TRANSCRIPT
Audit Committee Risk Management Training
September 2010
John Allsop
Marcus Richards
Introduction
• Definition of Risk Management
• Risk Management Principles & Practice
• Benefits of Risk Management
• Current Developments
• Anecdote
What do we mean by Risk?
• Contemporary Definition – Risk is the “effect of uncertainty on objectives”. (ISO 31000 - Risk Management Principles and Guidelines (2009))
• Uncertainty can be positive or negative.
Towards a balanced view of risk
Traditional view                 Contemporary view
All about threats                About opportunities
Risk averse                      Risk enabling/managing
‘Can’t Do’                       ‘Can Do’
What is Risk Management
• The culture, processes and structures directed towards realising opportunities whilst managing adverse effects.
• Its purpose is not to eliminate risk, but to understand it so as to take advantage of the upside and minimise the downside.
Risk Management is not
• A new responsibility
• About eliminating risk
• An add-on
• A one-off exercise
• The universal answer
Why is risk management important?
• Good management practice
• Achievement of objectives
• Opportunities
• Assurance to stakeholders
What if we don’t manage our risks?
• Corporate failures (private sector)
• Step-in (local government)
• Project failures
• Missed opportunities
The Risk Model
• Strategic Risks
  – High level
  – Owned at board level
  – Cross cutting
• Operational Risks
  – Departmental/business unit level
  – Any risk which is not strategic
Risk Management Process
Risk Identification – What could happen? How could it happen?
Risk Assessment – Likelihood? Impact?
Risk Mitigation & Management – Accept? Avoid? Reduce? Transfer?
Risk Profiling – Prioritisation
Risk Monitoring & Review – Ongoing process
Reporting
Step 1 - Risk Identification
Tools available to identify risk:
• PESTLE/SWOT Analysis
• Brainstorming/Challenge sessions
• Scenario Planning
• Audit reports
Step 2 - Risk Assessment
Assess each risk in terms of:
• Likelihood (frequency/probability)
• Impact (Severity)
Level of Risk
Risk Score (L x I)    Risk Rating
11 – 16               High
5 – 10                Medium
1 – 4                 Low
Step 3 - Risk Profiling
                                      Impact
Likelihood          1 - Minor   2 - Significant   3 - Serious   4 - Major
4 – Very Likely     L           M                 H             H
3 - Likely          L           M                 M             H
2 - Unlikely        L           L                 M             M
1 - Remote          L           L                 L             L
Step 4 - Risk Mitigation & Management
• Tolerate the risk
  – Within Ealing’s risk appetite (need to monitor)
• Terminate the risk
  – Quit the operation (often not a real option)
• Treat the risk
  – Reduce likelihood (put in extra controls)
  – Reduce impact (PR, recovery/continuity plans etc.)
• Transfer the risk
  – Transfer exposure through insurance or to partner organisation
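Steps 2 to 4 above (score each risk as Likelihood x Impact, band the score into High/Medium/Low, place it on the profiling grid, then decide whether it sits within appetite) can be written down as a small scoring routine. The following is an added example written for this transcript, not code from the training or from the council it describes. The 1-4 scales, the 11-16 / 5-10 / 1-4 bands and the four response options are taken from the slides; the register entries, the owner names and the risk-appetite threshold of 4 are constructed assumptions for illustration. The grid produced by `profile_matrix()` is derived from the bands, so it can be checked row by row against the Step 3 slide.

```python
"""Risk scoring, profiling and prioritisation following the slide model.

Added example, not part of the original training material. Scales,
score bands and the Tolerate/Terminate/Treat/Transfer options are from
the slides; register contents and the appetite threshold are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Slide scales: likelihood 1-4 and impact 1-4.
LIKELIHOOD = {1: "Remote", 2: "Unlikely", 3: "Likely", 4: "Very Likely"}
IMPACT = {1: "Minor", 2: "Significant", 3: "Serious", 4: "Major"}

# Slide bands: Risk Score (L x I) -> Risk Rating.
RATING_BANDS = [(11, 16, "High"), (5, 10, "Medium"), (1, 4, "Low")]


def risk_score(likelihood: int, impact: int) -> int:
    """Step 2: score = Likelihood x Impact, each on the 1-4 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must each be 1-4")
    return likelihood * impact


def risk_rating(score: int) -> str:
    """Band a score into High / Medium / Low using the slide thresholds."""
    for low, high, rating in RATING_BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score} is outside 1-16")


def profile_matrix() -> Dict[Tuple[int, int], str]:
    """Step 3: the 4x4 profiling grid, keyed (likelihood, impact) -> H/M/L.

    Built from the bands rather than typed in, so it can be compared
    with the grid on the Step 3 slide.
    """
    return {(lk, im): risk_rating(risk_score(lk, im))[0]
            for lk in LIKELIHOOD for im in IMPACT}


@dataclass
class Risk:
    """One line of a risk register (constructed shape, not Ealing's template)."""
    ref: str
    description: str
    likelihood: int
    impact: int
    owner: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def rating(self) -> str:
        return risk_rating(self.score)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Prioritisation: highest score first; ties broken by impact."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def response_required(risk: Risk, appetite: int) -> str:
    """Step 4: a score within appetite can be tolerated (and monitored);
    anything above it needs a Treat, Transfer or Terminate decision."""
    if risk.score <= appetite:
        return "Tolerate (monitor)"
    return "Treat / Transfer / Terminate"


# Constructed register entries; not data from the training.
SAMPLE_REGISTER = [
    Risk("SR1", "Loss of a key supplier", 2, 4, "Finance"),
    Risk("SR2", "Unplanned data centre outage", 3, 3, "IT"),
    Risk("OR1", "Minor performance reporting delay", 4, 1, "Performance"),
    Risk("SR3", "Major project overrun", 4, 3, "Programmes"),
]

if __name__ == "__main__":
    # Assumed appetite of 4: anything rated Low is tolerated.
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.ref:4} L{r.likelihood} x I{r.impact} = {r.score:2} "
              f"{r.rating:6} -> {response_required(r, appetite=4)}")
```

Running the script lists the constructed register highest score first (SR3 at 12, then SR2, SR1 and OR1) with the response each would need; a real register would replace the sample entries and set the appetite threshold the committee has agreed.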
Step 5 – Risk Monitoring & Reporting
• Quarterly reporting to Corporate Board and Audit Committee.
• Quarterly Corporate Risk Management Forum.
• Committee Report template
Risk Registers
• Used to document the risk management process
• Strategic Risk Register
• Operational Risk Register
• Project Risk Logs
Benefits of Risk Management
• Increased ownership and understanding of risk
• Consistent, shared view
• Fewer surprises – issues highlighted earlier
• Improved and informed decision-making
• Visibility and evidence
Current Developments
• ISO 31000 - Risk Management Principles and Guidelines (2009)
• Enterprise Risk Management
• UK Corporate Governance Code (2010)
And Finally
Black Swan Theory – The disproportionate role of high-impact, hard to predict and rare events that are beyond the realm of normal expectations (Taleb 2007)
Any Questions?