
1

Enterprise Risk Management Tools & Techniques

January 12, 2011

Cathy Taylor, ADP

Emerissa Babin, OPG

Michelle Reid, TSSA

2

Today’s Objectives

1. Share

2. Enable

3

Agenda

Establish context

Risk identification

Risk analysis and evaluation

Risk treatment

Monitoring and review

Communication and reporting

4

Establish Context

Define environment within which risk will be managed

Ensures risk management approach is appropriate

Considerations include:
• Public or private
• Publicly traded or nonprofit
• Organizational structure
• Tone at the top
• Organizational culture
• How are decisions made?

5

Establish Context

President & CEO

Oversight of Strategic, Financial, Operational & Transactional Risks
• Risk Reports to Board Committees
• Risks to Business Plan Objectives (BURSA)
• MD&A Risk Management, AIF Risk Factors

Corporate Risk Management (CRM) Organization

6

Establish Context

[Diagram: ERM roles and responsibilities]

ALL DEPARTMENTS: Risk Ownership (identification, assessment, treatment, monitoring & reporting)

BOARD / EXECUTIVE

RISK MANAGEMENT TEAM

Diagram labels: Assure Stakeholders; Set Risk Appetite; Define ERM & Governance Expectations; Set Policy; Build RM Capability, Process & Tools; Framework; Monitor & report program; Support & Set the Tone; Set Assurance Agenda; Monitor Risk; Reporting; Advice, Coaching & Support; Performance Management

7

Establish Context

Purpose: The Enterprise Risk Management Framework is intended to provide guidance to …….relative to the development and implementation of an enterprise risk management program.

Scope: The enterprise risk management framework is relevant to all …. activities, its employees and Board of Directors, and resultant business decisions and is to be applied at every level of the organization.

Commitment and Mandate: …. is committed to maintaining a program that ensures risk management is an integral part of all ….. activities and a core capability. ….. will identify, assess, manage and monitor its enterprise risks in support of its mission and vision, objectives and priorities, as set out in the strategic plan.

Policy Statement: Committed to continually improve the

8

Risk Identification

Gather and document risks that could impact achievement of objectives

Common techniques include:
• Surveys
• Workshops
• Management interviews
• Environment scans
• SWOT analysis
• Results of audits

9

Risk Identification

Risk Assessment Questionnaire

Future discussions on the organization’s risk profile will be framed and will focus on the following questions:

1. What are the key objectives of your department / program area / function?

2. Which business objectives / performance targets do your initiatives specifically support?

3. What could inhibit achievement of your department / program area / function objectives?

4. How does the business system support or inhibit your ability to achieve your objectives?

5. Are there any processes that inhibit your ability to meet your objectives (i.e. process inefficiencies)?

6. How quickly could these factors impact your objectives (e.g. within quarter, fiscal year, forecast period, strat plan period)?

7. [Using an influence diagram if necessary] how could these factors impact your objectives?

8. What could you do to avoid these factors or minimize their impact on your objective?

10

Risk Identification

Results of Internal Audit of Compliance with Expense Policy

Table columns: Business Rule; Observations; Risk / Impact; Recommendation; Management Response

Business Rule: Reimbursable items are supported by proper documentation (i.e. original, itemized receipts noting HST).

Observations: During the course of our audit we found evidence that:

11

Risk Identification

[Diagram: linking objectives, initiatives, risks and performance]

Diagram labels: Corporate Objectives/Priorities; Key Initiatives to Achieve Objectives; Risk Mitigation & Opportunity Optimization Activities; Significant RISKS & OPPORTUNITIES impacting achievement of objectives; Significant RISKS & OPPORTUNITIES impacting achievement of initiatives; Assess & Report Performance Against Targets; Targets, KPI’s, KRI’s

Arrow labels: inform; shape

12

Risk Identification

13

Risk Analysis and Evaluation

Understand the risk, its causes, the likelihood of occurrence, potential impact, and the organization’s appetite and/or tolerance for the risk

Common tools include:
• Root cause analysis
• Risk assessment criteria
• Risk appetite matrix
• Risk tolerance

14

Risk Analysis and Evaluation

Risk Statements: Important to express a risk in such a way that it can be effectively understood and addressed

Components: Event, Cause & Effect

Example:
• Financial loss due to default by Clients in funding of processed payroll.
• Inability to obtain adequate (quality/quantity) expat labour supply due to negative perceptions about project location results in increased construction costs

Bad Risk Statements:
• Budget cuts
• Company delays all IT investments
• Fires

15

Risk Analysis and Evaluation

Quantitative assessment

Probability
• Improbable (<10%)
• Unlikely (10% - 30%)
• Possible (30% - 70%)
• Likely (70% - 90%)
• Probable (>90%)

Financial Impact
• Minimal (<$5M)
• Minor ($5M - $50M)
• Notable ($50M - $200M)
• Substantial ($200M - $500M)
• Major (>$500M)

16

Risk Analysis and Evaluation

Qualitative Assessment

Manageability: The degree to which the outcome of a risk is controllable through the risk treatment/mitigation actions.

Stakeholder Sensitivity: The extent of the reaction of external stakeholders (public, shareholder, regulator, etc.) to the risk or how tolerant the stakeholders are of the risk; and what their expectations are for managing the risk.

Urgency: The promptness needed to implement mitigation for a risk in order for it to be effective. This criterion refers to how pressing the need is for mitigation as opposed to the imminence of the risk itself.

17

Risk Analysis and Evaluation

Likelihood Description

1 The event may occur within the next three to five years or within the strategic planning period

2 The event may occur within the next twenty-four months or within the forecast period

3 The event may occur within twelve months or within the current fiscal year

4 The event may occur within three months or in the current quarter

18

Risk Analysis and Evaluation

Table columns: Impact; Definition; Description; Example

Impact 1 - Opportunity
Description: The company will exceed its objectives and balanced scorecard targets
Example: The company will exceed its revenue and net margin objectives. The company has the opportunity to invest in and/or reassign employees to critical risks or areas of the business.

Impact 2 - Negligible
Description: The event will not impede the company’s ability to meet its business plan objectives and associated balanced scorecard targets
Example: The company will meet its revenue and net margin objectives.

Impact 3 - Moderate
Description: Some elements of the business objectives and associated balanced scorecard targets will be delayed or not achieved, as a result of the realization or occurrence of the event
Example: The company will not meet its revenue target but may through expense reduction meet net margin targets

Impact 4 - Critical
Description: The company will not meet its business plan objectives and associated balanced scorecard targets, as a result of the realization or occurrence of the event
Example: The company will not meet critical or material elements of its revenue and/or net margin targets

19

Risk Analysis and Evaluation

20

Risk Analysis and Evaluation

Risk Appetite Level Definition

High risk appetite (1)

The company is willing to accept risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.

Moderate risk appetite (2)

The company is willing to accept some risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.

Low risk appetite (3)

The company is willing to accept some risks in certain circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.

Zero risk appetite (4)

The company is not willing to accept any risks under any circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.

21

Break

Please be back in 10 minutes

22

Risk Treatment

Select and implement options to modify risk

Typical risk treatment concepts include:
• Avoid risk (cancel product line, sell business unit)
• Transfer risk (out-source function or enter contract to transfer risk)
• Control risk (change process, training, etc)
• Fund risk (insurance)

23

Risk Treatment

24

Risk Treatment

RISK MATRIX (rows: LIKELIHOOD RATING A to E; columns: SEVERITY RATING 1 to 5)

Likelihood / Severity: 1 2 3 4 5
E: L M H H H
D: L M M H H
C: L L M H H
B: L L M M H
A: L L M M H

Points plotted on the matrix: Risk 1 (Inherent); Risk 1 (Residual); markers X, A, B

TOO MUCH CONTROL so:
A - removing procedure
B - reduce insurance costs/increase insurance deductible

25

Risk Treatment

Table columns: Risk; Likelihood; Impact; Risk Score; Risk Appetite; Strategy; Lead; Actions; Status; Target

26

Risk Treatment

27

Monitor and Review

Periodic monitoring of risk treatment plans and influence on risks
• Ensure treatment plans exist
• Ensure they are effective
• Obtain additional info for further assessment
• Identify emerging risks

Most common tool or technique is audit

28

Monitor and Review

29

Monitor and Review

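RISK MATRIX (rows: LIKELIHOOD RATING A to E; columns: SEVERITY RATING 5 to 1)

Likelihood / Severity: 5 4 3 2 1
A: H M M L L
B: H M M L L
C: H H M L L
D: H H M M L
E: H H H M L

Points plotted on the matrix: Risk 1 (Inherent); Risk 1 (Residual); Risk 2 (Inherent); Risk 2 (Residual)

Risk based Audit program – which risk to audit?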

30

Communication and Reporting

Create awareness, facilitate understanding, foster adoption / engagement

Governance or legislative requirements

31

Communication and Reporting

Rank the Relative Risk of 30 Activities / Technologies with "1" being the highest risk & "30" being the lowest risk

Me Public* Experts* Me Public* Experts*

Alcoholic Beverages Mountain Climbing

Bicycles Nuclear Power

Commercial Aviation Pesticides

Contraceptives Police Work

Electrical Power (non-nuclear) Power Mowers

Firefighting Prescription Antibiotics

Food Colouring Private Aviation

Food Preservatives Railroads

Handguns Skiing

Highschool/College Football Smoking

Home Appliances Spray Cans

Hunting Surgery

Large Construction Swimming

Motor Vehicles Vaccinations

Motorcycles X-rays

* source - study by Dr. Paul Slovic, Decision Research, Eugene, Oregon

32

Communication and Reporting

33

Questions?

34

Announcements

• CE Certificates
• RIMS ERM Centre of Excellence
• New RIMS logo
• Curling bonspiel – February 8, 2011
• One-day Conference – March 9, 2011
• Volunteer

35

Thank you!