Scrutinising Your ERM Framework for Effectiveness
DESCRIPTION
Appreciate the link between your organization's business strategy, business model and its methodology for identifying, prioritizing and managing risk
TRANSCRIPT
SCRUTINIZING YOUR ERM FRAMEWORK FOR EFFECTIVENESS
Presentation by Eneni Oduwole
IQPC ERM Africa Conference 2013, Johannesburg – South Africa
Mandate
How to identify key risk indicators specific to your organisation and ensure these are accounted for
Over managed or just right – how to prioritize risks within your framework
Evaluating failure of risk mitigation strategies – how to ensure processes are followed at an operational level
How to track results and prevent follow-on risks
Measurement – how to conduct qualitative risk assessments and relate this back to your framework
Overview
Risk management = identification of risks + measurement of identified risks + control / mitigation strategy + monitoring risk exposures + reporting risk
Effective Risk Management requires that a holistic, balanced and strategic outlook toward managing prevalent and likely risk factors is employed; this concept is now christened “Enterprise-wide Risk Management (or ERM)”
ERM looks at all facets of the business from strategic planning to operations, and encompasses all exposures to risk whether operational, credit, market, liquidity, strategic, reputational, business or compliance risks that may impede achievement of set objectives
It aims at achieving the highest level of customer and shareholder value possible
Risk Identification – A Key Element in Risk Management
This process entails the recognition, categorization, prioritization and enlisting of prevalent risks in the organization
It usually starts with the review of issues / concerns affecting a business process, product or service; thereafter close monitoring and tracking of key issues that might affect set goals and objectives is embarked upon
The identification of risks also allows for conduct of causal analysis which enables better understanding and categorization of risk drivers
Classification of risk drivers reduces redundancy and ensures easier management of risk factors in later phases of the risk management process
Classifying risks also provides for the creation of risk checklists, risk registers, and databases for future projects
Tools Deployed for Risk Identification
Documentation Review
Other Information Gathering Techniques such as Interviews with Process Owners, Nominal Group and Delphi Techniques
Conduct of Surveys
Checklist Analysis
Root Cause Analysis
Assumption Analysis
Diagramming Techniques
All of these tools can be used in developing a database of key risk factors to be monitored by the organization… “Key Risk Indicator Dashboard”
Key Risk Indicators (KRIs)
Are measurable metrics that identify trends and track possible exposures
They are quantitative parameters used to identify changes in the risk profile of business activities and processes
KRIs enable the following:
Determination of volatility of risks across the business environment
Determination of risk concentrations
Determination of risk patterns
Objectives for having defined KRIs should include:
Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place
Enabling early warning signs for emerging risks to be picked up as they crystallize
Identifying Organization-Specific Key Risk Indicators
Understand the strategic intent of the organization in the short, medium or long term
Drill this into expected deliverables within the respective timeframes
Determine core business activities that would be focused on to achieve these expected deliverables
Isolate the core drivers of these core business activities
Develop quantitative parameters for tracking these core drivers
Agree on trigger limits with business process owner
Identifying Organization-Specific Key Risk Indicators (cont’d)
Monitor the trends of these parameters; where adverse trends are observed:
Conduct a Causal Analysis to determine prevalent risk factors
Determine areas of the business affected by this adverse trend
Identify likely constraint to the organization resulting from this adverse trend
Estimate impact and severity to the organization should the risk crystallize
Report on risk trend identified
Prioritizing Risks
Requires the estimation of risk factors into defined categories for risk treatment
These categories are:
High – Medium – Low Risks (for 3-tiered Risk Bands)
High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)
These bands are defined to direct the organization on appropriate risk treatments required for identified risk factors
Defined risk categories are also indicative of likely risk exposure (impact x probability)
[Figure: risk matrix with probability (High, Medium, Low) on one axis and impact (Low, Medium, High) on the other]
Prioritizing Risks In Your Organization
Risk prioritization must be based on the following:
The Risk Appetite of the organization
The Business Model of the organization
Regulatory Requirements
Business objectives in the short, medium and long terms
Risk – Reward Analysis
Response style of the organization
Maturity of the Risk-Aware Culture
Dealing with the Risk Exposures
Terminate: when cost is higher than benefit; no competencies for managing risk
Tolerate: when cost is within risk appetite levels or insignificant to benefit; no-brainer
Treat: when benefit from business venture is seriously threatened; staff and business model / structure can implement and support control
Transfer: when benefit is threatened but staff / business model may not support required control (risk may be shared or transferred completely)
Considerations for Selecting Appropriate Action Plans
Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related policies
In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy / model / structure, and culture
Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the correction process; new process / control should be easy for auditors to review
Implementation: Incorporation of related activities into routine business processes should be seamless; relevant parties should be carried along; controls should be cost effective
Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically
Tracking Results of Action Plans
[Figure: diagram with steps numbered 1 to 5 and the label “If Required”]
Conclusion
A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and attributes
It is important that the Risk Assessment approach adopted is based on the Organization’s culture, behaviour and attitude in managing issues
The Risk Maturity of the Organization should also be considered
For very structured organizations, brainstorming approaches would yield better results whilst for less structured organizations the conduct of interviews would be more worthwhile
For optimal results, I strongly recommend a hybrid approach with all levels of staff involved; this way both strategic and operational risk exposures organization-wide are unearthed
Food for Thought
“The key to successful ERM practices depends on the behavioural attributes of the organization at all levels.” – RIMS
“One of the greatest contributions of a risk manager – arguably the single greatest – is just carrying a torch around and providing transparency.” Enterprise Risk Management, (Chapter 5 “Becoming the Lamp Bearer” by Anette Mikes)
Thank you!
Contact details:
E-mail – [email protected]
Tel.: 234-8033045896