Section Defining Risk Management. 11. Principles of Risk Management


Defining Risk Management

Enterprise risk management is the process, affected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. Enterprise risk management further extends to the process of planning, organising, leading, and controlling the activities of an organisation in order to minimise the effects of risk on an organisation's capital and earnings. Enterprise risk management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.

Questions to reflect on: Review the definition above and state the 5 most important characteristics of Risk Management.

11. Principles of Risk Management

Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances. The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation. Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.

Risk management should be a continuous process that supports the development and implementation of the strategy of an organisation. It should methodically address all the risks associated with all of the activities of the organisation. In all types of undertaking, there is the potential for events that constitute opportunities for benefit (upside), threats to success (downside) or an increased degree of uncertainty. It is often argued that, for health and safety risks, the consequences can only be negative and the management of safety risk should focus on prevention and mitigation of harm. However, for outsourced service providers, setting good standards of health and safety may be part of winning contracts, and this demonstrates that there is an upside to safety risk management.

The ISO Risk Management Standard describes the Principles of Risk Management as follows:

Organisational Context - There's no one-size-fits-all when it comes to Risk Management. Each organisation will be affected by different Political, Economic, Societal, Technological, Legal and Environmental factors (PESTLE). It's also worth pointing out (the obvious) that each organisation will have different internal cultures, communication channels and levels of existing risk management processes. Make sure that your organisation's approach to risk management is aligned with its unique internal and external context as well as its risk profile. A risk profile is a written description of a set of risks. A risk profile can include the risks that the entire organisation must manage or only those that a particular function or part of the organisation must address.

Stakeholder Involvement - Involve your stakeholders wherever possible. Keep them informed and understand the role they can/could play at each stage in the Risk Management process. Make sure that your approach to risk management is transparent (open, visible, and accessible) and that it is inclusive of all decision makers from all parts of your organisation.

Organisational Objectives - Use risk management to create and protect value. Create and protect value by using risk management to help achieve your organisation's objectives and improve its performance. When assessing and responding to a risk, be sure to keep the overall organisational objectives in mind (see the bigger picture). Keep things in perspective and don't lose sight of your end-goal.

Management of Risk Approach - Use risk management to address the uncertainty that your organisation faces and to identify and define the nature and type of uncertainties that your organisation must deal with. Use risk management to figure out what you can do to address your organisation's uncertainties by making risk management part of your decision making process at every level, to make informed choices and to prioritise actions. Make sure that your risk management approach is structured, systematic, and timely. The approach should contribute to organisational efficiency and generate consistent and reliable results based on the best information. Further, make sure that decision makers understand and consider the limitations and shortcomings of the data they use to manage risk.

Reporting - Keep people informed and ensure transparency and visibility. Communication is key!

Roles & Responsibilities - Make sure that everyone understands the role they play at each stage of the Risk Management process. Ensure that all bases are covered by someone. Make risk management part of every process within your organisation at every level and make risk management a responsibility of every manager within your organisation.

Support Structure - Ensure that everyone understands how risk is managed through the Risk Management process and who to go to if they have any questions. For example:
- How are risks identified?
- How and when are risks escalated?
- Where and in what format are risks documented?
- How and when are risks reviewed?

Early Warning Indicators - Make sure that your organisation's approach to risk management is dynamic and responsive and that it continually senses change and responds to it. Give yourself the best chance of forecasting/anticipating the transition of a Risk to an active Issue. Ensure that everyone is communicating and that any potential issues are highlighted. It's also important to know how you should react in the event a risk is, or is about to be, realised, e.g. who needs to know and how will you inform them?

Review Cycle - Make sure that your Risk documentation is accessible and that you're regularly reviewing it. Achieve this by making the process repeat itself. Repeat your risk management process whenever and wherever objectives need to be achieved.

Overcoming Barriers to the Management of Risk - Ensure you're doing everything you can to give yourself the best chance of successfully assessing the risk and responding to the risk. Some common barriers include:
- Established roles, responsibilities, accountability and ownership.
- An appropriate budget for embedding the approach and carrying out activities.
- Adequate and accessible training, tools and techniques.
- Risk management orientation, induction and training processes.
- Irregular assessment of the Management of Risk approach (including all of the above issues).

Supportive Culture - Risk management should consider both human and cultural factors. Make sure that your approach to risk management recognises and considers the human and cultural factors that can influence the achievement of your organisation's objectives. Consider how human capabilities, perceptions and intentions can facilitate or hinder the achievement of your objectives. Make sure that everyone on the team feels comfortable raising, discussing and managing risks.

Continual Improvement - Risk management should facilitate continual improvement. Review the way you manage risk as well as the procedure for assessing on-going risks. Learn from your mistakes.

Questions to reflect on: After considering the Principles of Risk Management, indicate those principles at which your organisation either excels or dismally fails.

12. The Risk Management Approach

Corporate governance is the way an organisation is controlled to achieve its objectives. Control offers reliability within a tolerable degree of certainty. It is the glue that holds an organisation together, while risk management provides resilience. A risk management system depends on management commitment and allocation of resources during design, implementation, maintenance and monitoring of the process at all levels. Resources include assignment of competent people, accurate forecasting and spending, quality material, adequate and sufficient equipment, appropriate and efficient methods, and marketing the management system inside and outside the organisation. Management must set the tone for honest communication and reporting at all levels, to ensure reliable data, information, appropriate decisions, accountability and responsibility.

Management should sustain commitment to a risk management process through strategic planning, rigorous monitoring, and guidance on:
- Defining and endorsing risk management policy
- Aligning organisational culture and risk management policy
- Aligning risk management and organisational performance indicators, objectives and strategies
- Achieving legal compliance
- Assigning accountabilities and responsibilities at appropriate levels
- Allocating relevant resources to risk management
- Communicating risk management benefits
- Adjusting the risk management framework to remain appropriate
(ISO Risk Management Standard)

13. Risk Management Framework

According to ISO 31000, a risk management framework is a set of components that support and sustain risk management throughout an organisation. There are two types of components: foundations and organisational arrangements. Foundations include your risk management policy, objectives, mandate, and commitment, and organisational arrangements include the plans, relationships, accountabilities, resources, processes, and activities you use to manage your organisation's risk.

