Upload
briana-hensley
View
220
Download
0
Embed Size (px)
Citation preview
Business Risk & Control Self-Assessment Workshop Report
HAN
BE’ER
October 18, 2005Arnhem
Confidential
2
Table of ContentsMain Report
Page
• Introduction 3
• Vision & Objectives BE’ER 4
• 2005 Workshop – Risk Identification
Results Full Details 6
• 2005 Workshop Results, Main Risks Overview 7
• 2005 Workshop – Risk Assessment:
Impact vs. Likelihood per group 10
Risk Level vs. Control Effort per group 13
• Standard Deviation 17
• Risk Sourcing & Response Development 18
• Conclusions and Follow-Up Recommendations 21
3
Introduction
• The Business Risk & Control Self-Assessment session was conducted to demonstrate how risk management can be used by the BE’ER organization and in other organizations. The group attending the workshop was a reflection of BE’ER’s organization.
• Since the goal of this session was to demonstrate the implementation of risk management, the result can not be considered as complete and final.
• The main objectives of the workshop were to increase the risk awareness of the participants, to become familiar with the “self-assessment” methodology, to gain an insight into the risk prioritization and to determine the preliminary risk profile for BE’ER.
• The brainstorming and subsequent consolidation resulted in an initial identification of 12 risks that were considered to be most relevant by the participants.
• The risks were then assessed on three criteria by the group, in terms of impact on the business objectives, the likelihood of occurrence and the control effort to deal with the risks.
4
BE’ER Vision & Objectives
Visie
• BE’ER wil de komende jaren een stabiele vereniging worden die voorziet in de behoeften die er bestaan bij BE-
afstudeerders, HAN en het bedrijfsleven.
Objectives
• Samenwerking: fungeren als intermediair tussen HAN en het bedrijfsleven. Hiertoe dient er minstens 4x per jaar
een activiteit voor onze leden georganiseerd te worden (waarbij HAN en het bedrijfsleven centraal staan).
• Groei van het aantal leden: we streven om in de komende drie jaar een ledengroei te hebben van tenminste
35% van ons huidige ledenbestand.
• Netwerken: binnen de aangeboden activiteiten moeten er voldoende mogelijkheden zijn voor de leden en het
bestuur tot netwerken. Tenminste 1x per jaar dient er een activiteit georganiseerd te worden die geheel in het
kader staat van netwerken.
• Kennis delen: BE’ER streeft ernaar om als vereniging kennis te delen met elkaar binnen het
bedrijfseconomische vakgebied en de koppeling te leggen met het beroepsleven.
• Profilering/PR: onze vereniging dient bekend te worden binnen de gehele BE opleiding. Hiertoe dient er
ondermeer een nieuwsblad opgericht te worden, zal de website verder uitgebouwd worden, en zullen verdere
promotieactiviteiten ontplooid moeten worden.
5
2005 Workshop Results - Risk Identification
• In order to identify risk scenarios the following definition of risk was provided to the
participants:
Those uncertainties which can impact the achievement of your objectives
These uncertainties are often external to a company/organization’s normal business
operations, but in many cases they represent internal process issues.
• The risk identification took place in a complete and open discussion where each
participant gave their definition of what they believed was a risk scenario that would
obstruct their organization in reaching one or more of the defined objectives.
• The risk scenarios were defined as specifically as possible in order to facilitate their
assessment.
• A total of 12 risk scenarios were defined and documented.
6
2005 Workshop BE’ER - ResultsFull details
7
2005 Workshop, Risk Results, Main Risks Overview Top 10 risks in terms of Risk Level (impact vs. likelihood)
The top 10 risks for BE’ER in terms of impact and likelihood, as assessed by the participants, are:
1. The risk that our members lose interest in our organization due to their personal goals and competing activities. Risk #2
2. The risk that that platform that the organization relies on is too small (# people)/fragile. Risk #11
3. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our reputation as respectable/interesting alumni organization. Risk #3
4. The risk of insufficient communication and promotion (both for members/potential members and sponsors), leading to insufficient funds and critical mass. Risk #7
5. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls apart causing BE ER to fall apart. Risk #8
6. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to unclear product deliverables. Risk #12
7. The risk that vision/expectations of "trade and industry" are not met by BE ER leading to reduced activites and possible reduction of members. Risk #6
8. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE ER less opportunities and subsidies. Risk #5
9. The risk of too much focus on informal activities pushed by the members limiting the focus on business economics knowledge sharing. Risk #1
10. The risk of losing financial support from HAN. Risk #4
8
2005 Workshop, Risk Results, Main Risks OverviewTop 10 risks in terms of Risk Priority (= risk level vs. control effort )
The participants also assessed the identified risks in terms of the perceived control effort in place to deal with
these risks. The top 10 risks resulting from this assessment are:
1. The risk that our members lose interest in our organization due to their personal goals and competing
activities. Risk #2
2. The risk that that platform that the organization relies on is too small (# people)/fragile. Risk #11
3. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to
unclear product deliverables. Risk #12
4. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our
reputation as respectable/interesting alumni organization. Risk #3
5. The risk of insufficient communication and promotion (both for members/potential members and sponsors),
leading to insufficient funds and critical mass. Risk #7
6. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls
apart causing BE ER to fall apart. Risk #8
7. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE ER
less opportunities and subsidies. Risk #5
8. The risk that vision/expectations of "trade and industry" are not met by BE ER leading to reduced activites
and possible reduction of members. Risk #6
9. The risk that the brand name is not properly associated with the activities and quality of the added value and
social activities in the optimal combination. Risk #10
10. The risk that the brand name does not appeal to the vision and ambition of organization. Risk #9
9
2005 Workshop – Risk Assessment
The participants prioritized the identified key risks during a rating session. The risks were prioritized according to the following criteria:
Impact: The risk occurs. What is the most foreseeable impact on the achievement of BE’ER’s business objectives?
