basic tools for risk management

RISK MANAGEMENT BASIC PRINCIPLES, FRAMEWORK, STRATEGY AND TOOL 25/09/19 1


Post on 18-Apr-2022


TRANSCRIPT

Page 1: Basic Tools for Risk Management

RISK MANAGEMENT

BASIC PRINCIPLES, FRAMEWORK, STRATEGY AND TOOL

25/09/19 1

Page 2: Basic Tools for Risk Management

OUTLINE

• INTRODUCTION
• RISK MANAGEMENT PRINCIPLES
• RISK MANAGEMENT FRAMEWORK
• RISK MANAGEMENT TOOLS
• POLICY AND GUIDELINES
• RISK MANAGEMENT ARCHITECTURE
• RISK MANAGEMENT STRATEGY
• RISK MANAGEMENT PROTOCOLS
• RISK REGISTER
• CONCLUSION
• CASE STUDY

Page 3: Basic Tools for Risk Management

INTRODUCTION

Imagine a discipline without its own common set of assumptions, concepts, principles, standards and practices that are unique among its practitioners.

Does this sound familiar? Of course it’s child rearing. You got it!

Children reared in different parts of the world are taught different things – assumptions, concepts, principles, standards, practices, culture, beliefs, identity, race relation, gender, social conditioning – all very different and presumably very confused!

Page 4: Basic Tools for Risk Management

INTRODUCTION

Every discipline has its own common set of assumptions, concepts, principles, standards and practices that are unique among its practitioners.

Risk management is no exception. It has its own common set of assumptions, concepts, principles, standards, practices and tools that together form the risk management discipline.

It is imperative for organizations and risk management practitioners to understand and use these fundamental tenets in the practice of risk management.

Page 5: Basic Tools for Risk Management

INTRODUCTION

The practice of risk management will be incomplete without these tenets which provide the foundation upon which risk management is designed and implemented.

There may be differences in the language used and applications of these canons due to organizational differences.

However, the objective remains the same: to manage risks that threaten objectives.

Page 6: Basic Tools for Risk Management

INTRODUCTION

A risk management system is a series of coordinated organizational arrangements, structures, relationships, processes and procedures that are designed and embedded into the organization’s strategic and operational policies and practices.

The principles of risk management provide a sound basis (intention and purpose) for establishing and implementing an effective risk management system.

Page 7: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management creates and protects value – risk management should contribute to the demonstrable achievement of objectives and improvement of performance in, for example, tax compliance, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, corporate governance and reputation.

Page 8: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is an integral part of all organizational processes – risk management should not be a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning, project management and change management processes.

Page 9: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is part of decision-making – risk management should help decision makers make informed choices, prioritize actions and distinguish among alternative courses of actions.

• Risk management explicitly addresses uncertainty – risk management should explicitly take account of uncertainty, the nature of that uncertainty and how it can be addressed.

Page 10: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is systematic, structured and timely – risk management should be a systematic, structured and timely approach to dealing with internal and external threats and vulnerabilities to the organization’s objectives and should contribute to efficiency, and to consistent, comparable and reliable results.

Page 11: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is based on the best available information – the inputs to the risk management process are based on information sources such as historical data, experience, stakeholders’ feedback, observations, forecasts and expert judgement. However, decision makers should inform themselves of and take into account any limitations of the data or modelling used or the possibility of divergence among experts.

Page 12: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is transparent and inclusive – appropriate, full and timely involvement of all stakeholders and in particular, decision makers at all levels within and outside of the organization is required to ensure that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented, informed and to have their views taken into account in determining risk criteria and risk treatments.

Page 13: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management is tailored – risk management should be aligned with the organization’s internal and external contexts and risk profile.

• Risk management is dynamic, iterative and responsive to change – risk management should continually sense and respond to change. As external and internal events occur, context and knowledge change, monitoring and review of risk take place, new risks emerge, some change and others disappear.

Page 14: Basic Tools for Risk Management

PRINCIPLES OF RISK MANAGEMENT

The principles are as follows:

• Risk management facilitates continual improvement of the organization – organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organizations.

Page 15: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

The risk management principles and framework are closely related.

While the principles provide the bases for establishing and implementing an effective risk management system, the framework provides the system and structure that are integrated into the organization’s policies, processes and procedures.

The framework consists of risk architecture, strategy and protocols.

