Demystifying Risk Management · 2019-03-01
Governance, Risk & Compliance Conference, Crowne Plaza, Santry. 26th February 2019
Jason Dowling CPA
Partner Whelan Dowling & Associates and CEO Red Flare
A little bit about me!!
• Jason Dowling CPA
• Partner – Whelan Dowling & Associates
• Director & Co-Founder Red Flare
• Specialise in G.R.C. and I.A.
• >25 Years Practice
• Married – 3 Kids
• Twin
• Nearly became a fireman
Approach for today
GRC – Three Lines of Defence
Risk Terminology
Operational Risk Framework
Risk Appetite, Tolerance & Capacity
Risk appetite setting
Risk monitoring & reporting
Regulators View
Risk Management Systems
GRC Framework
Risk Terminology
Risk framework
Risk appetite
Risk tolerance
Risk capacity
Risk universe
Risk indicators / Key Risk Indicators
Loss events / incidents
Risk reporting and documentation
Quantitative and Qualitative risk analysis
Risk Terminology
Risk causes
Risk consequences
Risk mitigation
Risk controls
Risk assessment
Risk root cause analysis
Inherent Risk & Residual Risk
Impact & Probability - Matrix
Emerging risks
Risk Management
Risk Framework
Operational Risk Framework
Risk Appetite & Capacity is Set By the Board!!
Risk Structure for Directors Meetings
Top of the Pyramid - Risk Appetite
Would you ever take up hang gliding? What about base jumping?
Would you drive a car if the seat belt was broken? To get to an important
meeting maybe?
If you were down to your last €100, would you bet €10 on a horse after a
hot tip? €20? Your whole €100?
At age 65, would you invest 25 per cent of your pension fund in the share
market? 50 per cent? 100 per cent? Or none at all?
Would you cross the top of Santry Avenue to save a minute walking to the
pedestrian crossing?
Risk Framework
Top of the Pyramid - Risk Appetite
How Long Is O’Connell Bridge?
Understanding Risk Capacity
Top of the Pyramid - Risk Appetite
The UK’s Financial Services Authority (FSA) states:
❑ “Risk appetite is the amount of risk that one is prepared to
accept, tolerate, or be exposed to at any point in time.”
Understanding Risk Capacity
Risk Capacity - The maximum amount of risk an entity is able to
support within its available financial resources
❖ Versus
Risk Tolerance - The maximum amount or type of risk the entity is
prepared to tolerate above risk appetite.
Understanding Risk Capacity
Risk Examples
Example – Category – Event – Appetite – Capacity
School – Insurance – Accidents – Zero (2) – Medium (13)
Nursing Home – Conduct – HIQA – Zero (2) – Low (7)
Rugby / Football Club – Liquidity – Relegation – Low (2) – Medium (13)
Airline – Environmental – Terrorism – Zero – Low
Cruise Line – Operational – Loss of Life – Zero – Low
Farming – Insurance – Weather – Low – Medium
Construction – Capital – Cashflow – Medium (13) – High (17)
Semi State Transport – Strategy – Strike – Low – High
High Street Retailer – Market – Online Retail – Medium – Medium
Xmas Tree Sales – Business Model – Seasonal – Low – Medium
Funeral Home – Market – Cure Cancer – High (17) – Extreme (22)
Matching Score to Appetite
Mapping Risk Appetite to Scoring Matrix
You Need To Define Individual Scores and
relate back to appetite.
Objectives of an Effective Risk Appetite Statement
Another way of thinking: RAF is an enabler to take accepted levels of risks in the pursuit of its strategy. Hence it needs to be within the DNA of all staff as they all have a role in ensuring the strategy is achieved.
A RAS allows staff to answer:
❑ How much risk can I take on to deliver on this objective?
❑ Can I pursue this new business opportunity?
❑ What is the guide on pricing for a particular type of product / customer / market?
Risk appetite formulation is a key element of overall strategy
Risk capacity – a company’s ability to take on risk – is compared against a company’s planned risk profile in the self-assessment process
Risk monitoring is included in the broader KPIs that support strategy
As with strategy, risk appetite needs to be dynamic and periodically reviewed
Failures In Governance & Risk Management can
Lead To …
Thou Shalt Obey Your Prescribed Legislation
Not Maybe or Might!!
What Does the Regulator Think?
Risk Reporting
Risk Reporting For CUs – Charities Could Adopt
Reports should cover the following at a minimum:
• significant risks and the effectiveness of systems and controls;
• any risk events that have occurred and the actions taken or proposed to mitigate
the risk;
• likely or actual deviations from risk tolerance levels or established systems and
controls and should include the timeframe and status of any activities that are
proposed to address these;
• any negative trends in higher risk areas and any recommended changes to risk
management activities;
• any new risks including their risk assessment, risk rating and systems and controls;
• any material emerging risks and recommended course of action;
• updates on risk management actions arising from previous reports that have been
approved by the board of directors (or risk committee where one exists); and
• any recommended remedial action required.
What is Strategy
What is Strategy – Thompson and Strickland
Everybody is required to face the three central
questions
❑ What is our present situation?
❑ Where do we want to go from here?
❑ How are we going to get there?
Strategic Delivery
Formulating an effective strategy is not enough unless its successful execution is enabled by the right business model with properly embedded risk management and governance framework.
➢ Achievable Goals
➢ Clearly defined targets
➢ KPIs
➢ Strong Reporting Framework
➢ Biggest Risk if Failure of Strategy
Risk Management & Technology
Considerations Risk Systems
Excel Spreadsheets – Size, Version Control, Embedding
Integrated APIs in Risk Systems
Automatic Notifications
Audit Trail
Realtime Reporting – Filters, Historic Reporting
Internal Control Framework
Cloud vs Prem
Cost vs Benefit
Loss events / incidents / leading indicators
Bow Tie Risk Management – Cause & Consequences
Risk reporting and documentation
Value Add – Makes Life Easier
Shameless Plug – Buy Red Flare
Questions??
Contact details
Jason Dowling CPA
01-6771411
Thank you for your time!