Introducing Risk Management to your organisation can be achieved by following the process shown in Figure 2 below (which is discussed in more detail further below):

Figure 2 Introducing risk management to your organisation (a continuous cycle of the following stages):
- Make a commitment to risk management
- Design your risk management framework
  - Understand Context
  - Formulate your policy
  - Design RM process
  - Make people accountable
  - Allocate resources
  - Internal communication
  - External communication
  - Build risk management into your organisation
- Implement your approach to risk management
- Monitor your risk management framework
- Improve your risk management framework

13.1. Make a commitment to risk management
- Start the drafting of the organisation's risk management policy. A policy statement defines a general commitment, direction, or intention. A risk management policy statement expresses an organisation's commitment to risk management and clarifies its general direction or intention.
- Formulate risk management objectives.
- Establish risk management performance indicators.
- Assign risk management responsibilities.
- Allocate risk management resources.
- Communicate risk management benefits.
- Support your risk management framework.

Design your risk management framework

Understand your organisation's context

To establish the context means to define the external and internal parameters that organisations must consider when they manage risk. An organisation's external context includes all of the external environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its external stakeholders, its local, national, and international environment, as well as key drivers and trends that influence its objectives. It includes stakeholder values, perceptions, and relationships, as well as its social, cultural, political, legal, regulatory, financial, technological, economic, natural, and competitive environment.

An organisation's internal context includes all of the internal environmental parameters and factors that influence how it manages risk and tries to achieve its objectives. It includes its internal stakeholders, its approach to governance, its contractual relationships, and its capabilities, culture, and standards. Governance includes the organisation's structure, policies, objectives, roles, accountabilities, and decision making process, and capabilities include its knowledge and human, technological, capital, and systemic resources.

You should consider your organisation's context when you define the scope of its risk management program, when you formulate its risk management policy, and when you establish its risk criteria. You can achieve this by completing the following evaluations:
- Evaluate and understand your organisation's external context and then use this knowledge to help design your risk management framework.
  o Evaluate and understand your organisation's external environment.
  o Evaluate and understand your organisation's external stakeholders. A stakeholder is a person or an organisation that can affect or be affected by a decision or an activity. Stakeholders also include those who have the perception that a decision or an activity can affect them. You should distinguish between external and internal stakeholders.
  o Evaluate and understand your organisation's external influences.

- Evaluate and understand your organisation's internal context and then use this knowledge to help design your risk management framework.
  o Understand your organisation's internal stakeholders.
  o Understand your organisation's governance.
  o Understand your organisation's capabilities.
  o Understand your organisation's culture.
  o Understand your organisation's standards.
  o Understand your organisation's contracts.

Finalise your risk management policy
- Establish a risk management policy for your organisation.
- Make a clear commitment to risk management.
- Explain how your policy will be implemented.
- Communicate your risk management policy.

Design your risk management process

A risk management process is one that systematically applies management policies, procedures, and practices to a set of activities intended to establish the context, communicate and consult with stakeholders, and identify, analyse, evaluate, treat, monitor, and review risk. It is discussed in further detail a bit later. Develop a plan that explains how you intend to apply your organisation's risk management process.

Make people accountable for managing risk
- Identify your organisation's risk owners. A risk owner is a person or entity that has been given the authority to manage a particular risk and is accountable for doing so.
- Give risk owners the authority to manage risk.
- Make risk owners accountable for managing risk.
- Establish risk management performance measurement methods.
- Develop risk management reporting and escalation processes.

Allocate resources for risk management
- Allocate appropriate resources to support your organisation's risk management activities.
- Consider providing people who can support your organisation's risk management activities.
- Consider providing resources needed to support each step of the risk management process.
- Consider providing information and knowledge management systems to support risk management.

Establish internal communication mechanisms
- Establish internal risk management communication and reporting processes.

Develop an external communication plan
- Develop a plan that describes how you intend to communicate with your organisation's external stakeholders.
- Implement your external risk management communication plan.

Build risk management into your organisation
- Make risk management an integral part of all processes and practices.
- Develop an organisation-wide risk management plan. An organisation's risk management plan describes how it intends to manage risk. It describes the management components, the approach, and the resources that will be used to manage risk. Typical management components include procedures, practices, responsibilities, and activities (including their sequence and timing). Risk management plans can be applied to products, processes, and projects, or to an entire organisation or to any part of it.

Implement your approach to risk management
- Develop a strategy to implement your organisation's framework.
- Implement your organisation's risk management framework.

Monitor your risk management framework
- Evaluate the on-going effectiveness of your organisation's risk management framework.
- Prepare reports on the effectiveness of your risk management framework.

13.5. Improve your risk management framework
- Study the results of your risk management monitoring and review activities.
- Figure out how you're going to improve your risk management framework.

Questions to reflect on: Paragraphs 12 & 13 in the Study Guide serve as a high-level guide for 1) approaching Risk Management in general and 2) establishing a Risk Management Framework. Scenario: After completion of this course you are expected to lead the process of implementing Risk Management in your organisation. In terms of what you have learned thus far, as well as your experience, critically evaluate the text in Paragraphs 12 & 13 in terms of how you would approach the process differently or what you would do additionally.

14. Risk Architecture, Strategy & Protocols

There are a number of factors that should be considered when designing and planning an ERM initiative. Figure 3 highlights that the details of the risk architecture, strategy and protocols should be recorded in a risk management policy for the organisation. Table 2 serves as a checklist to ensure all areas are covered.

Figure 3 Factors to consider when designing an ERM initiative
- Risk Architecture (organisational): Risk Architecture specifies the roles, responsibilities, communication and risk reporting structure.
- Risk Strategy (foundations): Risk strategy, appetite, attitudes and philosophy are defined in the Risk Management Policy.
- Risk Protocols: Risk Protocols are presented in the form of risk guidelines for the organisation and include the rules and procedures, as well as specifying the risk management methodologies, tools and techniques that should be used.
- Risk Management Process

Risk Architecture
- Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
- Risk management responsibilities allocated to an appropriate management committee
- Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
- Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
- Sources of risk assurance for the Board have been identified and validated

Risk Strategy
- Risk management policy produced that describes risk appetite, risk culture and philosophy
- Key dependencies for success identified, together with the matters that should be avoided
- Business objectives validated and the assumptions underpinning those objectives tested
- Significant risks faced by the organisation identified, together with the critical controls required
- Risk management action plan established that includes the use of key risk indicators, as appropriate
- Necessary resources identified and provided to support the risk management activities

Risk Protocols
- Appropriate risk management framework identified and adopted, with modifications as appropriate
- Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
- Procedures to include risk as part of business decision-making established and implemented
- Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
- Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
- Business continuity plans and disaster recovery plans established and regularly tested
- Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
- Arrangements in place for mandatory reporting on risk, including reports on at least the following:
  o Risk appetite, tolerance and constraints
  o Risk architecture and risk escalation procedures
  o Risk aware culture currently in place
  o Risk assessment arrangements and protocols
  o Significant risks and key risk indicators
  o Critical controls and control weaknesses
  o Sources of assurance available to the Board

Table 2 Checklist for an ERM initiative

14.1. Components of a risk management policy
- Risk management and internal control objectives (governance)
- Statement of the attitude of the organisation to risk (risk strategy)
- Description of the risk aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organisation and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analysing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

Risk management policy EXAMPLE

Introduction

Like every organisation, the organisation faces numerous risks. These risks have the potential to disrupt achievement of the organisation's strategic and operational objectives. The organisation aims to use risk management to take better informed decisions and improve the probability of achieving its strategic and operational objectives.

