risk management, culture & governance. agenda what is risk management? a framework for risk...
TRANSCRIPT
Risk Management, Culture & Governance
Agenda
What is risk management? A framework for risk management Establishing a good risk culture Getting risk a seat at the table Providing the right risk information to stakeholders ERM – what does the “E” stand for?
What is a risk? “The effect of uncertainty on objectives”.ISO 31000: 2009 Risk Management
“Those things that may stop you meetingyour objectives”.Susan Crago
What is risk management?Risk Management = Objectives and Outcomes Management
LIKELIHOOD(The probability
of the risk materialising in
the next 12 months)
LEVELPROBABILITY RANGE
Almost Certain (Level 5) 80% - 100% Low Low Medium High High
Likely (Level 4) 60% - 80% Low Low Medium High High
Possible (Level 3) 40% - 60% Low Low Medium Medium High
Unlikely (Level 2) 20% – 40% Low Low Medium Medium Medium
Rare (Level 1) 0% – 20% Low Low Low Medium Medium
(Level 1)(Level 2)
(Level 3) (Level 4) (Level 5)
CONSEQUENCE(assess as once off or accumulation of risks)
What risk management is not!
Establish Context Identify Assess Action
Monitor and Review
Escalate, Communicate and Consult
A framework for risk management
Establish Context
A framework for risk management
Identify
•What is our strategy and objectives?•What issues have we experienced?•What risks are we currently managing?•What is going on in the external environment?
•What are the risks that could stop us meet objectives?•What would cause those risks to occur?•What controls do we currently have in place?
Assess•How likely is it that this risk will occur?•If it does occur what will be the consequence?•How effective are the controls to manage this risk?
A framework for risk management
•Prioritisation •What will we do about the risk? Nothing or something?•If something what is the best action to take?
Action
Monitor and Review
•Who needs to make the decision about this risk?•Who needs to take any actions on this risk? •Who needs to be aware of this risk?
Escalate, Communicate and Consult
•Are we on track with managing this risk?•Has something changed so we need to review this risk?
The sales pitch
Value Proposition….
1. Making informed decisions•supports prioritisation and transparency of decision making
2. Meeting business unit objectives•alignment to the business strategy and objectives•highlights areas of potential focus
3. Preparing for the unexpected•identifying uncertainties •fewer shocks and unwelcome surprises
Good risk culture ??
Impacts of poor risk culture
Establishing a good risk culture
‘Values and culture drive people to do the right thing even when no one is looking … Although value and culture cannot always be measured quantitatively, they impact governance in powerful ways.’
John F Laker - APRA Chairman (27 February 2013)
Establishing a good risk culture
Getting risk a seat at the table
3 lines of defence•Own
and manage risks
•Risk management embedded in processes
•Promote a strong risk culture
Business Units(including Executive,
Managers and All Staff)First Line of Defence
•Independent advice, oversight and monitoring
•Advocate a risk culture and raise awareness of Risk
•Establishment of Risk Management Framework
Independent Risk FunctionSecond Line of Defence
•Independent appraisal of the control infrastructure
•Oversight of the Risk Management Framework
Internal AuditThird Line of Defence
Getting risk a seat at the table
Getting risk a seat at the table
Bendigo & Adelaide Bank Group’s Vision:“We aim to be Australia’s leading customer-
connected banking group.”
Providing the right risk information to stakeholders
“... integral to the effectiveness of risk governance, concerns the flow of information to the board. The lack of timely, relevant and comprehensive risk information [is] often a critical weakness.”
John F Laker - APRA Chairman (27 February 2013)
Good risk governance
Clear risk appetite and tolerances
Escalation of new key risks
Monitoring of actions for key risks
Monitoring of testing of key controls
Consistent across risk types
Providing the right risk information to stakeholders
ERM – what does the “E” stand for?
Effective? Efficient? Engaging? Enterprise?
Questions?