EDS3C2 - Business Control and Systems
Transcript of EDS3C2 - Business Control and Systems
Risk – Levels of RM Sophistication
[Diagram: three levels of sophistication, each matched to a type of risk management and to the matching component of risk appetite]
Reform (Hazard Mgmt.): Doubt, Uncertainty; Fearful of failure; Avoid; Minimize, Inhibit/prevent; appetite component: Tolerance
Conform (Control Mgmt.): Auditing for compliance with requirements; Contribution; appetite component: Acceptance
Perform (Opportunity Mgmt.): Seek achievement of benefits; Enhance; Success; appetite component: Investment
1. REFORM : Awareness of non-compliance
2. CONFORM : Actions to ensure compliance
3. PERFORM : Achieve business opportunities
4. DEFORM : Inactivity caused by obsession
Risk Management – Risk Maturity
Level 1 - Naive: Unaware of RM. Does not recognize the value of structured approaches to deal with uncertainty. Insufficient attempt to learn from the past or to prepare for future threats and uncertainties.
Level 2 - Novice: Aware of the benefits of RM, but has not implemented it efficiently. Experimenting with RM, or has an RM process with fundamental weaknesses.
Level 3 - Normalized: RM built into routine business processes and implemented throughout the organization. Generic RM processes are formalized and the benefits are understood at all levels of the organization. Might not be consistent.
Level 4 - Natural: Risk-aware culture with a proactive approach to RM. Consideration of risk is inherent to all routine processes. Risk information is communicated and used to gain competitive advantage.
Risk Management – Principles (risk management should be)
Proportionate: Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned: Risk management activities must be aligned with the other activities in the organization.
Comprehensive: In order to be effective, the risk management approach must be comprehensive.
Embedded: Risk management activities need to be embedded within the organization.
Dynamic: Risk management activities must be dynamic and responsive to emerging and changing risks.
Risk Management – Principles
Risk can be identified and controlled.
What Risk Management should Deliver (CADE3)
1. Compliance with laws and regulations
2. Assurance regarding the management of significant risks
3. Decisions that pay full regard to risk considerations
4. Efficiency, Effectiveness and Efficacy in operations, projects and strategy
Less disruption to normal efficient operations, reduction of uncertainty in relation to change, and improved decisions in relation to the evaluation and selection of alternative strategies; i.e. improved organizational decision making.
Hazard Management – makes outcomes less negative
Control Management – reduces the spread/range of possible outcomes (uncertainty)
Opportunity Management – makes outcomes more positive
Hazard Risk – Management (7R 4T Process)
[Process diagram: the seven steps form a loop, with experience feedback and information feedback returning to step 1]
1. Recognition of Risks
2. Ranking of Risks
3. Responding to Risks (the 4Ts): Tolerate, Treat, Transfer, Terminate
4. Resourcing Controls
5. Reaction Planning
6. Reporting on Risk
7. Reviewing and Monitoring
Ranking of Risks - Assessment
Risk register columns: Description | Current Level of Risk (Likelihood, Impact) | Risk Rating (Overall Rating) | Controls in Place | Actions to be taken
Techniques
1. Questionnaires and Check Lists
2. Workshops and Brainstorming
3. Inspection and Audits
4. Flowcharts and Dependency Analysis
5. SWOT and PESTLE analysis
Identify the key dependencies of the company – what could impact them?
1. What can undermine them?
2. What would cause uncertainty for the key dependencies?
3. What events would enhance the state of the key dependencies?
It is important to quantify the risks whenever possible.
Impact vs. Likelihood
Ranking of Risks - Assessment
Risk Rating = Likelihood x Impact
[Impact vs. Likelihood matrix: the same rating can come from opposite corners of the matrix]
Low Impact + High Probability (Car Accident) vs. High Impact + Low Probability (Tsunami)
Ranking of Risks - Priority
[Impact (low to high) vs. Likelihood (low to high) matrix with five example risks plotted]
Risk 1 – Heart attack, duplicates from China
Risk 2 – Earthquake, taking ill (lecturer)
Risk 3 – Car accident, taking ill (student)
Risk 4 – Employees taking unauthorized leave
Risk 5 – Cutting your finger when grating a coconut
Ranking of Risks - Classification
Classify by time frame, nature of the risk, source of the risk and nature of the impact, in order to identify similar risks, structure responsibilities and shape the risk management approach.
Time Frame | Impact (after event taking place) | Type of Risk | Impact
Short Term | Immediate | Mostly Hazard Risks | Disruption to operations; operational efficiency; continuity and monitoring of routine operations.
Medium Term | Month – Year | Mostly Control Risks | Affects the ability of the organization to maintain effective core processes; management of tactics, projects, change programmes, product launches.
Long Term | One – Five Years | Mostly Opportunity Risks | Affects the core processes that develop and deliver efficacious strategy; more lethal than risks affecting operations and tactics.
Ranking of Risks – Classification (Standards, Frameworks)
Standard/Framework | Classification headings
COSO | Strategic, Operations, Reporting, Compliance
IRM | Financial, Strategic, Operational, Hazard
BS 31100 | Strategic, Programme, Project, Financial, Operational
FIRM Risk Scorecard | Financial, Infrastructure, Reputational, Marketplace
PESTLE | Political, Economic, Sociological, Technological, Legal, Environmental/Ethical
Political: Tax policy, employment laws, environmental regulations, trade restrictions and reform, tariffs and political stability.
Economic: Economic growth/decline, interest rates, exchange rates and inflation rate, wage rates, minimum wage, working hours, unemployment (local and national), credit availability, cost of living, etc.
Sociological: Cultural norms and expectations, health consciousness, population growth rate, age distribution, career attitudes, emphasis on safety, global warming.
Technological: Technology changes that impact your products or services, new technologies, barriers to entry in given markets, financial decisions like outsourcing and supply chain.
Legal: Changes to legislation that may impact employment, access to materials, quotas, resources, imports/exports, taxation, etc.
Environmental/Ethical: Ecological and environmental aspects, although many of these factors will be economic or social in nature.
Ranking of Risks – Classification (FIRM)
Financial
Description: Risks that can impact the way in which money is managed and profitability is achieved.
Internal or external risk: Internal. Quantifiable: Usually.
Measurement (performance indicator): Gains and losses from internal financial control.
Performance gap: Procedures – failure in procedures to control internal financial risks.
Control mechanisms: CapEx standards; internal control; delegation of authority.
Infrastructure
Description: Risks that will impact the level of efficiency and dysfunction within the core processes.
Internal or external risk: Internal. Quantifiable: Sometimes.
Measurement (performance indicator): Level of efficiency in process and operations.
Performance gap: Process – failure of processes to operate without dysfunction.
Control mechanisms: Process control; loss control; insurance and risk financing.
Reputational
Description: Risks that will impact the desire of customers to deal or trade, and the level of customer retention.
Internal or external risk: External. Quantifiable: Not always.
Measurement (performance indicator): Nature of publicity and effectiveness of marketing profile.
Performance gap: Perception – failure to achieve the desired perception of the organization.
Control mechanisms: Marketing; advertising; reputation and brand protection.
Marketplace
Description: Risks that will impact the level of customer trade or expenditure, and customer retention.
Internal or external risk: External. Quantifiable: Yes.
Measurement (performance indicator): Income from commercial and marketing activities.
Performance gap: Presence – failure to achieve the required presence in the marketplace.
Control mechanisms: Strategic and business plans; opportunity assessment.
Ranking of Risks – Classification (personal issues)
Dependency | Long Term | Medium Term | Short Term
Financial Risks – Procedures gap: How well do your procedures manage your finances?
Investments | Pension arrangement, Property purchase | Share purchase, Business opportunities | Betting habits, Insurance arrangements
Expenditure | Accommodation, Holiday pattern, Credit card ownership | Car purchase, Rail season ticket | Shopping behavior, Travel arrangements
Infrastructure Risks – Process gap: How well does your body facilitate your processes?
Health | Family history, Personal lifestyle, Vegetarianism | Medical treatment, Dieting, Weight gain | Exercise, Alcohol and drugs, Illness/Accident
Emotional | Marriage and children, Ethnic origins, Sexuality | Friendships, Cosmetic surgery | Hobbies, Sex
Reputational Risks – Perception gap: How are you perceived by your peer group?
Personal | Personality, Neighborhood, Criminal behavior | Mood and temperament, Charity work, Charity donations | Clothes, Personal hygiene
Professional | Intelligence, Behavior patterns, Changing jobs | Qualifications, Redundancy | Attending trainings, Continuous learning
Marketplace Risks – Presence gap: What is your presence in the marketplace?
Occupation | Career selection, Education | Society memberships, Presenting training | Society activities
Income | Ambition, Seniority | Extra part-time work, Sales of shares | Selling possessions, Casual work
Ranking of Risks – Significance
FIRM risk scorecard heading | Typical benchmark test for significance
Financial: Impact on balance sheet of 0.25%; Profit and loss impact of 2.5% of annual profit
Infrastructure: Disruption of normal operations by 0.5 days; Increased cost of operation exceeds 10% of budget
Reputational: Share price falls by 10%; Event is on national TV, radio or newspapers
Marketplace: Impact on balance sheet of 0.5% of turnover; Profit and loss impact of 1% of annual profit; Loss of projects worth 1 million to competition
Responding to Risks – 4Ts
[Impact vs. Likelihood matrix, one response per quadrant]
High impact, low likelihood: Transfer the risk to another party
High impact, high likelihood: Terminate the activity generating the risk
Low impact, high likelihood: Treat the risk to reduce the likely impact or exposure
Low impact, low likelihood: Tolerate the risk and its likely impact
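The two slides above (Risk Rating = Likelihood x Impact, and the 4Ts quadrant) can be turned into a small risk-register scorer. The code below is an added example, not part of the lecture deck: the 1..5 scoring scales, the cut-off that decides which scores count as "High", and the sample register entries are constructed assumptions; the rating formula and the quadrant-to-response mapping are the slides' own.

```python
"""Risk register scoring: rating = likelihood x impact, ranking, and the
4Ts response suggested by the impact/likelihood quadrant.

Added example, not code from the original lecture deck. The 1..5 scales,
the quadrant cut-off and the register entries are constructed assumptions.
"""
from dataclasses import dataclass

SCALE_MAX = 5        # assumed: likelihood and impact are scored 1..5
QUADRANT_CUTOFF = 3  # assumed: a score >= 3 counts as "High" on that scale


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)


def rating(risk: Risk) -> int:
    """Risk Rating = Likelihood x Impact (the slide's formula).

    Scores outside the agreed scale are rejected rather than silently
    multiplied, so a typo in the register cannot produce a rating of 0 or 50.
    """
    for score in (risk.likelihood, risk.impact):
        if not 1 <= score <= SCALE_MAX:
            raise ValueError(f"score {score} is outside 1..{SCALE_MAX}")
    return risk.likelihood * risk.impact


def suggest_response(risk: Risk) -> str:
    """Map the risk's quadrant to one of the 4Ts from the slide."""
    high_impact = risk.impact >= QUADRANT_CUTOFF
    high_likelihood = risk.likelihood >= QUADRANT_CUTOFF
    if high_impact and high_likelihood:
        return "Terminate"  # stop the activity that generates the risk
    if high_impact:
        return "Transfer"   # move the risk to another party (e.g. insurance)
    if high_likelihood:
        return "Treat"      # add controls to reduce impact or exposure
    return "Tolerate"       # accept the risk and its likely impact


def rank(register: list[Risk]) -> list[tuple[Risk, int, str]]:
    """Order a register by rating, highest first.

    Ties are broken by impact, so that of two risks with the same rating the
    tsunami-style (high impact, low likelihood) one is listed before the
    car-accident-style (low impact, high likelihood) one.
    """
    scored = [(r, rating(r), suggest_response(r)) for r in register]
    return sorted(scored, key=lambda row: (row[1], row[0].impact), reverse=True)


# Constructed sample register, loosely following the slide's examples.
REGISTER = [
    Risk("Car accident", likelihood=4, impact=2),
    Risk("Tsunami", likelihood=1, impact=5),
    Risk("Lecturer taken ill", likelihood=3, impact=4),
    Risk("Earthquake", likelihood=1, impact=4),
    Risk("Rail ticket price rise", likelihood=2, impact=2),
    Risk("Cut finger grating a coconut", likelihood=4, impact=1),
]

if __name__ == "__main__":
    for risk, score, response in rank(REGISTER):
        print(f"{score:>2}  {response:<9} {risk.name} "
              f"(L={risk.likelihood}, I={risk.impact})")
```

The cut-off is the part a practitioner has to agree on before the register is filled in: with the same ratings, moving it from 3 to 4 changes which risks are "Terminate" and which are "Treat", which is exactly the discussion the appetite slides later in the deck are about.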
Risk – Risk Management Framework (RASP)
[Diagram: architecture, strategy and protocols surround the risk management process]
Risk Architecture: Roles; Responsibilities; Communication; Risk reporting structure
Risk Strategy: Objectives; Mandate; Commitment; Appetite; Attitudes
Risk Management Process: Activities and processes; Action to be taken
Risk Protocols: Rules and guidelines; Policies and procedures; Risk management methodologies; Tools and techniques
Risk – Risk Architecture
The Board: Overall responsibility for risk management.
Audit Committee: Receive routine reports from the Group RM committee; set the audit programme; monitor progress with audit recommendations.
Executive Committee: Ensure risk management is embedded into all processes; review the group risk profile.
Disclosures Committee: Review and evaluate disclosure controls and procedures; information disclosed to external parties.
Group risk management (RM) committee: Formulation of strategy and policy; compile the group risk register; receive reports from divisions; track RM activity in the divisions; reports for evaluation; inform and monitor.
Divisional Management: Prepare and maintain the divisional risk register; set risk priorities for the division; monitor projects and risk improvements; manage self-certification activities; prepare reports for the group RM committee.
Risk – Risk Appetite
Type of Risk Management | Maximum Exposure of the risk | Description
Hazard Mgmt. | Hazard Tolerance | The negative outcome which is tolerable to the company
Control Mgmt. | Control Acceptance | Cost associated with controlling the risks
Opportunity Mgmt. | Opportunity Investment | Resources the company is willing to risk in pursuit of opportunity risk
Risk Appetite = Hazard Tolerance + Control Acceptance + Opportunity Investment
Risk – Risk Appetite (Risk Averse)
Risk – Risk Appetite (Risk Aggressive)
[Two Impact vs. Likelihood matrices, one for a risk-averse and one for a risk-aggressive organization. Each divides the risk universe into a comfort zone, a caution zone and a concern zone; the zone boundaries sit in different places for the two attitudes.]
Risk – Controls and Risks
[Impact vs. Likelihood matrix: the risk moves from its Inherent level through Control 1 to an Intermediary level, through Control 2 to the Current level, and through Control 3 to the Target level, each control reducing likelihood and/or impact.]
Risk – Capacity
Risk Appetite – the risk level that is appropriate for the organization (decided by the board).
Risk Exposure – the actual risk the organization is taking.
Risk Capacity – how much risk the organization can afford to take. It depends on:
Financial strength
Robustness of its infrastructure
Strength of its brand and reputation
The competitive nature of the industry/marketplace in which it operates