Australian School of Business
Business Risk Management Week 2
The Risk Management Process
Outline of this Week’s Session
• Key Elements for Effective Risk Management Systems
• The Risk Management Cycle
• Establishing the Risk Context
• Risk Identification
• Analysing Risk
An Integrated Risk Management Process
• Drives an understanding of what risks the business can handle and how to handle them
• Provides a disciplined and structured approach and facilitates a coordinated response to risk management
• Encourages all staff to think about business risks and respond to them quickly
• Assists in promoting and developing a risk-aware culture within the organisation
Integrated Risk Management
• Involves building a set of risk management activities which aim to align:
– strategy
– processes
– people
– technology and know-how
• with the dynamic environment in which the firm is operating, enabling the firm to evaluate and manage the uncertainties it faces.
Key Elements for Effective Risk Management
To achieve effective Risk Management a robust Risk Management Framework is required.
Key Elements of the Risk Management Framework:
• Integrated
• Customised
• Inclusive
• Human and Cultural Factors
• Dynamic
• Structured and Comprehensive
• Best Available Information
• Continual Improvement
What is Risk?
“The effect of uncertainty on objectives. An effect is a deviation from the expected; it may be positive and/or negative, and can address, create or result in opportunities and threats. Objectives can have different aspects and categories and can be applied at different levels. Risk is usually expressed in terms of risk sources, potential events, their consequences and their likelihood.”
Source: AS/NZS ISO 31000:2018
What is Risk? (Cont.)
• Risk is INHERENT in everything we do
• It is about UNCERTAINTY
• Risk is expressed as a combination of:
• The likelihood (probability) of something happening, and
• The impact (consequences) if it does happen
• Choices and actions that we take today will impact on future outcomes
• A balance is required between Risk and Reward
Because elimination of all risk is impossible, we must use the most cost effective approach and implement the most appropriate controls to decrease risk to an acceptable level.
It is not always possible to decrease the amount of risk we face.
[Figure: Benefit plotted against Risk taken, showing three regions: Too little, Optimal, Too much]
What is Risk? (Cont.)
The dichotomy between the roles of rewarded and unrewarded risk
As organisations move from right to left – they move from managing risks that ensure they are compliant to the risks that make them successful as an organisation
Why do we need to Manage Risk?
Every organisation faces internal and external factors which present risk and uncertainty.
Organisations manage risk to some degree, as a minimum, through reacting to events and remedying the consequences.
An effective risk management approach aims to prevent negative events occurring, in a consistent, efficient and coherent way.
Effective risk management is aimed at helping us achieve our objectives.
Establishing the Context
Risk management will only be effective if the organisation considers risk in its own context, particularly regarding:
• The key drivers which impact the ability of the organisation to achieve its objectives
• The complexity and capability of the organisation
• The needs, objectives and goals for risk management in the organisation
• The culture, systems and existing processes of the organisation
• Impacts of relationships and perceptions of stakeholders
The Risk Management Cycle
Establishing the Risk Context
Risk Management - Establishing the Context
During this step of the Risk Management process the following needs to be established:
• Internal Context
• External Context
• Risk Management Context
• Develop Criteria
• Define the Structure
The Risk Management Context
• Strategic Context (external influences)
– The environment in which the organisation operates
– Involves a determination of what the stakeholders demand from the organisation
– Affected by legal, cultural, political and social factors
– Will influence and be influenced by the organisation’s reputation
• These help to shape decisions on what risks are desirable
• Organisational Context (internal influences)
– The organisation’s capabilities
– Objectives and strategies in response to stakeholder demands
– Policies and goals
– The risk culture of the organisation
– The extent of senior management commitment to the risk management process
• These help to shape decisions on what risks are acceptable
The Risk Management Context (Cont.)
• The Risk Management Process Context
– The role of risk management in achieving organisational goals
– The dynamics of the risk return trade-off
– The extent to which risk management practices promote value creation
– The extent of the integration of risk management into organisational and staff KPIs
• These help to shape decisions on what risks are manageable
Establishing the Risk Context in a Project
• Some Key Questions that might help in this process
– What are the major outcomes expected?
– What are the major threats and opportunities?
– What are the major strengths and weaknesses?
– Who are the major stakeholders?
– What are the significant factors in the external and internal environment?
– What is the best way of establishing the risk identification process?
The Risk Identification Process
Concept Discussion
The Process of Risk Identification
• The task of identifying risks is a never-ending task. Why?
• Who do you consider should be responsible for identifying risk and why?
The Importance of Identifying Risks
• Risk Treatment is only effective if the underlying risk has been properly identified in the first place
• Many risk treatments may be unnecessary - identify internal or natural hedges
– e.g. Hedging an FX risk if we already have the required amount of foreign currency
– e.g. Insurance against defective product (say warranty claims) may be unnecessary if our supplier contracts adequately cover this risk.
Identifying a Risk Event – Key Questions
• What is the outcome we are expecting?
• What can go right or wrong?
• What could be the impact on our plans or targets?
• When, Where, Why and How is the risk(s) likely to occur?
• Who might be involved or impacted, and who needs to be informed or consulted?
• What actions are required?
• What could cause actions to be ineffective?
Identify Risk
The identification of risk can be separated into two distinct phases:
• Initial Risk Identification
• Continuous Risk Identification
The risk identification process needs to be an integral part of decision making as well as be linked to the overall business strategy, planning and change management processes of an organisation.
Identify Risk (Cont.)
[Figure: bow-tie diagram of a Risk Event]
What is causing the risk (Drivers, Sources, Behaviours) -> Risk Event -> Potential Consequences (Safety, Schedule/Time, Social Outcomes, Performance, Political, Cost, Reputation, Compliance)
Prevention Controls – What can we do to prevent the risk from occurring
Recovery Controls – If a risk does occur, what can be done to address the risk event
Identify Risks – Sources and Categories
Risk categories:
• Legal/Regulatory
• Environmental
• Human Resources
• Program/Project
• Reputation
• Strategic
• Operations
• Financial
Risk Identification Tools
• Surveys
• Audit or inspection
• SWOT analysis
• Brainstorming
• Incident analysis
• Process maps
• Local & overseas experience
• Generating scenarios
• Focus groups, workshops
• Judgements of experts
Formal Approaches to Identifying Risk – Vaughan
• Based on Past Losses – Once a loss is incurred, procedures are established to prevent a recurrence
– at best post the event and ad hoc
• Safety Systems Approach – A systematic approach to the review of processes designed to identify what could go wrong
– designed to be proactive
Capturing Risk Information – Risk Register
• A risk register is a useful tool to capture risk information (e.g. identified risks, risk assessments, as well as the assumptions identified during the establishing the context phase)
• Typically, the following information is captured in a risk register:
– Risk Description
– Risk Likelihood Rating
– Risk Consequence Rating
– Link to Strategic Objectives
– Treatment Plan(s)
– Risk Owner
– Contributing Factors
– Internal & External Context
– Existing Mitigating Controls
Next Steps in the Risk Management Process
Once we identify the risks that we face we need to:
• Measure the potential effects or impacts of those risks
• Assess whether the risks are tolerable or acceptable
• Implement risk management action or treatment if risks are not tolerable
• Monitor the outcome of risk management actions in the light of our intended position, identifying:
– whether the risks have been effectively managed
– whether new risks have been created in the process
Analysing Risk
Analyse Risks
After identifying the wide range of risks that exist, they need to be analysed.
Depending on the type of risk, sources of information to support risk analysis may include:
• Past records and experiences
• Industry information and experience (local and overseas)
• Relevant published literature such as journals and research
• Market research
• Specialist and expert insights
Analyse Risks (Cont.)
Two methods for risk analysis
Qualitative risk analysis - expressed in terms of degrees of exposure and likelihood, and seriousness of consequence
Quantitative risk analysis – based on hard data suitable for statistical and probability analysis
Analyse Risk – Techniques
Qualitative Analysis
• Analysis based on records of the operation
• Checklists and questionnaires
• Stakeholder feedback
• Event trees
• Flowcharts
• Physical inspections
• SWOT analysis
Quantitative Analysis
• Computer modelling
• Event tree and fault tree analysis
• Hazard and operability (HAZOP) studies
• Hazard indices
• Consequence and likelihood analysis (this is a combination of both qualitative and quantitative methods)
• Statistical analysis
Analyse Risks – Inherent or Residual?
Inherent Risk - "the risk without considering internal controls" or alternatively "a raw risk that has no mitigation factors or treatments applied to it".
Residual Risk - "the level of risk remaining after the relevant controls have been applied".
Analyse Risks – Inherent Risk and Controls
• It can be difficult to assess inherent risk, as there are always some pre-existing controls in place.
• These pre-existing controls are often referred to as "base-line" controls.
• Base-line controls are those controls where it would be reasonable to expect that they would exist in the inherent environment without any specific action being undertaken by the organisation.
• In contrast, a control is "a specific action taken by the organisation with the objective of reducing the risk". Applying controls leads to the residual risk position. This will be covered in Week 8.
Analyse Risks – Inherent & Residual Risk
[Figure: risk exposure management. Inherent Risk is reduced by Existing Effective Controls to the Actual Residual Risk Ranking; a Treatment Plan then reduces it further to the Desired Residual Risk Ranking (Tolerable Residual Risk).]
Analyse Risk - Consequence Rating
The simplest approach to capturing consequence is to use a consequence scale.
It’s important to realise that there is no ‘one size which fits all’.
Consequence can be captured utilising the following criteria:
• Financial
• Regulatory / Legal
• Reputation & Image
• Health & Safety
• Environment & Stakeholders
• Human Resources
Analyse Risk – Consequence Rating (Cont.)
Criteria by rating (Financial; Regulatory/Legal; Reputation & image; Health & safety; Environment & stakeholders; Human Resources):

Extreme (5)
– Financial: Budget blow-out in excess of 15% of net cashflow in the next two years.
– Regulatory/Legal: Significant legal, regulatory or internal policy failure.
– Reputation & image: Ongoing national/regional media exposure. Extensive ongoing publicised attention from numerous or significant key stakeholders.
– Health & safety: Loss of life or permanent incapacitation of staff, agents or public.
– Environment & stakeholders: Extreme environmental harm likely to be irreversible. Stakeholder and/or community outrage.
– Human Resources: Unplanned loss (or extended absence) of senior team member/s in combination.

Major (4)
– Financial: Budget blow-out between 11 - 15% of net cashflow in the next two years.
– Regulatory/Legal: Major legal, regulatory or internal policy failure.
– Reputation & image: Extensive ongoing local media exposure. Repeated ongoing publicised attention from numerous or significant key stakeholders.
– Health & safety: Serious injury or incident which requires hospitalisation; incomplete rehabilitation achieved.
– Environment & stakeholders: Major environmental damage that can be rectified. High profile stakeholder concerns raised.
– Human Resources: Unexpected loss (or extended absence) of a number of key members with specialist knowledge.

Moderate (3)
– Financial: Budget blow-out between 7 - 10% of net cashflow in the next two years.
– Regulatory/Legal: Limited legal, regulatory and internal policy failure.
– Reputation & image: Isolated local media exposure. Attention from a limited number of key stakeholders with restricted publicity.
– Health & safety: Injury or incident requiring medical attention with full rehabilitation achieved.
– Environment & stakeholders: Moderate environmental harm that can be easily rectified.
– Human Resources: Unexpected loss (or extended absence) of a key member with specialist knowledge.

Minor (2)
– Financial: Budget blow-out between 5 - 6% of net cashflow in the next two years.
– Regulatory/Legal: Minor legal, regulatory and internal policy failure.
– Reputation & image: Local media exposure. Isolated attention from one key stakeholder or a number of minor stakeholders with little or no publicity.
– Health & safety: Minor injury or incident which requires medical treatment and lost time >1 week.
– Environment & stakeholders: Immaterial environmental/community issue requiring some action.
– Human Resources: Unexpected loss (or extended absence) of a single staff member.

Notable (1)
– Financial: Negligible impact to cashflow.
– Regulatory/Legal: Insignificant legal, regulatory or internal policy failure.
– Reputation & image: No media exposure. Isolated attention from a minor stakeholder with no publicity.
– Health & safety: Minor incident requiring medical attention.
– Environment & stakeholders: Incident that is notified to management but does not require action.
– Human Resources: Short-term loss of resources to the project.
Analyse Risk - Likelihood Rating
• Likelihood might be expressed as:
• a percentage;
• using a timing factor; or
• using a qualitative scale (e.g. almost certain, likely, possible, etc.).
Analyse Risk - Likelihood Rating (Cont.)
Descriptor / Description / Description of Timing:

Almost certain
– Description: The event is expected to occur.
– Timing: The event is almost certain to occur in most circumstances, say many times a month.
• There is a high level of recorded incidents and strong anecdotal evidence to support it
• There is strong likelihood the event will reoccur

Likely
– Description: The event will probably occur.
– Timing: The event is likely to occur in most circumstances, say once a year.
• There are regular recorded incidents and strong anecdotal evidence to support it

Moderate
– Description: The event might occur at some time.
– Timing: The event may occur at some time, say once in five years.
• In the past five (5) years there are few, infrequent, random recorded incidents or little anecdotal evidence identified to support the likelihood
• There are some incidents in other States, associated or comparable organisations, facilities or communities

Unlikely
– Description: The event could occur.
– Timing: The event could occur in some circumstances over a ten year timeframe.
• In the past 10 years there have been a couple of recorded incidents or anecdotal evidence to support the likelihood
• There are very few incidents in other States, associated or comparable organisations, facilities or communities

Rare
– Description: The event may occur in some exceptional circumstances.
– Timing: The event could occur in rare circumstances, maybe once every 10 years.
• In the past 10 years there have been no recorded incidents or anecdotal evidence to support the likelihood
• There are no recent incidents in other States, associated organisations, facilities or communities
Evaluate Risks
• This step of the Risk Management process focusses on risk prioritisation
• Prioritisation of risks is critical given organisations have a limited amount of resources available to commit to managing risks
• Two tools are used to evaluate risks:
• Risk Matrix
• Risk Appetite
Risk Matrix
Rows: Likelihood. Columns: Consequences (rating 1 to 5). Cells: L = Low, M = Medium, H = High, E = Extreme.

Likelihood            Notable 1   Minor 2   Moderate 3   Major 4   Extreme 5
A (almost certain)       M           H          H           E          E
B (likely)               M           M          H           H          E
C (moderate)             L           M          M           H          H
D (unlikely)             L           L          M           M          H
E (rare)                 L           L          L           M          M
Risk Level Descriptors
• Extreme Risk: Risk Committee/Executive/Senior Management need to be informed and involved in the decision-making to accept/mitigate the risk.
• High Risk: Senior executive management attention needed and management responsibility specified.
• Medium Risk: Manage by specific monitoring or response procedures.
• Low Risk: Manage by routine procedures, unlikely to need specific application of resources.

• Using the Risk Matrix, the level of risk can be established
• Each risk level will have specific actions required to be undertaken
• Using the risk level definitions, the appropriate action to manage the risk can be undertaken
Evaluate Risks – Risk Appetite
• The level of risk identified can be used to take appropriate action based on an organisation’s risk appetite
• It is important to align the risk level attributed to an identified risk against an organisation’s risk appetite to ensure alignment
• In general, if there is an inconsistency, the risk appetite associated for that identified risk’s risk class will prevail over the risk level
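As an added example (not part of the lecture slides), the following Python scores constructed risk register entries with the 5x5 matrix and risk level descriptors shown above, derives inherent and residual risk levels, and flags entries whose residual level exceeds an assumed per-class risk appetite. The register fields, sample risks and the appetite table are all assumptions for illustration.

```python
"""Risk register scoring against the Week 2 risk matrix (added example)."""
from dataclasses import dataclass, field

# Risk matrix from the slides: rows are likelihood A-E, columns are
# consequence ratings 1 (Notable) .. 5 (Extreme); cells are L/M/H/E.
RISK_MATRIX = {
    "A": "MHHEE",  # almost certain
    "B": "MMHHE",  # likely
    "C": "LMMHH",  # moderate
    "D": "LLMMH",  # unlikely
    "E": "LLLMM",  # rare
}
LEVEL_ORDER = {"L": 0, "M": 1, "H": 2, "E": 3}
LEVEL_ACTION = {  # risk level descriptors from the slides (abridged)
    "E": "Risk Committee/Executive involved in accept/mitigate decision",
    "H": "Senior executive attention; management responsibility specified",
    "M": "Manage by specific monitoring or response procedures",
    "L": "Manage by routine procedures",
}

def risk_level(likelihood: str, consequence: int) -> str:
    """Return the matrix cell (L/M/H/E) for a likelihood/consequence pair."""
    if likelihood not in RISK_MATRIX or not 1 <= consequence <= 5:
        raise ValueError(f"invalid rating {likelihood}/{consequence}")
    return RISK_MATRIX[likelihood][consequence - 1]

@dataclass
class RiskEntry:
    """One register row (assumed subset of the Risk Register slide fields)."""
    description: str
    risk_class: str
    owner: str
    inherent_likelihood: str    # A..E, before considering controls
    inherent_consequence: int   # 1..5
    residual_likelihood: str    # A..E, after existing effective controls
    residual_consequence: int   # 1..5
    existing_controls: list = field(default_factory=list)

# Assumed risk appetite: highest residual level tolerated per risk class.
RISK_APPETITE = {"Financial": "M", "Compliance": "L", "Operations": "H"}

def evaluate(entry: RiskEntry, appetite: dict = RISK_APPETITE) -> dict:
    """Derive inherent/residual levels and whether treatment is required."""
    inherent = risk_level(entry.inherent_likelihood, entry.inherent_consequence)
    residual = risk_level(entry.residual_likelihood, entry.residual_consequence)
    tolerated = appetite[entry.risk_class]
    # The appetite for the risk class prevails: residual above it needs treatment.
    needs_treatment = LEVEL_ORDER[residual] > LEVEL_ORDER[tolerated]
    return {"inherent": inherent, "residual": residual, "tolerated": tolerated,
            "needs_treatment": needs_treatment, "action": LEVEL_ACTION[residual]}

# Constructed sample register entries (illustrative only).
REGISTER = [
    RiskEntry("Supplier payment fraud via invoice tampering", "Financial", "CFO",
              "B", 4, "D", 3, ["dual approval on payments"]),
    RiskEntry("Privacy breach notification obligation missed", "Compliance",
              "Legal", "C", 4, "D", 3, ["breach response runbook"]),
]

def entries_needing_treatment(register=REGISTER) -> list:
    """Descriptions of entries whose residual level exceeds the risk appetite."""
    return [e.description for e in register if evaluate(e)["needs_treatment"]]
```

Running `evaluate` over the register gives each entry its matrix level before and after existing controls, so the gap to the treatment plan is visible per risk class.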
Risk Treatment
• The next step in the process is to determine the appropriate treatments for dealing with different types of risk.
• This involves deciding the general strategy or strategies to be adopted, then devising treatment plans to implement the chosen strategy(ies)
• Treatment plans chosen need to be checked against the organisation’s risk appetite to ensure appropriateness
• Factors involved in deciding treatment options include:
• Cost effectiveness
• Administrative simplicity
• Interaction with existing risk treatment controls
Monitoring & Review
• Programs and processes change, as may the political, social and legal environment
• Regular monitoring and review will identify potential trouble spots.
• Monitoring and review of an organisation’s risk framework includes both the risks identified, and the effectiveness of your framework.
• It also includes the identification of emerging or looming risks as well as any changes to existing risks
Monitoring & Review (Cont.)
There are 5 key questions to ask when monitoring and reviewing your risks:
1. Are the risk mitigating strategies effective in minimising the risks and how might improvements be made?
2. Are the risk mitigating strategies comparatively efficient/cost effective?
3. Do the performance indicators address the key elements for risk mitigating strategies?
4. Are the assumptions you made about the environment, technology and resources still valid?
5. Do risk mitigating strategies comply with legal requirements, government and organisation policies, including access, equity, ethics and accountability?
Communication
1. Ensures that everybody understands what the organisation’s risk strategy is, what the risk priorities are, and how their particular responsibilities in an organisation fit into that framework.
2. Ensures that transferable lessons are learned and communicated.
3. Ensures that each level of management receives appropriate and regular assurance about the management of risk.
4. Communication should also include consideration of external stakeholders. This will ensure all relevant and appropriate information is shared with key stakeholders.
Communication Methods
• Training of staff managed and recorded according to an established system. Training may include:
• induction
• formal training
• in-house training
• coaching or mentoring
• information sessions provided by external consultants.
• Ongoing discussions at staff meetings
• Policies and procedures
• Reporting