Corporate Governance

The organisation is required to include in its annual financial statement a statement on internal control, including how the following broad principles of corporate governance have been applied:
- The identification and management of risk should be a continuous process linked to the achievement of the organisation's objectives.
- The approach to internal control should be risk based, including an evaluation of the likelihood and impact of risks becoming a reality.
- Review procedures must cover business, operational and compliance as well as financing risk.
- Risk assessment and internal control should be embedded in on-going operational procedures.
- The board of directors and risk management committee should receive regular reports during the year on internal control and risk.

- The principal results of risk identification, evaluation and management review of its effectiveness should be reported to, and reviewed by, the risk management committee and board of directors.

The risk management committee acknowledges that it is responsible for ensuring that a sound system of control is maintained and that it has reviewed the effectiveness of the risk management process.

Purpose of this policy

This policy is a formal acknowledgement of the commitment of the organisation to risk management. The aim of the policy is not to have risk eliminated completely from the organisation's activities, but rather to ensure that every effort is made by the organisation to manage risk appropriately to maximize potential opportunities and minimize the adverse effects of risk.

Policy Objectives
- To confirm and communicate the organisation's commitment regarding risk management to assist in achieving its strategic and operational goals and objectives.
- To formalize and communicate a consistent approach in managing risks.
- To ensure that all significant risks to the organisation are identified, assessed and, where necessary, treated and reported to the risk management committee.
- To provide a commitment to staff that risk management is a core management capability.

Scope of the policy

Risk is an inherent aspect of all commercial business activities. Sound risk management principles must become part of routine management activity across the organisation. The key objective of this policy is to ensure the organisation has a consistent basis for measuring, controlling, monitoring and reporting risk across the organisation at all levels.

What is Risk?

Risk exists as a consequence of uncertainty and is present in all activities, whatever the size or complexity and whatever the industry or business sector. It is important to understand that risk is a broader concept than the traditional view of merely a threat. It also recognizes the risks of taking or not taking opportunities.

Risk includes:
- Threats (damaging events) which could result in failure to achieve organisational objectives.
- Opportunities (challenges) which, if exploited, could offer an improved way of achieving the desired objectives but which could potentially have negative impacts.

The organisation considers all types of risk it faces: strategic, operational, financial, reputational, and regulatory and compliance risks. Appendix 1 gives a list of the different categories of risks.

Organisation's Approach

The organisation's approach to risk management follows several key principles:
- The Risk Management process will be as user friendly as possible and add value.
- The organisation seeks to embed risk management across all divisions in all branches.
- The aim is to marry top-down and bottom-up assessments to produce a comprehensive picture of risk across all organisational activities.
- A key focus of the risk management process is the concentration on control improvements to mitigate significant risks; however, there is a need to balance the cost and the effectiveness of the controls. For example, where marginal improvements in control require substantial costs, the proposal may be unviable.
- Upward reporting of risk ensures that significant risks are reported and closely monitored on a regular basis at the appropriate level.

Roles and responsibilities

Board

Many organisations issue an updated version of their risk management policy each year. This ensures that the overall risk management approach is in line with current best practice. It also gives the organisation the opportunity to focus on the intended benefits for the coming year, identify the risk priorities and ensure that appropriate attention is paid to emerging risks. The policy should also describe the risk architecture of the organisation. Figure 4 illustrates the typical risk architecture of a large listed company.

Figure 4 Risk Architecture of a large Private Listed Company
- The Board: overall responsibility for RM; ensure RM is embedded in all the processes and activities; review group risk profile
- Audit Committee: receive routine reports from RMC; set annual audit programme and priorities; monitor progress with recommendations; provide risk assurance to the board; oversee RM structures and processes
- Risk Management Committee (RMC): formulate strategy & policy based on risk appetite, attitudes and exposures; receive reports from business units, review RM activities and compile risk register; report and make recommendations to the board; track RM activity and keep RM context under review
- Disclosures Committee: review and evaluate disclosure controls and procedures; consider materiality of information disclosed to external parties
- Business Units: prepare and update the unit risk register; set risk priorities for the unit; monitor projects & risk improvements; prepare reports for RMC; manage control risk self-certification activities
- The committees direct and mentor the business units, and the business units send reports upward for evaluation.

Mandate and commitment from the Board is critically important and it needs to be continuous and high-profile. Unless this mandate and commitment are forthcoming, the risk management initiative will be unsuccessful. Keeping the risk management policy up to date demonstrates that risk management is a dynamic activity fully supported by the Board.

The board takes an interest in risk management to the extent necessary to obtain comfort that properly established and functioning systems of risk management are in place to protect the organisation against significant risks. Responsibilities of the Board in risk management include:
- ensuring that the organisational strategies and risk management are aligned;
- obtaining assurance from management that the organisation's strategic choices were based on a rigorous assessment of risk;
- obtaining assurance that key risks inherent in the organisation's strategies were identified and assessed, and are being properly managed;
- assisting the Chief Executive Officer to deal with fiscal, intergovernmental, political and other risks beyond their direct control and influence;
- insisting on the achievement of objectives, effective performance management and value for money;
- approving the risk management policy, strategy, and implementation plan; and
- approving the fraud prevention policy, strategy and implementation plan.

Chief Executive Officer (CEO)

The CEO is the ultimate Chief Risk Officer of the organisation and is accountable for the organisation's overall governance of risk. Responsibilities of the CEO include:
- setting an appropriate tone by supporting and being seen to be supporting the organisation's aspirations for effective management of risks;

- delegating responsibilities for risk management to Management and internal formations such as the Audit and Risk Management Committee;
- holding Management accountable for designing, implementing, monitoring and integrating risk management into their day-to-day activities;
- holding Management accountable for performance in terms of their responsibilities for risk management;
- providing leadership and guidance to enable Management and internal structures responsible for various aspects of risk management to properly perform their functions;
- ensuring that the control environment supports the effective functioning of risk management;
- developing the risk management policy, strategy, and implementation plan;
- developing the fraud prevention policy, strategy and implementation plan;
- developing the organisation's risk appetite and risk tolerance;
- devoting personal attention to overseeing management of the significant risks;
- leveraging the Audit and Risk Management Committee, Internal Audit and External Auditor for assurance on the effectiveness of risk management;
- ensuring appropriate action in respect of the recommendations of the Audit and Risk Management Committee, Internal Audit and External Auditor to improve risk management; and
- providing assurance to relevant stakeholders that key risks are properly identified, assessed and mitigated.