Page 16: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

The architecture is the schematic structure that establishes roles and responsibilities:

• Committee structure and terms of reference;
• Roles and responsibilities;
• Internal reporting requirements;
• External reporting controls; and
• Risk management assurance arrangement.

Page 17: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

The strategy provides a broad course of actions to achieve the risk management objectives:

• Risk management philosophy;
• Arrangements for embedding risk management;
• Risk appetite and attitude to risk;
• Benchmark tests for significance; and
• Specific risk statements and policies.

Page 18: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

The protocols provide the ground rules and procedures to be carried out:

• Tools and techniques;
• Risk classification system;
• Risk assessment procedures;
• Risk control rules and procedures;
• Responding to incidents, issues and events;
• Documentation and record keeping;
• Training and communication;

Page 19: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

• Audit and assurance procedures and protocols;
• Reporting, disclosures and certification.

Risk management framework has four inter-related stages:

Plan:

• Identify intended benefits of risk management initiatives and gain board support;
• Plan the scope of risk management initiatives and develop common language of risk; and
• Establish common risk management strategy, framework and roles and responsibilities.

Page 20: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

Implement:

• Adopt suitable risk management tools and an agreed risk classification system;
• Establish risk benchmark (risk criteria) and undertake risk assessment; and
• Determine risk appetite and risk tolerance levels and evaluate the existing controls.

Page 21: Basic Tools for Risk Management

RISK MANAGEMENT FRAMEWORK

Measure:

• Evaluate effectiveness of existing controls and introduce improvements; and
• Embed risk-awareness culture and align risk management with other activities in the organization.

Learn:

• Monitor and review risk performance indicators to measure risk management contribution; and
• Report risk performance in line with obligations and monitor improvement.

Page 22: Basic Tools for Risk Management

RISK MANAGEMENT TOOLS

The most fundamental tool of risk management is human capacity, with the competences, expertise and risk-awareness culture.

Every risk management tool is useful only in so far as there is accompanying knowledge, skills, awareness and competences to adopt and use those tools.

Page 23: Basic Tools for Risk Management

RISK MANAGEMENT TOOLS

A large proportion of risk is identified, analyzed and treated through human interactions.

Organizations therefore need personnel with the right knowledge, skills and attitude to effectively manage risk.

The lack of such knowledge, skills and attitude poses potential risk to the organization.

Page 24: Basic Tools for Risk Management

RISK MANAGEMENT TOOLS

Risk management is based on information science (data, information and intelligence), and the creation and use of information is an essential tool for risk management.

Another fundamental tool for risk management is a database – a data warehouse and data extraction and analysis tools and techniques to analyze, translate and use such a database.

Page 25: Basic Tools for Risk Management

RISK MANAGEMENT TOOLS

Many bespoke and off-the-shelf data extraction and analysis software packages are available for use in risk management.

Organizations need to build a data warehouse that seamlessly interfaces all data across the organization to enable data mining, matching and logical manipulations.

Page 26: Basic Tools for Risk Management

RISK MANAGEMENT POLICY AND GUIDELINES

An organization needs to develop a common risk management language that is consistent across the entire entity.

The role of risk management policy is to lay the foundation for such common language.

A risk management policy is a statement of overall intentions, direction and scope of an organization’s risk management initiatives.

Page 27: Basic Tools for Risk Management

RISK MANAGEMENT POLICY AND GUIDELINES

A risk management guideline specifies the step-by-step procedure for the interpretation and implementation of policy.

Guidelines define the implementation modalities of policy and a logical classification and proposition that are actionable within the context of the organization.

Page 28: Basic Tools for Risk Management

RISK MANAGEMENT ARCHITECTURE

Risk management architecture consists of the following elements:

• Committee and terms of reference – there should be structured risk governing bodies at the board and executive management levels to provide oversight, direction and supervision over risk management.

• Roles and responsibilities – there should be clear roles and responsibilities for all responsible parties in the risk management process.

Page 29: Basic Tools for Risk Management

RISK MANAGEMENT ARCHITECTURE

• Internal reporting requirements – management and board should establish clear reporting requirements and responsibility for individuals to provide accountability of their actions and use of resources.

• External reporting controls – there should be clear controls in place for disseminating information to outside parties subject to confidentiality and data privacy policies.

Page 30: Basic Tools for Risk Management

RISK MANAGEMENT ARCHITECTURE

• Risk management assurance arrangement – the board and executive management should establish a system that provides independent check and assurance on the adequacy and effectiveness of the risk management process.

