An Overview of Risk Breakdown Frameworks
Brett.Knowles@RiskScorecard.net  416-766-7684

Establishing your Risk Categories
• The Risk Categories will be used by you and your team as a “memory jogger” to surface risk-related situations.
• There are a number of Risk Category lists – the goal of this step is to find the framework that works best for your organization.
Corporate Risk vs. Regulatory Risks

Duration: The time horizon for a corporate risk profile should typically be in the range of three to five years, whereas regulatory filings are usually for a much longer term or in perpetuity – for example, matters for which lawsuits could be brought by investors in the future.

Types of Risks: Regulatory filings are usually restricted to those areas that would be of interest to investors, customers, employees and other stakeholders. By contrast, “corporate” (internal) risks also include issues that will impact the organization’s performance, success and viability.

Purpose: Corporate risk profiles are prepared to assist in better managing the company. Regulatory filings are usually prepared with both promotional and legal-protection motives. Although these two types of risk descriptions can and should be reconciled, they have different purposes. Yet arguably, they should remain mutually exclusive.

Paraphrased from: Fraser, J.R.S., “How to Prepare a Risk Profile”, p. 171, Chapter 11, Enterprise Risk Management, John Wiley & Sons, 2010
Establishing your Risk Categories
In this session we will use the COSO* categories used in the CMA MAG “Identifying, Measuring and Managing Organizational Risk for Improved Performance”.
* Committee of Sponsoring Organizations of the Treadway Commission
COSO Risk Categories
Source: Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Marc J. Epstein and Adriana Rejc Buhovac, published by The Society of Management Accountants of Canada, the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants, 2005. Adapted from Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004).

The following four slides present the COSO category charts from the same source:
• Strategic Risk
• Operational Risk
• Reporting Risks
• Compliance Risks
RISKS (13 categories vs. COSO’s 22 categories)

OPERATIONAL – INTERNALLY CONTROLLED
• Human Capital
• Facilities & Machine
• Methods & Systems
• Materials & Suppliers

CUSTOMER RELATED
• Demand
• Relationship
• Customer’s Success

ENVIRONMENTAL
• Regulatory & Political
• Natural

FINANCIAL RISKS
• Costs
• Financing
• External Financial Risks
The Institute of Risk Management’s Risk Categories

• Strategic/commercial
  – Under-performance to specification
  – Management will under-perform to expectations
  – Collapse of contractors
  – Insolvency of promoter
  – Failure of suppliers to meet contractual commitments (e.g. quality, quantity, timescales or own risk exposure)
  – Insufficient capital revenues
  – Market fluctuations
  – Fraud/theft
  – Partnerships failing to deliver the desired outcome
  – Situation non-insurable (or cost of insurance outweighs the benefit)
  – Lack of capital investment availability.

• Economic/financial/market
  – Exchange rate fluctuation
  – Interest rate instability
  – Inflation
  – Shortage of working capital
  – Failure to meet projected revenue targets
  – Market developments adversely affect plans.

• Legal and regulatory
  – New or changed legislation invalidates assumptions upon which the activity is based
  – Failure to obtain appropriate approval (e.g. planning, consent)
  – Unforeseen inclusion of contingent liabilities
  – Loss of intellectual property rights
  – Failure to achieve satisfactory contractual arrangements
  – Unexpected regulatory controls or licensing requirements
  – Changes in tax or tariff structure.

• Environmental
  – Natural disasters
  – Storms, flooding, tempests
  – Pollution incidents
  – Transport problems, including aircraft/vehicle collisions.

• Organizational/management/human factors
  – Management incompetence
  – Inadequate corporate policies
  – Inadequate adoption of management practices
  – Poor leadership
  – Inadequate authority of key personnel to fulfill roles
  – Poor staff selection procedures
  – Lack of clarity over roles and responsibilities
  – Vested interests creating conflict and compromising the overall aims
  – Individual or group interests given unwarranted priority
  – Personality clashes
  – Indecision or inappropriate decision making
  – Lack of operational support
  – Inadequate or inaccurate information
  – Health and safety constraints.

• Political
  – Change of government policy, national or international (e.g. approach to nationalization)
  – Change of government
  – War and disorder
  – Adverse public opinion/media intervention.

• Technical/operational/infrastructure
  – Inadequate design
  – Professional negligence
  – Human error/incompetence
  – Infrastructure failure
  – Operation lifetime lower than expected
  – Residual value of assets lower than expected
  – Increased dismantling/decommissioning costs
  – Safety being compromised
  – Performance failure
  – Residual maintenance problems
  – Scope ‘creep’
  – Unclear expectations
  – Breaches in security/information security
  – Lack or inadequacy of business continuity.

Source: The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX, http://theirm.org/publications/documents/ARMS_2002_IRM.pdf
Common Types of Risk
Source: The Institute of Risk Management, 6 Lloyd’s Avenue, London EC3N 3AX, http://theirm.org/publications/documents/ARMS_2002_IRM.pdf

Diagram (labels only; the original chart splits each risk type into externally driven and internally driven risks):
• Financial risks: interest rates, foreign exchange, credit, liquidity & cash flow
• Strategic risks: competition, customer changes, industry changes, customer demand, M&A integration, research & development, intellectual capital
• Operational risks: regulations, culture, board composition, accounting & controls, information systems, recruitment, supply chain
• Hazard risks: natural events, suppliers, contracts, environment, public access, employees, properties, products & services
Kaplan & Mikes Framework
Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012
3 types of risk

Category I: Preventable risks. These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees’ and managers’ unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. This risk category is best managed through active prevention: monitoring operational processes and guiding people’s behaviors and decisions toward desired norms.

Category II: Strategy risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities. Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company’s ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks. Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012
Further reading:
• Business risks fuse with IT risks – The IT megatrends (EY): http://www.ey.com/GL/en/Services/Advisory/IT-Risk-and-Assurance/Business-risks-fuse-with-IT-risks---The-IT-megatrends
• http://www.rmsolutions.ca/