Risk Management Committee

The Committee is an independent committee responsible for oversight of the Organisation's control, governance and risk management. The responsibilities of the Committee with respect to risk management are formally defined in its charter. The Committee should provide an independent and objective view of the Organisation's risk management effectiveness.

Responsibilities of the Committee include:
- reviewing and recommending for the approval of the Board, the:
  (i) risk management policy;
  (ii) risk management strategy or plan;
  (iii) risk management implementation plan;
  (iv) Organisation's risk appetite, ensuring that limits are:
    o supported by a rigorous analysis and expert judgement;
    o expressed in the same values as the key performance indicators to which they apply;
    o set for all material risks individually, as well as in aggregate for particular categorisations of risk.
- evaluating the extent and effectiveness of integration of risk management within the organisation;
- assessing implementation of the risk management policy and plan;
- evaluating the effectiveness of the mitigating strategies implemented to address the material risks of the organisation;
- reviewing the material findings and recommendations by assurance providers on the system of risk management and monitoring the implementation of such recommendations;
- developing its own key performance indicators for approval by the CEO; and
- providing timely and useful reports to the CEO and Board on the state of risk management, together with accompanying recommendations to address any deficiencies identified by the Committee.

Chief Risk Officer

The primary responsibility of the Chief Risk Officer is to bring to bear his specialist expertise to assist the organisation to embed risk management and leverage its benefits to enhance performance. Responsibilities of the Chief Risk Officer include:
- working with senior management to develop the organisation's vision for risk management;
- developing, in consultation with management, the organisation's risk management framework incorporating, inter alia, the:
  o risk management policy;
  o risk management strategy;
  o risk management implementation plan;
  o risk identification and assessment methodology;
  o risk appetite and tolerance; and

19 o risk classification. communicating the organisation s risk management framework to all stakeholders in the organisation and monitoring its implementation; facilitating orientation and training for the Risk Management Committee; training all stakeholders in their risk management functions; continuously driving risk management to higher levels of maturity; assisting Management with risk identification, assessment and development of response strategies; monitoring the implementation of the response strategies; collating, aggregating, interpreting and analysing the results of risk assessments to extract risk intelligence; reporting risk intelligence to the CEO, Management and the Risk Management Committee; and participating with Internal Audit, Management and External Auditor in developing the combined assurance plan for the Organisation Management Management is responsible for executing their responsibilities outlined in the risk management strategy and for integrating risk management into the operational routines. Responsibilities of Management include: executing their responsibilities as set out in the risk management strategy; empowering officials to perform effectively in their risk management responsibilities through proper communication of responsibilities, comprehensive orientation and on-going opportunities for skills development; aligning the functional risk management methodologies and processes with the organisational processes; devoting personal attention to overseeing the management of key risks within their area of responsibility; maintaining a co-operative relationship with the Risk Management Unit and Risk Champion; providing risk management reports; presenting to the Risk Management and Audit Committees as requested; 47 P a g e

20 maintaining the proper functioning of the control environment within their area of responsibility; monitoring risk management within their area of responsibility; and holding officials accountable for their specific risk management responsibilities Other Employees Other employees are responsible for integrating risk management into their day-to-day activities. Responsibilities of other employees include: applying the risk management processes in their respective functions; implementing the delegated action plans to address the identified risks; informing their supervisors and/or the Risk Management Unit of new risks and significant changes in known risks; and co-operating with other role players in the risk management process and providing information as required Risk Champions The Risk Champion is a person with the skills, knowledge, leadership qualities and power of office required to champion a particular aspect of risk management. A key part of the Risk Champion's responsibility involves intervening in instances where the risk management efforts are being hampered, for example, by the lack of co-operation by Management and other officials and the lack of organisational skills and expertise. The Risk Champion also adds value to the risk management process by providing guidance and support to manage "problematic" risks and risks of a transversal nature that require a multiple participant approach. In order to fulfil his/her function, the Risk Champion should possess: a good understanding of risk management concepts, principles and processes; good analytical skills; expert power; 48 P a g e

21 leadership and motivational qualities; and good communication skills. The Risk Champion does not assume the role of the Risk Owner but should assist the Risk Owner to resolve problems Internal Auditing The role of the Internal Auditing in risk management is to provide an independent, objective assurance on the effectiveness of the Organisation s system of risk management. Internal Auditing evaluates the effectiveness of the entire system of risk management and provides recommendations for improvement where necessary. Internal Auditing develops its internal audit plan on the basis of the key risk areas. In terms of the International Standards for the Professional Practice of Internal Audit, determining whether risk management processes are effective is a judgment resulting from the Internal Auditor's assessment that: organisational objectives support and align with the Organisation's mission; significant risks are identified and assessed; risk responses are appropriate to limit risk to an acceptable level; and relevant risk information is captured and communicated in a timely manner to enable the CEO, Management, the Risk Management Committee and other officials to carry out their responsibilities. When assisting Management in establishing or improving risk management processes, Internal Auditing shall refrain from assuming management responsibilities for risk management. 49 P a g e

15. The Risk Management Process

The risk management process is simply a roadmap to get from risk-unaware to risk-aware and risk-ready. The risk management process is guidance on the steps that will and will not be included in the process as a whole (see Figure 5 below). The purpose of the Risk Management Process is to ensure that all of the appropriate steps related to risk management are implemented. It provides a common vision of what is and is not important to the organisation from a risk perspective.

Figure 5 Risk Management Process (diagram: Establish Context, then Risk Assessment comprising Risk Identification, Risk Analysis and Risk Evaluation, then Risk Treatment, with Communication & Consultation and Monitor & Review shown alongside the steps)

The risk management process can be presented as a list of co-ordinated activities. There are alternative descriptions of this process, but the components listed below are usually present. This list represents the 7Rs and 4Ts of (hazard) risk management:

- Risk Assessment
  o Identification or Recognition of risks
  o Analysis
  o Evaluation or Ranking of risks
- Responding to significant risks
  o Tolerate
  o Treat
  o Transfer
  o Terminate
- Resourcing controls
- Reaction planning
- Reporting and monitoring risk performance
- Reviewing the risk management framework

Identification, Analysis and Evaluation of risks together form the risk assessment activity. ISO uses the phrase "risk treatment" to include all of the 4Ts included under the heading "risk response".

