THE STANDARD RISK-MANAGEMENT PROCESS
The risk-management processes of organisations can differ depending on what 3 things?
What are the 4 steps in the standard risk-management process?
What are the 2 key characteristic of the standard risk-management processes?
The nature, scale, and complexity of an organisation
- Risk identification = activities associated with identifying the actual risks to which an organisation is exposed (for better or for worse)
- Risk assessment = activities concerned with assessing and prioritising an organisation’s exposure to identified risks, in terms of probability and impact
- Risk monitoring = activities used to monitor and report on potential changes in risk exposure or the effectiveness of risk controls and RM activities in general
- Risk control = application of tools and techniques to manipulate/influence specific risk exposures, in terms of probability and or impact
A. The process is performed sequentially = one element of the process precedes the next element
B. The process is circular in continuous use = not clear where process starts and ends
THE STANDARD RISK-MANAGEMENT PROCESS
RISK IDENTIFICATION
Name 3 tools and techniques that can be used to identify risk.
RISK ASSESSMENT
What is the purpose of risk assessment?
What is the equation normally used to assess risks?
What is the problem with this equation?
- Checklists = a list of common risks within an organisation is provided to management to help them identify the risks associated with a particular activity or decision
- Root-cause analysis
- Delphi technique
Purpose = determine the potential significance of the risk(s) in question = allows risks to be placed in rank order to help establish their priority = focus management’s attention and resources
Exposure = (probability of risk event) x (impact of risk event)
Exposure = likelihood x severity
Problem = equation assumes a very simple, binary outcome
* In reality it is much more likely that a range of risk outcomes are possible
THE STANDARD RISK-MANAGEMENT PROCESS
RISK MONITORING
What is the purpose of monitoring risks? (2)
What does risk monitoring involve?
Name 3 sources.
RISK CONTROL
Name 4 tools and techniques used to control risks.
A. To provide a comprehensive picture of an organisation’s current risk profile in relation to the objectives it pursues
B. To provide an indication of how this risk profile may change
Involves the collection and dissemination of a wide range of data from different sources including:
* Loss data, on past risk events
* Performance indicators i.e. customer complaints data
* Internal/external risk reports
- Physical devices = door locks
- Financial tools = derivatives
- Tools to transfer risk = insurance and outsourcing
- Tools to help detect potential risk events = smoke alarms
THE STANDARD RISK-MANAGEMENT PROCESS
What are the 2 disadvantages of the standard risk-management process?
What are gaps and overlays?
Name an example of each?
Which case highlights the problems of a silo approach to risk-management?
(1) Is generally only focused on formal factors
(2) Is a silo approach to RM = different categories of risk managed individually, often by different people or functions across the organisation = gaps and overlaps between risk categories may be ignored
Gaps = risks go undetected/unmanaged
E.g., Cyber security risks in 20th century were ignored because responsibility for management hadn’t been assigned to any individual/function/department
Overlaps = correlations between risk types may be ignored
E.g., Sales and marketing launch new product but could create operational risks that are ignored because operational risks don’t fall within sales and marketing area of responsibility
Perrier Benzene scandal:
* 1990, high levels of the toxic substance benzene were discovered in bottles of Perrier
* The company took steps to recall the product
* When the media first found out about the problem, Perrier did not know how to respond
* Perrier’s failure to recognise and manage the growing reputation risk led to an information vacuum that provoked much more consumer anxiety than there should have been
* The brand has never regained its pre-1990 sales volume
ENTERPRISE RISK-MANAGEMENT
ERM is a hard concept to define and there is no perfect definition.
How does COSOP define ERM and what 3 things is it designed to do?
What are the 3 essential characteristics that distinguish ERM from the standard risk-management processes?
What is the role of an integrated risk function?
