presentation qrm shc
Risk Management
Purpose: To safeguard the organisation, its customers, reputation, assets and the interests of stakeholders by identifying and managing all risks, and to support the achievement of its business objectives so that growth is achieved in a controlled, responsible and sustainable manner.
Presentation:
Quality Risk Management
Peter D. Schellinck Antwerp, 6 June 2011
Risk Assessment?
A strategic approach to planning, at all levels and across all functions of an organization, that identifies exposures of activities and assists in making risk-adjusted business decisions every day.
GET RID OF SILOS
Risk Appetite?
• Risk appetite is the degree of uncertainty an organisation is willing to accept to reach its goals.
• Risk appetite is a key factor in evaluating strategic options.
• Risk Assessment helps management consider risk appetite when setting goals that align with overall company strategy, and managing risks related to that strategy.
Work with the company’s management to decide:
• What is your company’s risk tolerance?
• How much or what are you willing to risk to accomplish the mission or activity?
• How much can your company afford to lose in any one occurrence or in the aggregate?
Understanding the company and the activity
What does the Company do? (Mission, Goals, Objectives)
Does the activity fit the Company’s mission, goals, objectives?
What could happen?
• Could there be bodily injury, property damage or other liability exposures caused by this service or activity?
• Is there any impact on workload?
• Could there be any damage to the systems?
What is Risk?
The danger or probability of loss.
Group Risk Management Charter
Develop a Group Risk Governance
1. Get a good understanding of the company’s risk profile
2. Manage and monitor the key risk within their tolerances
3. Get Organised: Organisation and Framework
4. Establish a process for assessing risk appetite taking into account:
a) Current risk portfolio
b) External stakeholders expectations: regulators, rating agencies, investors (long term / short term), employees, customers,…
c) Economic cycles
d) Board of Directors
Risk Management:
1. Driven by strategy
2. Part of the management process of the company
3. Inherent to good governance
Risk Management Approach
The conventional approach to risk defines it as being the chance, in quantifiable terms, of an accident occurrence. The process of risk assessment and management is generally based on three sets of sequenced and inter-related activities:
– the assessment of risk in terms of what can go wrong, the probability of it going wrong, and the possible consequences;
– the management of risk in terms of what can be done, the options and trade-offs available between the costs, benefits and risks; and
– the impact of risk management decisions and policies on the future options and undertakings.
Performing each set of activities requires multi-perspective analysis and modelling of all conceivable sources and impacts of risks as well as viable options for decision making and management.
Risk Assessment: agree on a definition
Risk Management for each activity consists of:
– Data Model
– Risk Management Processes
– Application Development
– RM Framework & Sub-process References
• Definition of Scope and Framework
• Monitor and Review
• Operational Processes
• Risk Acceptance
• Risk Assessment
• Risk Communication
• Risk Treatment
Risk Assessment structure
Risk Management infrastructure bridges organizational silos to help the organization in its efforts to:
• Synchronize – coordinate risk management across institutional boundaries
• Harmonize – help risk managers all speak the same language and define risk in the same manner
• Rationalize – eliminate duplication of effort
The goals of a common risk management infrastructure include:
• Get everyone “singing from the same song sheet” – Constrain, guide, or channel behaviours in ways that align with the goals, strategies, and tactics established by management and the board
• Create the ability to manage risk exposures so that the organization can take enough of the right risks to pursue its strategic goals
• Create “risk aware” thinking and decision making at all levels
• Enable appropriate flows of risk information up, down, and across the organization
• Enable and support management of risks at the appropriate level
Risk Management Infrastructure
• The framework to be established can draw on the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission (COSO I and II), the Institute of Risk Management, based on AIRMIC (Association of Insurers and Risk Managers), ISO 31000, the Australia and New Zealand standard 4360 (AS/NZ 4360 - 1999), the AMRAE (Association pour le Management des Risques et des Assurances de l’Entreprise), the RIMS (Risk and Insurance Management Society), ECGI (European Corporate Governance Institute) and other internationally respected advisers on risk management.
• The Occupational Health and Safety Assessment Series, OHSAS 18000, has been developed to help organizations control and minimize occupational health and safety risks. OHSAS 18001 is a specific standard for occupational health and safety management systems designed to eliminate or minimize the risk to employees and other interested parties who may be exposed to occupational health and safety risks associated with the business’ activities. OHSAS 18001 is compatible with ISO 9001 and ISO 14001 management systems. OHSAS 18001 represents a progression of a management system philosophy, from quality to environmental, continuing to occupational health and safety.
• One of the main elements of the security amendment of the Community Customs Code (Regulation (EC) 648/2005) is the creation of the AEO concept. On the basis of Article 5a of the security amendments, Member States can grant the AEO status to any economic operator meeting the following common criteria: customs compliance, appropriate record-keeping, financial solvency and, where relevant, security and safety standards.
Regulatory context: In Belgium: as from April 6, 2010 a corporate governance statement is mandatory!
Rules and Regulations: snapshot!
[Diagram labels: Identify Risk; Risk Mitigation Option; Analyze Risk; Monitor Risk; Mitigation Plan; Lessons Learned; Implement Mitigation Plan]

Identify risk by:
• Main assumptions
• Brainstorm
• Past Experience
• Potential sources
• Examine the context
• Worst case scenario

• Evaluate potential impact of risk
• Estimate probability
• Rank and Prioritise Risk

• Assign owner
• Level of effort required
• Estimated cost
• Schedule of risk reduction activities
• Program activities and milestones
• Metrics for tracking & monitoring
• Party responsible for managing mitigation & avoidance
• Escalation strategy

Control; Assumption; Transfer; Avoidance

• Monthly Reporting
• Review effectiveness
• Review risk approach
• Confirm project/activity is within risk parameters