The Risk Management process should be established by senior management. It should be consistent from one assessment to the next, but not necessarily from one organisation to the next. Different organisations will have different areas of concern as regards risk processes. Also, the levels of depth may vary widely across organisations, as some have a passion for process, while others apply simpler approaches.

Risk assessment will be required as part of the decision-making processes intended to exploit business opportunities. One way of ensuring that risk is part of business decision-making is to ensure that a risk assessment is attached to all strategy papers presented to the Board. Likewise, risk assessment of all proposed projects should be undertaken and further risk assessments should be undertaken throughout the project. Finally, risk assessments are also required in relation to routine operations.

Other considerations relevant to undertaking risk assessments include decisions on how the risk assessments will be recorded. It is at this stage that an organisation will decide the level of detail that will be recorded about each risk in the risk description. Another important part of the risk assessment procedures will be the identification of the risk classification system to be used by the organisation.

15.1. Recording Risk Assessments

Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. Risk identification establishes the exposure of the organisation to risk and uncertainty. Table 3 shows the range of information that may need to be recorded. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process. The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty.

1. Name or title of risk: Unique identifier.
2. Scope of risk: Scope of risk and details of possible events, including description of the events, their size, type and number.
3. Nature of risk: Classification of risk.
4. Stakeholders: Stakeholders, both internal and external, and their expectations.
5. Risk evaluation: Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level.
6. Loss experience: Previous incidents and prior loss experience of events related to the risk.
7. Risk tolerance, appetite or attitude: Loss potential and anticipated financial impact of the risk. Target for control of risk and desired level of performance. Risk attitude, appetite, tolerance or limits for the risk.
8. Risk response, treatment and controls: Existing control mechanisms and activities. Level of confidence in existing controls. Procedures for monitoring and review of risk performance.
9. Potential for risk improvement: Potential for cost-effective risk improvement or modification. Recommendations and deadlines for implementation. Responsibility for implementing any improvements.
10. Strategy and policy developments: Responsibility for developing strategy related to the risk. Responsibility for auditing compliance with controls.

Table 3 Recording Risk Assessments

15.2. Risk Classification Systems

An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable. Risk classification systems are usually based on the division of risks into those related to:

- Financial control / Compliance,
- Infrastructure / Operational efficiency,
- Reputational exposure and
- Market place activities / Strategic.

However, there is no risk classification system that is universally applicable to all types of organisations. This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.

Internal and external factors can give rise to risks. Figure 6 is based on the FIRM Risk Scorecard risk classification system and it provides examples of internal and external key risk drivers. The classification is then further elaborated upon in Table 4.

Figure 6 Drivers of Risk (diagram based on the FIRM Risk Scorecard: four quadrants, Financial / Compliance risk, Infrastructure / Operations risk, Market place / Strategic risk and Reputational risk, each split into internally driven and externally driven example drivers; the examples listed in the figure include accounting standards, interest rates, foreign exchange, funds and credit, communications, transport links, supply chains, terrorism, natural disasters, pandemic, internal control, fraud, historical liabilities, recruitment, people skills, health and safety, premises, M&A activity, R&D activity, IP, contracts, brand extension, brand composition, control, economic environment, technology developments, competition, customer demand, regulatory requirements, product recall, CSR, public perception, regulator enforcement and competitor behaviour)

Financial control / Compliance
- Description: Risks that can impact the way in which money is managed and profitability is achieved
- Internal or external: Internal
- Risk quantifiable: Usually
- Measurement (performance indicator): Gains and losses from internal financial control
- Performance gap: Procedures (failure of procedures to control internal financial risks)
- Control mechanisms: Accounting standards; Internal control; Delegation of authority

Infrastructure / Operational efficiency
- Description: Risks that will impact the level of efficiency and dysfunction within the core processes
- Internal or external: Internal
- Risk quantifiable: Sometimes
- Measurement (performance indicator): Level of efficiency in processes and operations
- Performance gap: Process (failure of processes to operate without dysfunction)
- Control mechanisms: Process control; Loss control; Insurance and risk financing

Reputational exposure
- Description: Risks that will impact the desire of customers to deal or trade and the level of customer retention
- Internal or external: External
- Risk quantifiable: Not always
- Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile
- Performance gap: Perception (failure to achieve the desired perception of the organisation)
- Control mechanisms: Marketing; Advertising; Reputation and brand protection

Market place activities / Strategic
- Description: Risks that will impact the level of customer trade or expenditure and customer retention
- Internal or external: External
- Risk quantifiable: Yes
- Measurement (performance indicator): Income from commercial and market activities
- Performance gap: Presence (failure to achieve required presence in the marketplace)
- Control mechanisms: Opportunity assessment; Strategic and business plans

Table 4 Features of the FIRM Risk Classification System (Hopkin, 2010:134)

Risk Assessment

Risk assessment is a fundamentally important part of the risk management process. In order to achieve a comprehensive risk management approach, an organisation needs to undertake suitable and sufficient risk assessments. A range of the most common risk assessment techniques is set out in Table 5.

Risk Identification

Risk identification is a natural progression from "Understand your organisation's context". Risk identification ascertains which risks have the potential to affect the organisation and documents the characteristics of those risks. Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

- Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks.
- Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies.
- Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures.
- Flowcharts and dependency analysis: Analysis of processes and operations within the organisation to identify critical components that are key to success.
- HAZOP and FMEA approaches: Hazard and Operability studies and Failure Modes Effects Analysis are quantitative technical failure analysis techniques.
- SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition.

Table 5 Risk Assessment techniques

At the beginning of the Risk Identification process it is a good idea to have gathered all of the inputs you and your team will need. The inputs to the Risk Identification Process are:

- The Organisation's Strategic Plan - The Strategic Plan is used to gain an understanding of the organisation's mission, vision, values, objectives, implementation plans and other elements.
- Risk Management Plan - The Risk Management Plan (if in existence) provides the blueprint for overseeing risk management throughout the project, describing who, what, when, where, why and how. The Risk Management Plan provides the following four critical inputs to Risk Identification:
  o Assignment of roles and responsibilities. It identifies the "who" of risk management by assigning the handling of specific tasks and roles to specific individuals.
  o Budget provisions for risk management activities identify the approved funds available for risk-management activities. You will need to track your actual costs against these approved budget numbers.
  o Schedule for risk management, including the time needed for risk-management activities.
  o Categories of risk. The risk categories are used during Risk Identification to organise and prioritise risks as they are identified.
- Organisational process assets - Organisational process assets provide information from prior projects, including historical information and lessons learned.
- Enterprise environmental factors - These factors include any and all external environmental factors and internal organisational environmental factors that surround or influence the organisation's success.

