1 / 28

School Board Audit Committee Training Module 2 Assessing Risk and Risk Management

School Board Audit Committee Training Module 2 Assessing Risk and Risk Management. Session objectives. After completing this session you will:. Understand the Audit Committee’s responsibilities related to risk management. Identify and assess the various types of risks Governance

trish
Download Presentation

School Board Audit Committee Training Module 2 Assessing Risk and Risk Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. School Board Audit Committee TrainingModule 2Assessing Risk and Risk Management

  2. Session objectives After completing this session you will: Understand the Audit Committee’s responsibilities related to risk management • Identify and assess the various types of risks • Governance • Service Delivery / Operational • Stakeholder Satisfaction / Public Perception • Human Resources • Financial • Legal & Compliance • Information Management • Technology Assess risk against likelihood and significance Understand the assessment of risk within the School Board Audit Universe Understand standard risk management techniques

  3. Risk terminology Definition of risk1 Risk is defined as “anything of variable uncertainty and significance that interferes with the achievement of organizational strategies and objectives”. . 1 Source: COSO

  4. Audit Committee duties related to Risk Management[ON Regulation 361/10 9(6)] • To inquire about significant risks • To review the School Board’s policies for risk assessment and risk management and to assess the steps taken to manage such risks (i.e. Internal controls, the adequacy of insurance). • To perform other activities related to the oversight of the School Board’s risk management issues or financial matters, as requested. • To initiate and oversee investigations, as appropriate.

  5. Risk categories • Collectively, Ontario’s 72 District School Boards (DSBs) have the responsibility for education over two million students. School boards are faced with a wide range of risks that must be managed in order to achieve the educational outcomes demanded by stakeholders. • These risks may be categorized to better facilitate the risk identification and management process. • It is the responsibility of the Audit Committee to oversee the process used to assess risk and be comfortable that significant risks are identified and emerging risks considered. • Information Management An integrated approach to risk management is critical

  6. Governance Risk type: Governance Operational • The risk that the organization structure, accountabilities, or responsibilities are not designed, communicated or implemented to meet the organization's objectives, and the risk that culture and management commitment do not support the formal structures. • Example of a governance risk that could potentially impact a DSB: • Accountability and Oversight • The risk that ineffective or undefined lines of authority may cause managers or employees to do things they should not do or fail to do things they should.

  7. Operational Risk type: Service Delivery / Operational • The risk that ineffective and/or inefficient operations or interruptions to service delivery will impact the school board's ability to meet its goals and objectives. • Examples of operational risks that could potentially impact a DSB: • Outcome achievement: • The risk that academic outcomes will not be achieved due to an inability to effectively deliver the academic curriculum to the student population. • Student experience • The risk of failing to deliver quality programs to students to allow them to develop the skills of lifelong learning. • Personal security • The risk of failing to provide a safe and secure environment for students, educators, parents and other members of the school community.

  8. Risk type: Stakeholder Satisfaction/Public Perception Public Perception • The risk the school board will not meet the expectations of the public, the Ministry of Education and other external stakeholders and that the school board's actions will affect its public image. • Example of stakeholder satisfaction/ public perception risks that could potentially impact a DSB: • Stakeholder Engagement: • The risk that stakeholders are not sufficiently engaged or provide the necessary oversight required to monitor and assess the organization.

  9. Human Resources Risk type: Human Resources • The risk that insufficient, inappropriate or unqualified staff are hired/retained and that the turnover ratio of qualified staff is high. • Examples of potential people risks in the context of a DSB include: • Recruiting and retention • The risk of failing to attract and retain personnel with the requisite knowledge, skills and experience to allow the DSB to effectively achieve its educational outcomes and business objectives. • Attendance management • The risk of impacting curriculum delivery and incurring additional teaching costs due to unplanned or excessive educator absences. • Succession planning • The risk of the DSB failing to appropriately anticipate and plan for the succession and renewal of key personnel resulting in the ability to perform critical functions or the loss of organizational knowledge capital.

  10. Financial Risk type: Financial • The risk of financial loss caused by theft, incorrect financial reporting, fraud and/or the inability to meet budget requirements. Examples of financial risks facing a DSB include: • Budgeting and forecasting • The risk that unrealistic, irrelevant or unreliable budget and planning information or inadequate Ministry funding knowledge may cause inappropriate financial conclusions and operational decisions. • Accounting and financial reporting • The risk that transactions are not properly processed, reviewed, reported and disclosed resulting in errors or omissions in financial reporting. • Cash Handling • The risk that cash is misappropriated, is not accounted for, or is not adequately safeguarded. • Fraud • The risk of fraudulent activities (such as the misappropriation of assets) perpetrated by management, administrative employees, teachers or students, causing loss.

  11. Legal & Compliance Risk type: Legal & Compliance Operational • The risk the school board will not be in compliance with legislation, regulations, contracts, guidelines and policy direction. • Examples of legal & compliance risks in the context of a DSB include: • Compliance risk • The risk of the organization failing to comply with Ministry requirements or guidelines, resulting in corrective action and/or negative publicity. • Legal risk • The risk of the organization failing to meet or adhere to legal obligations and/or violating statutory requirements.

