Risk seminar - John Crawley & Emer McAneny

John Crawley & Emer McAneny, June 2014. Risk Management: “The International Standard”

Posted 15-Jul-2015. Category: Business

TRANSCRIPT

Page 1: Risk seminar - john crawley & emer mc aneny

John Crawley & Emer McAneny
June 2014

Risk Management
“The International Standard”

Page 2: Who I am

• Accountant
• Banker
• Businessman
• Trainer
• Turnaround Expert
• Risk Expert

Page 3: Agenda

• Strategy: and the role of Risk
• GRC: Governance, Risk & Compliance
• Tolerance: and why organisations are now setting “Appetite”
• Identification: using a Stakeholder approach
• Assessing: simplicity or complexity
• Action: everything can be dealt with as a “T”
• Reporting: the importance of embedding KRIs

Page 4: Rules of engagement

Engage
Open mind
No distractions
Challenge
Question
Enjoy

Page 5: What is risk and risk management?

Page 6: What is risk

“Effect of uncertainty on objectives”

Effect: positive, negative, or a deviation from the expected.

Objectives: the definition works best if the organisation has clear objectives. These need to be tested as part of the risk management process.

Page 7: What is the best definition of risk?

Organisation: Definition of risk

ISO Guide 73 / ISO 31000: Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.

Institute of Risk Management (IRM): Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative.

COSO – ERM Integrated Framework: The possibility that an event will occur and adversely affect the achievement of objectives.

From the old AS/NZ 4360:2004: The chance of something happening that will have an impact on objectives.

Page 8: Definitions of risk management

Organisation: Definition of risk management

ISO Guide 73 / ISO 31000: Coordinated activities to direct and control an organisation with regard to risk.

Institute of Risk Management (IRM): Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.

COSO – ERM Integrated Framework: A process affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Page 9: Strategy – Where are we going?

Page 10: Your Business Compass

Page 11: (no text on slide)

Page 12: Good Corporate Governance

Do things right
Do the right thing

Page 13: What is Risk Management

Process which aims to help organisations understand, evaluate and take action on all their risks with a view to:

increasing the probability of success
and
reducing the likelihood of failure

Page 14: Why manage risk?

Page 15: Q: What is the fundamental reason that cars have brakes?

Page 16: Q: What is the fundamental reason that cars have brakes?

A: So that cars can stop - but they also allow cars to be driven faster.

Page 17: Why manage risk?

Achievement
Safeguarding

Page 18: For discussion…

What events can you recall that support the need for a structured and systematic approach to risk management?

Page 19: Predictable surprise

For discussion....

Consider the list of disasters identified. Was this a failure of:
- prediction?
- prioritisation?
- mobilising resources?

Page 20: ISO 31000 overview

Throughout the course we will use ISO 31000 as our core framework.

Principles (Clause 3)
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)
Mandate and commitment (4.2)
Design of framework for managing risk (4.3)
Implementing risk management (4.4)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)

Process (Clause 5)
Communication and consultation (5.2)
Establishing the context (5.3)
Risk assessment (5.4.2)
  Risk identification (5.4.2)
  Risk analysis (5.4.3)
  Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6)

Reproduced from ISO 31000:2009

Page 21: ISO 31000 overview

Same ISO 31000:2009 principles / framework / process diagram as Page 20.

Reproduced from ISO 31000:2009

Page 22: Risk management principles

Page 23: Principles for managing risk

• creates and protects value
• integral part of organisational processes
• part of decision making
• explicitly addresses uncertainty
• systematic, structured and timely
• based on the best available information

Page 24: Principles for managing risk

• tailored
• takes human and cultural factors into account
• transparent and inclusive
• dynamic, iterative and responsive to change
• facilitates continual improvement

Page 25: Attributes of effective risk management

Page 26: What is effective risk management?

Effective risk management has the following attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic

“You don’t need a sledgehammer to crack a nut”

Page 27: What is effective risk management?

Same attribute list as Page 26 (proportionate, aligned, comprehensive, embedded, dynamic).

Page 28: What is effective risk management?

Same attribute list as Page 26, set against the three levels of the organisation:

Strategic / programmes
Tactical / projects
Operational / processes

Page 29: What is effective risk management?

Same attribute list as Page 26.

Page 30: What is effective risk management?

Same attribute list as Page 26.

Page 31: Introduction to key risk management disciplines

Page 32: Q: How does enterprise risk management (ERM) differ from risk management?

Page 33: Q: How does enterprise risk management (ERM) differ from risk management?

A: ERM seeks to:
• include all categories of risk and uncertainty
• consider upside as well as downside
• be comprehensive – applied throughout the organisation

Page 34: Q: What is governance?

Page 35: Q: What is governance?

A: The system by which organisations are directed and controlled.

Generic aspects of governance include:
- the rights and duties of owners/shareholders and other stakeholders
- how powers are shared and exercised by directors
- how the holders of power are held accountable for what they do

Page 36: International development of codes of corporate governance

• principle-based approach
versus
• prescriptive (rules) based approach

Page 37: Q: What is compliance?

Page 38: Q: What is compliance?

A: Compliance is the leadership processes that an organisation establishes to comply with societal, trade, professional and stakeholder needs.

Examples include:
- law
- codes of practice
- contracts
- trade union agreements
- professional standards

Page 39: Q: What is GRC?

Page 40: Q: What is GRC?

A: GRC stands for:
• governance
• risk
• compliance

(Diagram labels: Risk, Compliance, Governance)

Page 41: Risk management process

Same ISO 31000:2009 principles / framework / process diagram as Page 20.

Reproduced from ISO 31000:2009

Page 42: ISO 31000 overview

Same ISO 31000:2009 principles / framework / process diagram as Page 20.

Reproduced from ISO 31000:2009

Page 43: The “Standard” is... ISO 31000

Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 44: Communication and consultation

Page 45: Communication and consultation

Process diagram (reproduced from ISO 31000:2009): Communicate and consult, and Monitor and review, run alongside the steps Establish the context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks.

Page 46: Communication and consultation

Communication
– a continual and iterative process that an organisation conducts to provide, share or obtain information and to engage in dialogue with stakeholders

Consultation
– a two-way process of informed communication between an organisation and its stakeholders on an issue prior to making a decision or determining a direction on that issue

Stakeholders
– a person or organisation that can affect, be affected or perceive themselves to be affected by a decision or activity

Page 47: Purpose of communication and consultation

• help to establish the context appropriately
• stakeholders’ interests understood & considered
• risks adequately identified
• bring expertise together for risk analysis
• ensure different views are considered
• secure support for risk treatment plans
• enhance appropriate change management
• develop appropriate communication plans

Page 48: Effective communication about risk

• comprehensive and frequent reporting of risk management performance is an essential element of organisational governance
• internal and external stakeholders
• communication is upwards, downwards and across the organisation
• communicate on significant risks and risk management performance
• how we communicate matters as much as what we communicate
• link to effective relationship building and behaviours

Page 49: Establishing the context

Session 2 topics: Communication & consultation; Establish the context; Risk assessment; Risk appetite and tolerance; Risk treatment; Business continuity management; Monitoring & review

Page 50: Establishing the context

Process diagram (reproduced from ISO 31000:2009): Communicate and consult, and Monitor and review, run alongside the steps Establish the context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks.

Page 51: Establishing the context

External context
• what does the world around us look like?
• what are the drivers and trends?

Internal context
• what are our objectives?
• what is our capacity?
• what are our business processes?
• how do we make decisions?

Context of the risk management process
• what is the process expected to achieve?
• who will be responsible?
• what resources will be required?

Defining risk criteria
• what determines whether a risk is acceptable?
• what determines whether a risk should be controlled?
• how can we measure our total risks?

Page 52: How do you Plan Ahead?

Page 53: (no text on slide)

Page 54: Risk assessment

Session 2 topics: Communication & consultation; Establish the context; Risk assessment; Risk appetite and tolerance; Risk treatment; Business continuity management; Monitoring & review

Page 55: Risk assessment

Process diagram (reproduced from ISO 31000:2009): Communicate and consult, and Monitor and review, run alongside the steps Establish the context; Risk assessment (Identify risks, Analyse risks, Evaluate risks); Treat risks.

Page 56: Risk assessment

Risk identification
– what might happen (the event)?

Risk analysis
– how likely is it to happen?
– if it does, what might the impact be?

Risk evaluation
– so what!
– is it within our risk appetite and tolerance?

Page 57: ISO 31000 - The Risk Process

Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 58: Two main types of identification techniques

Forward looking
– brainstorming workshops
– surveys
– expert knowledge

Historic
– statistical analysis
– trend analysis

Risk categories shown in the slide diagram: Strategy, Market, Commercial, Partners, Plan execution, Technology, Health & Safety (and CSR), Finance.

Injury statistics

Page 59: Perspectives to Identify KPIs

Perspectives: Financial; Marketing & Sales; Operations; Employees; CSR; Economic; Compliance

Page 60: Some risk terminology

• A risk is the effect of uncertainty on objectives
• A hazard is the source of potential harm (a hazard can be a risk source)
• A risk source has the potential, alone or in combination, to give rise to risk. We might also term this cause
• An event is the occurrence or change of a particular set of circumstances
• A consequence is the outcome of an event affecting objectives

Source: ISO Guide 73:2009

Session 2 topics: Communication & consultation; Establish the context; Risk assessment; Risk appetite and tolerance; Risk treatment; Business continuity management; Monitoring & review

Page 61: Describing a risk

Combines the cause(s), the event(s) and the effect(s):

Source(s) or cause(s) (What? Why?)
Event or circumstance giving rise to the uncertainty (Uncertainty)
Consequences or effect(s) (on objectives)

Page 62: KPI - Financial

Liquidity
– Current Ratio
– Quick Ratio

Financial Strength
– Interest Cover
– Debt to Equity Ratio

Corporate Value
– Dividend/Drawings Yield

Page 63: Your Risk Register – Step 1

KPI Categories to Risks

Fill in 1 Financial risk

Page 64: KPI - Marketing & Sales

– Net Promoter Score: “How likely are you to recommend this business to a colleague or friend?”
– Do customer expectations match the service we deliver?
– How involved/emotionally attached are your customers to your organisation?

Page 65: Marketing & Sales

KPI Categories to Risks

Fill in 1 Marketing & Sales risk

Page 66: KPI - Operational & Technology

– How suitable and operational is our equipment? How technologically advanced are we?
– Are we realising our full production/work potential?
– How long does it take to fill an order/provide a service?

Page 67: Operational & Technology

KPI Categories to Risks

Fill in 1 Operational & Technology risk

Page 68: KPI - Employees

– How well do you protect and support your employees?
– How well does the organisation vet its employees?
– How well are the skills of the employees matched to the needs of the organisation?
– Do you offer and encourage training?

Page 69: KPI - Employees

KPI Categories to Risks

Fill in 1 risk associated with your Employees

Page 70: KPI - Corporate Social Responsibility

– Are you compliant with Environmental regulations/standards?
– Are your suppliers socially conscious? i.e. Fairtrade for foodstuffs, ethical manufacturers for clothing
– Do your manufacturing facilities meet ethical standards?

Page 71: Corporate Social Responsibility

KPI Categories to Risks

Fill in 1 Corporate Social Responsibility risk

Page 72: KPI - Economic

– What would be the financial effect of a change of +/- 1% in the interest rate paid or charged?
– To what extent is our business exposed to the collapse of a particular industry, economy or sector?
– To what extent is our business’s customer base exposed to the collapse of a particular industry?

Page 73: Economic

KPI Categories to Risks

Fill in 1 Economic risk

Page 74: KPI - Compliance

– Comprehensiveness of the organisation’s Governance procedures: “What is the effect of the new Legislation for your business?”
– To what extent is our organisation open to legal challenge?

Page 75: Compliance

KPI Categories to Risks

Fill in 1 Compliance risk

• the outcome of a risk event is not always

negative

• think of some examples where a risk event

can result in positive or beneficial outcomes

• discuss how the risk wheel and the bow tie

technique can be used to identify

opportunities

Risks aren’t always bad

For discussion..

Page 77: Recap

Same ISO 31000:2009 principles / framework / process diagram as Page 20.

Reproduced from ISO 31000:2009

Page 78: Your Risk Register – Step 1

Positive Risk

Fill in 2 Positive Risks

Page 79: Risk evaluation - risk appetite and tolerance

Page 80: The Risk Process

Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 81: Key terms

Risk appetite
• the amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives

Risk tolerance
• the boundaries of risk taking outside of which the organisation is not prepared to venture in pursuit of its long-term objectives

Risk universe
• the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives

Page 82: Key principles

Risk appetite can be complex
– simplification can be attractive but can lead to meaningless approaches

Needs to be measurable
– otherwise statements are empty and useless
– key performance drivers need to be understood
– key risk and key control indicators need to be developed

Not a single fixed concept
– there may be a range of appetites within an organisation
– appetites may vary over time, influenced by changes in the risk and control environment or the benefits to be gained

Page 83: Key principles

Developed in the context of the organisation’s risk management capability
– an understanding of risk appetite is unlikely to emerge before a level of risk management maturity is reached

Must take into account strategic, tactical and operational levels
– risk appetite needs to be addressed at all levels

Must be integrated into the control culture – linked to both the propensity to take risk (often greater at strategic level) and also the propensity to exercise control (more prevalent at operational level)

Page 84: Why is risk analysis and evaluation important?

• prioritise risks in terms of their significance
• provide some consistency about the perception of significance
• decide how to allocate scarce resources
• decide whether to proceed with a new strategy, project or investment
• inform decisions on risk appetite

Page 85: Benchmark to determine significance

– Financial – sums involved
– Disruption – length of time
– Reputational – profile

Page 86: Appetite

Hungry? Not enough risk
Over Fed? Too Much Risk

Page 87: Attitude?

1. That’s Grand
2. Don’t Push It
3. You’re taking the P**s

Page 88: Appetite – Healthy Eating (Tolerance)

High
• Increased sales
• Cost Efficiency

Medium
• Lack of staff expertise & training
• Inefficient admin/operations

Low
• Not achieving value for money
• Unsatisfactory funding

Zero
• Severe reputational damage
• Compliance Failure

Page 89: Your Risk Register – Step 2

Risk Appetite

Enter High, Medium, Low or Zero beside each of the risks you have identified

Page 90: Risk profiling – consequence; probability matrix – risk registers

Page 91: The Risk Process

Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 92: Risk matrix

Likelihood (rows): Probable, Possible, Remote
Impact (columns): Low, Medium, High

Page 93: Likelihood

Estimation: Probable
Descriptors: Likely to occur each year or more than a 25% chance of occurrence
Indicators: Potential of it occurring several times within the time period (e.g. ten years). Has occurred recently.

Estimation: Possible
Descriptors: Likely to occur in a ten-year time period or less than a 25% chance of occurrence
Indicators: Could occur more than once within the time period (e.g. ten years). Is there a history of occurrence?

Estimation: Remote
Descriptors: Not likely to occur in a ten-year period or less than a 2% chance of occurrence
Indicators: Has not occurred. Unlikely to occur.

Page 94: Estimating likelihood - criteria

Within the next 12 months the event is:

Almost certain
• Frequent occurrence, > 90% chance

Likely
• Regular occurrence, > 60% chance

Possible
• Occasional occurrence, > 10% chance

Unlikely
• Has never occurred, < 10% chance

Page 95: Impact

High
Financial impact on the organisation is likely to exceed €x
Significant impact on delivery of the organisation’s strategic or operational activities
Significant stakeholder concern

Medium
Financial impact on the organisation likely to be between €x and €y
Moderate impact on organisation’s strategic or operational activities
Moderate stakeholder concern

Low
Financial impact on the organisation likely to be less than €y
Low impact on the organisation’s strategic or operational activities
Low stakeholder concern

Page 96: Estimating impact – criteria

Columns: Reputation; Finance; Service delivery; Compliance; Safety

EXTREME
Reputation: Loss of credibility with key stakeholders; extensive adverse media; external intervention
Finance: Financial loss exceeding £/$ ???
Service delivery: Total sustained disruption to critical services
Compliance: Intervention by regulator; serious breach of legal or contractual obligation
Safety: Fatality (multiple)

HIGH
Reputation: Significant loss of trust; significant adverse media
Finance: Financial loss exceeding £/$ ???
Service delivery: Significant sustained disruption to critical services
Compliance: Censure by regulator; breach of legal or contractual obligation
Safety: Serious injury or ill-health (disabling)

MEDIUM
Reputation: Significant complaints
Finance: Financial loss exceeding £/$ ???
Service delivery: Some short-term disruption to services
Compliance: Failure to meet recommended best practice
Safety: Injury or ill-health resulting in lost time

LOW
Reputation: Isolated complaints
Finance: Low-level or no financial loss
Service delivery: Minor disruption to services
Compliance: Failure to meet internal standards or SLA
Safety: Minor injury (no lost time)

Page 97: Putting it all together

Likelihood (rows) against Impact (columns); each cell is the likelihood score multiplied by the impact score.

                      IMPACT:   LOW (1)   MEDIUM (2)   HIGH (3)
LIKELIHOOD
PROBABLE (3)                      3          6            9
POSSIBLE (2)                      2          4            6
REMOTE (1)                        1          2            3

Likelihood descriptors
PROBABLE: Likely to occur each year or more than a 25% chance of occurrence
POSSIBLE: Likely to occur in a ten year time period or less than a 25% chance of occurrence
REMOTE: Not likely to occur in a ten year period or less than a 2% chance of occurrence

Impact descriptors
LOW
• financial impact on the organisation is likely to be less than £x
• low impact on delivery of the organisation’s strategic or operational activities
• low stakeholder concern

MEDIUM
• financial impact on the organisation is likely to be between £x and £x
• moderate impact on delivery of the organisation’s strategic or operational activities
• moderate stakeholder concern

HIGH
• financial impact on the organisation is likely to exceed £x
• significant impact on delivery of the organisation’s strategic or operational activities
• significant stakeholder concern

Page 98: Opportunity and risk matrix

Two-sided Risk Matrix

1:100

Page 99: Likelihood & Impact

Likelihood: High, Medium, Low, Zero
Impact: High, Medium, Low, Zero

Page 100: Risk Score

Likelihood   Impact   Score
High         High     High
Medium       High     Judgement
Medium       Low      Judgement
High         Low      Judgement

Page 101: Your Risk Register – Step 3

Risk Score

Enter High, Medium, Low or Zero for Impact, Likelihood and risk score beside each of the risks you have identified

Page 102: Risk evaluation

Page 103: Evaluate Risk score

Risk score within Risk appetite: Good
Risk score outside Risk appetite: Treat

Page 104: Your Risk Register – Step 4

Do you need to take Action?

Enter
- Yes if your risk score is not equal to appetite
- No if your risk score is equal to appetite
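The scoring on Page 97 and the evaluation rule on Page 104 can be carried through as a small register calculator. This is an added example, not code from the seminar or from ISO 31000: it turns an estimated annual probability into the Page 93 likelihood descriptor (Probable above 25%, Remote below 2%, Possible in between), turns an estimated loss into the Page 95 impact band (the €x and €y thresholds are passed in as parameters because the deck leaves them as placeholders), multiplies the 1..3 scores as on Page 97, and applies the Step 4 rule that action is needed whenever the scored band is not equal to the appetite band. The mapping of the 1..9 product onto Low/Medium/High, the sample risks and the threshold values are assumptions made here for illustration; the deck leaves that banding to judgement (Page 100).

```python
"""Risk register scoring: Page 93 likelihood, Page 95 impact, Page 97 matrix,
Page 104 evaluation. Added example, not the seminar's own material."""
from dataclasses import dataclass

LIKELIHOOD_SCORE = {"Remote": 1, "Possible": 2, "Probable": 3}   # Page 97 rows
IMPACT_SCORE = {"Low": 1, "Medium": 2, "High": 3}               # Page 97 columns


def likelihood_descriptor(annual_probability: float) -> str:
    """Page 93 criteria: more than 25% -> Probable, less than 2% -> Remote,
    otherwise Possible. Exactly 25% or exactly 2% therefore fall in Possible."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    if annual_probability > 0.25:
        return "Probable"
    if annual_probability < 0.02:
        return "Remote"
    return "Possible"


def impact_descriptor(financial_loss: float, high_threshold: float, low_threshold: float) -> str:
    """Page 95 bands: loss exceeding €x -> High, below €y -> Low, between -> Medium.
    high_threshold is €x and low_threshold is €y; both are supplied by the caller."""
    if high_threshold <= low_threshold:
        raise ValueError("€x (High threshold) must exceed €y (Low threshold)")
    if financial_loss > high_threshold:
        return "High"
    if financial_loss < low_threshold:
        return "Low"
    return "Medium"


def risk_score(likelihood: str, impact: str) -> int:
    """Page 97 matrix cell: likelihood score times impact score, 1..9."""
    return LIKELIHOOD_SCORE[likelihood] * IMPACT_SCORE[impact]


def score_band(score: int) -> str:
    """Assumed banding of the 1..9 product (the deck leaves this to judgement):
    6..9 High, 3..4 Medium, 1..2 Low. A scored risk never lands in the Zero band."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    annual_probability: float   # estimated chance of the event in the next year
    financial_loss: float       # estimated loss if it happens, in euro
    appetite: str               # Page 88 scale: Zero, Low, Medium, High


def evaluate(risk: Risk, high_threshold: float, low_threshold: float) -> dict:
    """Steps 2 to 4 of the register: score the risk, then compare with appetite."""
    likelihood = likelihood_descriptor(risk.annual_probability)
    impact = impact_descriptor(risk.financial_loss, high_threshold, low_threshold)
    score = risk_score(likelihood, impact)
    band = score_band(score)
    return {
        "risk": risk.name,
        "likelihood": likelihood,
        "impact": impact,
        "score": score,
        "band": band,
        "appetite": risk.appetite,
        # Page 104: "Yes if your risk score is not equal to appetite"
        "action": "Yes" if band != risk.appetite else "No",
    }


# Constructed sample register (not from the deck); €x = 100,000 and €y = 10,000 are assumed.
SAMPLE_REGISTER = [
    Risk("Compliance failure", 0.30, 250_000, "Zero"),
    Risk("Key supplier insolvency", 0.10, 50_000, "Medium"),
    Risk("Office flood", 0.01, 150_000, "Low"),
]


def evaluate_register(register=SAMPLE_REGISTER, high_threshold=100_000, low_threshold=10_000):
    """Score every risk in the register against the given €x / €y thresholds."""
    return [evaluate(r, high_threshold, low_threshold) for r in register]


if __name__ == "__main__":
    for row in evaluate_register():
        print(row)
```

Two points the calculator makes visible. First, the Step 4 rule is two-sided: a risk scored below its appetite is flagged for action just as one scored above it is, which is the "Hungry? Not enough risk" case of Page 86. Second, a Zero appetite can never be matched by a scored risk, so every risk carried with Zero appetite (Page 88's severe reputational damage, compliance failure) is always an action item until it is terminated or its likelihood and impact are driven down.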

Page 105: Risk seminar - john crawley & emer mc aneny

Risk treatment

Page 106: Risk seminar - john crawley & emer mc aneny

The Risk Process

Identify: Objectives, Tools

Set appetite: Zero, Low, Medium, High

Assess: Impact, Likelihood

Treatment: Tolerate, Treat, Transfer, Terminate

Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 107: Risk seminar - john crawley & emer mc aneny

Risk management process (reproduced from ISO 31000:2009)

Establish the context

Risk assessment:

– Identify risks

– Analyse risks

– Evaluate risks

Treat risks

Communicate and consult (alongside every step)

Monitor and review (alongside every step)

Reproduced from ISO 31000:2009

Risk treatment

Page 108: Risk seminar - john crawley & emer mc aneny

What is risk treatment?

A process to modify risk (ISO 31000)

Risk treatment (or response) involves:

– the selection of one or more options for modifying risks

– implementing those options

– the treatments then provide controls or modify current controls

Controls include any process, policy, device, practice or other actions which modify the risk

Page 109: Risk seminar - john crawley & emer mc aneny

Risk treatment is a cyclical process

– examine cost and benefit of the treatment

– assessing the effectiveness of that treatment

– deciding whether the residual risk level is tolerable

– if not tolerable, generating a new risk treatment

Page 110: Risk seminar - john crawley & emer mc aneny

Risk treatment plans (action plans)

The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.

Information should include:

– a description of what the planned action is

– expected benefit(s) to be gained

– performance measurements and constraints

– accountabilities (risk owners and control owners)

– reporting and monitoring requirements

– resourcing requirements

– timing and scheduling

Page 111: Risk seminar - john crawley & emer mc aneny

Treatment

Tolerate, Treat, Transfer, Terminate

Page 112: Risk seminar - john crawley & emer mc aneny
Page 113: Risk seminar - john crawley & emer mc aneny

Treatment - Step 4

4 T’s

What Treatment could you use?

Enter one or more of the following

- Treat: fill in what you would do to treat

- Transfer: fill in what you would do to transfer

- Tolerate: fill in what you would do to tolerate

- Terminate: fill in what you would do to terminate

Page 114: Risk seminar - john crawley & emer mc aneny

Monitoring and review

Page 115: Risk seminar - john crawley & emer mc aneny

Risk management process (reproduced from ISO 31000:2009)

Establish the context

Risk assessment:

– Identify risks

– Analyse risks

– Evaluate risks

Treat risks

Communicate and consult (alongside every step)

Monitor and review (alongside every step)

Reproduced from ISO 31000:2009

Monitoring and review

Page 116: Risk seminar - john crawley & emer mc aneny

The Risk Process

Identify: Objectives, Tools

Set appetite: Zero, Low, Medium, High

Assess: Impact, Likelihood

Treatment: Tolerate, Treat, Transfer, Terminate

Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 118: Risk seminar - john crawley & emer mc aneny

• ensure controls effective and efficient

• obtain information to improve risk assessment

• learn the lessons from events

– changes, trends, successes and failures

• detect change to internal or external context or

to the risk itself

• identify emerging risks

Purpose of monitoring and review

Page 119: Risk seminar - john crawley & emer mc aneny

Key risk and control indicators

KRIs: metrics to help identify changes that could alter the overall assessment of key risk events

KCIs: metrics to help assess the effectiveness of key controls

Page 120: Risk seminar - john crawley & emer mc aneny

Workshop exercise

Key risk indicators

For the case study provided, identify the metrics that were used or could have been used to indicate a change in the risk environment.

Key control indicators

For the case study provided, identify the metrics that were used or could have been used to measure the effectiveness of existing controls.

Page 121: Risk seminar - john crawley & emer mc aneny

Define monitoring and review responsibilities

– risk owners

– control owners

– responsibility for the review of the whole process

How frequently should

– risks and their control measures be reviewed?

– the effectiveness of the ERM process be reviewed?

Benchmarking and maturity models

Things to consider

Page 122: Risk seminar - john crawley & emer mc aneny

Business continuity management

Session 2: Establish the context; Risk assessment; Communication & consultation; Risk appetite and tolerance; Risk treatment; Business continuity management; Monitoring & review

Page 123: Risk seminar - john crawley & emer mc aneny

ISO 31000 overview (reproduced from ISO 31000:2009)

Principles (Clause 3)

a) Creates value

b) Integral part of organisational processes

c) Part of decision making

d) Explicitly addresses uncertainty

e) Systematic, structured and timely

f) Based on the best available information

g) Tailored

h) Takes human and cultural factors into account

i) Transparent and inclusive

j) Dynamic, iterative and responsive to change

k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)

– Mandate and commitment (4.2)

– Design of framework for managing risk (4.3)

– Implementing risk management (4.4)

– Monitoring and review of the framework (4.5)

– Continual improvement of the framework (4.6)

Process (Clause 5)

– Communication and consultation (5.2)

– Establishing the context (5.3)

– Risk assessment (5.4.2): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)

– Risk treatment (5.5)

– Monitoring and review (5.6)

Reproduced from ISO 31000:2009

Page 124: Risk seminar - john crawley & emer mc aneny

What is a risk management framework?

• a system of leadership, commitment and processes

• foundation for a mutual understanding - to communicate effectively

• an opportunity to gain commitment

• provides direction for all levels of management

Framework (Clause 4)

– Mandate and commitment (4.2)

– Design of framework for managing risk (4.3)

– Implementing risk management (4.4)

– Monitoring and review of the framework (4.5)

– Continual improvement of the framework (4.6)

Page 125: Risk seminar - john crawley & emer mc aneny

Embedding risk management

Group Discussion

Think back to previous case histories discussed:

• why did the established control systems fail?

• what do the case studies tell us about the risk culture of the organisation?

• what are the critical factors for embedding risk management?

Page 126: Risk seminar - john crawley & emer mc aneny

Embedding risk management

Visible commitment from the top

– articulated and endorsed through a policy and framework for managing risk

– lead through actions – risk-based decision making, aligned with strategic objectives

– clear understanding of the risks to the business. Set risk tolerance and risk appetite

– active support and adequate resource for risk management initiatives

– assurance on status of key risks (KRIs) and controls (KCIs) sought and followed through

Page 127: Risk seminar - john crawley & emer mc aneny

An organisational framework to ensure

– clearly defined responsibility and accountability

– training for all relevant stakeholder groups to raise

awareness of benefits, establish responsibilities and

improve skills in management of risk

– ownership clearly established for risks and key

controls

– clearly defined lines for reporting and communication

Embedding risk management

Page 128: Risk seminar - john crawley & emer mc aneny

Integration into management processes

– ensure the benefits for business and resource planning are clearly established through integration with the ‘normal’ business planning processes

– integrate into performance management system and establish KPIs

– integrate with reporting and review systems, including internal audit

– include development of risk management skills within leadership and management development programmes

Embedding risk management

Page 129: Risk seminar - john crawley & emer mc aneny

• clear and concise outline of the organisation’s

requirements

• providing uniformity and consistency in the risk

management process across all operations

• provides a high level overview and description of

the risk management process

Purpose of a risk management policy

Session 3

Page 130: Risk seminar - john crawley & emer mc aneny

• developed and owned at board level

• developed with consideration as to how

compliance with the policy will be monitored

• reviewed regularly

– annual review

The policy should be…

Session 3

Page 131: Risk seminar - john crawley & emer mc aneny

Group exercise

What will ERM deliver?

• who are your key stakeholders?

• what do you hope the ERM process will deliver to you and to your key stakeholders?

Page 132: Risk seminar - john crawley & emer mc aneny

So what will risk management do for me?

‘The elevator pitch’

1. protection of company assets

2. improved stakeholder relationships

3. reduced volatility

4. better informed decision making

5. a framework for control

Page 133: Risk seminar - john crawley & emer mc aneny

And finally…

“The greatest risk is to take no risk at all, because if we don’t take risks there’s no advancement, there’s no progress and there’s no profitability.”

Kevin Knight, Chairman, ISO working group on risk management standards

Page 134: Risk seminar - john crawley & emer mc aneny

ISO 31000 overview (reproduced from ISO 31000:2009)

Principles (Clause 3)

a) Creates value

b) Integral part of organisational processes

c) Part of decision making

d) Explicitly addresses uncertainty

e) Systematic, structured and timely

f) Based on the best available information

g) Tailored

h) Takes human and cultural factors into account

i) Transparent and inclusive

j) Dynamic, iterative and responsive to change

k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4)

– Mandate and commitment (4.2)

– Design of framework for managing risk (4.3)

– Implementing risk management (4.4)

– Monitoring and review of the framework (4.5)

– Continual improvement of the framework (4.6)

Process (Clause 5)

– Communication and consultation (5.2)

– Establishing the context (5.3)

– Risk assessment (5.4.2): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)

– Risk treatment (5.5)

– Monitoring and review (5.6)

Reproduced from ISO 31000:2009

Page 135: Risk seminar - john crawley & emer mc aneny

Institute of Risk Management – education

• Fundamentals of Risk Management

• International Certificate in Risk Management – leads to Certificate membership grade

• International Diploma in Risk Management – leads to Member grade of the IRM

– Fellowship of the IRM is achieved through continuing professional development

• Specialist subjects

– risk management in financial services

– business continuity and crisis management

– information systems risk

Page 136: Risk seminar - john crawley & emer mc aneny

References and further reading

• Paul Hopkin, IRM Fundamentals of Risk Management, Kogan Page, £35.00, ISBN: 978-0-7494-5942-0

• British Standards BS 31100 (2008) Risk management – code of practice, www.standardsuk.com

• COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org

• Financial Reporting Council Internal Control: Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk

• Institute of Risk Management – A Risk Management Standard (2002), www.theirm.org

• International Standard ISO 31000 Risk Management – Principles and guidelines, www.iso.org

• ISO Guide 73 (2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org

• British Standard BS 25999-1 (2006) Business continuity management – Code of practice, www.standardsuk.com

• HM Treasury (2004) Orange Book: Management of risk – principles and concepts, www.hm-treasury.gov.uk

• International Standard IEC/FDIS 31010 (2009) Risk Management – Risk assessment techniques, www.iso.org

• Institute of Internal Auditors (2004) The Role of Auditing in Enterprise-wide Risk Management, www.theiaa.org

• Office of Government Commerce (2007) Management of Risk: Guidance for Practitioners, www.tsoshop.co.uk

Page 137: Risk seminar - john crawley & emer mc aneny

So to recap…

Page 138: Risk seminar - john crawley & emer mc aneny

The “Standard” is... ISO 31000

Identify: Objectives, Tools

Set appetite: Zero, Low, Medium, High

Assess: Impact, Likelihood

Treatment: Tolerate, Treat, Transfer, Terminate

Ongoing monitoring: Audit & Report, Incidents, Re-assess

Page 139: Risk seminar - john crawley & emer mc aneny

Tutor

• John Crawley

[email protected]

• + 353 1 210 4753

• www.TheFinanceExpert.ie

• LinkedIn

• Tweet: @AFinanceExpert

Page 140: Risk seminar - john crawley & emer mc aneny

THANK YOU

Institute of Risk Management

Page 141: Risk seminar - john crawley & emer mc aneny

Bow tie analysis

Causes (left of the event): underlying threats → immediate threats → control measures

Event (centre)

Consequences (right of the event): recovery measures → immediate consequences → ultimate consequences