The tools and techniques used for the Risk Identification process are designed to help gather information, analyse it, and identify risks to and opportunities for the organisation's objectives. After determining your organisational context, a Risk Identification Checklist is a useful tool to start the process of identifying risks (Template A). The information gathered is entered on the Risk Register (Template E), which is the primary output of Risk Identification. The Risk Register will ultimately contain the results of the Risk Assessment and Risk Response Planning. The Risk Register illustrates all identified risks, including description, category, cause, probability of occurring, impact on objectives, proposed responses, owners and current status. While the Risk Register will become the comprehensive output, the Risk Identification process results in four entries in the Risk Register:

- List of identified risks, with their root causes and risk assumptions.
- List of potential responses; the responses identified here will serve as inputs to the Risk Response Planning process.
- Root causes of risk, which are the fundamental conditions that cause the identified risk.
- Updated risk categories. The process of identifying risks can lead to new risk categories being added.

Communicate and consult with stakeholders during all stages of the risk management process. Use a consultative team approach to communicate and consult with your organisation's stakeholders. Communication and consultation is a dialogue between an organisation and its stakeholders. This dialogue is both continual and interactive. It is a two-way process that involves both sharing and receiving information about the management of risk. However, this is not joint decision making. Once communication and consultation is finished, decisions are made and directions are established by the organisation, not by stakeholders. Discussions could be about the existence of risks, their nature, form, likelihood and significance, as well as whether or not risks are acceptable or should be treated, and what treatment options should be considered.


Executive Board Annual Session Rome, May 2015 POLICY ISSUES ENTERPRISE RISK For approval MANAGEMENT POLICY WFP/EB.A/2015/5-B Executive Board Annual Session Rome, 25 28 May 2015 POLICY ISSUES Agenda item 5 For approval ENTERPRISE RISK MANAGEMENT POLICY E Distribution: GENERAL WFP/EB.A/2015/5-B 10 April 2015 ORIGINAL: ENGLISH

More information

Procedure: Risk management

Procedure: Risk management Procedure: Risk management Purpose To outline the procedures involved for identification, assessment and management of risks. Procedure Introduction 1. This procedure outlines the University s Risk Awareness

More information

Energize Your Enterprise Risk Management

Energize Your Enterprise Risk Management Energize Your Enterprise Risk Management Presented By Mark Caiazzo, CISA, CISM, CRISC Tammy Michaud, CPA May 15, 2017 Reviewed: Agenda Enterprise Risk Management Defined Benefits of ERM Key Components

More information

Version: th November 2010 RISK MANAGEMENT POLICY

Version: th November 2010 RISK MANAGEMENT POLICY Version: 1.2-25th November 2010 RISK MANAGEMENT POLICY Document History Document Location To be completed. Revision History Date of this revision: 17/09/2010 Date of next revision: N/A Revision Number

More information

Applying COSO s Enterprise Risk Management Integrated Framework

Applying COSO s Enterprise Risk Management Integrated Framework Applying COSO s Enterprise Risk Management Integrated Framework COSO COSO stands for the Committee Of Sponsoring Organizations of the Treadway Commission. The sponsoring organizations are: Institute of

More information

Risk Management Strategy

Risk Management Strategy Risk Management Strategy 2016 2019 Version: 6 Policy Lead/Author & Deputy Director of Quality position: Ward / Department: Nursing Directorate Replacing Document: Version 5 Approving Committee Quality

More information

Applying COSO s Enterprise Risk Management Integrated Framework. September 29, 2004

Applying COSO s Enterprise Risk Management Integrated Framework. September 29, 2004 Applying COSO s Enterprise Risk Management Integrated Framework September 29, 2004 Today s organizations are concerned about: Risk Management Governance Control Assurance (and Consulting) ERM Defined:

More information

Principal risks and uncertainties

Principal risks and uncertainties Principal risks and uncertainties Strategic report Principal risks are a risk or a combination of risks that, given the Group s current position, could seriously affect the performance, future prospects

More information

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals

ENTERPRISE RISK MANAGEMENT (ERM) POLICY Republic Glass Holdings Corporation. Purpose. Goals Purpose This Enterprise Risk Management Policy (the ERM policy) provides the framework for managing risks across ( RGHC or the Company ). It contains the policies to guide employees, management and the

More information

Risk Management Strategy

Risk Management Strategy Risk Management Strategy Job title of lead contact: Corporate Services Manager Version number: Version 1 Group responsible for approving Executive Team / Governing Body the document: Date of final approval:

More information

Risk Management Policy

Risk Management Policy Version: 2.0 New or Replacement: Policy number: Document author(s): Replacement ULHT-MD-GOV-RM-PMIMSI Paul White, Risk Manager Contributor(s): Members of the Trust Board & Senior Leadership Team Approved

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Guidance Paper No. 2.2.6 INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS GUIDANCE PAPER ON ENTERPRISE RISK MANAGEMENT FOR CAPITAL ADEQUACY AND SOLVENCY PURPOSES OCTOBER 2007 This document was prepared

More information

Risk Management Policy Adopted by:

Risk Management Policy Adopted by: Risk Management Policy Adopted by: Infigen Energy Limited Infigen Energy (Bermuda) Limited Infigen Energy RE Limited in its capacity as Responsible Entity of Infigen Energy Trust Adopted: 17 December 2009

More information

Risk Management. Webinar - July 2017

Risk Management. Webinar - July 2017 Risk Management Webinar - July 2017 Compiled by: Raaghieb Najjaar, Yaeesh Yasseen & Rashied Small Adapted and Facilitated by: Professor Enslin J. van Rooyen Risk Management - June 2017 2 Defining Risk

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework Risk Management Policy Statement ALS recognises that the effective management of risks is a fundamental component of good corporate governance and is vital for the

More information

Approved by: Diocesan Council 17 December 2015

Approved by: Diocesan Council 17 December 2015 DIOCESAN COUNCIL POLICY 39 Risk Management Approved by: Diocesan Council 17 December 2015 1 PREAMBLE The Perth Diocesan Trustees under the authority of the Diocesan Trustees Statute 1952 have the responsibility

More information

Risk Management Framework. Metallica Minerals Ltd

Risk Management Framework. Metallica Minerals Ltd Risk Management Framework Metallica Minerals Ltd Risk Management Framework 23 March 2012 Table of Contents Contents 1. Introduction... 3 2. Risk Management Approach... 3 3. Roles and Responsibilities...