  12. Risk type: Information Management InformationManagement • The risk that school board information is incomplete, out-of-date, irrelevant or inappropriately disclosed. Examples include: • IM/IT strategy • The risk of a DSB failing to develop and implement an effective information management and technology strategy in order to meet the needs and requirements of multiple stakeholders.

  13. Technology Risk type: Technology • The risk that IT does not align with business and does not support availability, access, integrity, relevance and security of data. • Examples include: • IT reliability and availability • The risk of information technology systems, business applications and telecommunications systems being unavailable to support operations. • Data privacy, quality and integrity • The risk that there are inadequate controls in place to ensure the privacy, quality, integrity and accuracy of a DSB’s electronic information. • IT security • The risk of failing to appropriately secure a DSB’s networks, systems, applications.

  14. Discussion - Risk Categories • Identify other examples of risks affecting a DSB under the following categories: • Governance • Service Delivery / Operational • Stakeholder Satisfaction / Public Perception • Human Resources • Financial • Legal & Compliance • Information Management • Technology • How would these risks impact the Board? • What can be done to prevent these risks from impacting the organization?

  15. Assessing risk: likelihood and significance • Risk has two dimensions — likelihood and significance • Likelihood: • The probability that the risk will occur and impact the organization • Significance: • The potential impact that the risk will have (should it occur) on the organization • Significance can be rated using various criteria. For the purposes of the DSB risk assessments the following criteria are used: • Reputational – How would the occurrence of the risk impact the school / DSB / Ministry's reputation? • Financial – What would be the financial impact/ consequences of the occurrence of the risk?

  16. Assessing risk: likelihood and significance High Damage Significance of risk High Likelihood Likelihood of occurrence

  17. Exercise – Assessing Risk • In your groups, identify 8-10 risks that might prevent the workmen from meeting their objective (having lunch on top of the tall building) • Using a flipchart, draw a risk map and map the risks to the appropriate quadrant.

  18. Exercise – Assessing Risk Significance vs. Likelihood High Building falling down Losing balance Strong wind Significance Dropping lunch Small birds hitting workmen Losing hard hat Low High Likelihood

  19. Assessing risk: inherent vs. residual • Risk can be assessed on two levels, Inherent and Residual. • Inherent risk is the assessed level of risk in the absence of internal controls. • Residual risk is the assessed level of risk once internal controls are taken into account. • Internal controls can aid in the reduction of both the likelihood and significance of risk.

  20. Why should we assess risks? • Executing an organizational risk assessment is the first step in determining the focus of the internal audit function. It is completed to: • Understand the risks within the environment in which the DSB operates • Assess the potential likelihood and significance of the impact of these risks on the various processes undertaken by the DSB • Identify the DSB’s higher risk processes

  21. How is risk assessed? • As part of the risk assessment process, the population of risks the DSB faces needs to be identified to understand how and where they could impact the organization. • Using the risk categories as a guide, relevant sub risks in each category can be identified and assessed for applicability. • As risks impact the organization in different areas, a top-down process view of the organization is required. • This top-down, process view of the organization is referred to as the process universe.

  22. EXAMPLE ONLY

  23. Executing a risk assessment Define Process Universe Create Risk Framework Assess Process Risk

  24. Risk Assessment Results EXAMPLE ONLY

  25. What to do with the Risk Assessment Results? • Internal Audit should focus efforts and resources on areas of highest perceived risk • Process reviews of higher risk areas should be performed to: • Identify and evaluate the internal controls currently in place within the DSB’s current processes • Find and remediate existing internal control gaps • Promote the achievement of the DSB’s objectives by strengthening processes and controls

  26. Risk Management Techniques Risk Management Techniques Avoidance • Eliminate a service or an activity it considers too risky. • Prevention or modification Reduce the likelihood of a risk (and related losses) occurring, by changing the activity so that internal controls reduce the probability of risk occurrence. • Mitigation • Accept the risk but lessen the impact of losses should they occur through existing or additional internal controls. • Retention • Accept the risk (and its consequences) as is. Some risk is inherent in the activities of your operation. • Transfer either the actual risk or the financial consequences of a loss to another party. • Transfer (sharing)

  27. Leading risk management practices • Applying risk management to manage transformation issues • Aligning strategic planning with risk management • Focus on integration of risk management with existing business process/initiatives • Integrating dispersed risk management roles through clear governance structure • Developing key risk indicators to link risk management with performance measurement • Performing controls reviews/audits to assess financial risks and controls • Performing operational reviews • Information technology risk assessments and reviews • Instilling “ethical”, open culture by promoting risk management and enhancing linkage to incident reporting Some risk management techniques exist in the absence of an internal control.

  28. Discussion - Risk • In groups, select a business process within the organization that your group members are familiar with. • Identify the most important risks impacting this area. • If these risks weren’t managed, assess the likelihood of risk occurrence and significance to the organization.

More Related