Enterprise Risk Management

Session B8, Thursday, May 1st, 2014, 11:30 – 12:45

David Fernandes

Incorporating a Risk Management Strategy Throughout the Organization

Super Strategies 2014 Risk Strategy Presentation


YOUR EXPECTATIONS


How many in Audit Department? <5 <10

What do you want to get out of this presentation?

Is there any Risk Management program currently in place?

Who owns “Risk” in your company? Board? Management? Legal?

When do you want to have an ERM solution in place?


TOPICS

• Developing a Risk Management Strategy.

• Integrated Approach to Risk Management.

• Establishing of a Risk Management Committee.

• Managing Risk

• Creating an Enterprise Risk Assessment.

• Setting up Control Monitoring process.

• Risk Management and Internal Audit

Developing a Risk Management Strategy

Management - the act or skill of controlling and making decisions about a business, department

Strategy - a careful plan or method for achieving a particular goal usually over a long period of time

Risk - The chance of loss or the perils to the subject matter of an insurance contract; also: the degree of probability of such loss

• Risk Identification:
– Identifying foreseeable risks which could affect objectives, their cause(s) and possible effect(s).

• Risk Assessment:
– Establishing the likelihood of occurrence and impact for each identified risk and prioritizing risks for further attention, grouping risks into categories to identify hotspots of risk exposure or common causes, and analyzing the combined effect of risks on corporate Goals and Objectives.

• Risk Management:
– Defining the scope and objectives of the risk process, describing the techniques and tools to be used, stating the thresholds of acceptable risk to various stakeholders, detailing roles and responsibilities etc.

• Risk Response:
– Consideration of response to each risk and selecting a strategy which is appropriate, achievable and affordable, delegating each task or activity to an owner.

• Risk Monitoring:
– Ensuring that agreed actions are implemented effectively, monitoring the effect on risk exposure, and communicating risk information to stakeholders with appropriate detail and frequency.

• Risk Review:
– Updating the risk process to assess the status of existing risks, determine the effectiveness of agreed responses, identify emerging risks, and review the Risk Management Strategy.

Risk Management Strategy (RMS) provides a structured and coherent approach to identifying, assessing and managing risk. It builds in a process for regularly updating and reviewing the assessment based on new developments or actions taken.

The process of identifying and reviewing the risks that a business faces is known as Enterprise Risk Assessment (ERA).

The assessment of potential risks enables the company to be aware of where uncertainty surrounding events or outcomes exists and to identify the necessary steps that should be taken to protect the company.

Risk Management Strategy can be developed and implemented by even the smallest of groups or projects or built into a complex strategy for a multi-site international organization.


Integrated Approach to Risk Management.

Integrative Risk Management starts with the premise that no measure of exposure can be taken in isolation. It is a view that is well established in a corporate context, with stress being placed on a more holistic understanding of Integrated Risk Management.

Integrated Risk Management is different from traditional management as it allows us to examine what is missing in normal business process, and why those missing elements expose us to risk.

Integrated Risk Management encourages better up-front planning and allows us to determine if our policies and capabilities are well aligned to the strategy we desire to execute.


Risk Updates

Assessment

Risk resources across different functions and business processes

Red flags, Mitigating controls, and Detection procedures

Risk and Controls Become aware of function-specific risks and implement adequate risk controls

Learn About the Business

Save time and quickly create customized control questionnaires on key business risks.

Control environments include: General IT Operational Finance Human Resources Business


Step 1: Risk Identification

Step 2: Risk Assessment

Step 3: Risk Management

Column headings (rows left blank): List of Possible Risks; Likelihood (H/M/L); Impact (H/M/L); What are we already doing about it? (mitigating factors); What more can we do about it?; Timescale; Person Responsible; Reviewed; Level of Risk

Develop connected, transparent action plans with measurable metrics

Enable mitigation through triggers and focused reporting

Analyze key risks and current capabilities

Simplify management strategies to vital risks.

Measure, monitor, & report risk management performance

Identify, assess, and prioritize business risks

Summarize results & integrate with Risk Mitigation processes

R Business Goals, Objectives & Strategists & integrate with decision – making processes

Some Challenges

Building blocks of processes, roles and technologies were not properly established.

Management does not fully understand or accept their critical role and responsibilities.

Risks that the project will not achieve the desired outcomes.

Business owners fail to see the value of the process and terminate the audit program.

Obtaining a complete and controlled population of data required to support a specific test.

Companies Face A Wide Array of Risks

A Common Challenge:

How can you identify and prepare for major risks to your business?


Most executives focus their risk assessment and management efforts primarily on financial and compliance risks.

A Risk Management Strategy that fails to simultaneously identify and address the entire range of major risk types puts the company in danger.


Establishing of a Risk Management Steering Committee

Risk Management is the responsibility of every employee of the University. Different stakeholders have different objectives and levels of accountability with respect to risk management. An effective risk management framework includes a comprehensive and defined accountability for risks, controls and risk treatment tasks. The risk management framework documents the roles and responsibilities of the various components of a risk management process.


Develop a framework for assessing different levels of audit analytic techniques and associated benefits.

Define progressive levels to evolve its use of Data / Business Analytics.

Identify the building blocks: People, Process and Technology that must be in place to optimize benefits.

Understand, plan and communicate what needs to be done to achieve and increase benefits.

Establish a proactive and comprehensive view for effective ERA and ERM.


Risk Management Committee


Makeup of the committee?

o Member from the Senior Management Team: (Board of Directors, Audit Committee, C Suite)

What are the committee’s core responsibilities?

The committee has three primary responsibilities: Establish a risk management program, Implement an annual risk assessment, Identify the organization’s exposures and Develop a risk control program.

What are main steps in creating a risk management program?

Identify and analyze risks (exposures), prioritize risk and communicate the appropriate risk management plan, implement the risk management plan, and monitor and update the plan as needed.


Managing Risk

Risk Avoidance: An organization decides to avoid the risk altogether by not entering into the activity or providing the service. This may be possible for some types of activities carried out by the organization but usually not core activities.

Risk Control: An organization decides to continue the activity which creates the risk, but to manage it so that it will be less likely to occur and less damaging if it does occur. If an activity is central for an organization then it will need to identify what standards of staff and volunteer training are needed to carry out the activity, and what good practice policies must be adhered to. There must be clear record keeping in order to ensure that it is clear that the organization met the good practice requirements laid down in its policy. Good governance is important here too, as the Management Committee will need to understand the risks and the control strategies in place. Having a skilled board with an understanding of accounting law, management etc. is part of a good risk control strategy.

Risk Transfer: An organization decides to have a third party perform the risky activity or to transfer the consequences of the risk to another person or organization. This can be through insurance, indemnity, exemption from liability or through transferring the activity to another organization.

Mitigating Factors: These are the things which are done to reduce risk. Some of these are internal, i.e. within the control of the organization, and some are external, i.e. they may be regulatory or imposed by funders. Some of these are in place already and it is important to take account of these in planning risk management.


Creating an Enterprise Risk Assessment

Risk Areas: Business Risk, Organizational, Strategic Risks, Financial Risks, Operational Risks, Legal & Compliance Risks, IT & Systems Risks

Risk Catalog

Design a web-based risk assessment survey that requires participants to assess each risk using critical criteria:
• Impact – How significant is this risk to the business?
• Likelihood – How likely is this risk to come to pass?

Web-based Risk Survey

Trending and Velocity

If the risk comes to pass, how quickly will it impact the company?

Risk Committee

Guidance on Risk Selection and Participants

• Consolidate and analyze the responses of your survey.

• Prepare a detailed and comprehensive report.

• Include heat maps

Board Presentation

Present Graphs for:
• Top 5 risks by impact, likelihood and velocity
• Top 5 risks for each category e.g. Business, Financial, Operational etc.


Risk & Definition

# Ref

1 B1

Business Interruption / Service Failure -
• The company's capability to continue critical operations and processes is dependent on availability of energy, information technologies, skilled labor, etc.
• Critical resources are not available, causing the company to experience difficulty in continuing profitable operations.
• A major disaster, such as fires, earthquakes, explosions, floods or terrorism, threatens the company's ability to sustain operations, provide essential products and services or recover operating costs, i.e. a disaster impacts the ability to support customers.
• Physical Risks: a disaster or extreme weather conditions impact the ability to support customers, e.g. tsunamis, fires, earthquakes, explosions, floods.
• Regulatory / Legal: changes in government laws, e.g. nationalization, import taxes / bans, energy supply, impact the company's ability to sustain production.