More information

RISK MANAGEMENT FRAMEWORK OVERVIEW

RISK MANAGEMENT FRAMEWORK OVERVIEW Perpetual Limited RISK MANAGEMENT FRAMEWORK OVERVIEW September 2017 Classification: Public Page 1 of 6 COMMITMENT TO RISK MANAGEMENT As a publicly listed company and provider of financial products and

More information

GUIDELINES FOR THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR LICENSEES

GUIDELINES FOR THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR LICENSEES SUPERVISORY AND REGULATORY GUIDELINES: 2016 Issued: 2 August 2016 GUIDELINES FOR THE INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS FOR LICENSEES 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the

More information

Risk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI

Risk Management: Principles, Methodologies and Techniques. Peter Getugi Internal Audit Manager ILRI Risk Management: Principles, Methodologies and Techniques Peter Getugi Internal Audit Manager ILRI NAIROBI 22 JUNE, 2010 Session Objectives What is Risk Management? Why is Risk Management importance rising?

More information

2 nd INDEPENDENT EXTERNAL EVALUATION of the EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA)

2 nd INDEPENDENT EXTERNAL EVALUATION of the EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA) 2 nd INDEPENDENT EXTERNAL EVALUATION of the EUROPEAN UNION AGENCY FOR FUNDAMENTAL RIGHTS (FRA) TECHNICAL SPECIFICATIONS 15 July 2016 1 1) Title of the contract The title of the contract is 2nd External

More information

INTEGRATED RISK MANAGEMENT GUIDELINE

INTEGRATED RISK MANAGEMENT GUIDELINE INTEGRATED RISK MANAGEMENT GUIDELINE Initial publication: April 2009 Updated: May 2015 TABLE OF CONTENTS Preamble... ii Scope... iii Coming into effect and updating... iv Introduction... v 1. Integrated

More information

1. Define risk. Which are the various types of risk?

1. Define risk. Which are the various types of risk? 1. Define risk. Which are the various types of risk? Risk, is an integral part of the economic scenario, and can be termed as a potential event that can have opportunities that benefit or a hazard to an

More information

GUIDANCE NOTE ASSET MANAGEMENT BY AUTHORIZED INSURERS

GUIDANCE NOTE ASSET MANAGEMENT BY AUTHORIZED INSURERS GN13 GUIDANCE NOTE ON ASSET MANAGEMENT BY AUTHORIZED INSURERS Office of the Commissioner of Insurance June 2004 GN13 Guidance Note on Asset Management By Authorized Insurers Table of Contents Page Preamble...

More information

Corporate Governance Guideline

Corporate Governance Guideline Office of the Superintendent of Financial Institutions Canada Bureau du surintendant des institutions financières Canada Corporate Governance Guideline January 2003 EFFECTIVE CORPORATE GOVERNANCE IN FEDERALLY

More information

Risk Management Policy

Risk Management Policy Risk Management Policy 1 Purpose and scope of this Policy 1.1 CSG Limited (CSG) is committed to managing its risks in a consistent and practical manner. Effective risk management is directly focussed on

More information

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers

Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Prudential Standard GOI 3 Risk Management and Internal Controls for Insurers Objectives and Key Requirements of this Prudential Standard Effective risk management is fundamental to the prudent management

More information

An Introductory Presentation for ECU Staff

An Introductory Presentation for ECU Staff Risk Management at ECU An Introductory Presentation for ECU Staff Phillip Draber Manager, Risk and Assurance Outcomes By the end of this session you should: Be able to complete and document risk management

More information

Risk Management Policy and Strategy

Risk Management Policy and Strategy Risk Management Policy and Strategy Version: 2.1 Bodies consulted: Approved by: Directors and Managers responsible for risk Board of Directors Date Approved: 28 March 2017 Lead Manager: Lead Director:

More information

OECD GUIDELINES ON INSURER GOVERNANCE

OECD GUIDELINES ON INSURER GOVERNANCE OECD GUIDELINES ON INSURER GOVERNANCE Edition 2017 OECD Guidelines on Insurer Governance 2017 Edition FOREWORD Foreword As financial institutions whose business is the acceptance and management of risk,

More information

D7 Risk Management Policy

D7 Risk Management Policy D7 Risk Management Policy Purpose and scope The aim of Kelda s policy is to establish and embed effective risk management in normal business process and culture. This will improve Kelda s ability to predict

More information

PILLAR 3 DISCLOSURES MERCER UK AUGUST 2016

PILLAR 3 DISCLOSURES MERCER UK AUGUST 2016 PILLAR 3 DISCLOSURES MERCER UK AUGUST 2016 CONTENTS 1. Background... 1 1.1 Basis of Disclosures... 2 1.2 Frequency of Publication... 2 1.3 Verification... 2 1.4 Media & Location of Publication... 2 2.

More information

28 July May October 2016

28 July May October 2016 Policy Name Risk Management Policy & Procedure Related Policies and Legislation AISWA Guidelines Risk Management Policy Category Planning & Management Relevant Audience Date of Issue / Last Revision All

More information

SOL PLAATJE MUNICIPALITY

SOL PLAATJE MUNICIPALITY RISK MANAGEMENT AND INTERNAL CONTROL Approved As Per Resolution CR 500 dd 17-11-05 INDEX 1. INTRODUCTION 2. PURPOSE AND SCOPE 3. OBJECTIVE OF THE RISK POLICY 4. RISK MANAGEMENT FRAMEWORK 5. ACCOUNTABILTY

More information

Best Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ]

Best Practices in ENTERPRISE RISK MANAGEMENT. [ Managing Risks Holistically ] Best Practices in ENTERPRISE RISK MANAGEMENT [ Managing Risks Holistically ] INTRODUCTIONS MODERATOR: Bob Lipps, JD, CPA PANELISTS: Ron Wilcox Abel Pomar Karen Gordon, Esq. THE EVOLUTION OF RISK Traditional

More information

Risk Management Plan PURPOSE: SCOPE:

Risk Management Plan PURPOSE: SCOPE: Management Plan Authority Source: Vice-Chancellor Approval Date: 16/05/2018 Publication Date: 17/05/2018 Review Date: 17/05/2021 Effective Date: 16/05/2018 Custodian: General Counsel and University Secretary

More information

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office

The Australian National University Fraud Control Framework. Corporate Governance & Risk Office The Australian National University Fraud Control Framework 2017 2018 Corporate Governance & Risk Office Corporate Governance and Risk Office 21 July 2017 The Australian National University Canberra ACT

More information

GUIDELINE ON ENTERPRISE RISK MANAGEMENT

GUIDELINE ON ENTERPRISE RISK MANAGEMENT GUIDELINE ON ENTERPRISE RISK MANAGEMENT Insurance Authority Table of Contents Page 1. Introduction 1 2. Application 2 3. Overview of Enterprise Risk Management (ERM) Framework and 4 General Requirements

