VCOSS – DARU workshop 17 October 2012 Tips, Tricks and Concepts for making risk management work. Diana Borgmeyer - Risk Management Adviser


Page 1: VCOSS – DARU workshop 17 October 2012  Tips, Tricks and Concepts for making risk management work

VCOSS – DARU workshop

17 October 2012

Tips, Tricks and Concepts for making risk management work.

Diana Borgmeyer - Risk Management Adviser

Page 2

Agenda

1. About the VMIA
2. The Victorian Risk Management Context
3. Governance and Risk
4. A quick overview of AS/NZS/ISO31000
5. Integrating Risk
6. Risk Framework elements
7. Tools and Tips
8. Activity – Describing Risks
9. Risk Management Pitfalls
10. Questions

Page 3

Page 4

Diagram of the Victorian public sector (labels only):

Victorian Community
Government
Ministers
Portfolio Departments
Central agencies
Statutory Authorities [e.g. VMIA, SSA]
Agencies [e.g. public hospitals, welfare and housing]
External providers [e.g. contractors]

VMIA Clients

11 Departments
89 Hospitals & Ambulance Services
90 Statutory Authorities
3500 Community Service Organisations

Page 5

VMIA Risk Services

Risk Register Software

Page 6

Risk Management maturity model

RISK MANAGEMENT FRAMEWORK maturity levels (Advanced, Effective, Integrating, Developing):

Advanced
• The organisation-wide Risk Management Framework is consistent and comprehensive with processes that are embedded in everyday management and reflected in a proactive risk management culture.
• The organisation employs a process of continued review and actively pursues improvement opportunities in risk management.
• Risk management is integral in optimising outcomes, creating value and achieving objectives through the use of innovation and change management.

Effective
• The organisation-wide Risk Management Framework is consistent and comprehensive with processes that are part of everyday management.
• The organisation-wide Risk Management Framework, risk management processes, practices, procedures and accountability requirements are consistently applied across the organisation.

Integrating
• The organisation-wide Risk Management Framework defines how management of risk will be handled within the associated context (organisation-wide or for a specific activity such as a project).
• It covers the lifetime of the activity. It provides information on roles, responsibilities, processes and procedures, standards, tools, facilities and documentation to be produced. It sets the context in which risks are managed, in terms of how they will be identified, analysed, controlled, monitored and reviewed.
• The organisation-wide Risk Management Framework has been documented and approved.

Developing
• The organisation is in the process of developing an organisation-wide Risk Management Framework.
• Multiple and uncontrolled application of risk management principles and processes exists within the organisation.

Determining where we are now

Targeted maturity state?

Source: Courtesy use by Victorian Managed Insurance Authority (2010 year version)

Page 7

Victorian Government Context

Page 8

Risk management in context

• Whole of Government framework and attestation
◦ risk management process consistent with AS/NZS ISO 31000
◦ internal control system so the executive understands, manages and satisfactorily controls risk exposures
◦ Responsible body verifies the assurance made and risk profile critically reviewed in last 12 months
• Inter-agency risk

Page 9

DHS Service Level Agreement 2012-15

Risk Management Clause 3.20.2 acknowledges that risk management is an integral part of good organisational practice.

The service agreement requires an organisation’s CEO or Board Member to attest annually that it is managing risk in accordance with the AUS/NZS/ISO 31000:2009 standard, that the risk management processes satisfactorily and effectively manage the organisation’s risks, and that, within the twelve months prior to attestation, the organisation has undertaken a review of risk management processes.

Page 10

Page 11

Risks we see of concern to Health and Community Sector Boards

Governance failures

Direct care workforce sustainability

Service delivery failures

Damage to stakeholder relationships/Reputation

Failure to adapt to changing service and funding models

Funding uncertainty

Inadequate emergency preparedness/response

Regulatory or funding standards non-compliance

Page 12

Common Risk Areas

• Client dissatisfaction
• Unfavourable publicity and/or reputation damage
• Mismanagement (e.g. projects, finance)
• Threat to physical safety
• Failure of equipment or computer systems
• Breach of legal obligations and contractual responsibility
• Fraud
• Deficiencies in financial controls and reporting
• Unethical behaviour
• Failure to protect assets and goodwill

Page 13

Governance and Risk

Page 14

Governance

“Corporate governance generally refers to the processes by which organisations are directed, controlled and held to account.

It encompasses authority, accountability, stewardship, leadership, direction and control exercised in an organisation”[1]

[1] Standards Australia, AS 8000-2003 Corporate Governance – Good governance principles, July 2003, p7

Page 15

Definition of Public Sector Governance

‘…the set of responsibilities and practices, policies and procedures, exercised by an agency’s executive, to provide strategic direction, ensure objectives are achieved, manage risks and use resources responsibly and with accountability.’[1]

Good Governance is about both:

• Performance – how an agency uses governance arrangements to contribute to its overall performance and delivery of services or programmes.
• Conformance – how an agency uses governance arrangements to ensure it meets the requirements of the law, regulations, published standards and community expectations on probity and accountability.

[1] Adapted from ANAO, Implementation of program and policy initiatives: Better Practice Guide, 2006, p.13.

Page 16

Governance - common elements

Governing Body: Stewardship, Leadership, Control

Strategy & Direction
• Corporate Plan
• Business Plan
• Operational Plans
• Strategic, IT, HR & asset plans
• Annual Plan

Compliance & Accountability
• Annual Report
• Delegations
• Policies & Procedures
• Audit/ Risk Committee
• Audit methodologies
• Internal Audit

Structures & Relationships
• Organisational Structure
• Core competency criteria
• Standards of Behaviour
• Client surveys
• Training programs
• Roles and responsibilities
• Communication
• Business processes

Performance Monitoring
• Monthly Financial Statements
• Balanced Scorecard
• Performance Management

Risk Management

Page 17

How governance & risk management underpin an organisation’s performance

Source: Public Sector Governance Better Practice Guide – Volume 1, Australian National Audit Office, July 2003

Page 18

Core principles underpinning Governance frameworks

• Accountability & Compliance: being answerable for decisions and having appropriate compliance mechanisms
• Transparency & structure: clear roles, duties and procedures in decision making
• Leadership: ‘tone at the top’ to achieve organisation-wide commitment from the top
• Integrity: acting impartially, ethically and in the interests of the organisation [1]

[1] Public sector governance and the individual officer – guidance paper no.1 - Better Practice Guide, Australian National Audit Office, July 2003

Page 19

Good governance attributes

• Clear roles & responsibilities

• Ethics based culture

• Accountability through control, monitoring and review

• Effective governing body

• Communication & awareness

• Transparent external reporting

• Integrated risk management practices in planning, operations & reporting

Page 20

risk management?

• An integral part of the organisation’s management system

• Essential for ‘good governance’

• Offers common language and consistency

• Embeds the risk management process in decision making

• Don’t simply ask ‘what may go wrong?’ … ask ‘what must go right?’

• Good risk management doesn’t stifle progress and innovation – it drives success

Page 21

“Looking back, I wish I had pressed harder. It’s easy to say after the fact.”

Yukinobu Okamura, Head of Active Fault and Earthquake Research Centre, recalling tsunami concerns he raised in June 2009 at a Japan Trade Ministry meeting to assess reactor safety.

Tsunami Warnings ignored, The Age March 26 2011

Page 22

“Details of risks were either not satisfactorily conveyed to senior executives and ministers or, if conveyed, were not acted on.”

Energy Efficient Homes Package (Ceilings Insulation)

Senate Inquiry Report (15 July 2010)

Page 23

Why do strategies fail?

Only 10% of organisations execute their strategy

Barriers to Strategy Execution

• Vision Barrier: Only 5% of the workforce understands the strategy
• People Barrier: Only 25% of managers have incentives linked to strategy
• Management Barrier: 85% of executive teams spend less than one hour per month discussing strategy
• Resource Barrier: 60% of organisations don’t link budgets to strategy

The problem isn’t lack of strategy. It’s the lack of ability to successfully manage the execution of what looks strategically good on paper.

Reference: Robert Kaplan and David Norton - The Balanced Scorecard and The Strategy Focused Organization

Page 24

Six key questions

Essentially, risk management seeks to answer these basic questions:

• what are we trying to achieve?
• what events or circumstances could affect the achievement of our objectives?
• what are the consequences?
• how likely are these events?
• what can we do to manage these outcomes?
• how will we maximise opportunities?

Page 25

AS/NZS ISO 31000:2009

Page 26

The definition of risk?

“The effect of uncertainty on objectives”

Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of, an event, its consequence, or likelihood.

AS/NZS ISO 31000:2009

The aim of risk management is not the management of risk but the achievement of objectives.

Page 27

Overview of AS/NZS/ISO31000

Principles for managing risk (Clause 3)
1) Creates value
2) Integral part of organisational processes
3) Part of decision making
4) Explicitly addresses uncertainty
5) Systematic, structured & timely
6) Based on the best available information
7) Tailored
8) Takes human & cultural factors into account
9) Transparent & inclusive
10) Dynamic, iterative & responsive to change
11) Facilitates continual improvement & enhancement of the organisation

Framework for managing risk (Clause 4)
• Mandate & commitment
• Design of framework for managing risk
• Implementing risk management
• Monitoring & review of the framework
• Continual improvement of the framework

Process for managing risk (Clause 5)
• Communication & Consultation (runs alongside every step)
• Establishing the Context
• Risk Assessment: Risk Identification, Risk Analysis, Risk Evaluation
• Risk Treatment
• Monitoring & Review (runs alongside every step)

Attributes of enhanced risk management (Annex A - Informative)

Page 28

AS / NZS ISO 31000:2009 - Risk management principles

1. Creates value

2. Integral part of organisational processes

3. Part of decision making

4. Explicitly addresses uncertainty

5. Systematic, structured and timely

6. Based on the best available information

7. Tailored

8. Takes human and cultural factors into account

9. Transparent and inclusive

10. Dynamic, iterative and responsive to change

11. Facilitates continual improvement and enhancement of the organisation

Should be reflected in your organisation’s approach

Page 29

Fit-for-purpose

Risk management should be embedded in all the organisation's practices and processes in a way that it is relevant, effective and efficient. The risk management process should become part of, and not separate from, those organisational processes. In particular, risk management should be embedded into the policy development, business and strategic planning and review, and change management processes.

(Source: AS/NZS/ISO31000:2009 Risk Management – Principles and Guidelines)

Page 30

Risk Terminology

• Risk: chance of something happening that will have an impact on objectives

• Likelihood: chance of something happening

• Consequence: outcome of risk on objectives

• Risk Rating: overall rating which determines actions & risk treatments by the Board, CEO & Executive

• Control: includes any process, policy, device or practice or actions which modify risk

• Control Effectiveness: assessment of the effectiveness of controls to determine if any gaps exist

• Risk Owner: person or entity with the accountability & authority to manage a risk

• Risk Treatment: can involve avoiding the risk, increasing risk to gain an opportunity, removing the source, changing the likelihood or consequence, sharing the risk, retaining the risk

Page 31

Integrating risk

Page 32

What are the benefits of an Enterprise-wide approach to Risk Management?

• Enables identification of threats and opportunities for an agency

• Improves and informs the planning process

• Reduces likelihood of costly “surprises”

• Contributes to improved resource allocation

• Improves efficiency and performance

• Improves accountability

• Encourages continual improvement

Page 33

• Managing risks in order to meet our ‘objectives’

• ‘Choosing which risks to take ……. and then managing them well’

Page 34

Risk and planning - a comprehensive process

• Designed to identify, analyse, evaluate, treat, monitor and communicate risks that could prevent an organisation from achieving its objectives.
• Covers strategic, operational, financial and compliance risks.
• The term “enterprise-wide risk management” is widely used by the Victorian public sector and by the private sector, both for-profit and not-for-profit, to describe this comprehensive approach.

Page 35

Link strategy, operations and risk management

Stage 1: Link Risk Management To Strategic Planning
• Organisational Objectives
• Strategies
• Key Performance Indicators & Targets
• Strategic Risks

Stage 2: Cascading Process (Cascade & Align Strategic Objectives, Key Performance Indicators & Targets)
• Department A Operational Objectives, Indicators & Targets
• Program B Operational Objectives, Indicators & Targets
• Service C Operational Objectives, Indicators & Targets

Stage 3: Link Risk Management To Operational Planning
• Operational Risks
• Organisational-Wide Risk Register
• Risk Reporting (Reporting System)

Page 36

Different levels, different types of risks

Risks ultimately should be filtered to the lowest level possible for ownership and mitigation.

RISKS at each level: Enterprise Level, Program Level, Project Level, Subproject Level

Page 37

Different levels of risk

• Vision and Mission / Corporate strategy and objectives: Executive; Corporate Plan; Strategic Risks (Emerging; Measures/Targets)
• Business and operational objectives: Management and staff; Business Plan; Operational Risks (Emerging; Measures/Targets)
• Project objectives: Project managers; Project Plan; Project Risks (Emerging; Measures/Targets)

Page 38

Differences and similarities between strategic and operational risks?

• Both follow principles of AS/NZS ISO 31000:2009
• Differences can include:
◦ Risk context: strategic risks are most likely to impact organisational goals/objectives
◦ Participants (senior executives, audit, some board)
◦ Treatments for high level risks may vary
◦ Methods used for identifying and evaluating risk may vary
◦ Timelines can be different – some goals are longer term
◦ Requires strategic thinking
• Ideally strategic risks are identified before operational risks
• Both strategic and operational risks should be centrally managed

Page 39

Strategic Risk Assessment

Process (Communicate and Consult, and Monitor and Review, run alongside every step):
• establish context
• Assess Risk: identify risks, analyse risks, evaluate risks
• treat risks

For strategic risk assessment of the whole organisation, goals, objectives & strategies are established as part of the organisational context.

Page 40

A strategy focused risk assessment process

Example: The Head of the Defence force has a strategy to engage the enemy to regain a key piece of land

• The Generals are told the strategy is to capture ‘important assets’
• They think “which assets are important?” (strategic context)
• They consider: do they have enough personnel/skills, support (organisational context); how can the strategy fail / be achieved? (risk management context)
• To improve success rates they will need to develop a high level plan on the strategy and its key objectives (strategic plan)
• They will need to evaluate if there will be issues that may impede the strategic plan (e.g. ambush, not enough soldiers, wrong information about assets) (strategic risk assessment)
• Once you understand the threats you will then put in plans to avoid them and fine tune the plan before giving it to the officers to execute
• The officers will develop operational orders for the soldiers to follow about how the offensive will take place (timings, supplies required, equipment needed, signals etc) (operational plans)
• The officers will determine what risks there would be to the soldiers undertaking the offensive (injury, failed equipment, loss of communication etc) (operational risks)

Page 41

Example of strategic risks

Strategic goal: Ensuring a safe, reliable and sustainable water supply

Strategic objectives:
(a) Incidents of poor water quality will be reduced by 15% by 2011
(b) Water monitoring activities will increase by 10% within 12 months

Strategic risks:
(1) Inadequate policies and procedures to improve water, leading to unexpected poor water quality
(2) Funding for water monitoring will be diverted to another program, reducing capacity to meet targets
(3) Government may change its priorities for resource management, leading to inability to ensure a sustainable, safe water supply

Page 42

Outcome based risk assessment

• Used where the objectives have not been defined
• Focuses on the outcomes without defining strategic objectives

Identifies outcomes which may be unacceptable, how they may occur, and the outcomes that will be of consequence to the organisation’s stakeholders.

Page 43

A practical example of linking strategy with planning

Page 44

Example of embedding risk management in already established practices.

Let’s Improve (flowchart; each branch shown as a sequence of decision and action boxes)

• Is this an interpersonal/ HR issue? → Have you followed the conflict resolution process? → Does the situation require further improvement? → Complete a Confidential Quality Improvement Form
• Is this a risk to the organisation? → Have you discussed the risk with your superior? → Update Risk Register, Develop Risk Treatment Plan → Does the situation require further improvement? → Complete a Quality Improvement Form
• Is this a service issue? → Have you discussed it with the Service Coordinator? → Does the situation require further improvement? → Complete a Quality Improvement Form
• Have you got a great idea or suggestion? → This is wonderful → Complete a Quality Improvement Form
• Is this a maintenance issue? → Have you discussed it with your superior? → Document in Maintenance Book → Does the situation require further improvement? → Complete a Quality Improvement Form
• Is this a public safety issue, near miss or incident? → Have you discussed it with your superior? → Complete Near Miss or Incident Form → Does the situation require further improvement? → Complete a Quality Improvement Form

Page 45

Summary comments on risk integration

• ‘One size does not fit all’: it depends on the management maturity, industry and commitment
• Focus on what makes sense to the board and management – keep it practical and tailored
• Risk disciplines can work effectively with the planning, reporting, compliance, board committee and HR culture functions
• Governance foundations: cultural tone at the top, role clarity, transparency & communication are key

Page 46

Risk Framework elements

Page 47

Page 48

Risk appetite and risk rating

Matrix axes: Increasing Likelihood (horizontal), Increasing Impact (vertical)

Risk appetite zones on the matrix: Large Appetite for Risk; Standard; Plan for All Extreme Risks; Risk Averse

Escalation levels by rating: Board, CEO, Manager, Staff

Page 49

Risk-opportunity matrix

Likelihood (rows): A Almost Certain; B Likely; C Possible; D Unlikely; E Rare

Columns: Negative Impact (Consequence of Failure), High to Low; Positive Impact (Benefit of Success), Low to High

• High negative impact: Rigorously manage these exposures
• High positive impact: Actively pursue these opportunities
• Watching brief (Possible / Unlikely rows)

Page 50

Example – Consequence (Impact) table

Descriptors by rating: Personal injury | Financial | Reputation | Environmental | Operational

Insignificant
• Personal injury: No injury sustained.
• Financial: Minor loss resulting in only minimal impact to local area budget.
• Reputation: Minor complaints resolved quickly with routine procedures.
• Environmental: Negligible, transient damage. No threat to safety.
• Operational: Negligible short-term disruption to non-essential services.

Minor
• Personal injury: Minor injury requiring first aid only.
• Financial: Loss that impacts on a single service, but does not threaten that service’s overall budget.
• Reputation: Complaints resolved by written response.
• Environmental: Transient environmental damage requiring minor corrective action.
• Operational: Short term disruption to services, not resulting in loss of business continuity.

Moderate
• Personal injury: Injury requiring minor or short term medical intervention.
• Financial: Loss of more than $500,000. Includes losses of < $500,000 that threaten the overall budget of a single service.
• Reputation: Adverse publicity or media coverage not resulting in damage to operations.
• Environmental: Short term environmental damage. May pose threat to public safety requiring minor treatment for injuries.
• Operational: Short term disruption to services, resulting in short term loss of business continuity.

Major
• Personal injury: Serious injury requiring significant or long term medical intervention.
• Financial: $500,000 to $1M
• Reputation: Adverse publicity resulting in damage to operations, but not loss of confidence in hospital management.
• Environmental: Long term environmental damage. Threat to safety, resulting in hospitalization of casualties.
• Operational: Substantial disruption to multiple services resulting in short to medium term loss of business continuity.

Catastrophic
• Personal injury: Multiple unexpected deaths or injuries resulting in permanent disability.
• Financial: > $1M
• Reputation: Significant / continued negative publicity. Loss of confidence in hospital management by community or government. Includes parliamentary inquiry.
• Environmental: Permanent environmental damage. Life threatening effect on public safety.
• Operational: Substantial disruption to multiple services, threatening the survival or long term business continuity of the organisation.

Page 51

Example – Likelihood Table

Almost certain: The event will definitely occur, probably multiple times in a year.

Likely: There is a strong likelihood that the event will occur at least once in the next 6-12 months.

Possible: There is a 50/50 chance of the event occurring within the next year. The event is equally likely to occur as not.

Unlikely: The event is not likely to occur in the next 12 months, but there is a slight possibility of occurrence.

Rare: Highly unlikely to occur in the next 5 years. No history of the adverse event in this organisation.
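The consequence and likelihood descriptors above are only useful if two people rating the same risk land on the same answer. The following is an added example, not material from the workshop slides or from the VMIA: it encodes the two tables as code so that a register entry is rated the same way every time and routed to the reporting level that should see it. Everything not on the slides is an assumption and is marked as one in the code: the 5x5 rating matrix and its Low/Medium/High/Extreme bands, the $50,000 Insignificant/Minor cut-off, the annual-frequency thresholds used to choose a likelihood rating, and the mapping from rating band to reporting tier. The slide's Financial column lists "more than $500,000" under Moderate, which overlaps the Major band ($500,000 to $1M); the example resolves that overlap in favour of Major and says so.

```python
"""Added example (not from the VMIA workshop slides): rating risks with the
consequence and likelihood descriptors, then routing them by rating band.

Assumptions (not on the slides): the 5x5 matrix and its bands, the $50k
Insignificant/Minor cut-off, the frequency thresholds, and the report tiers.
"""
from dataclasses import dataclass

CONSEQUENCE = ["Insignificant", "Minor", "Moderate", "Major", "Catastrophic"]
LIKELIHOOD = ["Rare", "Unlikely", "Possible", "Likely", "Almost certain"]

# Assumed bands on the product of the two 1..5 positions (score 1..25).
RATING_BANDS = [(4, "Low"), (9, "Medium"), (16, "High"), (25, "Extreme")]

# Assumed: which level sees a risk of each band in its reports.
REPORT_TO = {"Low": "Business Unit", "Medium": "Business Unit",
             "High": "Executive Management", "Extreme": "Board"}


def financial_consequence(loss_aud: float, threatens_service_budget: bool = False) -> str:
    """Map a dollar loss onto the Financial column of the consequence table.

    Slide bands: Major = $500,000 to $1M; Catastrophic = > $1M; Moderate =
    a smaller loss that threatens a single service's overall budget. The
    slide also puts "more than $500,000" under Moderate, overlapping Major;
    this example resolves the overlap as Major (assumption). The slide gives
    no dollar figure for Insignificant vs Minor, so $50,000 is assumed.
    """
    if loss_aud > 1_000_000:
        return "Catastrophic"
    if loss_aud >= 500_000:
        return "Major"
    if threatens_service_budget:
        return "Moderate"
    return "Minor" if loss_aud >= 50_000 else "Insignificant"


def likelihood_from_frequency(events_per_year: float, seen_before: bool) -> str:
    """Pick a likelihood rating from an estimated annual rate.

    Thresholds are assumptions read off the slide wording: multiple times a
    year -> Almost certain; at least once in 6-12 months -> Likely; about
    50/50 within a year -> Possible; a slight possibility (here: at least
    once in five years, or any prior occurrence) -> Unlikely; otherwise Rare,
    which the slide reserves for events with no history in the organisation.
    """
    if events_per_year >= 2:
        return "Almost certain"
    if events_per_year >= 1:
        return "Likely"
    if events_per_year >= 0.5:
        return "Possible"
    if events_per_year >= 0.2 or seen_before:
        return "Unlikely"
    return "Rare"


def rate(consequence: str, likelihood: str) -> tuple[int, str]:
    """Combine the two ratings into a score (1..25) and an assumed band."""
    score = (CONSEQUENCE.index(consequence) + 1) * (LIKELIHOOD.index(likelihood) + 1)
    for upper, band in RATING_BANDS:
        if score <= upper:
            return score, band
    raise ValueError(f"score {score} outside the 5x5 matrix")


@dataclass
class Risk:
    title: str
    consequence: str
    likelihood: str

    def report_to(self) -> str:
        """Reporting level for this risk, per the assumed REPORT_TO mapping."""
        _, band = rate(self.consequence, self.likelihood)
        return REPORT_TO[band]


def register_report(risks: list[Risk]) -> dict[str, list[str]]:
    """Group a register by reporting level, highest score first within each."""
    by_level: dict[str, list[str]] = {"Board": [], "Executive Management": [], "Business Unit": []}
    for r in sorted(risks, key=lambda x: rate(x.consequence, x.likelihood)[0], reverse=True):
        score, band = rate(r.consequence, r.likelihood)
        by_level[r.report_to()].append(f"{r.title} [{band}, {score}]")
    return by_level


if __name__ == "__main__":
    # Constructed register entries, for illustration only.
    sample = [
        Risk("Patient records exposed via a lost laptop",
             financial_consequence(750_000), likelihood_from_frequency(0.5, seen_before=True)),
        Risk("Payroll system outage over a pay run",
             "Catastrophic", likelihood_from_frequency(1.0, seen_before=True)),
        Risk("Slip injury in the visitor car park",
             "Minor", likelihood_from_frequency(1.0, seen_before=True)),
    ]
    for level, items in register_report(sample).items():
        print(level, items)
```

The value of writing the tables down this way is that the thresholds become visible and arguable: a board that wants High risks rather than only Extreme ones on its agenda changes one dictionary entry, and the overlap in the slide's Moderate/Major dollar bands has to be resolved explicitly instead of being rated differently by each manager.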

Page 52

Roles & Responsibilities

Executive

• Be a risk owner

• Integrate risk treatment actions into Quality & Business plans

• Monitor for emerging risks

• Ensure KPIs and audit data are monitored

Managers

• Manage local risks and escalate risks outside of delegation

• Understand the risks for the Program/Division/Unit

• Ensure completion of Quality & Business plan activities

• Undertake audit activities linked to key risks

Page 53

Risk management responsibilities

The Board

• Sets risk appetite and tolerance
• Directs strategy and reviews strategic risks
• Receives risks and risk controls reports from management (via Risk Management Committee or Executive Management Committee)
• Receives reports from the Risk and Quality or Risk and Audit Committee on the process for managing risk and on the management of key risks

Operational Management

• Owns risks and their management
• Reports to the Board (self certification) on their management of risks

Risk Management Committee

• Provides corporate oversight of risks and their management
• Learns from incidents and events
• Monitors leading indicators of changes in risk

Risk Management Sub-Committee

• Provides expert resources for specific areas of operational risk such as health and safety
• Manages the transfer of risk via outsourcing and insurance
• Analyses risks and reports to the Risk Management Committee

Risk and Audit Committee

• Receives reports from Internal Audit on the process for managing risk and on the management of key risks

Internal Audit Team

• Provides assurance to the Audit Committee on the system of internal control and risk management

• Provides assurance to the Audit Committee and the Risk Management Committee on the management of specific risks

Page 54

Risk Management Tools and Tips

Page 55

Reporting – the right things at the right level

[Figure: pyramid of the volume of risk information, broadest at the base.]

Board: strategic / critical risk issues

Executive Management: significant / key operational and strategic risk information

Business Units: operational and strategic risk information at business level

Committees shown alongside the tiers: Op Risk Mgt Committee, Exec Risk Mgt Committee, Risk/Audit Committee

Page 56

The Risk Management Process for Operational Managers

[Figure: Risk Management Cycle.] Identify risk; assess risk; identify control measures; assess control measures; implement solutions; monitor performance; then back to identify risk.

Page 57

“You cannot manage what you don’t measure”

Robert S. Kaplan

Harvard Business School

Co-creator of Balanced Scorecard

(with David P. Norton)

Page 58

Reporting

• Formally report risks and risk treatments with sufficient detail to enable a clear understanding of how risks are being managed

• Board and/or Management guidance on what information they would like to see in risk reports

• Agreed template or format for recording risk and risk treatment information

• Agreed template or format for risk reporting

• Agreement on when and how often risk reports will be produced

• Recipients/stakeholders of risk reports identified and agreed

• Different risk reports meeting different stakeholders' needs

Staff encouraged and/or incentivised to report risk or suggest risk reduction strategies.

Who receives risk reports in your organisation?

Who should receive reports?

Page 59

Risk as a management agenda item

• What is happening in other jurisdictions ………. could that happen here?

• Are we meeting our legal, regulatory and compliance requirements …… if not, why not?

• How do we compare to other jurisdictions when managing the risk of ....?

• What are the risks that could stop us from achieving our KPIs?

• What are the risks that could stop us from achieving our ‘objectives’?

• How could the next be harmed?

• Where will the next ‘scandal’ or adverse media involving the agency come from?

• Risk management update – new practices, policies, procedures, protocols, communiqués and expectations

Page 60

Risk as a management agenda item (continued)

• Progress against the top 5-10-20 risks

• What are we doing about …(risk)….?

• What does our data tell us about our risks?

• How effective are our ‘risk controls’ for …(risk)…?

• For this risk ….. what do we need to stop doing, start doing and keep doing?

• What do we need to change to achieve best practice in managing the risk of.....?

• Risks with projects or new initiatives?

• What are the commonly used ‘work arounds’ in high risk areas?

Page 61

Case Study: Melbourne Zoo

Operational Risk Reporting to:

• Management (CEO) and Animal Welfare Peer Review Committee

Includes:

• Animal escapes / disappearances

• Births, deaths (eg by cause and by age)

• Complaints (eg queries about treatment of animals)

• Staff injuries (eg snake bites and low flying owls)

• Animal rescue and rehabilitation

Page 62

Risk Descriptions

Page 63

Describing the risk

• The risk of (what, where, when) .... caused by (how) .... resulting in (impact/consequences) ....

Examples

• The risk of extreme weather conditions (storm, hail, ice, heat), caused by seasonal variations, resulting in injury/ death to staff and/or public members.

• Loss of skill base in the organisation threatens long-term sustainability of the workforce.

Page 64

Risk Statement

The risk of ………. (what, where, when)

caused by ………. (how)

resulting in.......... (impact/consequences)

Page 65

Sample Template

Page 66

Activity – Defining Risks

In groups select a source of risk/common risk area or a risk from your risk register that you have concerns about and:

• Redefine and describe the risk using agreed risk language

• Complete the template

• Discuss potential treatment strategies

Page 67

Risk Management Pitfalls

Page 68

So what does your risk management look like?

Page 69

Risk management - pitfalls?

• Poor culture

• Believing ……… ‘that will never happen here’

• RM strategy is not driven from the ‘top down’

• Poorly defined accountability for risk management

• Risk management is not linked to corporate strategy

• Risk management is positioned as ‘compliance’

• Risk management fails, often with catastrophic outcomes, when the organisation’s processes are ignored or overlooked

• Past mistakes are overlooked – no corporate learning

• Framework does not accurately reflect the organisation’s maturity or capability

Page 70

Risk management - pitfalls? (continued)

• Soft issues ignored (behaviours / attitudes)

• Over reliance on the ‘Risk Manager’

• Risk is managed in ‘silos’

• Framework has not been translated into an ‘action plan’

• Use of technical jargon in preference to plain language statements and ‘true life’ examples

• Not tough enough on language that conceals risks

• Not utilising available data / information

• Broad / non-specific risk descriptions

• Failure to use risk information to inform decision making

Page 71

Questions?

Diana Borgmeyer

Risk Management Advisor

Email: [email protected]

Phone: 9270 6812