ERM = a process, effected by board and SM, applied in strategy setting across the enterprise, designed to:
1. Identify potential events that may affect the entity
2. Manage risk to be within risk appetite
3. Provide reasonable assurance for achievement of objectives
(ERM is a process! = remains focused on the identification, assessment, monitoring and control of risk, but extends the standard RM process)
(1) A holistic focus = ERM should be applied across an organisation = embraces all types of risk in every part of organisation = recognises that different risks, functions, business lines, and processes are all interconnected
*ERM can be implemented through the creation of an integrated risk function
Integrated risk function = looks at all risks across all levels of the organisation to build a comprehensive picture of where risk lies within the organisation
(2) An emphasis on value-added RM = ERM (if applied correctly) should create and protect value for an organisation through effective strategic level RM decision-making and operations that function smoothly without costly interruption
(3) The blending of formal and informal RM tools and activities
*Formal factors = tangible systems, processes, procedures, policies, committees and forums that exist within organisations, as well as organisation structures and hierarchies
*Informal factors = organisational culture, social networks and how risk and RM are perceived e.g., risk viewed as threat or opportunity or RM as costly or value adding
ENTERPRISE RISK-MANAGEMENT
What are the 5 organisation-wide benefits of ERM?
- Improved reporting to support strategic decision-making
= Board and SM should be able to make better strategic decisions by having a holistic understanding of risks = can achieve a better balance of risk and return (take risk where only justified by potential returns) - Avoidance of silos
= ensure gaps and unrecognised overlaps in risk profile are avoided - Improved operational efficiency and cost effectiveness
= reduce costs of RM activity by better co-ordinating RM activity across the organisation
= reduce duplication of controls and learn from mistakes - Improved profitability and equity value
*For profit organisation = insulate organisation-wide cash flows from unnecessary volatility
*NFP = reduce costly risk events - Improved ability to achieve other business objectives
= helps achieve non-commercial objectives (CSR and sustainability)
ENTERPRISE RISK-MANAGEMENT
What are the 3 local (business units, departments, and functions) benefits of ERM?
- Consistent decision-making
= helps ensure all decision-makers achieve an appropriate balance between risk and return that is consistent with the organisation’s appetite for risk and its strategy and objectives - Effective resource allocation for RM
= ensure funds are allocated on a risk-exposure basis = high-risk areas receive more resources and central support - Spreading risk ownership, allowing risks to be managed by the local experts
= operational and internal control risks are hard to manage via a central risk function because are diverse and require local insight
= ERM allows local managers to manage operational and internal risks with escalation procedures, should a risk event occur
ENTERPRISE RISK-MANAGEMENT
What are the 2 consequences of implementing ERM processes poorly?
How can an organisation that uses ERM have an effective approach?
What are the 6 elements of an effective ERM process?
(1) can be costly
(2) may result in ineffective decision making at an organisation-wide and local level
Should go beyond the core elements of the standard RM process i.e.., consider the following 6 additional factors when implementing and effective ERM process
- ERM policies and procedures
- Risk appetite = an organisation has to take risks to achieve its objectives
- Enterprise risk reporting = provide board holistic picture without large amounts of detail
- Risk and audit committees
- Escalation and whistleblowing
- Business continuity management
ENTERPRISE RISK-MANAGEMENT - ERM POLOCIES AND PROCEDURES
Any formalised risk-management process requires a documented policy and an associated set of procedures to ensure that it is used correctly.
Explain the purpose of drafting an ERM policy / Why is an ERM policy needed? (2)
Name 3 things that an ERM policy should include?
One way to structure the contents of an ERM policy is to adopt the what?
An ERM policy is needed to:
(1) ensure that risks are managed in a consistent manner across an organisation and that risk exposures are kept within the organisation’s risk appetite
(2) make clear roles and responsibilities for RM at an organisation-wide and a local level
- The organisation’s overarching approach to risk
- Roles and responsibilities for ERM, including the role of the board and SM
- The reporting structure for ERM, including reporting lines into the CRO/ risk committee
The Risk Architecture, Strategy and Protocols (RASP) approach outlined in ISO 31000
ENTERPRISE RISK-MANAGEMENT - RISK AND AUDIT COMMITTEES
Almost all organisations should have an audit committee, though not all will have a risk committee (can be combined into one).
From an ERM perspective, what are the 2 key considerations for the committee? (Committee should consider?)
