Determining Where Resources Are Most Needed


Presentation Transcript


  1. Determining Where Resources Are Most Needed: The Concept of Risk

  2. Achieving Impact in Auditing

  3. The Concept of Risk My early audits: • Park chair audit. • Book of remembrance entries. • Car park income.

  4. What Is Risk? Does It Really Matter?

  5. WHY DOES IT MATTER? “When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident in any sort worth speaking about. I have seen but one vessel in distress in all my years at sea... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort” from a paper presented by EJ Smith, 1907

  6. IT MATTERS! On 14 April 1912, HMS Titanic sank with the loss of 1500 lives... One of which was its captain, E J SMITH

  7. But does any of this really matter NOW?

  8. Risk Management Casualties. • Barings • BCCI • Hoover • Sumitomo Bank • Enron • World Com. • Parmalat Andersons

  9. Pressures • Greater transparency • Better governance • Better ethical standards • Need for early warning systems • Demands for higher quality services • New legislation • Systems reform/project management

  10. What Is Risk? Definition of Risk: The threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies successfully. Source: The Economist Intelligence Unit

  11. Business Risk Definition 2: The chance of something happening that will have an impact on business objectives. Source: Aus/NZ Risk Mgt Standard

  12. Surprises: Any organization that has encountered unwelcome surprises or unexpected losses will realize that most were preventable. Such events will almost certainly have been caused by risks that were not fully understood, or by inadequate processes for mitigating those events.

  13. Wrong assumptions about risk • Risk is just something for finance and insurance to worry about • Risk comes up on the agenda once a year • Risk management is just another layer of unnecessary bureaucracy • Risk management is about downside not creation of value • Risk is a compliance issue

  14. Risk Management. International expectations are now that all organisations should: • Identify, evaluate and manage their key risks and assess how they are controlled • Ensure that all aspects of internal control and risk management are regularly reviewed on an appropriate cyclical basis • Have regular board level reviews of reports on risk management and internal control

  15. Risk Management. And that risk management and internal control should be: • Embedded in the operations of an organisation • Capable of responding to the changing risks it faces • Include procedures for reporting major weaknesses immediately to appropriate levels of management

  16. Risk Management. In the UK all public bodies have been told: • “…it is important that authorities have arrangements in place for reviewing both the nature and severity of risks… such a review should not just be to “obvious tangible” risks such as arson, vandalism and other damage to property… risk management should be an integral part of an authority’s overall management arrangements.”

  17. Risk Management It went on to add: “In order to be successful it is likely that the approach will be cross-departmental and inter-disciplinary and that senior management will demonstrate commitment.”

  18. The AUS/NZ Risk Management Process • Establish the context • Identify risks • Analyse • Evaluate • Treat • Communicate • Monitor and Review

  19. Risk Identification and evaluation

  20. Types of Risk • Strategic • Operational • Reputation • Information • Financial • People • Regulatory

  21. Strategic Risks • Risks that relate to doing the wrong things

  22. Operational Risks • Risks that relate to doing the right things in the wrong way

  23. Information Risks • Risks that relate to loss or inaccuracy of data, systems or reported information

  24. Financial Risks • Risks that relate to losing monetary resources or incurring unacceptable liabilities

  25. People Risks • The risks associated with Employees and Management

  26. Regulatory Risk • The Risks related to the regulatory environment

  27. Reputation Risk • Risks that relate to the organization's brand or image

  28. Inherent and Residual Risk • Inherent risk = Gross risk before controls/ mitigation • Residual risk = Risk remaining after applying controls

  29. Evaluation and Measurement of Risk • Risk is measured in terms of consequences (or impact) and likelihood (or probability)

  30. Consequences: • Monetary (% of income or budget) • Reputation • Ability to recover • Effect on Organisation. Rated as: Insignificant, Minor, Moderate, Major, Catastrophic. Likelihood: • Rare (less than once in 20 years) • Unlikely (once in 10-20 years) • Possible (once in 10 years) • Likely (once in 3 years) • Almost Certain (once a year)

  31. Questions you need to answer • What are the worst things that could happen to us? • How likely are they to happen? • Are we taking sufficient steps to prevent them?

  32. Risk Matrix (figure; axes: Likelihood, Impact)

  33. Measurement of Risk: Risk Matrix (figure; axes: Impact of Risk, LOW to HIGH; Likelihood of Occurrence, Unlikely to Likely)

  34. RISK MATRIX (figure; numbered risks 1 to 28 plotted against IMPACT, Low to High, and LIKELIHOOD, LOW to HIGH)

  35. Risk Matrix. Impact: • Over £5 million OR Questions raised in Parliament • £2 million - £5 million OR Reported in National Press • £500,000 - £2 million OR Reported in Local Paper • £100,000 - £500,000 OR Unacceptable levels of Complaints • Under £100,000 OR Some complaints from individuals. Likelihood: • Rare - once in 20 years • Unlikely - once in 10-20 years • Possible - once in 10 years • Likely - once in 3 years • Certain - once a year

  36. Treatment of Risks: How are we going to manage the risks that we have identified down to a level that we can live with?

  37. Risk Treatment Risk Transfer Exposure Insure Outsource Determine Evaluate Recover Cost Reduce Control Loss reduction Contingency Plans BCP Measure, Manage, Monitor, Report Action Plans

  38. RISK MAP (figure; numbered risks 1 to 28 plotted against IMPACT, Low to High, and LIKELIHOOD, LOW to HIGH)

  39. The Risk Management Process

  40. Risk Management Framework • Embrace the issue of risk • Manage not tolerate • Make it a top down process • Ensure a positive slant • Make it the pulse of your organisation

  41. The Risk Management Cycle • Risk Identification • Risk Analysis • Risk Control • Monitoring & Review

  42. Risk Identification Process • Clarification of Strategic Business Objectives • Consideration of threats to achievement • Identification of key risks and opportunities • Sifting and clustering of output • Evaluation of risks (by impact and likelihood of occurrence) • Use of Workshops

  43. Use of Workshops

  44. ACCURATE ASSESSMENT Workshop Ingredients FACILITATOR CHALLENGER FRAMEWORK And CONTROL RISK And CONTROL EXPERTISE PARTICIPANTS BUSINESS And PRACTICAL EXPERIENCE

  45. Typical Agenda for a Workshop • Introduction • Discussion of objectives/processes • Brainstorming of risks • Categorisation • Assessment of risks

  46. Risk Mitigation Process • Evaluation of actions in place to reduce risks • Identification of risk exposures and latent opportunities • Assessment of the effect of mitigation • Development of focussed action plans • Preparation of a Risk Register
