690 likes | 1.17k Views
Session. Organisational Processes Risk. Session Outline. Risk Profile Operations Risk IT Risk Financial Risk Integrity Risk Risk Appetite Empowerment Risk. This Week. Weekly Activity: Disaster Recovery Plan
E N D
Session Organisational Processes Risk
Session Outline • Risk Profile • Operations Risk • IT Risk • Financial Risk • Integrity Risk • Risk Appetite • Empowerment Risk
This Week • Weekly Activity: Disaster Recovery Plan • Thinking about your own workplace, comment on the effectiveness of their risk analysis. Consider also such questions as: • What else should be included? • Do you think that they could recover from a serious IT disaster? • Choose two of the threats or risks that you identified in the above activity. Develop a disaster recovery plan for those risks addressing the RM Framework elements.
Black Swan Events • Rareoutside the boundsof known likelihoods • Unpredictableunable to anticipate • Severeunprecedented impact • Eventgood or bad * Taleb, N. (2007), The Black Swan.
Black Swan Disasters • Challenger (7) / Columbia (7) • Deepwater Horizon (11) • Texas City (15) • Chernobyl (>56) • United 232 (108) • Kansas City Hyatt (114) • Piper Alpha (167) • Herald of Free Enterprise (186) • Tenerife (583) • Bhopal (>2200) * Numbers in parentheses denote number of fatalities on each occasion.
Topic Example Video • The following video is a documentary on the Piper Alpha disaster in the North Sea. What were the organisational risks that contributed to the disaster? What could have done to avoid this? • Take note of the key points. • http://www.youtube.com/watch?v=7VXHiQ0bViU
Organization “Human Performance is its goal and its test.” --Peter Drucker “Management: Tasks, Responsibilities, Practices” ManagementSystems LeadershipPractices Local Factors(drivers) “We cannot change the human condition, but we can change the conditions under which people work.” --James Reason “Managing the Risks of Organizational Accidents” HumanPerformance
Organisational Risk • The most risky aspects of an organisation often lie within its culture (behaviour, power, motivation, etc). • Despite all the efforts to produce fully harmonized, culture-sensitive 'learning organizations' (e.g. through TQM, business process re-engineering and culture change programmes), there often remains a significant gap between recognising risk issues and implementing changes. • Such a gap is maintained by power and cultural factors which usually go unnoticed within the organisation.
Process Risk • Process risk is the risk that the processes within a company do not perform efficiently or effectively in meeting business objectives or do not protect the physical, financial, intellectual, or information assets they use or consume. • The five subsets of process risk are as follows: • Operations Risk • Empowerment Risk • Information Processing/Technology Risk • Integrity Risk • Financial Risk
Operations Risk • Operations risk is an unexpected flaw in the value chain that prevents it from functioning as planned. • Examples include customer satisfaction, human resources, product development, efficiency, etc.
Empowerment Risk • Empowerment risk is the risk that company personnel will have insufficient authority, responsibility, training, or incentive to execute the value chain process. This type of risk affects the value chain process by affecting human productivity. • Examples include leadership, authority, outsourcing, performance incentives, etc.
Information Technology Risk • Information processing or technology risk is the risk that a company will not completely, accurately, and promptly capture, process, and record all the data needed to monitor its economic transactions and related performance. • Examples include access, integrity, relevance, availability, and infrastructure.
Integrity Risk • Integrity risk is the risk that employee or manager fraud, illegal acts, or a breakdown of the value chain will negatively affect the company’s performance or its reputation. • Examples include management fraud, employee fraud, illegal acts, unauthorized use, and reputation.
Financial Risks • Financial risks are the uncertainties businesses face in managing commodity price changes, cash flows, collection of receivables, and repayment of debts. • Examples include price (interest rate, currency equity commodity, financial instrument), liquidity (cash flow, opportunity cost, concentration), and credit risk (default, settlement, collateral).
Risk Management Basics • Risk (uncertainty) may affect the achievement of objectives. • Effective mitigation strategies/controls can reduce negative risks or increase opportunities. • Residual risk is the level of risk after evaluating the effectiveness of controls. • Acceptance and action should be based on residual risk levels. INHERENT Slide 19
Key Risk Indicators (KRIs) Strategy & objectives Risk Cause Consequence KRI Performance KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
Step 1 Step 2 Step 3 Step 4 Step 5 Establish Objectives Identify Risks & Controls Assess Risks & Controls Evaluate & Take Action Monitor & Report A Simple Framework Communicate, learn, improve
Embedding risk at all levels • Risk management should not be a matter for strategic level, but should cut across at all levels of management from strategic to tactical to operational; • All employees in whatever area of operation and in whatever activity, their processes and procedures should embody risk management
Embedding risk at strategic level • The Board should champion the process of risk management; • Corporate and Business strategies must be aligned to management processes; articulating and communicating organisation’s risk management attitude and philosophy in mission statement and strategic objectives • An enterprise wide approach should be implemented
Embedding at strategic level • A Board committee, usually the Risk Committee should have an oversight over the risk processes; • A facilitating executive, Chief Risk Officer, should coordinate the risk management function; • Risk Register should continually be reviewed and made relevant to environmental changes and organisation’s risk appetite;
Embedding at strategic level • Decision making at Board level should embrace risk management e.g. the Board papers should discuss risk implications for proposal made to Board for its decisions. Risk management should be part of the way business is done in the organisation; • Board induction should include risk management training and awareness of all risks including those specific to the industry and the organisation;
Embedding at strategic level • Board performance evaluation should include attitude towards risk; • Internal Review and External Audit should analyse the implementation of risk management strategy
Embedding at Tactical level • The implementation and review of functional plans should embody risk management e.g. identification and management of technological risks by I.T department; H.R department checking compliance with labour laws in recruitment and termination of jobs etc; • Complying with risk policies e.g. insurance of insurable assets;
Embedding at tactical level • Employment of internal and external benchmarking and assessing feedback information; • Assessment of performance against set targets and analysis of variances; • Ongoing training of departmental heads on risk management; • Departmental reporting which includes risk reporting.