- The relevant committee should consider the potential for threats and opportunities
* Audit committees are focused on internal control and risk reduction = where risk and audit committee is combined it can be hard to get into a more risk-positive opportunity mindset
*Separate risk and audit committee to avoid any conflict of interest between internal control and opportunity-taking - The risk committee must consider all categories of risk across the whole organisation = the committee should consider risks which, may have a significant effect on the strategy and business objectives
ENTERPRISE RISK-MANAGEMENT - ESCALATION AND WHISTLEBLOWING
Concerns regarding control failures or other unauthorised breaches of policies and procedures including criminal acts must be reported in what way and to who?
What should whistleblowing procedures be?
BUSINESS CONTINUITY MANAGEMENT
Given the impossibility of eliminating all risk, an effective ERM process must include mechanisms to ensure what?
Reported in a consistent manner across the organisation to a single point of contact = could be CRO, cosec, or gov. prof.
Whistleblowing procedures should only ever be organisation-wide, given the potential seriousness of the information provided
* However, for risk events or control failures that are not of organisation-wide significance, local management escalation processes may be required
To ensure that the initial impacts of risk events, and their longer-term effects on the continuity of the organisation’s operations, are properly managed and mitigated where it is cost effective to do so.
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - BOARD AND EXECUTIVE MANAGEMENT
What is the role of the board? (4)
Boards only need what information on risks?
(1) determine risk appetite
(2) periodically monitor the risk profile to ensure the organisation remains within the agreed appetite for risk
(3) must ensure that it receives appropriate assurance from management that the organisation has an appropriate risk-management process in place and that this process is used correctly
(4) have oversight responsibility
Board only needs information on risks that may cause the organisation to breach its risk appetite = these are the risks that may affect the strategy of an organisation and its ability to achieve its objectives
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - RISK COMMITTEES
What 2 factors will determine whether an organisation will have combined or separate risk committee?
Why do risk committees exist? (3)
Who does the risk committee report to?
Its (1) structural complexity and (2) whether it has an ERM process in place (if yes then usually separate)
Risk committees exist to:
1. take a more detailed look at the RM process, risk profile and risk appetite
2. review and approve RM policies and procedures (but board has final approval)
3. provide assurance and ensure that the organisational risk profile does not exceed appetite
Report directly to the board = board delegated committee
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - CHIEF RISK OFFICER
Which organisations usually have a CRO?
What is the role of the CRO? (5)
Only large organisations or organisations that have implemented ERM process
Role:
- To support the board and risk committee in the fulfilment of their responsibilities
*= including raising any concerns that the CRO may have regarding risks - To direct the work of the organisation’s risk function
- To oversee the RM activities of the whole organisation
- Ensure that risks are managed consistently with the risk appetite, and RM policies and procedures
- To work with the compliance and internal audit functions to ensure that regulatory-compliant RM governance arrangements are in place across the organisation
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - RISK MANAGER AND RISK FUNCTION
Most organisations will have either a dedicated risk manager or an individual with responsibility for risk-management within their role.
What is the role of the risk manager and wider risk function? (5)
- oversee, co-ordinate and facilitate RM activity across an organisation
- Risk monitoring and reporting = collect risk-exposure and RM information from across the organisation to provide risk reports to board, CRO, risk committee
- Help with risk identification and assessment exercises = completion of risk registers
- Provide advice about how to effectively control specific risks and training on the organisation’s RM policies and procedures to other functions
- Support the design and implementation of RM processes = draft RM policies and procedures
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - COMPLIANCE MANAGER AND COMPLIANCE FUNCTION
What is the role of the compliance manager or function? (4)
Why is it important that the compliance manager or function works closely with the risk manager or function?
- Ensure that the design and ongoing operation of an organisation’s RM processes are compliant with all applicable rules and guidance
- Ensuring that health-and-safety risks and environmental risks are managed appropriately
- Support oversight of the RM policy and processes to ensure that the compliance relevant elements are implemented appropriately across the organisation
- Act as an intermediary between the organisation and RM related regulatory and supervisory bodies = e.g. Providing RM information to them and answering questions
Because the compliance manager or function can help to ensure that RM processes are designed in a compliant manner
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - INTERNAL AUDIT
What is the role of internal audit? (3)
The risk and audit functions will usually work closely together, supporting each other’s activities, but what should be monitored?