2 B2

Business Portfolio / Mergers / Acquisitions -
• The "due diligence" process is flawed and underlying business performance is not as presented by the buyer.
• The company does not negotiate appropriate risk mitigation processes in the deal document.
• Merger or acquisition activity results in inconsistent financial processes, lacks operational synergies or has a fragmented IT structure.
• Non-delivery of expected synergy benefits / cost savings, loss of market / customer focus during integration process and loss of key employees during integration process.

Business Risk

Corporate Average - Significance

Corporate Average - Likelihood

3.7 2.0

3.0 2.4

Trending

 

 


[Figure: Total Company Responses. Chart of Significance against Likelihood, both axes running from 1.0 to 5.0. Legend: Business, Technology, Manufacturing, Information Technology, Finance, Organizational, Sales & Marketing. Labelled points: SM1, SM2, SM4, T3, M5.]


Setting up Control Monitoring Process.

• Do not over-react to the initial wave of responses to your risk assessment – these will probably have some “white noise.”

• Establish the facts. Interview.

• Effective leadership is to create an environment where people are encouraged to identify risks and possible solutions.

• Pay Attention to the Detail: not getting lost in the weeds, but being able to sift the wheat from the chaff.

• Evaluate all outcomes and alternatives.

• Revisit the directives given to make sure they were executed.

Ownership: ERM belongs to the leadership team not consultants.

Fact: ERM only works when the bad news is faced up to and dealt with, not punished or rationalized.

D E E P E R

Responsibility: belongs to everyone.

Assigning responsibilities is an integral part of monitoring risk

• Role of the executive committee
• Risk Champion / Sponsor
• Unit responsible for risk mitigation

Risk assessment and monitoring techniques

Methods for assessing and monitoring risks assist managers in identifying where they should focus their energies and resources:
• Workshops
• Questionnaires
• Control self-assessment
• Identification templates
• “Bottom up” risk assessments


When anyone asks me how I can best describe my experience in nearly forty years at sea, I merely say, uneventful.

Of course there have been winter gales, and storms and fog and the like, but in all my experience, I have never been in any accident of any sort worth speaking about.

I never saw a wreck and never have been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort.

You see, I am not very good material for a story.

Edward J. Smith, Captain, RMS Titanic

© 2005 Christie's Images

Checklist


Risk Management and Internal Audit


Tolerance levels: No Tolerance, Serious Concerns, Moderate Concern, General Tolerance, Highest Tolerance

Financial Stability

• No Tolerance: Oversight concern for financial integrity; budget overshot; credit ratings downgraded.
• Serious Concerns: Financial statements subject to strong audit comment; not within budget; threats to credit rating.
• Moderate Concern: Audit comments on financial reports; budget pressures appearing.
• General Tolerance: Financial reporting sound; positive audit reports; within budget.
• Highest Tolerance: Sound balance sheet; within budget; strong credit rating.

Staff Engagement

• No Tolerance: Major staff morale and commitment now a persistent pattern. Attrition is so great that replacements cannot be found and turn away offers. Grievances preoccupy the organization and threaten to move into arbitration.
• Serious Concerns: Staff morale showing a strong downward trend over many months. Attrition generally across the organization creating operational pressure. Grievances are increasing and more pervasive.
• Moderate Concern: Staff surveys report staff concern about their alignment to organizational goals. Attrition increasing, but in isolated areas. Grievances show an increasing pattern.
• General Tolerance: Staff commitment reported positive. Attrition within acceptable and replaceable range. Grievances occurring but not in large numbers.
• Highest Tolerance: Staff report high level of commitment to work – multi-year pattern. Very low level of attrition. Low level of internal grievances.


• Tone from the Top: present risks to the Risk Committee for their consideration.

• Acceptance: Risk Committee formally accepts the risks to the organization.

• Clarification: Review the organization's core values and identify adverse risks.

• Training: Address challenging issues associated with risk perceptions.

• Identification: Clarify the Company’s core values for the organization and

• Communication: include appropriate sharing of information and of concerns.

• Assessment: Assign priorities to top risks, integrate these into existing operational plans.

• Leadership: Demonstrate ability to innovate and motivate your partners.