Ongoing Risk Assessment
Risk Management Methodology
Risk Assessment Cycle
[Diagram labels: Risk Management Planning; Risk Monitoring & Control; Risk Identification; Qualitative Risk Analysis; Quantitative Risk Analysis; Risk Response Planning]
[Diagram annotations: Decide how?; Find them; Sift; Measure; Decide actions; Act and measure]
Reporting:
• Risks
• Incidents

• Avoid, reduce, share, accept
• Action plans linked to budget and planning
Risk Universe
To fulfil their responsibilities and to provide value, board members should:
• Put risk on the agenda. Make time for risk before risk demands it. Every board meeting is not too often to discuss risk.
• Inventory the current risk structure. How are risks managed? Are silos being bridged?
• Summon the management team. Engage in periodic risk dialogue. Identify risks that will prevent the organization from executing on its key strategies.
• Discuss risk scenarios. Where do the greatest opportunities lie? What could thwart the organization’s strategic objectives?
• Check organizational appetite — and diet. Determine how much risk the organization is able to take on. How much is it willing to take on? And how much is it actually taking on? Are these in line?
• Get reasonable assurance. Ask management: How confident are you? Why?
• Get independent reassurance. Have internal audit or an outside consultant evaluate the effectiveness of the full risk management program. Can management’s assurances be relied upon?
Board Recommendations
Books have been written on what went wrong. But here’s a quick summary:
1) The potential interaction of multiple risks was underestimated or disregarded.
2) Probabilistic modelling was overemphasized; shortcuts were taken; scenario planning was underutilized; transparency into potential issues was absent.
3) Risk managers were isolated in silos.
4) Warnings were ignored; those who delivered them were dismissed as naysayers or criticized for not being team players.
5) A short-term perspective with a single-minded focus on making the quarterly numbers predominated.
6) Companies lacked a comprehensive approach to firm-wide risk management; authority and responsibility were poorly controlled and defined.
7) Risk management often focused on compliance rather than performance, leading to inadequate assessments and responses.
In other words: It’s time to become Risk Intelligent with QRM.
Risk intelligent
1. With QRM, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
2. With QRM, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
3. With QRM, key roles, responsibilities, and authority relating to risk management are clearly defined and delineated within the organization.
4. With QRM, a common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
5. With QRM, governing bodies (e.g., Boards, Audit Committees, etc.) have appropriate transparency and visibility into the organization’s risk management practices to discharge their responsibilities.
QRM: Quality Risk Management 1
6. With QRM, executive management is charged with primary responsibility for designing, implementing, and maintaining an effective risk program.
7. With QRM, business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
8. With QRM, certain functions (e.g., HR, finance, IT, tax, legal etc.) have a pervasive impact on the business and provide support to the business units as it relates to the organization’s risk program.
9. With QRM, certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization’s risk program to governing bodies and executive management.
QRM: Quality Risk Management 2
Matrix for Risk Reporting
[Figure: risk reporting matrix. Category: Financial, Loss of Cash Flow. Scales: 0 to 50 mln € and 0% to 100%.]
Sustainability Reporting
Social performance
Our employees
• Number of full time employees (FTE)
• Gender (female representation): %
• Employee engagement: %
• Performance appraisals: %
Safety
• Lost time injury frequency (LTIF): frequency
• Fatalities: number
Economic performance
• Revenue: Euro million
• Electricity cost: Euro million
Sustainability Reporting
Environmental performance
Energy consumption
• Fuel oil: 1,000 tonnes
• Diesel: 1,000 tonnes
• Natural gas: 1,000 tonnes
• Electricity: 1,000 MWh
• Energy consumption: GJ
Greenhouse gas (GHG) emissions
• GHG emissions: 1,000 tonnes CO2
Direct GHG emissions (Scope 1 GHG Protocol)
• CO2: 1,000 tonnes
• CH4: 1,000 tonnes
• N2O: 1,000 tonnes
• HFC: 1,000 tonnes
• PFC: 1,000 tonnes
• SF6: 1,000 tonnes
Indirect GHG emissions (Scope 2 GHG Protocol)
• CO2: 1,000 tonnes
• CH4: 1,000 tonnes
• N2O: 1,000 tonnes
Other air emissions
• SOx: 1,000 tonnes
• NOx: 1,000 tonnes
• VOCs: 1,000 tonnes
• Particulate matters: 1,000 tonnes
Other resource consumption
• Steel consumption: 1,000 tonnes
• Waste total e: 1,000 tonnes
– recycled (composting, reused, recycled): 1,000 tonnes
– solid (landfill, on-site storage, incineration): 1,000 tonnes
– hazardous (controlled deposit): 1,000 tonnes
• Water consumption: 1,000 m3
– surface water: 1,000 m3
– ground water: 1,000 m3
– rain water: 1,000 m3
– municipal water supplies / water utilities: 1,000 m3
• Spills: m3
Sustainability Reporting
Injuries by activity (table columns: Activity, Total)
• Equipment Overhaul – Major
• Insulation/Fire Proofing
• Shore leave
• Working aloft (at heights)
• Anchor handling
• Small Craft Operations
• Falling Object
• Towing
• Tank Cleaning
• Equipment Overhaul – Minor
• Unknown
• General Movement
• Bunker transfer operation
• Enclosed space activities
• Gangway/pilot operations
• Welding/burning
• Safety drill, training
• Maintenance - Minor
• Painting/Blasting
• Crane Operations
• Use Of Power Tools
• Mooring/Unmooring Operation
• Off-duty activities
• Cargo Operations
• Domestic
• Manual Handling
• Other
• Maintenance – Major
• Totals