More information

SOLVENCY & FINANCIAL CONDITION REPORT. SureStone Insurance dac

SOLVENCY & FINANCIAL CONDITION REPORT. SureStone Insurance dac SOLVENCY & FINANCIAL CONDITION REPORT SureStone Insurance dac March 31 2017 TABLE OF CONTENTS SUMMARY 1 A BUSINESS AND PERFORMANCE 2 B SYSTEM OF GOVERNANCE 5 C RISK PROFILE 19 D VALUATION FOR SOLVENCY

More information

CERA Module 1 Exam 2016

CERA Module 1 Exam 2016 CERA Module 1 Exam 2016 You can reach 90 points in total. 45 points are required in order to pass the exam. Good luck! Case study Filling the role of CRO Assume that you have been appointed CRO of the

More information

IOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES. Version for public consultation

IOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES. Version for public consultation IOPS Technical Committee DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES Version for public consultation DRAFT GOOD PRACTICES FOR GOVERNANCE OF PENSION SUPERVISORY AUTHORITIES Introduction:

More information

Risk Management Framework

Risk Management Framework Risk Management Framework Introduction The outgoing Corporate Strategy 2013-18 and incoming University Strategy 2018-23 continues on a trajectory towards Vision 2025 in an increasingly competitive Higher

More information

LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY

LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY LONDON BOROUGH OF ENFIELD RISK MANAGEMENT STRATEGY JANUARY 2013 1 Version Control Reference Comments Approval date 05 09 12 19 11 12 10 01 13 2 FOREWORD Welcome to the Council s Risk Management Strategy.

More information

DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES

DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES A By-law made under paragraph (g) of subsection 264(1) of the Credit Unions and Caisses Populaires

More information

Perpetual s Risk Management Framework

Perpetual s Risk Management Framework Perpetual s Risk Management Framework Perpetual s Risk Management Framework Context Perpetual Limited (Perpetual) is a diversified financial services firm, listed on the Australian Securities Exchange.

More information

Tailored and experiential training for the insurance industry

Tailored and experiential training for the insurance industry Tailored and experiential training for the insurance industry We believe in learning by doing. Our experiential approach to learning helps engage participants at a deep level and ensure they gain practical

More information

Delivering Clarity to Credit Unions Through Expertise and Experience

Delivering Clarity to Credit Unions Through Expertise and Experience Jeff Owen, The Rochdale Group September 2012 Delivering Clarity to Credit Unions Through Expertise and Experience Enterprise Risk Management Lending Execution and Risk Management Merger Strategy and Realization

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK Risk Management Framework RISK MANAGEMENT FRAMEWORK Purpose This Risk Management Framework introduces St. Michael s College s approach to risk management. It includes a definition of risk, a summary of

More information

DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES

DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES DEPOSIT INSURANCE CORPORATION OF ONTARIO BY-LAW NO. 5 STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES A by-law made under paragraph (g) of subsection 264(1) of the Credit Unions and Caisses Populaires

More information

Solvency II Detailed guidance notes for dry run process. March 2010

Solvency II Detailed guidance notes for dry run process. March 2010 Solvency II Detailed guidance notes for dry run process March 2010 Introduction The successful implementation of Solvency II at Lloyd s is critical to maintain the competitive position and capital advantages

More information

Risk Management Strategy

Risk Management Strategy Resources Risk Management Strategy Successful organisations are not afraid to take risks; Unsuccessful organisations take risks without understanding them. Issue: Version 3 - November 2011 Group: Resources

More information

MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY

MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY ` MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY MINDA INDUSTRIES LIMITED RISK MANAGEMENT POLICY 1. Vision To develop organizational wide capabilities in Risk Management so as to ensure a consistent,

More information

PST Board Assurance Framework

PST Board Assurance Framework PST Board Assurance Framework 14 th January 2016 PST Board Assurance Framework Registered Address (No: IP030872) Fratton Park Frogmore Road Portsmouth PO4 8RA Prepared by Dr Mark Farwell PST Secretary

More information

RISK MANAGEMENT FRAMEWORK

RISK MANAGEMENT FRAMEWORK RISK MANAGEMENT FRAMEWORK Approving authority Approval date University Council 5 August 2013 (3/2013 meeting) Advisor Vice President (Corporate Services) vpcorporateservices@griffith.edu.au (07) 373 57343

More information

ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework

ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework ENTERPRISE RISK MANAGEMENT (ERM) The Conceptual Framework ENTERPRISE RISK MANAGEMENT (ERM) ERM Definition The Conceptual Frameworks: CAS and COSO Risk Categories Implementing ERM Why ERM? ERM Maturity

More information

JFSC Risk Overview: Our approach to risk-based supervision

JFSC Risk Overview: Our approach to risk-based supervision JFSC Risk Overview: Our approach to risk-based supervision Contents An Overview of our approach to riskbased supervision An Overview of our approach to risk-based supervision Risks to what? Why publish

More information

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE. Nepal Rastra Bank Bank Supervision Department. August 2012 (updated July 2013)

INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE. Nepal Rastra Bank Bank Supervision Department. August 2012 (updated July 2013) INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS GUIDELINE Nepal Rastra Bank Bank Supervision Department August 2012 (updated July 2013) Table of Contents Page No. 1. Introduction 1 2. Internal Capital Adequacy

More information

Ingenious Capital Management Limited: Pillar III Disclosure

Ingenious Capital Management Limited: Pillar III Disclosure CONTENTS 1. Introduction 2. Risk Management 3. Capital Resources 4. Internal Capital Adequacy Assessment Process (ICAAP) 5. Remuneration Policy Disclosure 1. INTRODUCTION 1.1 Scope of Application Ingenious

More information

RISK MANAGEMENT MANUAL

RISK MANAGEMENT MANUAL ABN 70 074 661 457 RISK MAGEMENT MANUAL QUALITY ASSURANCE - ISO 9001 ENVIRONMENTAL MAGEMENT - ISO 14001 OCCUPATIOL HEALTH AND SAFETY - AS 4801 This is a Controlled Document if stamped CONTROLLED in RED.

More information

UCISA TOOLKIT. Major Project Governance Assessment. version 1.0

UCISA TOOLKIT. Major Project Governance Assessment. version 1.0 UCISA TOOLKIT Major Project Governance Assessment version 1.0 Contents Introduction 1 Roles and responsibilities 2 Definition of a Major Project 3 Guidance for using the Toolkit 4 Governance elements 4

More information