Risk seminar - john crawley & emer mc aneny
![Page 1: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/1.jpg)
John Crawley & Emer McAneny
June 2014
Risk Management
“The International Standard”
![Page 2: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/2.jpg)
Who I am
• Accountant
• Banker
• Businessman
• Trainer
• Turnaround Expert
• Risk Expert
![Page 3: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/3.jpg)
Agenda
• Strategy: and the role of risk
• GRC: governance, risk & compliance
• Tolerance: and why organisations are now setting "appetite"
• Identification: using a stakeholder approach
• Assessing: simplicity or complexity
• Action: everything can be dealt with as a "T"
• Reporting: the importance of embedding KRIs
![Page 4: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/4.jpg)
Rules of engagement
Engage
Open mind
No distractions
Challenge
Question
Enjoy
![Page 5: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/5.jpg)
What is risk and risk management?
![Page 6: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/6.jpg)
What is risk?
"Effect of uncertainty on objectives"
• Effect: positive, negative, or a deviation from the expected
• Objectives: the definition works best if the organisation has clear objectives; these need to be tested as part of the risk management process
![Page 7: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/7.jpg)
What is the best definition of risk?

| Organisation | Definition of risk |
|---|---|
| ISO Guide 73 / ISO 31000 | Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence. |
| Institute of Risk Management (IRM) | Risk is the combination of the probability of an event and its consequence. Consequences can range from positive to negative. |
| COSO ERM Integrated Framework | The possibility that an event will occur and adversely affect the achievement of objectives. |
| AS/NZS 4360:2004 (superseded) | The chance of something happening that will have an impact on objectives. |
![Page 8: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/8.jpg)
Definitions of risk management

| Organisation | Definition of risk management |
|---|---|
| ISO Guide 73 / ISO 31000 | Coordinated activities to direct and control an organisation with regard to risk. |
| Institute of Risk Management (IRM) | Process which aims to help organisations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure. |
| COSO ERM Integrated Framework | A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. |
![Page 9: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/9.jpg)
Strategy – Where are we going?
![Page 10: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/10.jpg)
Your Business Compass
![Page 11: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/11.jpg)
![Page 12: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/12.jpg)
Good Corporate Governance
• Do things right
• Do the right thing
![Page 13: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/13.jpg)
What is Risk Management
Process which aims to help organisations
understand, evaluate and take action on all their
risks with a view to:
increasing the probability of success
and
reducing the likelihood of failure
![Page 14: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/14.jpg)
Why manage risk?
![Page 15: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/15.jpg)
Q: What is the fundamental reason that cars have brakes?
![Page 16: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/16.jpg)
Q: What is the fundamental reason that cars have brakes?
A: So that cars can stop - but they also allow cars to be driven faster
![Page 17: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/17.jpg)
Why manage risk?
Achievement Safeguarding
![Page 18: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/18.jpg)
For discussion…
What events can you
recall that support the
need for a structured
and systematic
approach to risk
management?
![Page 19: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/19.jpg)
Consider the list of disasters identified.
Was this a failure of:
- prediction?
- prioritisation?
- mobilising resources?
For discussion....
Predictable surprise
![Page 20: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/20.jpg)
ISO 31000 overview
Throughout the course we will use ISO 31000 as our core framework.

Principles (Clause 3): risk management
a) creates and protects value
b) is an integral part of organisational processes
c) is part of decision making
d) explicitly addresses uncertainty
e) is systematic, structured and timely
f) is based on the best available information
g) is tailored
h) takes human and cultural factors into account
i) is transparent and inclusive
j) is dynamic, iterative and responsive to change
k) facilitates continual improvement and enhancement of the organisation

Framework (Clause 4):
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5):
• Communication and consultation (5.2), running alongside every step
• Establishing the context (5.3)
• Risk assessment (5.4): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6), running alongside every step

Reproduced from ISO 31000:2009
![Page 21: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/21.jpg)
ISO 31000 overview
(The ISO 31000 principles, framework and process diagram from the previous slide is repeated here.)
![Page 22: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/22.jpg)
Risk management principles
![Page 23: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/23.jpg)
• creates and protects value
• integral part of organisational processes
• part of decision making
• explicitly addresses uncertainty
• systematic, structured and timely
• based on the best available information
Principles for managing risk
![Page 24: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/24.jpg)
• tailored
• takes human and cultural factors into account
• transparent and inclusive
• dynamic, iterative and responsive to change
• facilitates continual improvement
Principles for managing risk
![Page 25: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/25.jpg)
Attributes of effective risk
management
![Page 26: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/26.jpg)
Effective risk management has the following
attributes:
– proportionate
– aligned
– comprehensive
– embedded
– dynamic
What is effective risk management?
“You don’t need a sledgehammer to crack a nut”
![Page 27: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/27.jpg)
![Page 28: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/28.jpg)
Effective risk management is applied at every level of the organisation:
• Strategic / programmes
• Tactical / projects
• Operational / processes
![Page 29: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/29.jpg)
![Page 30: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/30.jpg)
![Page 31: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/31.jpg)
Introduction to key risk
management disciplines
![Page 32: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/32.jpg)
Q: How does enterprise risk management (ERM) differ from risk management?
![Page 33: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/33.jpg)
Q: How does enterprise risk management (ERM) differ from risk management?
A: ERM seeks to:
• include all categories of risk and uncertainty
• consider upside as well as downside
• be comprehensive - applied throughout the organisation
![Page 34: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/34.jpg)
Q: What is governance?
![Page 35: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/35.jpg)
Q: What is governance?
A: The system by which organisations are directed and controlled.
Generic aspects of governance include:
- the rights and duties of owners/shareholders and other stakeholders
- how powers are shared and exercised by directors
- how the holders of power are held accountable for what they do
![Page 36: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/36.jpg)
International development of codes of
corporate governance
• principle-based approach
versus
• prescriptive (rules) based
approach
![Page 37: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/37.jpg)
Q: What is compliance?
![Page 38: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/38.jpg)
Q: What is compliance?
A: Compliance is the set of leadership processes that an organisation establishes to comply with societal, trade, professional and stakeholder needs.
Examples include:
- law
- codes of practice
- contracts
- trade union agreements
- professional standards
![Page 39: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/39.jpg)
Q: What is GRC?
![Page 40: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/40.jpg)
Q: What is GRC?
A: GRC stands for:
• governance
• risk
• compliance
(The slide shows the three as overlapping circles: Risk, Compliance, Governance.)
![Page 41: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/41.jpg)
Risk management process
(The ISO 31000 principles, framework and process diagram from the ISO 31000 overview is repeated here.)
![Page 42: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/42.jpg)
ISO 31000 overview
(The ISO 31000 principles, framework and process diagram from the ISO 31000 overview is repeated here.)
![Page 43: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/43.jpg)
The "Standard" is... ISO 31000
• Identify: objectives, tools
• Set appetite: zero, low, medium, high
• Assess: impact, likelihood
• Treatment: tolerate, treat, transfer, terminate
• Ongoing monitoring: audit & report, incidents, re-assess
![Page 44: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/44.jpg)
Communication and consultation
![Page 45: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/45.jpg)
Communication and consultation
ISO 31000 process (reproduced from ISO 31000:2009), with "communicate and consult" and "monitor and review" running alongside every step:
• Establish the context
• Risk assessment: identify risks, analyse risks, evaluate risks
• Treat risks
![Page 46: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/46.jpg)
Communication
– a continual and iterative process that an organisation
conducts to provide, share or obtain information and to
engage in dialogue with stakeholders
Consultation
– a two-way process of informed communication between an
organisation and its stakeholders on an issue prior to
making a decision or determining a direction on that issue
Stakeholders
– a person or organisation that can affect, be affected or
perceive themselves to be affected by a decision or activity
Communication and consultation
![Page 47: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/47.jpg)
• help to establish the context appropriately
• stakeholders interests understood & considered
• risks adequately identified
• bring expertise together for risk analysis
• ensure different views are considered
• secure support for risk treatment plans
• enhance appropriate change management
• develop appropriate communication plans
Purpose of communication and consultation
![Page 48: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/48.jpg)
Effective communication about risk
• comprehensive and frequent reporting of risk
management performance is an essential element of
organisational governance
• internal and external stakeholders
• communication is upwards, downwards and across the
organisation
• communicate on significant risks and risk management
performance
• how we communicate matters as much as what we
communicate
• link to effective relationship building and behaviours
![Page 49: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/49.jpg)
Establishing the context
Session 2 roadmap: communication & consultation; establish the context; risk assessment; risk appetite and tolerance; risk treatment; business continuity management; monitoring & review
![Page 50: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/50.jpg)
Establishing the context
ISO 31000 process (reproduced from ISO 31000:2009), with "communicate and consult" and "monitor and review" running alongside every step:
• Establish the context
• Risk assessment: identify risks, analyse risks, evaluate risks
• Treat risks
![Page 51: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/51.jpg)
Establishing the context
• External context: what does the world around us look like? what are the drivers and trends?
• Internal context: what are our objectives? what is our capacity? what are our business processes? how do we make decisions?
• Context of the risk management process: what is the process expected to achieve? who will be responsible? what resources will be required?
• Defining risk criteria: what determines whether a risk is acceptable? what determines whether a risk should be controlled? how can we measure our total risks?
![Page 52: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/52.jpg)
How do you Plan Ahead?
![Page 53: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/53.jpg)
![Page 54: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/54.jpg)
Risk assessment
![Page 55: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/55.jpg)
Risk assessment
ISO 31000 process (reproduced from ISO 31000:2009), with "communicate and consult" and "monitor and review" running alongside every step:
• Establish the context
• Risk assessment: identify risks, analyse risks, evaluate risks
• Treat risks
![Page 56: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/56.jpg)
Risk assessment
Risk identification
– what might happen (the event)?
Risk analysis
– how likely is it to happen?
– if it does what might the impact be?
Risk evaluation
– so what!
– is it within our risk appetite and tolerance?
![Page 57: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/57.jpg)
ISO 31000 - The Risk Process
• Identify: objectives, tools
• Set appetite: zero, low, medium, high
• Assess: impact, likelihood
• Treatment: tolerate, treat, transfer, terminate
• Ongoing monitoring: audit & report, incidents, re-assess
![Page 58: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/58.jpg)
Two main types of identification techniques
Forward looking
– brainstorming workshops
– surveys
– expert knowledge
Historic
– statistical analysis (the slide's example: injury statistics)
– trend analysis
Risk categories on the slide's identification grid: Strategy, Market, Commercial, Partners, Plan execution, Technology, Health & Safety (and CSR), Finance
![Page 59: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/59.jpg)
Perspectives to identify KPIs
• Financial
• Marketing & Sales
• Operations
• Employees
• CSR
• Economic
• Compliance
![Page 60: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/60.jpg)
Some risk terminology
• A risk is the effect of uncertainty on objectives
• A hazard is the source of potential harm (a hazard can be a risk source)
• A risk source has the potential, alone or in combination, to give rise to risk. We might also term this cause
• An event is the occurrence or change of a particular set of circumstances
• A consequence is the outcome of an event affecting objectives
Source: ISO Guide 73:2009
![Page 61: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/61.jpg)
Describing a risk
Combines the cause(s), the event(s) and the effect(s):
• Source(s) or cause(s): what? why?
• Event or circumstance giving rise to the uncertainty
• Consequence(s) or effect(s) on objectives
![Page 62: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/62.jpg)
KPI - Financial
Liquidity
- Current Ratio
- Quick Ratio
Financial Strength
- Interest Cover
- Debt to Equity Ratio
Corporate Value
- Dividend/Drawings Yield
![Page 63: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/63.jpg)
Your Risk Register – Step 1
KPI Categories to Risks
Fill in 1 Financial risk
![Page 64: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/64.jpg)
KPI - Marketing & Sales
- Net Promoter Score: "How likely are you to recommend this business to a colleague or friend?"
- Do customer expectations match the service we deliver?
- How involved/emotionally attached are your customers to your organisation?
![Page 65: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/65.jpg)
Marketing & Sales
KPI Categories to Risks
Fill in 1 Marketing & Sales risk
![Page 66: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/66.jpg)
KPI - Operational & Technology
- How suitable and operational is our equipment? How technologically advanced are we?
- Are we realising our full production/work potential?
- How long does it take to fill an order/provide a service?
![Page 67: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/67.jpg)
Operational & Technology
KPI Categories to Risks
Fill in 1 Operational & Technology risk
![Page 68: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/68.jpg)
KPI - Employees
- How well do you protect and support your employees?
- How well does the organisation vet its employees?
- How well are the skills of the employees matched to the needs of the organisation?
- Do you offer and encourage training?
![Page 69: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/69.jpg)
KPI - Employees
KPI Categories to Risks
Fill in 1 risk associated with your Employees
![Page 70: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/70.jpg)
KPI - Corporate Social Responsibility
- Are you compliant with environmental regulations/standards?
- Are your suppliers socially conscious? e.g. Fairtrade for foodstuffs, ethical manufacturers for clothing
- Do your manufacturing facilities meet ethical standards?
![Page 71: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/71.jpg)
Corporate Social Responsibility
KPI Categories to Risks
Fill in 1 Corporate Social Responsibility risk
![Page 72: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/72.jpg)
KPI - Economic
- What would be the financial effect of a change of +/- 1% in the interest rate paid or charged?
- To what extent is our business exposed to the collapse of a particular industry, economy or sector?
- To what extent is our business's customer base exposed to the collapse of a particular industry?
![Page 73: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/73.jpg)
Economic
KPI Categories to Risks
Fill in 1 Economic risk
![Page 74: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/74.jpg)
KPI - Compliance
- Comprehensiveness of the organisation's governance procedures: "What is the effect of the new legislation for your business?"
- To what extent is our organisation open to legal challenge?
![Page 75: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/75.jpg)
Compliance
KPI Categories to Risks
Fill in 1 Compliance risk
![Page 76: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/76.jpg)
Risks aren't always bad
For discussion...
• the outcome of a risk event is not always negative
• think of some examples where a risk event can result in positive or beneficial outcomes
• discuss how the risk wheel and the bow tie technique can be used to identify opportunities
![Page 77: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/77.jpg)
Recap
(The ISO 31000 principles, framework and process diagram from the ISO 31000 overview is repeated here.)
![Page 78: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/78.jpg)
Your Risk Register – Step 1
Positive Risk
Fill in 2 Positive Risks
![Page 79: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/79.jpg)
Risk evaluation -
risk appetite and tolerance
![Page 80: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/80.jpg)
The Risk Process
• Identify: objectives, tools
• Set appetite: zero, low, medium, high
• Assess: impact, likelihood
• Treatment: tolerate, treat, transfer, terminate
• Ongoing monitoring: audit & report, incidents, re-assess
![Page 81: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/81.jpg)
Key terms
• Risk appetite: the amount of risk an organisation is willing to seek or accept in pursuit of its long-term objectives
• Risk tolerance: the boundaries of risk taking outside of which the organisation is not prepared to venture in pursuit of its long-term objectives
• Risk universe: the full range of risks which could impact, either positively or negatively, on the ability of the organisation to achieve its long-term objectives
![Page 82: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/82.jpg)
Key principles
Risk appetite can be complex
– simplification can be attractive but can lead to meaningless approaches
Needs to be measurable
– otherwise appetite statements are empty and useless
– key performance drivers need to be understood
– key risk and key control indicators need to be developed
Not a single fixed concept
– there may be a range of appetites within an organisation
– appetites may vary over time, influenced by changes in the risk and control environment or the benefits to be gained
![Page 83: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/83.jpg)
Key principles
Developed in the context of the organisation’s risk management capability
– an understanding of risk appetite is unlikely to emerge before a level of risk management maturity is reached
Must take into account strategic, tactical and operational levels
– risk appetite needs to be addressed at all levels
Must be integrated into the control culture – linked to both the propensity to take risk (often greater at strategic level) and the propensity to exercise control (more prevalent at operational level)
![Page 84: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/84.jpg)
Why is risk analysis and evaluation important?
• prioritise risks in terms of their significance
• provide some consistency about the perception of significance
• decide how to allocate scarce resources
• decide whether to proceed with a new strategy, project or investment
• inform decisions on risk appetite
![Page 85: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/85.jpg)
Benchmark to determine significance
– Financial – sums involved
– Disruption – length of time
– Reputational – profile
![Page 86: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/86.jpg)
Appetite
Hungry?
Not enough risk
Over Fed?
Too Much Risk
![Page 87: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/87.jpg)
Attitude?
1. That’s Grand
2. Don’t Push It
3. You’re taking the P**s
![Page 88: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/88.jpg)
Appetite – Healthy Eating (Tolerance)
High: Increased sales; Cost efficiency
Medium: Lack of staff expertise & training; Inefficient admin/operations
Low: Not achieving value for money; Unsatisfactory funding
Zero: Severe reputational damage; Compliance failure
![Page 89: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/89.jpg)
Your Risk Register – Step 2
Risk Appetite
Enter High, Medium, Low or Zero beside each of the risks you have identified
![Page 90: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/90.jpg)
Risk profiling – consequence/probability matrix – risk registers
![Page 91: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/91.jpg)
The Risk Process
Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess
![Page 92: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/92.jpg)
Risk matrix
Rows – Likelihood: Probable, Possible, Remote
Columns – Impact: Low, Medium, High
![Page 93: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/93.jpg)
Likelihood
| Estimation | Descriptors | Indicators |
| --- | --- | --- |
| Probable | Likely to occur each year or more than a 25% chance of occurrence | Potential of it occurring several times within the time period (e.g. ten years). Has occurred recently |
| Possible | Likely to occur in a ten-year time period or less than a 25% chance of occurrence | Could occur more than once within the time period (e.g. ten years). Is there a history of occurrence? |
| Remote | Not likely to occur in a ten-year period or less than a 2% chance of occurrence | Has not occurred. Unlikely to occur |
![Page 94: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/94.jpg)
Estimating likelihood – criteria
Within the next 12 months the event is:
Almost certain • Frequent occurrence, > 90% chance
Likely • Regular occurrence, > 60% chance
Possible • Occasional occurrence, > 10% chance
Unlikely • Has never occurred, < 10% chance
![Page 95: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/95.jpg)
Impact
High
Financial impact on the organisation is likely to exceed €x
Significant impact on delivery of the organisation’s strategic or operational activities
Significant stakeholder concern
Medium
Financial impact on the organisation likely to be between €x and €y
Moderate impact on organisation’s strategic or operational activities
Moderate stakeholder concern
Low
Financial impact on the organisation likely to be less than €y
Low impact on the organisation’s strategic or operational activities
Low stakeholder concern
![Page 96: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/96.jpg)
Estimating impact – criteria
| | REPUTATION | FINANCE | SERVICE DELIVERY | COMPLIANCE | SAFETY |
| --- | --- | --- | --- | --- | --- |
| EXTREME | Loss of credibility with key stakeholders; extensive adverse media; external intervention | Financial loss exceeding £/$ ??? | Total sustained disruption to critical services | Intervention by regulator; serious breach of legal or contractual obligation | Fatality (multiple) |
| HIGH | Significant loss of trust; significant adverse media | Financial loss exceeding £/$ ??? | Significant sustained disruption to critical services | Censure by regulator; breach of legal or contractual obligation | Serious injury or ill-health (disabling) |
| MEDIUM | Significant complaints | Financial loss exceeding £/$ ??? | Some short-term disruption to services | Failure to meet recommended best practice | Injury or ill-health resulting in lost time |
| LOW | Isolated complaints | Low-level or no financial loss | Minor disruption to services | Failure to meet internal standards or SLA | Minor injury (no lost time) |
![Page 97: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/97.jpg)
Putting it all together
Risk matrix – cell value = likelihood score × impact score
| LIKELIHOOD | LOW (1) | MEDIUM (2) | HIGH (3) |
| --- | --- | --- | --- |
| PROBABLE (3) – likely to occur each year or more than a 25% chance of occurrence | 3 | 6 | 9 |
| POSSIBLE (2) – likely to occur in a ten year time period or less than a 25% chance of occurrence | 2 | 4 | 6 |
| REMOTE (1) – not likely to occur in a ten year period or less than a 2% chance of occurrence | 1 | 2 | 3 |
IMPACT
LOW: financial impact on the organisation is likely to be less than £x; low impact on delivery of the organisation’s strategic or operational activities; low stakeholder concern
MEDIUM: financial impact on the organisation is likely to be between £x and £x; moderate impact on delivery of the organisation’s strategic or operational activities; moderate stakeholder concern
HIGH: financial impact on the organisation is likely to exceed £x; significant impact on delivery of the organisation’s strategic or operational activities; significant stakeholder concern
![Page 98: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/98.jpg)
Opportunity and risk matrix
[Figure: two-sided risk matrix; axis scale 1:100]
![Page 99: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/99.jpg)
Likelihood & Impact
Likelihood: High, Medium, Low, Zero
Impact: High, Medium, Low, Zero
![Page 100: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/100.jpg)
Risk Score
| Likelihood | Impact | Score |
| --- | --- | --- |
| High | High | High |
| Medium | High | Judgement |
| Medium | Low | Judgement |
| High | Low | Judgement |
![Page 101: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/101.jpg)
Your Risk Register – Step 3
Risk Score
Enter High, Medium, Low or Zero for Impact, Likelihood and risk score beside each of the risks you have identified
![Page 102: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/102.jpg)
Risk evaluation
![Page 103: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/103.jpg)
Evaluate Risk score
Risk score equal to risk appetite → Good
Risk score not equal to risk appetite → Treat
![Page 104: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/104.jpg)
Your Risk Register – Step 4
Do you need to take Action?
Enter
- Yes if your risk score is not equal to appetite
- No if your risk score is equal to appetite
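The scoring procedure above (the likelihood and impact criteria, the 3×3 matrix with cell values 1 to 9, and Steps 2 to 4 of the risk register) as a worked example. This is added code, not the seminar's own material: the cut-offs that collapse the 1..9 cell value into High/Medium/Low, the euro figures standing in for "x" and "y", and the sample register entries are assumptions.

```python
"""Risk register scoring on the seminar's 3x3 likelihood x impact matrix.
Added example, not the seminar's own material: the 1..9 cell values and the
Step 4 rule (act when score != appetite) come from the slides; the band
cut-offs and the euro figures standing in for "x" and "y" are assumptions."""
from dataclasses import dataclass

# Row/column weights: Probable=3, Possible=2, Remote=1; High=3, Medium=2, Low=1.
LIKELIHOOD_WEIGHT = {"Probable": 3, "Possible": 2, "Remote": 1}
IMPACT_WEIGHT = {"High": 3, "Medium": 2, "Low": 1}
APPETITE_RANK = {"Zero": 0, "Low": 1, "Medium": 2, "High": 3}
# Slide placeholders "EUR x" / "EUR y": constructed values for this example.
EUR_X = 100_000  # High impact if the likely loss exceeds this
EUR_Y = 10_000   # Low impact if the likely loss is below this

def likelihood_band(annual_chance: float) -> str:
    """Slide thresholds: > 25% Probable, < 25% Possible, < 2% Remote.
    The slide does not fix the exact 2% boundary; treated as Possible here."""
    if not 0.0 <= annual_chance <= 1.0:
        raise ValueError("annual_chance must be a probability in [0, 1]")
    if annual_chance > 0.25:
        return "Probable"
    if annual_chance >= 0.02:
        return "Possible"
    return "Remote"

def impact_band(likely_loss_eur: float) -> str:
    """Financial criterion only: > x High, y..x Medium, < y Low."""
    if likely_loss_eur > EUR_X:
        return "High"
    if likely_loss_eur >= EUR_Y:
        return "Medium"
    return "Low"

def risk_score(likelihood: str, impact: str) -> int:
    """Matrix cell value 1..9 exactly as printed on the slide."""
    return LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]

def score_band(cell: int) -> str:
    """Collapse 1..9 to High/Medium/Low for Step 3. Assumed cut-offs (the deck
    fixes only High x High = High and leaves the rest to judgement):
    6..9 High, 3..4 Medium, 1..2 Low."""
    if cell >= 6:
        return "High"
    if cell >= 3:
        return "Medium"
    return "Low"

@dataclass
class RegisterEntry:
    risk: str
    appetite: str           # Step 2: Zero / Low / Medium / High
    annual_chance: float    # estimated probability of the event in 12 months
    likely_loss_eur: float  # estimated financial impact if it occurs

def evaluate(entry: RegisterEntry) -> dict:
    """Steps 3 and 4: score the entry, then flag action when score != appetite.
    'direction' says which way the gap runs (over fed vs hungry)."""
    lik = likelihood_band(entry.annual_chance)
    imp = impact_band(entry.likely_loss_eur)
    cell = risk_score(lik, imp)
    band = score_band(cell)
    if band == entry.appetite:
        direction = "within appetite"
    elif APPETITE_RANK[band] > APPETITE_RANK[entry.appetite]:
        direction = "over fed: score above appetite"  # treat/transfer/terminate
    else:
        direction = "hungry: score below appetite"    # room to take more risk
    return {"risk": entry.risk, "likelihood": lik, "impact": imp, "cell": cell,
            "score": band, "appetite": entry.appetite,
            "action": band != entry.appetite, "direction": direction}

# Constructed sample register (not the seminar's case study).
SAMPLE_REGISTER = [
    RegisterEntry("Compliance failure", "Zero", 0.05, 200_000),
    RegisterEntry("Supplier delay", "Medium", 0.10, 20_000),
    RegisterEntry("New product launch (positive risk)", "High", 0.10, 5_000),
]

if __name__ == "__main__":
    for row in map(evaluate, SAMPLE_REGISTER):
        print(f"{row['risk']:<36} {row['likelihood']:<9} {row['impact']:<7} "
              f"cell={row['cell']} score={row['score']:<7} appetite={row['appetite']:<7} "
              f"action={'Yes' if row['action'] else 'No'} ({row['direction']})")
```

A positive risk scored below its appetite comes out as "hungry", which is the deck's cue that the organisation is taking too little risk rather than too much.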
![Page 105: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/105.jpg)
Risk treatment
![Page 106: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/106.jpg)
The Risk Process
Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess
![Page 107: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/107.jpg)
Risk treatment
ISO 31000 process
Establish the context
Risk assessment: Identify risks, Analyse risks, Evaluate risks
Treat risks
Communicate and consult – runs alongside every step
Monitor and review – runs alongside every step
Reproduced from ISO 31000:2009
![Page 108: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/108.jpg)
What is risk treatment?
A process to modify risk (ISO 31000)
Risk treatment (or response) involves:
– the selection of one or more options for modifying risks
– implementing those options
– the treatments then provide controls or modify current controls
Controls include any process, policy, device, practice or other actions which modify the risk
![Page 109: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/109.jpg)
Risk treatment is a cyclical process
– Deciding whether the residual risk level is tolerable
– Assessing the effectiveness of that treatment
– Examining cost and benefit of the treatment
– If not tolerable, generating a new risk treatment
![Page 110: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/110.jpg)
Risk treatment plans (action plans)
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented.
Information should include:
– a description of what the planned action is
– expected benefit(s) to be gained
– performance measurements and constraints
– accountabilities (risk owners and control owners)
– reporting and monitoring requirements
– resourcing requirements
– timing and scheduling
![Page 111: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/111.jpg)
Treatment
Tolerate Treat
Transfer Terminate
![Page 112: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/112.jpg)
![Page 113: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/113.jpg)
Treatment – Step 4
4 T’s
What Treatment could you use?
Enter one or more of the following
- Treat: fill in what you would do to treat
- Transfer: fill in what you would do to transfer
- Tolerate: fill in what you would do to tolerate
- Terminate: fill in what you would do to terminate
![Page 114: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/114.jpg)
Monitoring and review
![Page 115: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/115.jpg)
Monitoring and review
ISO 31000 process
Establish the context
Risk assessment: Identify risks, Analyse risks, Evaluate risks
Treat risks
Communicate and consult – runs alongside every step
Monitor and review – runs alongside every step
Reproduced from ISO 31000:2009
![Page 116: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/116.jpg)
The Risk Process
Identify: Objectives, Tools
Set appetite: Zero, Low, Medium, High
Assess: Impact, Likelihood
Treatment: Tolerate, Treat, Transfer, Terminate
Ongoing monitoring: Audit & Report, Incidents, Re-assess
![Page 117: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/117.jpg)
A process not an event
• T’s: Action Plans & Owners
• Incidents: In line with Appetite?
• Reassess: Once yearly
![Page 118: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/118.jpg)
Purpose of monitoring and review
• ensure controls are effective and efficient
• obtain information to improve risk assessment
• learn the lessons from events
– changes, trends, successes and failures
• detect change to internal or external context or to the risk itself
• identify emerging risks
![Page 119: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/119.jpg)
Key risk and control indicators
KRIs: metrics to help identify changes that could alter the overall assessment of key risk events
KCIs: metrics to help assess the effectiveness of key controls
![Page 120: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/120.jpg)
Workshop exercise
Key risk indicators
For the case study provided identify the metrics that were used or could have been used to indicate a change in the risk environment.
Key control indicators
For the case study provided identify the metrics that were used or could have been used to measure the effectiveness of existing controls.
![Page 121: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/121.jpg)
Things to consider
Define monitoring and review responsibilities
– risk owners
– control owners
– responsibility for the review of the whole process
How frequently should
– risks and their control measures be reviewed?
– the effectiveness of the ERM process be reviewed?
Benchmarking and maturity models
![Page 122: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/122.jpg)
Business continuity management
Session 2: Establish the context – Communication & consultation – Risk assessment – Risk appetite and tolerance – Risk treatment – Business continuity management – Monitoring & review
![Page 123: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/123.jpg)
ISO 31000 overview
Principles (Clause 3)
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation
Framework (Clause 4)
Mandate and commitment (4.2)
Design of framework for managing risk (4.3)
Implementing risk management (4.4)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)
Process (Clause 5)
Communication and consultation (5.2) – runs alongside every step
Establishing the context (5.3)
Risk assessment (5.4.2): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6) – runs alongside every step
Reproduced from ISO 31000:2009
![Page 124: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/124.jpg)
What is a risk management framework?
• a system of leadership, commitment and processes
• foundation for a mutual understanding – to communicate effectively
• an opportunity to gain commitment
• provides direction for all levels of management
Framework (Clause 4): Mandate and commitment (4.2) → Design of framework for managing risk (4.3) → Implementing risk management (4.4) → Monitoring and review of the framework (4.5) → Continual improvement of the framework (4.6)
![Page 125: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/125.jpg)
Embedding risk management
Group Discussion
Think back to previous case histories discussed:
• why did the established control systems fail?
• what do the case studies tell us about the risk culture of the organisation?
• what are the critical factors for embedding risk management?
![Page 126: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/126.jpg)
Embedding risk management
Visible commitment from the top
– articulated and endorsed through a policy and framework for managing risk
– lead through actions – risk-based decision making, aligned with strategic objectives
– clear understanding of the risks to the business. Set risk tolerance and risk appetite
– active support and adequate resource for risk management initiatives
– assurance on the status of key risks (KRIs) and controls (KCIs) sought and followed through
![Page 127: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/127.jpg)
Embedding risk management
An organisational framework to ensure
– clearly defined responsibility and accountability
– training for all relevant stakeholder groups to raise awareness of benefits, establish responsibilities and improve skills in management of risk
– ownership clearly established for risks and key controls
– clearly defined lines for reporting and communication
![Page 128: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/128.jpg)
Embedding risk management
Integration into management processes
– ensure the benefits for business and resource planning are clearly established through integration with the ‘normal’ business planning processes
– integrate into performance management system and establish KPIs
– integrate with reporting and review systems, including internal audit
– include development of risk management skills within leadership and management development programmes
![Page 129: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/129.jpg)
Purpose of a risk management policy
• clear and concise outline of the organisation’s requirements
• providing uniformity and consistency in the risk management process across all operations
• provides a high level overview and description of the risk management process
Session 3
![Page 130: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/130.jpg)
The policy should be…
• developed and owned at board level
• developed with consideration as to how compliance with the policy will be monitored
• reviewed regularly
– annual review
Session 3
![Page 131: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/131.jpg)
Group exercise
What will ERM deliver?
• who are your key stakeholders?
• what do you hope the ERM process will deliver to you and to your key stakeholders?
![Page 132: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/132.jpg)
So what will risk management do for me?
‘The elevator pitch’
1 • protection of company assets
2 • improved stakeholder relationships
3 • reduced volatility
4 • better informed decision making
5 • a framework for control
![Page 133: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/133.jpg)
And finally…
“The greatest risk is to take no risk at all, because if we don’t take risks there’s no advancement, there’s no progress and there’s no profitability.”
Kevin Knight, Chairman, ISO working group on risk management standards
![Page 134: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/134.jpg)
ISO 31000 overview
Principles (Clause 3)
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation
Framework (Clause 4)
Mandate and commitment (4.2)
Design of framework for managing risk (4.3)
Implementing risk management (4.4)
Monitoring and review of the framework (4.5)
Continual improvement of the framework (4.6)
Process (Clause 5)
Communication and consultation (5.2) – runs alongside every step
Establishing the context (5.3)
Risk assessment (5.4.2): Risk identification (5.4.2), Risk analysis (5.4.3), Risk evaluation (5.4.4)
Risk treatment (5.5)
Monitoring and review (5.6) – runs alongside every step
Reproduced from ISO 31000:2009
![Page 135: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/135.jpg)
Institute of Risk Management – education
• Fundamentals of Risk Management
• International Certificate in Risk Management – leads to Certificate membership grade
• International Diploma in Risk Management – leads to Member grade of the IRM
– Fellowship of the IRM is achieved through continuing professional development
• Specialist subjects
– risk management in financial services
– business continuity and crisis management
– information systems risk
![Page 136: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/136.jpg)
References and further reading
• IRM Fundamentals of Risk Management – Paul Hopkin – Kogan Page, £35.00, ISBN: 978-0-7494-5942-0
• British Standards BS 31100 (2008) Risk management – Code of practice, www.standardsuk.com
• COSO Enterprise Risk Management – Integrated Framework (2004) Executive Summary, www.coso.org
• Financial Reporting Council Internal Control: Revised Guidance for Directors on the Combined Code (2005), www.frc.org.uk
• Institute of Risk Management – A Risk Management Standard (2002), www.theirm.org
• International Standard ISO 31000 Risk Management – Principles and guidelines, www.iso.org
• ISO Guide 73 (2009) Risk management – Vocabulary – Guidelines for use in standards, www.iso.org
• British Standard BS 25999-1 (2006) Business continuity management – Code of practice, www.standardsuk.com
• HM Treasury (2004) Orange Book: Management of risk – principles and concepts, www.hm-treasury.gov.uk
• International Standard IEC/FDIS 31010 (2009) Risk Management – Risk assessment techniques, www.iso.org
• Institute of Internal Auditors (2004) The Role of Auditing in Enterprise-wide Risk Management, www.theiaa.org
• Office of Government Commerce (2007) Management of Risk: Guidance for Practitioners, www.tsoshop.co.uk
![Page 137: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/137.jpg)
So to recap…
![Page 138: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/138.jpg)
Ongoing monitoringAudit & Report Incidents Re-assess
TreatmentTolerate Treat Transfer Terminate
AssessImpact Likelihood
Set appetiteZero Low Medium High
IdentifyObjectives Tools
The “Standard” is...ISO 31000
![Page 139: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/139.jpg)
Tutor
• John Crawley
• + 353 1 210 4753
• www.TheFinanceExpert.ie
• Tweet: @AFinanceExpert
![Page 140: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/140.jpg)
THANK YOU
Institute of Risk Management
![Page 141: Risk seminar - john crawley & emer mc aneny](https://reader034.fdocuments.us/reader034/viewer/2022042514/55a571211a28ab2c518b4663/html5/thumbnails/141.jpg)
Bow tie analysis
Causes (left of the knot): Underlying threats → Immediate threats → Control measures
Event (the knot)
Consequences (right of the knot): Recovery measures → Immediate consequences → Ultimate consequences