Risk Management: Achieving the Value Proposition
By Paul Wallis
February 2012 | Government Finance Review 37
Risk management is more than preventing bad things from happening. Properly implemented, it can provide strategic and operational opportunities by focusing activities on what is important to an organization. Risk management creates value by providing opportunities for process improvement, controlling the risks that can hurt the organization most, breaking down silos, and helping the organization achieve its objectives. It empowers employees by better defining the risk framework management and staff work under, thus supporting more timely decision making and the potential for managing issues before they become problems.
Not all risk is bad. While we tend to focus on the negative when considering risk management, risk is in fact the chance of something happening that might have an impact on a jurisdiction’s objectives, and it can be bad or good. In fact, as the economic situation requires managers to be more creative in dealing with budget issues, risk can be an important tool — risk and innovation are inextricably linked.
In the public sector, there are great opportunities for streamlining processes and being more strategic in meeting citizen needs. Accountability, however, remains a major issue. Citizens expect top-quality service, quickly, yet they also want to be sure taxpayer money is well managed. These conflicting objectives can mean spending more on processes to manage certain risks that would have less of an impact in private-sector organizations — for instance, expense reporting, procurement, travel, and training. The public then perceives the enhanced oversight as increased bureaucracy and, to some extent, trusts government less because of it.
DEFINING RISK AND RISK MANAGEMENT
Risk can simply be defined as the effect of uncertainty on objectives or outcomes. Risk management refers to the coordinated activities used to direct and control an organization’s response to risk. Effective risk management, also referred to as enterprise risk management or integrated risk management, is holistic, addressing risk that affects the organization as a whole. Risk can arise from internal or external sources, including an organization’s inability to achieve its objectives, client dissatisfaction, unfavorable publicity, threats to physical safety, security breaches, mismanagement, equipment failure, and fraud.
An effective risk management initiative includes the following attributes:
• It is a coordinated activity.
• It supports business objectives.
• It is strategic.
• It is a process, part of the organization’s fabric.
• It supports informed decision making.
• It provides reasonable assurance (because risk is not eliminated but managed).
An organization that understands risk and risk management can take advantage of opportunities that present themselves; in this way, risk management can be a value proposition (see Exhibit 1). For example, processes and controls can be rationalized, and activities focused on the key risks. This enables a more holistic and informed view of programs, services, and processes.
Successful risk management is a combination of and careful balance between two key components: risk and cost. Assuming that the questions in the risk and cost columns can be answered positively, the potential value of risk management can begin to be realized.
KEY SUCCESS FACTORS
Many public-sector organizations realize the benefits and value of risk management, applying a variety of techniques. Good risk management frameworks are available to help guide implementation, including the global standard, the International Organization for Standardization’s ISO 31000 (at www.iso.org), and the framework developed in the United States by the Committee of Sponsoring Organizations, COSO ERM (at www.coso.org).
Unfortunately, organizations sometimes jump right in and try to implement risk management very quickly. This leads to corporate, top-down approaches that can result in failure. Organizations that are already stressed tend to view this approach as just another corporate project that requires additional processes and more work. Another common problem is identifying risks and finding quick solutions without considering the organization’s business or strategic objectives or culture.
To a large extent, effective risk management can shape an organization’s culture.
The following five activities are essential to a successful risk management initiative.
Understanding the Organization’s Culture. While it may seem daunting, this is probably the most important step. Public-sector organizations are generally risk averse. Processes and controls are developed to minimize risk as much as possible, sometimes to a degree that causes inefficiency. A hierarchical organization with strong central management, layers of approval processes, and multi-layered controls comprising long, detailed policies and procedures is not managing risk effectively. Instead, it is being managed by risk. Trust and innovation are stifled under this scenario, diminishing the value proposition.
Obtaining Commitment from the Board and Executive Management. High-level support is needed to gain traction. The objective is not to get the board or senior management to mandate a risk management initiative, but to champion the benefits and the value proposition while allocating resources.
Exhibit 1: Risk Management as a Value Proposition
Risk
• Does the organization understand the risks it faces?
• Does the organization understand what the key risks are?
• Does the organization have an effective risk reporting mechanism?
• Has the organization defined its risk attitude or tolerance?
• Does the organization accept the right level of risk?
• Does the organization know if risks are being properly managed?
Cost
• Does the organization have a comprehensive risk management process or methodology in place?
• Is the organization focused on the risks that matter?
• Does the organization have duplicating or overlapping risk functions?
• Does the organization leverage automated controls versus manual controls?
• Does the organization optimize the use of technology to manage risk?
• Does the organization have an overall risk mitigation strategy that focuses on minimizing costs?
Value
• Risks aligned to business, program, and process objectives.
• Alignment of risk to customer service.
• More informed decision making as risks both positive and negative are better understood.
• Service or program delivery that optimizes risk versus funding.
• The right mitigation strategies (controls) to manage the right risks.
Keeping the Process Simple. Existing frameworks provide good guidance, but overly strict adherence can be a problem. For example, COSO has been criticized as a complicated framework that is difficult to implement. An organization needs to tailor its risk management strategy based on the critical risks it has identified. The value proposition is to identify, assess, and mitigate key risks. The number of risks a jurisdiction’s executive management and governing body should address depends on individual differences, but organizations generally consider 10 to 30 critical risks. These risks will be at a high level and will drive more detailed risk management at the management and staff levels.
Linking Risks to Strategic/Business Objectives. According to a report from the Economist Intelligence Unit, “only 47 percent of respondents [to an EIU survey] believe that their organization is effective at linking risk with corporate strategy.”1 Implementing an effective risk management strategy is difficult if it is not linked to the organization’s strategic, program, and project objectives. Risks related to achieving those objectives, both positive and negative, should be identified, assessed, and mitigated.
Recognizing that Risk Management is a Form of Change Management. Organizations that introduce risk management as an overall organizational initiative cannot succeed without paying attention to change management. An effective change management process builds organizational awareness, desire, knowledge, and ability. Risk management has to go through the same process. Organizational buy-in is vital to success. Risk management works well in a supportive, transparent, non-autocratic environment. The culture has to be open, willing to talk about risk, and able to have meaningful, constructive conversations. If the culture doesn’t support this openness, success is diminished.
Exhibit 2: The Enterprise Risk Management Process
Organizational Environment or Context (culture, risk attitude, governing body/senior management commitment, or strategic plan)
1. Define objectives/outcomes
   • Business program, process or project objectives/outcomes
   • Performance measures (KRI)
   • Risk tolerance (KRI)
2. Identify risks or events
   • Risk categories
   • Event list
   • Scenario analysis (what if?)
   • Assessment questions
3. Analyze drivers and effects
   • Risk source
   • Why does the risk exist? (root cause)
   • Potential harm (what might happen?)
   • Opportunity?
4. Determine significance and likelihood
   • The relative importance, within a given context (impact)
   • A probability or chance of a risk or event happening (likelihood)
5. Method for managing risk
   • Avoid risk (stay out of the program or business)
   • Accept the risk (take a chance)
   • Reduce to acceptable level
   • Transfer (insurance)
6. Design mitigation strategies (controls)
   • Controls mitigate risk
   • Controls are cost effective: detective, preventative, directive, corrective
   • Design to seize opportunity
Risk Reporting (key risks = by category, by event, top five)
BUILDING THE VALUE PROPOSITION
For risk management to be viewed as a value proposition, it must be a key component of organizational governance. That means it is built into the normal business practices of the organization. Exhibit 2 illustrates a six-step process to help organizations build the value proposition, based on business processes already in place, including strategic and operational planning, performance reporting, and control design.
Jurisdictions need to assess the organizational environment or context to determine risk management readiness. Not all public-sector organizations are ready to embrace enterprise risk management. If there is uncertainty about the culture, commitment or expected value, it is best to stop here and address gaps.
Organizations can use the six-step model as a guide. Do all areas of the organization understand the key strategic objectives and how the organization’s functions and processes support those objectives? For example, a key strategic objective for a public-sector organization might be to “protect, enhance, and restore the environment,” and a number of specific business objectives and processes support this objective. They could include recruiting the right people with the right skills, purchasing the right goods and services at the right time, and providing adequate funding. Aligning objectives and defining outcomes sets the stage for risk management.
Given the organization’s understanding of its objectives and desired outcomes, how does it measure success — what are its performance measures? And, based on those measures, what is its tolerance for risk? For instance, a certain error rate on processing accounting transactions might be acceptable because eliminating the risk costs more than it saves. What is that rate, and when it is exceeded, can the organization proactively manage corrective action?
Can the organization identify the risks and opportunities that affect its objectives? Analyzing scenarios and asking the “what if” question provides the decision framework needed to identify key risks and balance negatives against opportunities. Potential risk events include natural disasters, economic downturn, funding cuts, workforce availability, privacy concerns, and increased legislation.
Exhibit 3: Risk Categories
Strategic Risk
   • Political
   • Social
   • Economic
   • Environmental
   • Governance
   • Asset Planning
   • Strategic Planning
Operational Risk
   • People
   • Technology/Information
   • Emergency/Business Recovery
   • Contractual/Procurement
   • Service Delivery/Process
Financial Risk
   • Credit
   • Capital Adequacy
   • Market
Compliance Risk
   • Law
   • Regulations
   • Policy
Reputational Risk
Integration
Managing each potential risk event or scenario can be complex and time consuming. Categorizing risks is often helpful, as it allows the jurisdiction to manage risks from an organization-wide level. For example, workforce availability might threaten a number of key business objectives. If it becomes an issue throughout the organization, it can be managed as a risk category across the jurisdiction, instead of in silos or at the specific business process or program level. When categorizing, keep in mind that risks do not operate in isolation; they are interrelated or integrated. An operational risk can lead to a reputational risk.
Exhibit 3 provides an example of five broad public risk categories and the types of risks that could be attributed to each category.
Once risks are identified, what is their likelihood and potential impact? The assessment process helps management focus on the key risks, enabling quicker implementation of risk management and thus providing value faster. This is a time when opportunity can be realized; the organization can be made more efficient by eliminating services or processes that do not meet business objectives or address any significant risks. Changes like these can reduce bureaucracy and open the door to innovation.
A popular tool for assessing risk is the heat map. Jurisdictions can use internal surveys, risk workshops, or interviews to collect information to populate the heat map, shown in Exhibit 4. Once risk information is collected and analyzed, the organization can develop its risk profile. In this example, reputational and business recovery risk represent key risks and would deserve more attention and mitigation (control strategies) than, say, policy risk, which is likely to happen but unlikely to have much of an impact. As a medium to low risk, it would require less attention.
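As an added worked example (not code from the article or the Region of Peel), the heat map of Exhibit 4 expressed as a small scoring model: each risk gets a likelihood and an impact on the exhibit’s 1–5 scales, the product ranks the risks, and the grid is rendered with the risk numbers in their cells. The scores below are constructed; only the qualitative statements in the text (reputational and business recovery are key risks, policy is likely but low impact) come from the page, and the high/medium/low thresholds are an assumption, not something the article prescribes.

```python
"""Risk heat map: score, rank and render risks on 1-5 likelihood and impact axes."""
from dataclasses import dataclass

SCALE = range(1, 6)  # both axes run 1..5, as in Exhibit 4


@dataclass(frozen=True)
class Risk:
    number: int        # position in the exhibit's numbered list
    name: str
    likelihood: int    # 1 = rare ... 5 = almost certain (assumed scale labels)
    impact: int        # 1 = negligible ... 5 = severe (assumed scale labels)

    def __post_init__(self) -> None:
        # Reject scores outside the 1..5 grid before they reach the map.
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in SCALE:
                raise ValueError(f"{self.name}: {label} must be 1..5, got {value}")

    @property
    def score(self) -> int:
        # Multiplicative likelihood x impact score (an assumed, common convention).
        return self.likelihood * self.impact


def rating(risk: Risk) -> str:
    """Bucket a risk into high / medium / low by score (assumed thresholds)."""
    if risk.score >= 15:
        return "high"
    if risk.score >= 8:
        return "medium"
    return "low"


def rank_risks(risks):
    """Highest score first; ties broken by impact, then by list number."""
    return sorted(risks, key=lambda r: (-r.score, -r.impact, r.number))


def key_risks(risks):
    """Names of the risks rated high, in ranked order: the ones deserving most attention."""
    return [r.name for r in rank_risks(risks) if rating(r) == "high"]


def heat_map_cells(risks):
    """Map (impact, likelihood) -> sorted list of risk numbers plotted in that cell."""
    cells = {}
    for r in risks:
        cells.setdefault((r.impact, r.likelihood), []).append(r.number)
    return {cell: sorted(nums) for cell, nums in cells.items()}


def render_heat_map(risks) -> str:
    """Text grid: impact rows from 5 (top) down to 1, likelihood columns 1..5."""
    cells = heat_map_cells(risks)
    lines = ["Impact"]
    for impact in reversed(SCALE):
        row = [f"  {impact} |"]
        for likelihood in SCALE:
            nums = cells.get((impact, likelihood), [])
            row.append(",".join(map(str, nums)).rjust(5) if nums else "    .")
        lines.append(" ".join(row))
    lines.append("    +" + "-" * 30)
    lines.append("     " + "".join(str(n).rjust(6) for n in SCALE) + "   Likelihood")
    return "\n".join(lines)


# Constructed sample scores (not the article's data); names follow Exhibit 4's list.
SAMPLE_RISKS = [
    Risk(1, "Reputational", likelihood=4, impact=5),
    Risk(2, "Technology", likelihood=3, impact=3),
    Risk(3, "People", likelihood=3, impact=3),
    Risk(4, "Economic", likelihood=2, impact=4),
    Risk(5, "Business Recovery", likelihood=3, impact=5),
    Risk(6, "Credit", likelihood=2, impact=3),
    Risk(7, "Social", likelihood=1, impact=2),
    Risk(8, "Policy", likelihood=4, impact=2),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.number}. {r.name:<18} L={r.likelihood} I={r.impact} "
              f"score={r.score:2d} {rating(r)}")
```

Run as a script it prints the grid and the ranked profile; with the constructed scores the two key risks are reputational and business recovery, and policy lands in the medium band because its high likelihood is offset by low impact, which is the judgement the text describes.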
DECIDING WHAT TO DO
After key risks have been identified and assessed, four decision options are available:
• Avoid. Decide against providing a program or service because the cost or risk is greater than the opportunity or benefit the program or service provides.
• Accept. Consider options and recognize tradeoffs, if the opportunities presented might be greater than the cost or risk of loss or harm. There is always a level of uncertainty, which is the price of innovation.
• Reduce or Mitigate. Find a balance between opportunity and risk of loss or harm by evaluating cost versus likelihood and impact and then implement the appropriate mitigation strategies or controls.
• Transfer. Share the burden with a third party, combining acceptance and reduction of the risk. Examples include insurance, service-level contracts, and partnership agreements. An organization cannot insure against or transfer every risk, so it needs to make informed decisions about what risks to accept, avoid, and mitigate. Getting the right balance is the value proposition.
Exhibit 4: Example of a Risk Heat Map
[Figure: a 5 × 5 grid with Likelihood (1–5) on the horizontal axis and Impact (1–5) on the vertical axis, on which each numbered risk is plotted.]
Risks plotted: 1. Reputational; 2. Technology; 3. People; 4. Economic; 5. Business Recovery; 6. Credit; 7. Social; 8. Policy
If the organization decides to reduce or mitigate risk, a variety of mitigation strategies are available. They include preventative, detective, directive, and corrective controls.
Preventative Controls. These are designed to limit the possibility of an undesirable outcome. The more important it is that an undesirable outcome not arise, the more important it becomes to implement appropriate preventative controls, which tend to be the most cost effective and proactive controls. Examples include authorizations and approvals, physical access controls, and automated controls that limit access or ability to initiate transactions.
Detective Controls. Designed to identify occasions when an undesirable outcome has been realized, these controls are appropriate only when it is possible to accept the loss or damage incurred and then attempt to correct after the event. Examples include reconciliations, post-implementation reviews, exception reports, and monitoring and oversight controls.
Directive Controls. Designed to ensure that a particular outcome is achieved, this type of control does not prevent or detect undesirable events. Instead, it encourages positive behavior. These are “soft” controls, embedded in the culture of an organization. Examples include value statements, ethics, codes of conduct, policies, performance guidelines, and education and training.
Corrective Controls. These are designed to correct undesirable outcomes that have already occurred. They provide a means of recourse for achieving some recovery against loss or damage. Examples include insurance and business recovery planning.
Organizations need to put the right control in place for a given risk. Apart from the most extreme undesirable outcome (such as loss of human life), it is normally sufficient for a mitigation strategy to give a reasonable assurance of confining likely loss within the risk attitude or tolerance of the organization. Every control action has an associated cost, so the control should provide value for the money spent, in relation to the risk being controlled. Again, generally speaking, the purpose of control is to constrain risk rather than to eliminate it.
CONCLUSIONS
Risk management helps expose uncertainty and allows for full exploration of an issue, which helps provide all the information needed to make good decisions for the organization. Although risk management cannot guarantee the one “right” decision, it does help provide the best information possible.
Note
1. Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.
PAUL WALLIS is director, internal audit, for the Region of Peel,
Ontario, Canada. He can be reached at [email protected]
The Role of the Finance Officer
The chief financial officer (CFO) plays a significant role in risk management and risk governance. According to a survey conducted by the Economist Intelligence Unit, the CFO was cited as second in ultimate responsibility for risk management content and process, after the head of an organization (chief executive officer or equivalent).*
A jurisdiction’s CFO and financial officers have a strategic view of the entire organization and can help advise other senior officials and governing bodies about the risks the organization faces. By further integrating the risk management tools available, financial officers can help the organization assess, manage, and report the organization’s key risks.
However, financial officers do not have exclusive responsibility for risk. That responsibility is organization-wide. Jurisdictions need to develop a risk management culture that builds awareness and organizational buy-in; CFOs and their staffs have an important role in building that awareness and shaping the culture.
* Beyond Box Ticking: A New Era for Risk Management, The Economist Intelligence Unit, 2009.