skills, Health & safety, Premises.
- Reputational risk. Externally driven: Product recall, CSR, Public perception, Regulator enforcement, Competitor Behaviour. Internally driven: Brand extension, Brand composition, Control.
- Market place / Strategic risk. Externally driven: Economic environment, Technology developments, Competition, Customer demand, Regulatory requirements. Internally driven: M&A Activity, R&D Activity, IP, Contracts.]
Financial control / Compliance
- Description: Risks that can impact the way in which money is managed and profitability is achieved
- Internal or External: Internal
- Risk Quantifiable: Usually
- Measurement (performance indicator): Gains and losses from internal financial control
- Performance gap: Procedures. Failure of procedures to control internal financial risks
- Control mechanisms: Accounting standards; Internal control; Delegation of authority

Infrastructure / Operational efficiency
- Description: Risks that will impact the level of efficiency and dysfunction within the core processes
- Internal or External: Internal
- Risk Quantifiable: Sometimes
- Measurement (performance indicator): Level of efficiency in processes and operations
- Performance gap: Process. Failure of processes to operate without dysfunction
- Control mechanisms: Process control; Loss control; Insurance and risk financing

Reputational exposure
- Description: Risks that will impact desire of customers to deal or trade and level of customer retention
- Internal or External: External
- Risk Quantifiable: Not always
- Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile
- Performance gap: Perception. Failure to achieve the desired perception of the organisation
- Control mechanisms: Marketing; Advertising; Reputation and brand protection

Market place activities / Strategic
- Description: Risks that will impact the level of customer trade or expenditure and customer retention
- Internal or External: External
- Risk Quantifiable: Yes
- Measurement (performance indicator): Income from commercial and market activities
- Performance gap: Presence. Failure to achieve required presence in the marketplace
- Control mechanisms: Opportunity assessment; Strategic and business plans

Table 4: Features of the FIRM Risk Classification System (Hopkin, 2010:134)

Risk Assessment

Risk assessment is a fundamentally important part of the risk management process. In order to achieve a comprehensive risk management approach, an organisation needs to undertake suitable and sufficient risk assessments. A range of the most common risk assessment techniques is set out in Table 5.
Risk Identification

Risk identification is a natural progression from "Understand your organisation's context". Risk identification ascertains which risks have the potential to affect the organisation and documents the risks' characteristics. Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

- Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks
- Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies
- Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures
- Flowcharts and dependency analysis: Analysis of processes and operations within the organisation to identify critical components that are key to success
- HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes Effects Analysis are quantitative technical failure analysis techniques
- SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition

Table 5: Risk Assessment techniques

At the beginning of the Risk Identification process it is a good idea to have gathered all of the inputs you and your team will need. The inputs to the Risk Identification Process are:

- The Organisation's Strategic Plan: The Strategic Plan is used to gain an understanding of the organisation's mission, vision, values, objectives, implementation plans and other elements.
- Risk Management Plan: The Risk Management Plan (if in existence) provides the blueprint for overseeing risk management throughout the project, describing who, what, when, where, why, and how. The Risk Management Plan provides the following four critical inputs to Risk Identification:
  o Assignment of roles and responsibilities. It identifies the "who" of risk management by assigning the handling of specific tasks and roles to specific individuals.
  o Budget provisions for risk management activities identify the approved funds available for risk management activities. You will need to track your actual costs against these approved budget numbers.
  o Schedule for risk management, including the time needed for risk management activities.
  o Categories of risk. The risk categories are used during Risk Identification to organise and prioritise risks as they are identified.
- Organisational process assets: Organisational process assets provide information from prior projects, including historical information and lessons learned.
- Enterprise environmental factors: These factors include any and all external environmental factors and internal organisational environmental factors that surround or influence the organisation's success.

The tools and techniques used for the Risk Identification process are designed to help gather information, analyse it, and identify risks to and opportunities for the organisation's objectives. After determining your organisational context, a Risk Identification Checklist is a useful tool to start the process of identifying risks (Template A). The information gathered is entered on the Risk Register (Template E), which is the primary output of Risk Identification. The Risk Register will ultimately contain the results of the Risk Assessment and Risk Response Planning. The Risk Register illustrates all identified risks, including description, category and cause, probability of occurring and impact on objectives, proposed responses, owners, and current status.

While the Risk Register will become the comprehensive output, the Risk Identification process results in four entries in the Risk Register:

- List of identified risks, with their root causes and risk assumptions.
- List of potential responses identified here, which will serve as inputs to the Risk Response Planning process.
- Root causes of risk, which are the fundamental conditions that cause the identified risk.
- Updated risk categories. The process of identifying risks can lead to new risk categories being added.

Communicate and consult with stakeholders during all stages of the risk management process. Use a consultative team approach to communicate and consult with your organisation's stakeholders. Communication and consultation is a dialogue between an organisation and its stakeholders. This dialogue is both continual and interactive. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organisation, not by stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.
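As an added example that is not part of the original material or its templates, the Python below models a Risk Register of the kind described in 15.1 and in the Risk Identification outputs above: each entry carries the Table 3 fields, is classified with the FIRM categories of 15.2, is ranked by a likelihood-times-impact score (the "Evaluation or Ranking" step of the 7Rs) and records its 4T response. The 1 to 5 rating scales, the multiplicative score, the tolerance limit expressed as a score threshold and the sample entries are all constructed assumptions for illustration, not values from this document.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class FirmCategory(Enum):
    """Risk classification from the FIRM scorecard described in 15.2."""
    FINANCIAL = "Financial control / Compliance"
    INFRASTRUCTURE = "Infrastructure / Operational efficiency"
    REPUTATIONAL = "Reputational exposure"
    MARKETPLACE = "Market place activities / Strategic"


class Response(Enum):
    """The 4Ts of responding to significant risks."""
    TOLERATE = "Tolerate"
    TREAT = "Treat"
    TRANSFER = "Transfer"
    TERMINATE = "Terminate"


@dataclass
class Risk:
    """One register row; numbers in comments refer to the Table 3 fields."""
    risk_id: str                    # 1 unique identifier
    scope: str                      # 2 scope of risk / possible events
    nature: FirmCategory            # 3 nature of risk (classification)
    stakeholders: List[str]         # 4 internal and external stakeholders
    likelihood: int                 # 5 likelihood on a 1-5 scale (assumed scale)
    impact: int                     # 5 magnitude of impact, 1-5 (assumed scale)
    tolerance: int                  # 7 tolerance limit as a score (assumed form)
    owner: str                      # 10 responsibility for the risk
    loss_experience: str = ""       # 6 previous incidents
    response: Optional[Response] = None                 # 8 chosen 4T, if decided
    controls: List[str] = field(default_factory=list)   # 8 existing controls
    improvement: str = ""           # 9 potential for risk improvement

    def __post_init__(self) -> None:
        # Reject ratings outside the assumed 1-5 scale at entry time.
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be on the 1-5 scale, got {value}")

    @property
    def score(self) -> int:
        """Evaluation score: likelihood x impact (assumed scoring rule)."""
        return self.likelihood * self.impact


class RiskRegister:
    """Primary output of Risk Identification, keyed by unique identifier."""

    def __init__(self) -> None:
        self._risks: Dict[str, Risk] = {}

    def add(self, risk: Risk) -> None:
        # Field 1 of Table 3 is a unique identifier, so duplicates are refused.
        if risk.risk_id in self._risks:
            raise ValueError(f"duplicate risk identifier {risk.risk_id!r}")
        self._risks[risk.risk_id] = risk

    def ranked(self) -> List[Risk]:
        """Ranking step: highest score first, identifier as tie-break."""
        return sorted(self._risks.values(), key=lambda r: (-r.score, r.risk_id))

    def above_tolerance(self) -> List[str]:
        """Identifiers of risks whose score exceeds their tolerance limit."""
        return [r.risk_id for r in self.ranked() if r.score > r.tolerance]

    def accumulation_by_category(self) -> Dict[FirmCategory, int]:
        """Score totals per FIRM category: the accumulations of similar risks
        that a classification system is meant to reveal."""
        totals: Dict[FirmCategory, int] = defaultdict(int)
        for r in self._risks.values():
            totals[r.nature] += r.score
        return dict(totals)

    def awaiting_response(self) -> List[str]:
        """Material risks (above tolerance) with no 4T decision recorded."""
        return [rid for rid in self.above_tolerance()
                if self._risks[rid].response is None]


def build_sample_register() -> RiskRegister:
    """Constructed sample entries for illustration, not real organisational data."""
    reg = RiskRegister()
    reg.add(Risk("R-01", "Unpatched internet-facing servers are compromised",
                 FirmCategory.INFRASTRUCTURE, ["IT", "Customers"],
                 likelihood=4, impact=4, tolerance=9, owner="Head of IT",
                 response=Response.TREAT, controls=["Patch management cycle"]))
    reg.add(Risk("R-02", "Supplier invoice fraud through altered bank details",
                 FirmCategory.FINANCIAL, ["Finance", "Suppliers"],
                 likelihood=2, impact=5, tolerance=9, owner="CFO",
                 response=Response.TRANSFER, controls=["Dual authorisation"]))
    reg.add(Risk("R-03", "Adverse press coverage after a service outage",
                 FirmCategory.REPUTATIONAL, ["Public", "Regulator"],
                 likelihood=2, impact=4, tolerance=9, owner="Communications",
                 response=Response.TOLERATE))
    reg.add(Risk("R-04", "Key supplier becomes insolvent",
                 FirmCategory.INFRASTRUCTURE, ["Procurement"],
                 likelihood=3, impact=3, tolerance=9, owner="Head of Procurement"))
    reg.add(Risk("R-05", "New regulatory requirement changes service scope",
                 FirmCategory.MARKETPLACE, ["Board", "Regulator"],
                 likelihood=3, impact=4, tolerance=9, owner="CEO"))
    return reg


if __name__ == "__main__":
    register = build_sample_register()
    for risk in register.ranked():
        print(risk.risk_id, risk.score, risk.nature.value, risk.response)
    print("awaiting a 4T decision:", register.awaiting_response())
```

The register validates the unique identifier and the rating scale at entry, so the aggregate-by-category view and the awaiting_response list can be relied on. awaiting_response is the list a Risk Champion or the Risk Management Committee would follow up, since it holds material risks (above their tolerance limit) for which no Tolerate, Treat, Transfer or Terminate decision has yet been recorded in the register.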
More informationINTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS
Guidance Paper No. 2.2.6 INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES OCTOBER 2007 This document was prepared
More informationRisk Management Policy Adopted by:
Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009
More informationRisk Management. Webinar - July 2017
Risk Management Webinar - July 2017 Compiled by: Raaghieb Najjaar, Yaeesh Yasseen & Rashied Small Adapted and Facilitated by: Professor Enslin J. van Rooyen Risk Management - June 2017 2 Defining Risk
More informationRisk Management Policy and Framework
Risk Management Policy and Framework Risk Management Policy Statement ALS recognises that the effective management of risks is a fundamental component of good corporate governance and is vital for the
More informationApproved by: Diocesan Council 17 December 2015
DIOCESAN COUNCIL POLICY 39 Risk Management Approved by: Diocesan Council 17 December 2015 1 PREAMBLE The Perth Diocesan Trustees under the authority of the Diocesan Trustees Statute 1952 have the responsibility
More informationRisk Management Framework. Metallica Minerals Ltd
Risk Management Framework Metallica Minerals Ltd Risk Management Framework 23 March 2012 Table of Contents Contents 1. Introduction... 3 2. Risk Management Approach... 3 3. Roles and Responsibilities...
More informationRISK MANAGEMENT FRAMEWORK OVERVIEW
Perpetual Limited RISK MANAGEMENT FRAMEWORK OVERVIEW September 2017 Classification: Public Page 1 of 6 COMMITMENT TO RISK MANAGEMENT As a publicly listed company and provider of financial products and
More informationGUIDELINES FOR THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR LICENSEES
SUPERVISORY AND REGULATORY GUIDELINES: 2016 Issued: 2 August 2016 GUIDELINES FOR THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR LICENSEES 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the
More informationRisk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI
Risk Management: Principles, Methodologies and Techniques Peter Getugi Internal Audit Manager ILRI NAIROBI 22 JUNE, 2010 Session Objectives What is Risk Management? Why is Risk Management importance rising?
More information2 nd INDEPENDENT EXTERNAL EVALUATION of the EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA)
2 nd INDEPENDENT EXTERNAL EVALUATION of the EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA) TECHNICAL SPECIFICATIONS 15 July 2016 1 1) Title of the contract The title of the contract is 2nd External
More informationINTEGRATED RISK MANAGEMENT GUIDELINE
INTEGRATED RISK MANAGEMENT GUIDELINE Initial publication: April 2009 Updated: May 2015 TABLE OF CONTENTS Preamble... ii Scope... iii Coming into effect and updating... iv Introduction... v 1. Integrated
More information1. Define risk. Which are the various types of risk?
1. Define risk. Which are the various types of risk? Risk, is an integral part of the economic scenario, and can be termed as a potential event that can have opportunities that benefit or a hazard to an
More informationGUIDANCE NOTE ASSET MANAGEMENT BY AUTHORIZED INSURERS
GN13 GUIDANCE NOTE ON ASSET MANAGEMENT BY AUTHORIZED INSURERS Office of the Commissioner of Insurance June 2004 GN13 Guidance Note on Asset Management By Authorized Insurers Table of Contents Page Preamble...
More informationCorporate Governance Guideline
Office of the Superintendent of Financial Institutions Canada Bureau du surintendant des institutions financières Canada Corporate Governance Guideline January 2003 EFFECTIVE CORPORATE GOVERNANCE IN FEDERALLY
More informationRisk Management Policy
Risk Management Policy 1 Purpose and scope of this Policy 1.1 CSG Limited (CSG) is committed to managing its risks in a consistent and practical manner. Effective risk management is directly focussed on
More informationPrudential Standard GOI 3 Risk Management and Internal Controls for Insurers
Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Objectives and Key Requirements of this Prudential Standard Effective risk management is fundamental to the prudent management
More informationAn Introductory Presentation for ECU Staff
Risk Management at ECU An Introductory Presentation for ECU Staff Phillip Draber Manager, Risk and Assurance Outcomes By the end of this session you should: Be able to complete and document risk management
More informationRisk Management Policy and Strategy
Risk Management Policy and Strategy Version: 2.1 Bodies consulted: Approved by: Directors and Managers responsible for risk Board of Directors Date Approved: 28 March 2017 Lead Manager: Lead Director:
More informationOECD GUIDELINES ON INSURER GOVERNANCE
OECD GUIDELINES ON INSURER GOVERNANCE Edition 2017 OECD Guidelines on Insurer Governance 2017 Edition FOREWORD Foreword As financial institutions whose business is the acceptance and management of risk,
More informationD7 Risk Management Policy
D7 Risk Management Policy Purpose and scope The aim of Kelda s policy is to establish and embed effective risk management in normal business process and culture. This will improve Kelda s ability to predict
More informationPILLAR 3 DISCLOSURES MERCER UK AUGUST 2016
PILLAR 3 DISCLOSURES MERCER UK AUGUST 2016 CONTENTS 1. Background... 1 1.1 Basis of Disclosures... 2 1.2 Frequency of Publication... 2 1.3 Verification... 2 1.4 Media & Location of Publication... 2 2.
More information28 July May October 2016
Policy Name Risk Management Policy & Procedure Related Policies and Legislation AISWA Guidelines Risk Management Policy Category Planning & Management Relevant Audience Date of Issue / Last Revision All
More informationSOL PLAATJE MUNICIPALITY
RISK MANAGEMENT AND INTERNAL CONTROL Approved As Per Resolution CR 500 dd 17-11-05 INDEX 1. INTRODUCTION 2. PURPOSE AND SCOPE 3. OBJECTIVE OF THE RISK POLICY 4. RISK MANAGEMENT FRAMEWORK 5. ACCOUNTABILTY
More informationBest Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ]
Best Practices in ENTERPRISE RISK MANAGEMENT [ Managing Risks Holistically ] INTRODUCTIONS MODERATOR: Bob Lipps, JD, CPA PANELISTS: Ron Wilcox Abel Pomar Karen Gordon, Esq. THE EVOLUTION OF RISK Traditional
More informationRisk Management Plan PURPOSE: SCOPE:
Management Plan Authority Source: Vice-Chancellor Approval Date: 16/05/2018 Publication Date: 17/05/2018 Review Date: 17/05/2021 Effective Date: 16/05/2018 Custodian: General Counsel and University Secretary
More informationThe Australian National University Fraud Control Framework. Corporate Governance & Risk Office
The Australian National University Fraud Control Framework 2017 2018 Corporate Governance & Risk Office Corporate Governance and Risk Office 21 July 2017 The Australian National University Canberra ACT
More informationGUIDELINE ON ENTERPRISE RISK MANAGEMENT
GUIDELINE ON ENTERPRISE RISK MANAGEMENT Insurance Authority Table of Contents Page 1. Introduction 1 2. Application 2 3. Overview of Enterprise Risk Management (ERM) Framework and 4 General Requirements
More informationSOLVENCY & FINANCIAL CONDITION REPORT. SureStone Insurance dac
SOLVENCY & FINANCIAL CONDITION REPORT SureStone Insurance dac March 31 2017 TABLE OF CONTENTS SUMMARY 1 A BUSINESS AND PERFORMANCE 2 B SYSTEM OF GOVERNANCE 5 C RISK PROFILE 19 D VALUATION FOR SOLVENCY
More informationCERA Module 1 Exam 2016
CERA Module 1 Exam 2016 You can reach 90 points in total. 45 points are required in order to pass the exam. Good luck! Case study Filling the role of CRO Assume that you have been appointed CRO of the
More informationIOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES. Version for public consultation
IOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES Version for public consultation DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES Introduction:
More informationRisk Management Framework
Risk Management Framework Introduction The outgoing Corporate Strategy 2013-18 and incoming University Strategy 2018-23 continues on a trajectory towards Vision 2025 in an increasingly competitive Higher
More informationLONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY
LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY JANUARY 2013 1 Version Control Reference Comments Approval date 05 09 12 19 11 12 10 01 13 2 FOREWORD Welcome to the Council s Risk Management Strategy.
More informationDEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES
DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES A By-law made under paragraph (g) of subsection 264(1) of the Credit Unions and Caisses Populaires
More informationPerpetual s Risk Management Framework
Perpetual s Risk Management Framework Perpetual s Risk Management Framework Context Perpetual Limited (Perpetual) is a diversified financial services firm, listed on the Australian Securities Exchange.
More informationTailored and experiential training for the insurance industry
Tailored and experiential training for the insurance industry We believe in learning by doing. Our experiential approach to learning helps engage participants at a deep level and ensure they gain practical
More informationDelivering Clarity to Credit Unions Through Expertise and Experience
Jeff Owen, The Rochdale Group September 2012 Delivering Clarity to Credit Unions Through Expertise and Experience Enterprise Risk Management Lending Execution and Risk Management Merger Strategy and Realization
More informationRISK MANAGEMENT FRAMEWORK
Risk Management Framework RISK MANAGEMENT FRAMEWORK Purpose This Risk Management Framework introduces St. Michael s College s approach to risk management. It includes a definition of risk, a summary of
More informationDEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES
DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES A by-law made under paragraph (g) of subsection 264(1) of the Credit Unions and Caisses Populaires
More informationSolvency II Detailed guidance notes for dry run process. March 2010
Solvency II Detailed guidance notes for dry run process March 2010 Introduction The successful implementation of Solvency II at Lloyd s is critical to maintain the competitive position and capital advantages
More informationRisk Management Strategy
Resources Risk Management Strategy Successful organisations are not afraid to take risks; Unsuccessful organisations take risks without understanding them. Issue: Version 3 - November 2011 Group: Resources
More informationMINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY
` MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY 1. Vision To develop organizational wide capabilities in Risk Management so as to ensure a consistent,
More informationPST Board Assurance Framework
PST Board Assurance Framework 14 th January 2016 PST Board Assurance Framework Registered Address (No: IP030872) Fratton Park Frogmore Road Portsmouth PO4 8RA Prepared by Dr Mark Farwell PST Secretary
More informationRISK MANAGEMENT FRAMEWORK
RISK MANAGEMENT FRAMEWORK Approving authority Approval date University Council 5 August 2013 (3/2013 meeting) Advisor Vice President (Corporate Services) vpcorporateservices@griffith.edu.au (07) 373 57343
More informationENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework
ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework ENTERPRISE RISK MANAGEMENT (ERM) ERM Definition The Conceptual Frameworks: CAS and COSO Risk Categories Implementing ERM Why ERM? ERM Maturity
More informationJFSC Risk Overview: Our approach to risk-based supervision
JFSC Risk Overview: Our approach to risk-based supervision Contents An Overview of our approach to riskbased supervision An Overview of our approach to risk-based supervision Risks to what? Why publish
More informationINTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE. Nepal Rastra Bank Bank Supervision Department. August 2012 (updated July 2013)
INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE Nepal Rastra Bank Bank Supervision Department August 2012 (updated July 2013) Table of Contents Page No. 1. Introduction 1 2. Internal Capital Adequacy
More informationIngenious Capital Management Limited: Pillar III Disclosure
CONTENTS 1. Introduction 2. Risk Management 3. Capital Resources 4. Internal Capital Adequacy Assessment Process (ICAAP) 5. Remuneration Policy Disclosure 1. INTRODUCTION 1.1 Scope of Application Ingenious
More informationRISK MANAGEMENT MANUAL
ABN 70 074 661 457 RISK MAGEMENT MANUAL QUALITY ASSURANCE - ISO 9001 ENVIRONMENTAL MAGEMENT - ISO 14001 OCCUPATIOL HEALTH AND SAFETY - AS 4801 This is a Controlled Document if stamped CONTROLLED in RED.
More informationUCISA TOOLKIT. Major Project Governance Assessment. version 1.0
UCISA TOOLKIT Major Project Governance Assessment version 1.0 Contents Introduction 1 Roles and responsibilities 2 Definition of a Major Project 3 Guidance for using the Toolkit 4 Governance elements 4
More information