Embedding at operational level • Ensure that all procedures cover issues on reporting exceptional issues; • Ensure that tasks and procedures cover risk issues such as safety and health; • Ensure that job descriptions include risk issues • Make sure that risk warnings and disclaimers are made at all areas where there is potential risk • Execute ongoing training programmes to all staff on risk management and risk processes in place
Refreezing embedded risk culture • Culture clarifies the kind of behaviour acceptable in an organisation. • Single-handedly elevating ethics, corporate governance to the top board’s agenda is not sufficient if the desired culture is not part of the air people breathe in the organisation e.g. Enron, Worldcom etc • Risk management should not be mere ‘box ticking’ but the Board should put processes in place to ensure that risk management ethos permeate at all levels • New signs, new warning colours, new myths/stories, new reports emphasizing risk (culture web) etc should be the order of the new day
Chronic Sense of Uneasiness An attitude of mindfulnessregarding one’s capacity to err and the presence of hidden threats; preoccupationwith failure --how you perceive, think, feel, and behave toward hazards-- “When you stop being scared, you start making mistakes.” -- unknown
Efficiency/Thoroughness Trade-Off • People routinely make a choice between being efficient (productive / less effort) and being thorough (safe / reliable), since it is rarely possible to be both at the same time. • If demands for productivity arehigh, thoroughness is reduceduntil productivity goals are met. • If demands for safety are high,efficiency is reduced until thesafety goals are met. * Hollnagel. E. (2009), The ETTO Principle, Efficiency-Thoroughness Trade-Off.
Review of Risk Processes • Annually the risk processes need review with the view that it continues to: • Cover all the important areas of business risks; • Be simple and understandable to all involved; • Be aligned to strategic changes; • Be in line with recommendations of auditors; • Be embracing development in corporate governance (practice, laws, regulations etc); • Promote rather than inhibit business and competitive advantage; • Encompass the lessons learnt from post implementation
Review of Risk Processes • Risk appetite and policies will need regular review • The risk management system must be in line with the speed of development of the people. If the people feel that risk processes are not helping them to stretch their abilities and business acumen, they will ignore the system; • A common language of risk management must be developed and communicated effectively across the organisation.
Key Success Factors • Support of Board and senior management team; • Risk awareness cuts across all levels and is part of the culture of the organisation; • There are structures to support risk management e.g. Risk Department; • All departments own risk management processes; • Risk management processes are well understood and accepted by all (simplicity).
Risk Profile • The risk profile is a snapshot of the organisation's operating environment and its capacity to deal with key high-level risks and opportunities linked to the achievement of corporate objectives and results. There are three outcomes as a result of developing the risk profile: • Threats and Opportunities are identified. • Current status of risk management within the organisation is assessed and recognised in order to plan risk management strategies. • The organisations risk profile is defined – key risk areas, risk tolerance, ability and capacity to mitigate as well as learning needs
Risk Profile • Organisations take stock of their operating environment, identify key risks, and review the organisation's capacity to deal with these risks. • The International Standard in Risk Management ISO31000 best represents this process. • The stages of Risk Identification, Risk Analysis, Risk Evaluation and Treatment of that standard describe the processes that lead to describing the Risk Profile of an organisation.
What is Risk Appetite? • Risk appetite can be defined as the amount of risk that an organisation broadly is prepared to accept in pursuit of value. • In other words, for an organisation to achieve it’s strategic objectives, it’s not only the risk it is prepared to accept in this pursuit but also the total impact of that risk on the organisation. • Risk appetite goes to the very core of how the organisation does and will do business. • Consequently, how it is perceived by its key stakeholders is a function of the organisation’s risk appetite.
What is Risk Appetite? • Risk appetite is not just defined by a statement that outlines the decision making factors of a business, but rather it effectively communicates how it relates to the established components and elements of the organisational as well as how it is to be understood throughout the organisation.
Risk Appetite Characteristics • Reflective of strategy (objectives, plans expectations) • Reflective of key business aspects • Willingness & capacity to take on risk acknowledged • Documented as a formal risk appetite statement • Considers the skills, resources and technology required to manage and monitor risk exposures in the context of risk appetite • Is inclusive of a tolerance for loss or negative events that can be reasonably quantified • Periodically reviewed as part of evolving market and industry conditions
Determining Risk Appetite Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives?(e.g. gross profit vs. market share?)
RM – Organisational Questions • Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same? • Have we assessed the likelihood and impact of our risks? • Have we identified the sources and causes of our risks? • How well are we managing our risks? • Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
RM – Organisational Questions • Who is accountable for these risks? • How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system? • Are we taking too much risk? Or not enough risk? • Are the right people taking the right risks at the right time? • What’s our culture? Are we risk adverse or are we risk-takers? Or are we somewhere in between?
Risk Appetite Management Tools Note: To find a listing of the risk management tools appropriate for dealing with a potential loss, see the box corresponding to the severity and frequency of the potential loss.
Effort vs. Importance Importance Effort Expended Latent System Weaknesses Human Failure Equipment Failure Currently? Actual? * Adapted from Kletz, T. (2001), An Engineer’s View of Human Error (3rd ed.); p.127..
Be Vigilant! The causes oftomorrow’s events exist today! Latent SystemWeaknessesAccumulate!