230 likes | 466 Views
Audit Committee Risk Management Training September 2010. John Allsop Marcus Richards. Introduction. Definition of Risk Management Risk Management Principles & Practice Benefits of Risk Management Current Developments Anecdote. What do we mean by Risk?.
E N D
Audit Committee Risk Management TrainingSeptember 2010 John Allsop Marcus Richards
Introduction • Definition of Risk Management • Risk Management Principles & Practice • Benefits of Risk Management • Current Developments • Anecdote
What do we mean by Risk? • Contemporary Definition – Risk is the “effect of uncertainty on objectives’’. (ISO 31000 - Risk Management Principles and Guidelines (2009) • Uncertainty can be positive or negative.
Traditional view All about threats Risk averse ‘Can’t Do’ Contemporary View About opportunities Risk enabling/managing ‘Can Do’ Towards a balance view of risk
What is Risk Management • The culture, processes and structures directed towards realising opportunities whilst managing adverse effects. • Its purpose is not to eliminate risk, but to understand it so as to take advantage of the upside and minimise the downside.
Risk Management is not • A new responsibility • About eliminating risk • An add-on • A one-off exercise • The universal answer
Why is risk management important? • Good management practice • Achievement of objectives • Opportunities • Assurance to stakeholders
What if we don’t manage our risks? • Corporate failures (private sector) • Step-in (local government) • Project failures • Missed opportunities
The Risk Model • Strategic Risks • High level • Owned at board level • Cross cutting • Operational Risks • Departmental/business unit level • Any risk which is not strategic
Risk Management Process Risk Identification What could happen? How could it happen? Risk Monitoring & Review Ongoing process Reporting Risk Assessment Likelihood? Impact? Risk Profiling Prioritisation Risk Mitigation & Management Accept? Avoid? Reduce? Transfer?
Step 1 - Risk Identification Tools available to identify risk: • PESTLE/SWOT Analysis • Brainstorming/Challenge sessions • Scenario Planning • Audit reports
Step 2 - Risk Assessment Assess each risk in terms of: • Likelihood (frequency/probability) • Impact (Severity)
Risk Score (L x I) 11 – 16 5 – 10 1 - 4 Risk Rating High Medium Low Level of Risk
Impact 1 Minor 2 Significant 3 Serious 4 Major 4 – Very Likely L M H H 3 - Likely L M M H 2 - Unlikely L L M M 1 - Remote L L L L Step 3 - Risk Profiling
Step 4 - Risk Mitigation & Management • Tolerate the risk • Within Ealing’s risk appetite (need to monitor) • Terminate the risk • Quit the operation (often not a real option) • Treat the risk • Reduce likelihood (put in extra controls) • Reduce impact (PR, recovery/continuity plans etc.) • Transfer the risk • Transfer exposure through insurance or to partner organisation
Step 5 – Risk Monitoring & Reporting • Quarterly reporting to Corporate Board and Audit Committee. • Quarterly Corporate Risk Management Forum. • Committee Report template
Risk Registers • Used to document the risk management process • Strategic Risk Register • Operational Risk Register • Project Risk Logs
Benefits of Risk Management • Increased ownership and understanding of risk • Consistent, shared view • Fewer surprises – issues highlighted earlier • Improved and informed decision-making • Visibility and evidence
Current Developments • ISO 31000 - Risk Management Principles and Guidelines (2009) • Enterprise Risk Management • UK Corporate Governnance Code (2010)
And Finally Black Swan Theory – The disproportionate role of high-impact, hard to predict and rare events that are beyond the realm of normal expectations (Taleb 2007)