Conference and Exhibition for Smaller Housing Associations

Transcription

1 Conference and Exhibition for Smaller Housing Associations B3: A practical approach to managing risks for smaller housing associations Speaker: Chair: Mike Morley-Fletcher Risk Management Consultant Devonshires Business Advisory Services John Butler Finance Policy Officer National Housing Federation

2 A practical approach to managing risks NHF Conference for Smaller Housing Associations 6 th November 2013 Presented by: Mike Morley-Fletcher Devonshires Business Advisory Service mike.morley-fletcher@devonshiresbas.co.uk

3 Who is this?

4 Who is this?

5 Not one percent more! In the 2013 film, Rush, about James Hunt and Niki Lauda s rivalry in the 1976 Formula 1 season

6 Not one percent more! In the 2013 film, Rush, about James Hunt and Niki Lauda s rivalry in the 1976 Formula 1 season Niki Lauda is driving his future wife to the station and she asks him why, if he is a formula 1 racing driver, is he driving so sedately: Niki Lauda: There's no need to drive fast. We're not in a hurry, we're not being paid. There is no reward for the risk. So why would I drive fast? Marlene Knaus: Because I'm asking you to. [He speeds up and marries her shortly afterwards]

7 Not one percent more! In the 2013 film, Rush, about James Hunt and Niki Lauda s rivalry in the 1976 Formula 1 season Niki Lauda is driving his future wife to the station and she asks him why, if he is a formula 1 racing driver, is he driving so sedately: Niki Lauda: There's no need to drive fast. We're not in a hurry, we're not being paid. There is no reward for the risk. So why would I drive fast? Marlene Knaus: Because I'm asking you to. Niki Lauda argues his case for cancelling the 1976 German Grand Prix, due to atrocious weather conditions: Niki Lauda: I accept that every time I get into my car, there's 20% chance I could die and I could live with it. But not one percent more! And today with the rain, the risk is more. [They raced, he crashed and almost died] [He speeds up and marries her shortly afterwards]

8 Agenda 1. Key tools to start with: - risk process and tools - infrastructure - people

9 Agenda 1. Key tools to start with: - risk process and tools - infrastructure - people 2. Fine tuning your performance: - risk appetite - risk dashboard

10 1) Key tools to start with Risk process and tools - risk management cycle - risk universe - risk map - assurance map Infrastructure - who, when, what People - roles and responsibilities

11 IMPACT Risk Management cycle OBJECTIVES & PLAN 1) Validate Objective measures targets timescales risk risk 5) Identify Further Actions & Monitoring Mechanisms FURTHER ACTIONS TARGET actions who when now then 1) avoid risk GM 3/ ) fix, prevent risk I T 5/ ) contingency plan MD 5/ MONITORING MECHANISM report who to whom when 4) management report SD Exco 12/ 12 5) internal audit IA AC 16/12 4) Assess Risk Gap return Risk Appetite? mitigation risk risk 2) Identify Risks to Achievement risk 4) critical 3) serious 2) moderate 1) low risk risk 3) Evaluate Risks 1) remote 2) possible 3) probable 4) likely LIKELIHOOD

12 Risk Universe

13 A Risk Universe is a comprehensive view of the risks threatening the business and you would use it to support the development of a risk universe for your organisation. It encourages the business, risk managers and assurance providers to have a common view of risk and is used by all parts of the business, including internal audit to manage the risks faced by the business. Inherent risks are categorised between: Strategic Risks = doing the wrong thing Operational risks = doing the right thing, wrongly Risk Universe Compliance risks = not doing what should be done Financial risks = doing it in a way that loses money or incurs unnecessary liabilities

14 Risk Profiling RISK MAP (net risk) (g) high (d) high (b) critical (a) critical 4) critical (> 200k) G IMPACT (max pa) 3) serious ( k) 2) moderate ( k) (k) medium (h) medium (e) high (c) critical N T (n) low (l) medium (i) medium (f) high (p) v.low (o) low (m) medium (j) medium 1) manageable (< 50k) 1) Remote (< 10%) 2) Possible (10-50%) 3) Probable (50-80%) 4) Likely (> 80%) LIKELIHOOD (over BP period)

15 Risk Profiling RISK MAP (net risk) (g) high (d) high (b) critical (a) critical G N = Gross exposure, before controls = Net exposure, after controls 4) critical (> 200k) G T = Target exposure, after further actions IMPACT (max pa) 3) serious ( k) 2) moderate ( k) (k) medium (h) medium (e) high (c) critical N T (n) low (l) medium (i) medium (f) high IMPACT Criteria Score Description Relative % Actual (eg, on Margin of 1m) 4 Critical > 20% > 200K 3 Serious 10-20% k 2 Moderate 5 10% k 1 Manageable 0-5% < 50k LIKELIHOOD Criteria (p) v.low (o) low (m) medium (j) medium Score Description Likelihood 1) manageable (< 50k) 1) Remote (< 10%) 2) Possible (10-50%) 3) Probable (50-80%) 4) Likely (> 80%) LIKELIHOOD (over BP period) 4 Likely > 80% 3 Probable 50-80% 2 Possible 10 50% 1 Remote 0-10%

