ERM - Prez
Agenda
• Why
• How
• ERM Process
• Key Outcome
b) Risk mitigation measures are robust and the integrity of financial information is ensured; and
c) Appropriate extent of disclosure of the company's risk framework and internal control system in the Directors' report.
Drivers
• BOD Responsibilities
• Objectives: Aggressive
• Strategy: Expansion, fast growth
• Environment: Volatile, integrated
• Culture: Goal-oriented, innovation, taking calculated business risk
• Industry Regulations: Compliance issues
• Corporate Governance Laws: Future impact
Risk, Risk Management & ERM
Definition of Risk
Interest rates
Supply of service/product/resources
Objectives & Risk Levels
• Strategic level (long term): markets, diversification, overseas expansion, competitive strategies
• Operational level (short term): routine activities
Example: Selection of a new IT system is a strategic-level risk.
• Level 1: Ad Hoc: Individual dependent. Risk awareness but no precedence or structure for consistent application.
• Level 2: Initial: Risk management implemented into routine business processes.
• Level 3: Repeatable: Risk management standard and defined processes used across the organization.
• Level 4: Managed: Quantitative risk analysis. Use of risk registers, real options, etc.
• Level 5: Comprehensive: Risk management is used to base both individual decisions and strategic planning on quantified values.
Enterprise Risk Management
Enterprise risk management is a process
- designed to identify potential events that may affect the entity, and
(Diagram: Customers, Financial, Integrity)
Risk Identification
“process of finding, recognizing and describing risks”
(ISO 31000:2009)
• Risk identification involves the identification of risk
sources, events, their causes and their potential
consequences
• Risk identification can involve historical data,
theoretical analysis, informed and expert opinions, and
stakeholders' needs
Risk Identification
When identifying risks, it is important to consider the
following:
– Event: the factor, certainty or uncertainty that may have
consequences for our objectives
» An event can be one or more occurrences, and can have several causes
» An event can consist of something not happening
– Cause: the single or multiple reasons that precipitate the event
– Consequence: the single or multiple effects that the event has on our
objectives when it occurs (may be defined in terms of the worst
case or the best case)
Risk Identification
• The organization should identify sources of risk, areas of impacts,
events (including changes in circumstances) and their causes and
their potential consequences.
• Generate a comprehensive list of risks (events that might create,
enhance, prevent, degrade, accelerate or delay the achievement of
objectives).
• It is important to identify the risks associated with not pursuing an
opportunity.
• Comprehensive identification is critical, because a risk that is not
identified at this stage will not be included in further analysis.
Risk Identification
• Choose suitable risk identification tools and
techniques.
• Select suitable people to identify your
organization’s risks.
• Use your tools and techniques to identify the
risks that could affect the achievement of your
organization’s objectives.
Risk Identification Tools & Techniques
• Questionnaires and Checklists
• Workshops and brainstorming
• Inspection and audits
• Flowcharts and dependency analysis
• HAZOP (Hazard and Operability Studies)
• FMEA (Failure Modes and Effects Analysis)
• SWOT & PESTLE analysis
Risk Identification
When identifying risks, review of the following can help:
– Objectives
– Functional Responsibilities
– KPIs
– Deliverables
– Stakeholder needs analysis
– Performance drivers
– Risk drivers
– Factors most likely to impact objectives
– Past Experiences
– Projects
– Industry Benchmarks
– Risk Categories/Groups
Risk Categories-Examples
– Political or Reputational Risk
– Financial Risk
– Service Delivery or Operational Risk
– People / HR Risk
– Information/Knowledge Risk
– Strategic / Policy Risk
– Stakeholder Satisfaction / Public Perception Risk
– Legal / Compliance Risk
– Technology Risk
– Governance / Organizational Risk
– Privacy Risk
– Security Risk
– Equity Risk
– Patient Safety Risk
EXAMPLES OF RISK
Human resource
• Key employees leaving
• Turnover increasing
• Low employee engagement score
Information Technology
• Systems usage versus capacity
• IT licensing
• Virus attacks
• Data leakage/hacking
Finance
• Increase in financial cost
• Exchange rate hike
• Inaccurate reports
• Receivables default
• Regulatory compliance issues
Risk Identification Template (columns)
• Ref#
• Objective/Deliverable
• Risk (Event Occurring / Not Occurring)
• Category
• Source
• Key Risk Driver/Cause
• Consequences
• Upside Risk/Downside Risk
RISK ANALYSIS
Risk Analysis
“process to comprehend the nature of risk and to
determine the level of risk”
(ISO 31000:2009)
• Risk analysis provides the basis for risk evaluation
and decisions about risk treatment
• Risk analysis can draw on historical data,
theoretical analysis, informed and expert
opinions, and stakeholders' needs analysis.
Risk Analysis
When analyzing risks, it is important to consider the following:
– Consequence (Impact): outcome of an event affecting objectives
» An event can lead to a range of consequences
» A consequence can be certain or uncertain and can have positive or negative
effects on objectives
» Consequences can be expressed qualitatively or quantitatively
» Initial consequences can escalate through knock-on effects
– Likelihood (Probability): the chance of something happening
» Can be defined, measured or determined objectively or subjectively, qualitatively
or quantitatively
– Level of Risk: Magnitude of a risk or combination of risks, expressed
in terms of the combination of consequences and their likelihood
Risk Analysis
Risk equation: Risk Level = Impact × Probability
RISK EVALUATION
Risk Evaluation
“process of comparing the results of risk analysis with risk
criteria to determine whether the risk and/or its
magnitude is acceptable or tolerable”
(ISO 31000:2009)
• Risk evaluation assists in the decision about risk
treatment
– Risk criteria: terms of reference against which the
significance of a risk is evaluated
» Risk criteria are based on organizational objectives, and external and internal context
» Risk criteria can be derived from standards, laws, policies and other requirements
Risk Evaluation
• Base level, without referring to existing controls (inherent risk)
• After accounting for existing controls (residual risk)
– Also involves evaluating the existing controls in
terms of their quantity and effectiveness
Impact vs. Probability
(2x2 matrix: impact on the vertical axis, probability on the horizontal axis)
– High impact, low probability: Medium Risk: Share
– High impact, high probability: High Risk: Mitigate & Control
– Low impact, low probability: Low Risk: Accept
– Low impact, high probability: Medium Risk: Control
(5x5 grid: Risk = I x L, with Impact 1 to 5 on the vertical axis and Likelihood 1 to 5 on the horizontal axis)
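The risk equation, the base-level versus after-controls evaluation and the impact-vs-probability matrix above are all the same calculation applied to a register. The following is an added worked example, not code from the original deck: it scores a small constructed register on the 5x5 scale, places each risk in the slide's four treatment quadrants, and recomputes the level after existing controls. The register entries, the control effectiveness values, the cut-off of 3 for "high" on the 2x2 view, and the simplification that controls reduce likelihood only are all assumptions made for the illustration.

```python
"""Score an ERM risk register: inherent level (Impact x Likelihood),
2x2 quadrant with suggested treatment, and residual level after controls.
Added illustration for the deck's Risk Analysis / Risk Evaluation slides;
register, effectiveness figures and thresholds are constructed assumptions."""
import math
from dataclasses import dataclass, field

SCALE = range(1, 6)   # both axes run 1 (lowest) .. 5 (highest), as on the 5x5 grid
HIGH = 3              # assumption: a score of 3 or more counts as "High" on the 2x2 view


@dataclass
class Risk:
    ref: str
    objective: str          # objective/deliverable the risk is tied to
    event: str              # the event occurring (or not occurring)
    category: str
    impact: int             # 1..5
    likelihood: int         # 1..5, inherent (before controls)
    # existing controls with an estimated effectiveness 0.0 (no effect) .. 1.0 (fully effective).
    # Assumption: controls act on likelihood only; impact is left unchanged.
    controls: dict = field(default_factory=dict)


def level(impact: int, likelihood: int) -> int:
    """Risk level = Impact x Likelihood (the deck's 'IxL')."""
    if impact not in SCALE or likelihood not in SCALE:
        raise ValueError("impact and likelihood must be on the 1..5 scale")
    return impact * likelihood


def quadrant(impact: int, likelihood: int) -> tuple:
    """Place a score on the slide's 2x2 impact-vs-probability grid and
    return (rating, suggested treatment)."""
    high_impact, high_likelihood = impact >= HIGH, likelihood >= HIGH
    if high_impact and high_likelihood:
        return ("High Risk", "Mitigate & Control")
    if high_impact:
        return ("Medium Risk", "Share")
    if high_likelihood:
        return ("Medium Risk", "Control")
    return ("Low Risk", "Accept")


def residual_likelihood(risk: Risk) -> int:
    """Likelihood after existing controls. Each control removes its
    effectiveness share of what is left; round up so a partially effective
    control never optimistically rounds a risk away, and never go below 1."""
    remaining = float(risk.likelihood)
    for name, eff in risk.controls.items():
        if not 0.0 <= eff <= 1.0:
            raise ValueError(f"control {name!r}: effectiveness must be in [0, 1]")
        remaining *= (1.0 - eff)
    return max(1, math.ceil(remaining))


def assess(register: list) -> list:
    """Score every entry at base level (no controls) and after existing
    controls; return rows ranked by inherent level, highest first."""
    rows = []
    for r in register:
        inherent = level(r.impact, r.likelihood)
        res_l = residual_likelihood(r)
        rows.append({
            "ref": r.ref, "event": r.event, "category": r.category,
            "inherent": inherent, "inherent_quadrant": quadrant(r.impact, r.likelihood),
            "residual": level(r.impact, res_l), "residual_quadrant": quadrant(r.impact, res_l),
        })
    return sorted(rows, key=lambda row: (-row["inherent"], row["ref"]))


# Constructed register; the events are taken from the deck's own examples of risk.
REGISTER = [
    Risk("R1", "Protect customer data", "Data leakage / hacking of customer database",
         "Information Technology", impact=5, likelihood=4,
         controls={"MFA on admin access": 0.5, "Quarterly patching": 0.3}),
    Risk("R2", "Retain critical skills", "Key employees leaving", "Human resource",
         impact=3, likelihood=3),
    Risk("R3", "Protect margins", "Exchange rate hike", "Finance",
         impact=4, likelihood=2, controls={"Currency hedging": 0.8}),
    Risk("R4", "Stay licence-compliant", "IT licensing shortfall", "Information Technology",
         impact=2, likelihood=4, controls={"Licence inventory": 0.5}),
    Risk("R5", "Reliable management reporting", "Inaccurate reports", "Finance",
         impact=2, likelihood=2),
]

if __name__ == "__main__":
    for row in assess(REGISTER):
        print(f"{row['ref']} {row['event'][:40]:40} inherent={row['inherent']:2} "
              f"{row['inherent_quadrant'][0]:12} -> residual={row['residual']:2} "
              f"{row['residual_quadrant'][0]:12} treat: {row['residual_quadrant'][1]}")
```

Running it ranks R1 (5 x 4 = 20, High Risk, Mitigate & Control) first; after its two controls the likelihood drops to 2 and the residual level to 10, which moves it to the high-impact/low-probability cell (Medium Risk, Share). R4 moves from Control to Accept once its licence inventory is credited. The ranking is on inherent level so that an evaluator sees the exposure before any reliance is placed on controls whose effectiveness has not yet been verified.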
RISK TREATMENT
Risk Treatment
“process to modify risk”
(ISO 31000:2009)
• Risk treatment can involve
– Avoiding the risk by deciding not to start or continue the activity that gives rise to the
risk
– Taking risk in order to pursue an opportunity
– Removing the risk sources
– Changing the likelihood
– Changing the consequence
– Sharing the risk with another party or parties
• Risk treatment is also termed risk mitigation, risk
elimination, risk prevention and risk reduction
Risk Treatment
Risk treatment is the process of developing, selecting and implementing controls. The purpose of risk
treatment is to modify the risk into an acceptable risk.
Key Players & Responsibilities
Risk management means more than preparing for the worst; it also means
taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada