Business Risk & Control Self-Assessment Workshop Report HAN BE’ER October 18, 2005 Arnhem Confidential


Page 2

Table of Contents

Main Report (with page numbers)

• Introduction: 3

• Vision & Objectives BE’ER: 4

• 2005 Workshop – Risk Identification

  - Results Full Details: 6

• 2005 Workshop Results, Main Risks Overview: 7

• 2005 Workshop – Risk Assessment:

  - Impact vs. Likelihood per group: 10

  - Risk Level vs. Control Effort per group: 13

• Standard Deviation: 17

• Risk Sourcing & Response Development: 18

• Conclusions and Follow-Up Recommendations: 21

Page 3

Introduction

• The Business Risk & Control Self-Assessment session was conducted to demonstrate how risk management can be used by the BE’ER organization and in other organizations. The group attending the workshop was a reflection of BE’ER’s organization.

• Since the goal of this session was to demonstrate the implementation of risk management, the result cannot be considered complete and final.

• The main objectives of the workshop were to increase the risk awareness of the participants, to become familiar with the “self-assessment” methodology, to gain an insight into the risk prioritization and to determine the preliminary risk profile for BE’ER.

• The brainstorming and subsequent consolidation resulted in an initial identification of 12 risks that were considered to be most relevant by the participants.

• The risks were then assessed on three criteria by the group, in terms of impact on the business objectives, the likelihood of occurrence and the control effort to deal with the risks.

Page 4

BE’ER Vision & Objectives

Vision

• In the coming years, BE’ER wants to become a stable association that meets the needs of BE graduates, HAN and trade and industry.

Objectives

• Cooperation: act as an intermediary between HAN and trade and industry. To this end, an activity must be organized for our members at least 4 times per year (with HAN and trade and industry as the central theme).

• Growth in the number of members: over the next three years we aim for membership growth of at least 35% of our current membership.

• Networking: the activities offered must give the members and the board sufficient opportunities to network. At least once per year an activity must be organized that is devoted entirely to networking.

• Knowledge sharing: as an association, BE’ER strives to share knowledge with one another within the field of business economics and to make the link with professional life.

• Profile/PR: our association must become known throughout the entire BE programme. To this end, among other things, a newsletter must be set up, the website will be developed further, and further promotional activities will have to be undertaken.

Page 5

2005 Workshop Results - Risk Identification

• In order to identify risk scenarios the following definition of risk was provided to the participants:

Those uncertainties which can impact the achievement of your objectives

These uncertainties are often external to a company/organization’s normal business operations, but in many cases they represent internal process issues.

• The risk identification took place in a complete and open discussion where each participant gave their definition of what they believed was a risk scenario that would obstruct their organization in reaching one or more of the defined objectives.

• The risk scenarios were defined as specifically as possible in order to facilitate their assessment.

• A total of 12 risk scenarios were defined and documented.

Page 6

2005 Workshop BE’ER - Results: Full details

Page 7

2005 Workshop, Risk Results, Main Risks Overview: Top 10 risks in terms of Risk Level (impact vs. likelihood)

The top 10 risks for BE’ER in terms of impact and likelihood, as assessed by the participants, are:

1. The risk that our members lose interest in our organization due to their personal goals and competing activities. Risk #2

2. The risk that the platform that the organization relies on is too small (# people)/fragile. Risk #11

3. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our reputation as a respectable/interesting alumni organization. Risk #3

4. The risk of insufficient communication and promotion (both for members/potential members and sponsors), leading to insufficient funds and critical mass. Risk #7

5. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls apart, causing BE’ER to fall apart. Risk #8

6. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to unclear product deliverables. Risk #12

7. The risk that vision/expectations of "trade and industry" are not met by BE’ER, leading to reduced activities and possible reduction of members. Risk #6

8. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE’ER fewer opportunities and subsidies. Risk #5

9. The risk of too much focus on informal activities pushed by the members limiting the focus on business economics knowledge sharing. Risk #1

10. The risk of losing financial support from HAN. Risk #4

Page 8

2005 Workshop, Risk Results, Main Risks Overview: Top 10 risks in terms of Risk Priority (= risk level vs. control effort)

The participants also assessed the identified risks in terms of the perceived control effort in place to deal with these risks. The top 10 risks resulting from this assessment are:

1. The risk that our members lose interest in our organization due to their personal goals and competing activities. Risk #2

2. The risk that the platform that the organization relies on is too small (# people)/fragile. Risk #11

3. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to unclear product deliverables. Risk #12

4. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our reputation as a respectable/interesting alumni organization. Risk #3

5. The risk of insufficient communication and promotion (both for members/potential members and sponsors), leading to insufficient funds and critical mass. Risk #7

6. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls apart, causing BE’ER to fall apart. Risk #8

7. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE’ER fewer opportunities and subsidies. Risk #5

8. The risk that vision/expectations of "trade and industry" are not met by BE’ER, leading to reduced activities and possible reduction of members. Risk #6

9. The risk that the brand name is not properly associated with the activities and quality of the added value and social activities in the optimal combination. Risk #10

10. The risk that the brand name does not appeal to the vision and ambition of the organization. Risk #9

Page 9

2005 Workshop – Risk Assessment

The participants prioritized the identified key risks during a rating session. The risks were prioritized according to the following criteria:

Impact: The risk occurs. What is the most foreseeable impact on the achievement of BE’ER’s business objectives?

Likelihood: What is the likelihood that this event/scenario will occur, say, within the next three years (TOP period)?

This prioritization provided valuable insight and a basis for focus of managerial effort, as well as a basis for evaluation of impact of current control levels and use of company resources.

The participants were asked to provide their opinion on the impact and likelihood on a scale from 1 (low) to 9 (high). The result is a classification of the risks according to the average weightings (impact and likelihood) for each risk.

The rating was grouped according to the ‘function’ of the participants (i.e. Board, Alumni).

[Figure: map of IMPACT (low to high) against LIKELIHOOD (low to high), divided into the areas Primary Risks, Secondary Risks 1, Secondary Risks 2 and Low Risks]

The risks were mapped representing the level of risk (impact X likelihood) given to each risk by the participants.

Page 10

2005 Workshop – BE’ER’s Risk Profile: Impact versus likelihood map (all participants)

[Figure: risks 1 to 12 plotted by Likelihood against Impact, each on a scale of 1 to 9. Legend:]

1. Insufficient focus knowledge share
2. Loss of interest in BE’ER
3. Failing to attract new members
4. Financial support from HAN
5. Lack of cooperation HAN/industry
6. Difference in vision industry/BE’ER
7. Insufficient communic./promotion
8. Cooperation board BE’ER
9. Brand name appeal
10. Brand name association
11. Platform too small
12. No added value to core sponsors

Page 11

2005 Workshop – BE’ER’s Risk Profile: Impact versus likelihood map (Board)

[Figure: risks 1 to 12 as rated by the Board, plotted by Likelihood against Impact, each on a scale of 1 to 9]

Page 12

2005 Workshop – BE’ER’s Risk Profile: Impact versus likelihood map (Alumni)

[Figure: risks 1 to 12 as rated by the Alumni, plotted by Likelihood against Impact, each on a scale of 1 to 9]

Page 13

2005 Workshop - Control Effort Assessment

During the workshop the risks, as identified by the participants, were subsequently assessed according to the definition below:

Control effort: What is the current level of effort within the organization to deal with/control the identified risks? In terms of resources, people, procedures, measurements etc.

* Please note: the acceptability of the control effort comfort zone (green) is to be decided upon by the responsible manager!

[Figure: map of Risk Level (Low, Moderate, High) against CONTROL EFFORT (Low to High), showing the zones "Risks may be under-controlled", "Acceptable level of control effort for the risk" and "Risks may be over-controlled"]

Page 14

2005 Workshop Results – BE’ER’s Risk Profile: Risk Level versus Control Effort map (all participants)

The map to the left represents the combined assessment of the total risk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level.

For details on the acceptability level please see note* on page 13.

[Figure: risks 1 to 12 plotted by Control effort (scale 1 to 9) against Risk Level (axis ticks 1 to 81), with a Low / Moderate / High colour scale]

Page 15

2005 Workshop Results – BE’ER’s Risk Profile: Risk Level versus Control Effort map (Board)

The map to the left represents the combined assessment of the total risk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level.

For details on the acceptability level please see note* on page 13.

[Figure: risks 1 to 12 as rated by the Board, plotted by Control effort (scale 1 to 9) against Risk Level (axis ticks 1 to 81), with a Low / Moderate / High colour scale]

Page 16

2005 Workshop Results – BE’ER’s Risk Profile: Risk Level versus Control Effort map (Alumni)

The map to the left represents the combined assessment of the total risk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level.

For details on the acceptability level please see note* on page 13.