Likelihood: What is the likelihood that this event/scenario will occur, say, within the next threeyears (TOP period)?
This prioritization provided valuable insight and a basis for focus of managerial effort, as well as a basis for evaluation of impact of current control levels and use of company resources.
The participants were asked to provide their opinion on the impact and likelihood on a scale from 1 (low) to 9 (high). The result is a classification of the risks according to the average weightings (impact and likelihood) for each risk.
The rating was grouped according to the ‘function’ of the participants (i.e. Board, Alumni).
IMP
AC
T
High
HighLow
LowLIKELIHOOD
Secondary Risks 1
Secondary Risks 2
Primary Risks
Low Risks
The risks were mapped representing the level of risk (impact X likelihood) given to each risk by the participants.
10
2005 Workshop – BE’ER’s Risk ProfileImpact versus likelihood map (all participants)
Likelihood
Impact
1 2 3 4 5 6 7 8 9
2
3
4
5
6
7
8
9 1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
2
3
4
5
6
7
8
910
11
12
11
2005 Workshop – BE’ER’s Risk ProfileImpact versus likelihood map (Board)
Likelihood
Impact
1 2 3 4 5 6 7 8 9
2
3
4
5
6
7
8
9Board
1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
2
34
5
6
7
8
9
10
11
12
12
2005 Workshop – BE’ER’s Risk ProfileImpact versus likelihood map (Alumni)
Likelihood
Impact
1 2 3 4 5 6 7 8 9
2
3
4
5
6
7
8
9Alumni
1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
23
4
5
6
7
8
9
10
1112
13
2005 Workshop - Control Effort Assessment
During the workshop the risks, as identified by the participants, were subsequently assessed according to the
definition below:
Control effort: What is the current level of effort within the organization to deal with/control the identified risks? In terms of resources, people, procedures, measurements etc.
* Please note: the acceptability of the control effort comfort zone (green) is to be decided upon by the responsible manager!
CONTROL EFFORTHighLow
Low
High
Risks may be Under-
controlled
Risks may be over-
controlled
Ris
k L
evel
Moderate
Acceptable le
vel o
f contro
l effo
rt
for the ris
k
14
Low > Moderate < High
2005 Workshop Results – BE’ER’s Risk ProfileRisk Level versus Control Effort map (all participants)
The map to the left represents the combined assessment on the totalrisk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level
For details on the acceptability level please see note* on page 13
Control effort
Risk Level
1 2 3 4 5 6 7 8 91
11
21
31
41
51
61
71
81 1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
2
3
45
6
7
8
910
11
12
15
Low > Moderate < High
2005 Workshop Results – BE’ER’s Risk ProfileRisk Level versus Control Effort map (Board)
The map to the left represents the combined assessment on the totalrisk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level
For details on the acceptability level please see note* on age 13
Control effort
Risk Level
1 2 3 4 5 6 7 8 91
11
21
31
41
51
61
71
81Board
1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
2
3
4
5
67
8
9
10
11
12
16
Low > Moderate < High
2005 Workshop Results – BE’ER’s Risk ProfileRisk Level versus Control Effort map (Alumni)
The map to the left represents the combined assessment on the totalrisk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level
For details on the acceptability level please see note* on page 13
Control effort
Risk Level
1 2 3 4 5 6 7 8 91
11
21
31
41
51
61
71
81Alumni
1. Insuffcient focus knowledge share2. loss of interest in BEER3. failing to attract new members4. financial support from HAN5. lack of cooperation HAN/industry6. difference in vision industry/BEER7. Insufficient communic./promotion8. co operation board BE ER9. Brand name appeal10. Brand name association11. Platform too small12. No added value to core sponsors
1
2
3
4
5
6
7
8
9
10
1112
17
2005 Workshop Results – BE’ER’s Risk VotingStandard Deviation on Impact, Likelihood and Control Effort
The critical threshold regarding the standard deviation is 2. All those risks with a standard deviation for Impact and/or Control above this threshold should be reviewed. In particular when the score on Impact and/or Likelihood is relatively high or when the score for Control Effort is low. The knowledge about the effects of the risk on the organization and/or about the existing mechanisms to manage the risk may needs to be communicated more explicitly during the review of these risks.