16 Assurance Map Use Risk Assessment to identify who assesses the most significant risks, who manages them, and who monitors and provides assurance on them. Shows gaps in coverage for key risks (potential exposure, surprise) and duplication of effort (wastage of resource and distraction for business). Use to improve or rationalise. Significant Risks High Risks Economic Conditions Industry Consolidation Interest Rate Volatility Non-core Marketing activities of Brands New Product Development Management Capability Medium Risks Environmental Regulation Recruitment & Retention Income-stream Customer Migration volatility Regulatory Compliance Supplier Dependence IT Infrastructure Low Risks Cost Real Estate control Business Continuity Risk Level Risk Assessment, Management & Assurance Activities Mapping Operations, eg, Support eg, Corporate Development Sales Marketing Service HR IT Finance HR Tax IT Finance Support Affairs Legal & Legal Management Representation Monitoring eg, Control Self Assessment Compliance Internal Audit Other Internal Assurance Provider Code ASSESS IMPROVE MONITOR Potential Risk Coverage Gap Potential Risk Management Inefficiencies Opportunity to use CSA more? Change scope of Internal Audit?

17 On an ongoing basis 5) Top-down, bottom-up A) Executive Directors B) Executive Committee Business areas/ project teams assess risks and plan appropriate mitigation actions to support intelligent risk-taking Risk Management Infrastructure review risk insights from own areas Half-yearly Group Risk Profile collectively agrees Group Risk Profile & responsive mitigation plans C) CEO presents Group Risk Profile to Group Board Exec Director Group Board Strategic plans Significant projects Business as usual Exec Director Exec Director Executive Committee Group Risk Profile D) Executive Committee tracks completion of actions E) Internal Audit reviews Mitigation Plans & inputs to Audit Programme F) Audit Committee monitors effectiveness of risk management process

18 People: roles and responsibilities Staff/ risk owners Exec Team CEO Risk manager

19 People: roles and responsibilities Board Risk Committee Staff/ risk owners Audit Committee Exec Team CEO Risk manager

20 People: roles and responsibilities Board Risk Committee Staff/ risk owners Audit Committee Exec Team CEO Risk manager Regulator Funders Shareholder Residents Communities

21 People: roles and responsibilities Board Risk Committee Staff/ risk owners Audit Committee Exec Team CEO Risk manager Regulator Funders Shareholder Residents Communities

22 People: roles and responsibilities Board Risk Committee Staff/ risk owners Audit Committee Exec Team CEO (= CRO) Risk manager Regulator Funders Shareholder Residents Communities

23 Putting it into practice The ICAEW report Getting It Right, a report on risk governance in non-financial services companies, October 2009 What s needed is not more rules, not even more principles, but for companies to make a good job of putting into practice those we already have.

24 2) Fine tuning your performance Risk appetite - what is it? - why do we need it? - how to determine it? - challenges? Risk dashboard - early warning - resilience

25 Risk Appetite: what is it? why we need it? How much risk are you willing to take? Tipping point, calibrates risk management How much risk are you willing to tolerate? Key to risk taking it depends on: - the size of the prize, - your assessment of risk, and - your confidence in your controls

26 Risk Appetite: what is it? why we need it? How much risk are you willing to take? Tipping point, calibrates risk management How much risk are you willing to tolerate? Key to risk taking Shows the tipping point, the difference between right and wrong Calibrates decision making, how much risk to get how much reward? Sets level of Delegation of Authorities Can be used to communicate and monitor acceptable levels of risk taking Challenges right level of reward and control (including the cost of control) Renewed focus for regulators

27 How to determine Risk Appetite? Board set directional Tone from the Top / Risk Attitude as guide for Risk Appetite Management, for key risks: - identify Key Risk Indicators (may need input from direct risk owner) - set limits of appetite/ tolerance (upper and/ or lower) - consider consistency and aggregation of separate appetites/ tolerances Board validate Management s set of risk appetites/ tolerances Management - document in policies, articulate in leadership communications, reinforce by actions - monitor and report breaches, use approaching breaches as early warning Tone from the Top / Risk Attitude scale Monitoring Key Risk Indicators Monitoring Risk Appetite Value Risk Tolerance Risk Appetite Time Risk Indicator

28 Measuring and monitoring risks as part of performance dashboard We need them for our cars, why not for our businesses? To go faster, further and more safely Risk Dashboard KCI Speed camera detector KPI KPI KRI KRI KCI KRI KPI KRI

29 AOB Any questions?

30 Risk/ return analysis

31 Risk/ return analysis

32 Risk/ return analysis

33 Risk/ return analysis