demystifying risk management… · 2019-03-01 · demystifying risk management governance, risk...

Post on 30-Dec-2020

Demystifying Risk Management

Governance, Risk & Compliance Conference, Crowne Plaza, Santry. 26th February 2019

Jason Dowling CPA

Partner Whelan Dowling & Associates and CEO Red Flare

A little bit about me!!

• Jason Dowling CPA

• Partner – Whelan Dowling & Associates

• Director & Co-Founder Red Flare

• Specialise in G.R.C. and I.A.

• >25 Years Practice

• Married – 3 Kids

• Twin

• Nearly became a fireman

Approach for today

GRC – Three Lines of Defence

Risk Terminology

Operational Risk Framework

Risk Appetite, Tolerance & Capacity

Risk appetite setting

Risk monitoring & reporting

Regulators View

Risk Management Systems

GRC Framework

Risk Terminology

Risk framework

Risk appetite

Risk tolerance

Risk capacity

Risk universe

Risk indicators / Key Risk Indicators

Loss events / incidents

Risk reporting and documentation

Quantitative and Qualitative risk analysis

Risk Terminology

Risk causes

Risk consequences

Risk mitigation

Risk controls

Risk assessment

Risk root cause analysis

Inherent Risk & Residual Risk

Impact & Probability - Matrix

Emerging risks

Risk Management

Risk Framework

Operational Risk Framework

Risk Appetite & Capacity is Set By the Board!!

Risk Structure for Directors Meetings

Top of the Pyramid

- Risk Appetite

Would you ever take up hang gliding? What about base jumping?

Would you drive a car if the seat belt was broken? To get to an important meeting maybe?

If you were down to your last €100, would you bet €10 on a horse after a hot tip? €20? Your whole €100?

At age 65, would you invest 25 per cent of your pension fund in the share market? 50 per cent? 100 per cent? Or none at all?

Would you cross the top of Santry Avenue to save a minute walking to the pedestrian crossing?

Risk Framework

Top of the Pyramid - Risk Appetite

How Long Is O’Connell Bridge?

Understanding Risk Capacity

Top of the Pyramid

- Risk Appetite

The UK’s Financial Services Authority (FSA) states:

❑ “Risk appetite is the amount of risk that one is prepared to accept, tolerate, or be exposed to at any point in time.”

Understanding Risk Capacity

Risk Capacity - The maximum amount of risk an entity is able to support within its available financial resources

❖ Versus

Risk Tolerance - The maximum amount or type of risk the entity is prepared to tolerate above risk appetite.

Understanding Risk Capacity

Risk Examples – Category – Event – Appetite – Capacity

School – Insurance – Accidents – Zero (2) – Medium (13)

Nursing Home – Conduct – HIQA – Zero (2) – Low (7)

Rugby / Football Club – Liquidity – Relegation – Low (2) – Medium (13)

Airline – Environmental – Terrorism – Zero – Low

Cruise Line – Operational – Loss of Life – Zero – Low

Farming – Insurance – Weather – Low – Medium

Construction – Capital – Cashflow – Medium (13) – High (17)

Semi State Transport – Strategy – Strike – Low – High

High Street Retailer – Market – Online Retail – Medium – Medium

Xmas Tree Sales – Business Model – Seasonal – Low – Medium

Funeral Home – Market – Cure Cancer – High (17) – Extreme (22)

Matching Score to Appetite

Mapping Risk Appetite to Scoring Matrix

You Need To Define Individual Scores and relate back to appetite.

Objectives of an Effective Risk Appetite Statement

Another way of thinking: RAF is an enabler to take accepted levels of risks in the pursuit of its strategy. Hence it needs to be within the DNA of all staff as they all have a role in ensuring the strategy is achieved.

A RAS allows staff to answer:

❑ How much risk can I take on to deliver on this objective?

❑ Can I pursue this new business opportunity?

❑ What is the guide on pricing for a particular type of product / customer / market?

Risk appetite formulation is a key element of overall strategy

Risk capacity – a company’s ability to take on risk – is compared against a company’s planned risk profile in the self-assessment process

Risk monitoring is included in the broader KPIs that support strategy

As with strategy, risk appetite needs to be dynamic and periodically reviewed

Failures In Governance & Risk Management can Lead To …

Thou Shalt Obey Your Prescribed Legislation

Not Maybe or Might!!

What Does the Regulator Think?

Risk Reporting

Risk Reporting For CUs – Charities Could Adopt

Reports should cover the following at a minimum:

• significant risks and the effectiveness of systems and controls;

• any risk events that have occurred and the actions taken or proposed to mitigate the risk;

• likely or actual deviations from risk tolerance levels or established systems and controls and should include the timeframe and status of any activities that are proposed to address these;

• any negative trends in higher risk areas and any recommended changes to risk management activities;

• any new risks including their risk assessment, risk rating and systems and controls;

• any material emerging risks and recommended course of action;

• updates on risk management actions arising from previous reports that have been approved by the board of directors (or risk committee where one exists); and

• any recommended remedial action required.

What is Strategy

What is Strategy – Thompson and Strickland

Everybody is required to face the three central questions

❑ What is our present situation?

❑ Where do we want to go from here?

❑ How are we going to get there?

Strategic Delivery

Formulating an effective strategy is not enough unless its successful execution is enabled by the right business model with properly embedded risk management and governance framework.

➢ Achievable Goals

➢ Clearly defined targets

➢ KPIs

➢ Strong Reporting Framework

➢ Biggest Risk is Failure of Strategy

Risk Management & Technology

Considerations Risk Systems

Excel Spreadsheets – Size, Version Control, Embedding

Integrated APIs in Risk Systems

Automatic Notifications

Audit Trail

Realtime Reporting – Filters, Historic Reporting

Internal Control Framework

Cloud vs Prem

Cost vs Benefit

Loss events / incidents / leading indicators

Bow Tie Risk Management – Cause & Consequences

Risk reporting and documentation

Value Add – Makes Life Easier

Shameless Plug – Buy Red Flare

Questions??

Contact details

Jason Dowling CPA

jdowling@wda.ie

01-6771411

Thank you for your time!