[Figure: risks 1 to 12 as rated by the Alumni, plotted by Control effort (scale 1 to 9) against Risk Level (axis ticks 1 to 81), with a Low / Moderate / High colour scale]

Page 17

2005 Workshop Results – BE’ER’s Risk Voting: Standard Deviation on Impact, Likelihood and Control Effort

The critical threshold regarding the standard deviation is 2. All those risks with a standard deviation for Impact and/or Control above this threshold should be reviewed, in particular when the score on Impact and/or Likelihood is relatively high or when the score for Control Effort is low. The knowledge about the effects of the risk on the organization and/or about the existing mechanisms to manage the risk may need to be communicated more explicitly during the review of these risks.

[Figure: "Spread in Voting" chart of Standard Deviation (axis 0 to 3,5) per Risk Item Number (1 to 12), with the series SD impact, SD likelihood and SD control]

Page 18

Risk Sourcing & Response Development: What is your response to the identified risks?

• Risk sourcing is identifying the root cause of a certain risk.

• It creates a clear picture of where and how significant business risks originate.

• It focuses attention on the specific areas that have the highest influence on the respective risks.

• It assists in developing effective risk responses (action plans).

Take

• Intentionally pursue

• Fully accept

• Finance the consequences

• Build in contingencies

Transfer

• Insure

• Share (JV, alliance, partnership)

• Contract out (outsource, assign)

• Diversify / spread

• Hedge

Terminate

• Cease activity

• Pull out of market

• Divest

• Change objectives

• Reduce scale

Treat

Dealing with risk requires adaptation:

• Organization

• People & Relationships

• Direction

• Operational

• Monitoring

[Figure: example risk-sourcing diagram and action template with the columns Risk, Source, Action, Responsible and Due date. Risk shown: Business interruption. Source labels shown: plant reliability; dependency on single source; catastrophic accidents; no back-up capacity; political/legislation; inherent hazard; product; process; maintenance risk; inaccessibility; lack of preventive maintenance; having chosen to have one supplier; no other suppliers known; no other suppliers available; terrorism; natural catastrophe; human error; accident at neighbour; site infrastructure and utility restriction; logistics related accidents; sabotage; lack of knowledge; investment too high; no back-up plan; previous experience; public opinion; permit issues; HSE legislation. Actions shown: create a contingency plan; analysis of opportunity cost vs. worst-case scenario; review and update maintenance programs.]

Page 19

Risk Sourcing & Response Development

The comparison between the highest ranked risks of 2005, sorted on risk level (= impact vs. likelihood) and risk priority (= risk level vs. control effort) for BE’ER, demonstrates that risks #2, 11, 3, 7, 12, 8, 6, 5, 1 and 4 (top 10 risk level) require your first and foremost attention. The first step is to decide for the top 10 risk level (preferably for the top 12) if currently enough actions are in place to manage the risk scenarios (yes or no), then decide if actions are effectively implemented (yes or no) and formulate new actions if required (SMART, due date) with the responsible person.

Please note this template is part of the full assessment results (separate attachment – Excel file).

Page 20

Risk Sourcing & Response Development

• To further analyze the highest ranked risks, we advise you to use the following process:

- Identify the root causes per risk scenario (what can cause this scenario?)

- Group these root causes (external causes, internal causes, other relations)

- Prioritize based on the influence the root cause has on the risk scenario

- Take a decision on how to act (Take, Treat, Terminate or Transfer)

- Develop an action plan to execute the decision. Action plans should be S.M.A.R.T. (Specific, Measurable, Achievable, Relevant, Time based) which means that they must include the relevant KPIs, timeframe and responsible person (owner).

• Once you establish and/or implement an action plan on the main risk scenarios and sources, the monitoring and evaluation should be done by the Board.

Page 21

Conclusions and Follow-Up Recommendations

• BE’ER achieved the goals of the workshop, which were specifically: (1) demonstrate how risk management can be used by the organization, (2) increase risk awareness, (3) familiarize the participants with the self-assessment methodology, (4) gain structured insight into the risks, (5) share risk knowledge & experiences, and (6) develop an initial risk profile for BE’ER.

• The awareness of the risks and the assessment from the participants showed a fairly consistent view on the importance of the most significant risks. This is demonstrated by the standard deviation graph on page 17. However, we recommend that the group reviews the need to achieve further cohesion regarding risks #1, 4, 5, 9 and 10, where the standard deviation on impact was slightly higher than the acceptable deviation threshold.

FACILITATORS - Akzo Nobel Risk Management:

Dick Oude Alink & Adolfo Moreno