Page 31: Basic Tools for Risk Management

RISK MANAGEMENT STRATEGY

Risk management strategy consists of the following elements:

• Risk management philosophy – the board and executive management should form a system of shared beliefs and attitudes that characterize how risks and risk management are viewed in the organization.

• Arrangements for embedding risk management – risk management should be embedded into organizational processes, procedures, activities and responsibilities.

Page 32: Basic Tools for Risk Management

RISK MANAGEMENT STRATEGY

• Risk appetite and risk attitude – the board and executive management should set and communicate the organization’s risk appetite (the level of risk that the organization is willing to accept) and risk attitude (behavior toward risk).

• Benchmark tests for significance – the risk management policy and strategy should have thresholds for determining the significance and severity of risks.

Page 33: Basic Tools for Risk Management

RISK MANAGEMENT STRATEGY

• Specific risk statements and policies – the risk management framework should have rules for specific risk categories.

• Risk assessment techniques – the risk management framework should have established methodologies for risk identification, analysis and evaluation.

• Risk priorities for the present year – the board and executive management should set and communicate risk management priorities for each year.

Page 34: Basic Tools for Risk Management

RISK MANAGEMENT PROTOCOLS

Risk management protocols consist of the following elements:

• Tools and techniques – organizations should have appropriate risk management tools, for example, computer software applications, data mining tools and common techniques.

• Risk classification system – organizations should establish a common risk classification system based on the nature and severity of risks.

• Risk assessment procedures – organizations should establish common risk assessment procedures such as interviews, questionnaires, surveys, focus groups, research, etc.

Page 35: Basic Tools for Risk Management

RISK MANAGEMENT PROTOCOLS

• Risk control rules and procedures – risk management policies should establish control rules and procedures for carrying out risk treatments.

• Responding to incidents, issues and events – there should be a clear to-do list of activities to perform in case of emergencies, etc.

• Documentation and record keeping – policy should establish the nature and form of documents and records to be maintained, electronic or manual.

Page 36: Basic Tools for Risk Management

RISK MANAGEMENT PROTOCOLS

• Training and communication – staff at all levels of the entity should have periodic risk management training. Important risk management tips and messages should be communicated to all staff within the organization on a regular basis.

• Audit and assurance procedures and protocols – the risk management system should have a clear, documented audit trail, and procedures for audit and assurance should be established.

Page 37: Basic Tools for Risk Management

RISK MANAGEMENT PROTOCOLS

• Reporting, disclosures and certification – an entity should have documented reporting and disclosure policies. Risk management certification at the entity and individual levels is important.

Page 38: Basic Tools for Risk Management

RISK REGISTER

A risk register is a tool for capturing risks and actions to manage each risk.

The register is regularly updated to add new risks and remove risks that no longer exist.

The risk register is a summary of the risk management process used to continually monitor risks and events in the internal and external environments.

Page 39: Basic Tools for Risk Management

RISK REGISTER – Sample

Compliance Risk Register

| Risk ID | Date Identified | Risk Description | Likelihood of Risk Occurring | Impact if Risk Occurs | Severity of Risk | Risk Owner | Risk Treatment Strategies |
|---|---|---|---|---|---|---|---|
| 102 | April 5, 2017 | Incomplete tax returns from many start-ups | High | High | Severe | Taxpayer Services | Conduct tax clinics |
| 146 | Aug. 27, 2018 | Tax returns are not thoroughly analyzed by analysts | Medium | High | High | Human Resource Services | Conduct data analytics training for analysts |
| 76 | July 20, 2018 | Multiple TINs for taxpayers on the tax register | Low | Medium | High | Special Project Team | Undertake data cleansing project |

Page 40: Basic Tools for Risk Management

CONCLUSION

• Revenue authorities must establish risk management system which provides reasonable assurance that objectives are being achieved.

• There must be clear documented risk management policies, processes and procedures.

• Appropriate tools, techniques and protocols are necessary for effective risk management.

• A risk register captures and updates risks to the organization’s objectives and treatment strategies.

Page 41: Basic Tools for Risk Management

CASE STUDY

A revenue authority has set up a team to develop a risk management compendium. The team needs to identify and define elements of the components of the risk management system:

• Principles
• Framework
• Architecture
• Strategy
• Protocols

In a group of five persons, state and define two elements of each component of the compendium.