- Provide assurance that the design and implementation of organisation’s RM process is effective
- May conduct audits of the risk function and RM process
= Benchmarking this process against industry standards or audits to determine whether managers are using the process correctly - May provide an opinion on whether the organisation (whole or specific functions) are keeping the risk profile within risk appetite
Such a close working relationship should not interfere with the independence of the internal audit function
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - COMPANY SECRETARY / GOVERNANCE PROFESSIONAL
How does the role of the company secretary / governance professional in relation to risk-management vary?
Where company secretaries have direct responsibility for risk management, what will their role be? (3)
Where company secretaries are not directly responsible for risk management, what will their role be? (2)
What will this include? (2)
A company secretary or governance professional will need to work closely with who and why?
Role may vary:
* In some organisations will have direct responsibility for RM
*In others they will play more of a supporting role
Involved in the oversight of RM activities across the organisation, might also have compliance related responsibilities, and be responsible for purchase of insurance
(1) Role will move closer to that of an audit function = provide assurance on the effectiveness of the design and implementation of RM process, policies, procedures and activities
(2) Ensure that the board fulfils its RM responsibilities:
1. conducting board effectiveness reviews (including RM skills and experience)
2. advising the board on its RM responsibilities and ensure board agendas devote sufficient time to RM
Work closely with the risk and compliance functions, and CRO, to ensure the board receives the risk reports and RM assurance it needs to fulfil its obligations
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT - FINANCE FUNCTION
What is the role of the finance function? (2)
Role:
(1) ensure that it manages the risks associated with its activities consistently with RM policy and procedures and the risk appetite
(2) provide a range of financial information to the risk function to support risk monitoring and reporting
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT
HEALTH AND SAFETY FUNCTION
What is the role of the health and safety manager/function? (3)
H&S function/manager:
1. Responsibility for overseeing H&S matters
- Be compliant with any relevant regulations and organisation’s RM policy and procedures
- report information about H&S risks to the risk manager to ensure they have a comprehensive picture of exposure to risk
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT
HUMAN RESOURCE MANAGEMENT FUNCTION
What is the role of the HR manager or function? (4)
HR function/manager:
(1) to support the completion of risk assessments that have a people dimension
(2) responsible for ensuring that HR-related risk controls are operating effectively across the organisation, such as recruitment and disciplinary controls, escalating any concerns where appropriate
(3) supply the risk function with risk monitoring-related information, such as staff-turnover statistics or absence rates
(4) support the assessment and management of risk culture
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT
INFORMATION SECURITY FUNCTION
What is the role of the information security function? (2)
Information Security:
1. Manage information security risk in a manner that is consistent with the organisation’s RM policy, process, and appetite for risk
- Supply information to the risk manager or function to support their risk monitoring and reporting activities
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT
MARKETING AND PUBLIC RELATIONS FUNCTION
What is the role of marketing and PR function? (2)
Marketing and PR:
(1) to comply with all relevant RM policies and procedures
(2) help prevent adverse risk report (PR function can be an important source of information regarding any negative press reporting about the organisation)
ROLES AND RESPONSIBILITIES FOR RISK-MANAGEMENT
OPERATIONS FUNCTION
What is the role of an operations manager? (2)
Operations managers must:
(A) ensure that day-to-day operational risks are managed in accordance with the relevant RM policies and procedures
(B) escalate any significant increases in risk exposure and information on any significant risk events that occur
-
The global risk environment20
-
Regulatory frameworks16
-
Sector regulators21
-
Risk-management frameworks and standards25
-
Key risk-management concepts28
-
Risk-management as a foundation of organisation success14
-
Risk-management processes, perspectives, and responsibilities24
-
Framework for governance, risk, and compliance28
-
Evaluating and reporting risk38
-
Risk culture, appetite, and tolerance24
-
Compliance management18
-
Risk-control strategies25
-
Risk-management in practice20
-
Trends and future developments for risk-management27
-
More trends and future developments for risk-management30