Spread in Voting
0
0,5
1
1,5
2
2,5
3
3,5
1 2 3 4 5 6 7 8 9 10 11 12
Risk Item Number
Sta
nd
ard
Dev
iati
on
SD impact SD likelihood SD control
18
Risk Sourcing & Response Development What is your response to the identified risks?
• Risk sourcing is identifying the root cause of a certain risk.
• It creates a clear picture of where and how significant business risks originate
• It focuses attention on the specific areas that have the highest influence on the respective risks
• It assist in developing effective risk responses (action plans)
Take
Intentionally pursue
Fully accept
Finance the consequences
Build in contingencies
Transfer
Insure
Share (JV, alliance, partnership
Contract out (outsource, assign)
Diversify / spread
Hedge
Terminate
Cease activity
Pull out of market
Divest
Change objectives
Reduce scale
Treat
Dealing with risk requires adaptation:
• Organization
• People & Relationships
• Direction
• Operational
• Monitoring
Take
Intentionally pursue
Fully accept
Finance the consequences
Build in contingencies
Transfer
Insure
Share (JV, alliance, partnership
Contract out (outsource, assign)
Diversify / spread
Hedge
Terminate
Cease activity
Pull out of market
Divest
Change objectives
Reduce scale
Treat
Dealing with risk requires adaptation:
• Organization
• People & Relationships
• Direction
• Operational
• Monitoring
Due dateResponsibleActionSourceRisk Due dateResponsibleActionSourceRisk
plant reliability
dependency on single source
catastrophic accidents
No back-up capacity
political/legislation
Business interruption
inherent hazardproduct
process
maintenance risk
inaccessibility
Lack of preventive maintenance
Having chosen to have one supplier
No other suppliers known
No other suppliers available
terrorism
Natural catastrophe
human error
Accident at neighbour
Site infrastructure and utility restriction
Logistics related accidents
sabotage
Lack of knowledge
Investment too high
no back-up plan
Previous experience
public opinion
permit issues
HSE legislation
Create a Contingency plan
Analysis opportunity cost vs worsecase scenario
Review and update maintenance programs
19
Risk Sourcing & Response Development
The comparison between the highest ranked risks of 2005, sorted on risk level (= impact vs. likelihood) and risk priority (= risk level vs. control effort) for BE’ER, demonstrates that risks #2, 11, 3, 7, 12, 8, 6, 5, 1 and 4 (top 10 risk level) require your first and foremost attention. The first step is to decide for the top 10 risk level (preferably for the top 12) if currently enough actions are in place to manage the risk scenarios (yes or no), then decide if actions are effectively implemented (yes or no) and formulate new actions if required (SMART, due date) with the responsible person.
Please note this template is part of the full assessment results (separate attachment – excel file)
20
Risk Sourcing & Response Development
• To further analyze the highest ranked risks, we advise you to use the following process:
- Identify the root causes per risk scenario (what can cause this scenario?)
- Group these root causes (external causes, internal causes, other relations)
- Prioritize based on the influence the root cause has on the risk scenario
- Take a decision on how to act (Take, Treat, Terminate or Transfer)
- Develop an action plan to execute the decision. Action plans should be S.M.A.R.T.
(Specific, Measurable, Achievable, Relevant, Time based) which means that they
must include the relevant KPIs, timeframe and responsible person (owner).
• Once you establish and/or implement an action plan on the main risk scenarios and
sources, the monitoring and evaluation should be done by the Board.
21
Conclusions and Follow-Up Recommendations
• BE’ER achieved the goals of the workshop, which were specifically: (1) demonstrate
how risk management can be used by the organization (2) increase risk awareness, (3)
familiarize the participants with the self-assessment methodology, (4) gain structured
insight into the risks, (5) share risk knowledge & experiences, and (6) develop an initial
risk profile for BE’ER.
• The awareness of the risks and the assessment from the participants showed a fairly
consistent view on the importance of the most significant risks. This is demonstrated by
the standard deviation graph on page 17. However, we recommend that the group
reviews the need to achieve further cohesion regarding risks #1, 4, 5, 9 and 10, where
the standard deviation on impact was slightly higher than the acceptable deviation
threshold.
FACILITATORS - Akzo Nobel Risk Management:
Dick Oude Alink & Adolfo Moreno