RISK MANAGEMENT PRINCIPLES & GUIDELINES
Dubai – 2010
Presented by: George S. Dakis, Nexia ASR Melbourne
Session Contents
Extension of India 2008 Conference
Current Play in Risk Management
Enterprise Wide Risk Management
Risk Management Process
Implementing Risk Management
Example of Key Documents and Tools
Caseware Risk Tools
Other Risk Tools
Risk and Current Audit Climate
Singapore Enterprise Risk Management Survey 2010
Conducted by KPMG Singapore
Found at www.kpmg.com under “risk management services”
Singapore Enterprise Risk Management Survey 2010
About the Survey
Conducted between October 2009 and early 2010
Assesses recent developments within private sector organisations in Singapore
Seeks to understand what organisations see as the role of ERM moving forward and what its likely focus could be
203 organisations participated, from small and medium enterprises to major multinational companies in Singapore
More than 52% of respondents were part of the senior management team; 25% were members of the company's Board of Directors
Mix of publicly listed and private companies
[Chart: Respondents by global annual revenue. Revenue bands shown: Less than S$50 million; S$50 million – S$199 million; S$200 million – S$499 million; S$500 million – S$999 million; S$1 – 2 billion; More than S$2 billion. The percentage for each band cannot be attributed reliably from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Respondents by industry %
Manufacturing 17
Real estate/Construction 17
Financial Services 15
Transportation/Logistics 7
Retail, recreation & tourism services 7
Trading & distribution 6
Oil & gas 6
Healthcare, pharmaceuticals and biotechnology 5
Information & communications 4
Utilities (Water/Waste/Electricity) 2
Education 1
Agriculture 1
Others 10
Singapore Enterprise Risk Management Survey 2010
Year Respondents who have implemented ERM
2006 35%
2009 51%
2012 78%
More companies are implementing ERM programmes
Size and ownership matters
Of the publicly listed companies surveyed
59% have implemented an ERM programme
43% currently manage their key risks to a large extent
78% communicated their ERM programmes/initiatives to all personnel in the organisation
20% do not have an ERM programme and are not intending to implement one
Singapore Enterprise Risk Management Survey 2010
Current State of ERM
[Chart: Enterprise risk management drivers. The driver labels are not recoverable from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Key ERM objectives
[Chart: Key ERM objectives. The objective labels are not recoverable from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Why companies are not implementing an ERM programme
[Chart: reasons given for not implementing an ERM programme. The reason labels are not recoverable from the transcript.]
Note | Respondents were asked to identify three reasons each, so percentages do not sum to 100%
Singapore Enterprise Risk Management Survey 2010
The Risk Suite: Responsibility for the risk oversight role
[Chart: who holds the risk oversight role. Responses shown: Board of directors; Board risk management committee; Need-to basis; Oversight role not clearly defined and attributed within the organisation. Percentages cannot be attributed reliably from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Risk related roles/committees in your organisation
[Chart: Yes/No responses for each risk-related role or committee. The role labels are not recoverable from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Dedicated risk management resources – appointment of risk managers
79% have appointed management level risk committees
75% have appointed risk owners
Singapore Enterprise Risk Management Survey 2010
Organisations’ ERM priorities in the next 1-2 years
Rank ERM priorities
1 Align our risk management approach with our business objectives
2 Integrate risk management into corporate management processes (e.g. corporate planning, budgeting, forecasting)
3 Improve risk assessment methodology/framework and/or re-assess key risk exposure
4 Review/audit effectiveness of risk management programme
5 Enhance risk culture across the organisation (e.g. through risk training)
6 Integrate risk management objectives into Key Performance Indicators
7 Perform risk management forecasting, testing and scenario planning
8 Re-define risk management roles and responsibilities
9 Use IT systems and tools to embed ERM
10 Re-articulate and communicate risk appetite
11 Analyse inter-relationships of risks and develop a portfolio view of risks
12 Align and coordinate fragmented risk-related programmes/functions
13 Improve quality and frequency of reporting of risk information to stakeholders
14 Establish or develop a dedicated risk function
Singapore Enterprise Risk Management Survey 2010
Progressing in your ERM Journey
Companies with more mature ERM programmes are more able to manage risks
Respondents who said that they have managed their key risks ‘to a large extent’.
19% Among companies without an ERM programme
31% Among companies with a one year old ERM programme
53% Among companies that have implemented an ERM programme for more than three years
Singapore Enterprise Risk Management Survey 2010
A riskier business environment
76% Respondents said that risks had increased over the past three to five years
13% Felt that risks had increased ‘significantly’
26% Said they do not continuously flag, monitor and report on new and emerging risks
Singapore Enterprise Risk Management Survey 2010
Key existing and emerging risks
Rank | Existing | Emerging
1 | Competition (e.g. new competitors/non-traditional entrants) | Prolonged economic downturn
2 | Prolonged economic downturn | Legal and regulatory risks (e.g. contracts, intellectual capital issues, labour and safety)
3 | Product risk (e.g. product liability, changes in consumer demand) | People (e.g. key man risk, recruitment, retention and grooming)
4 | People (e.g. key man risk, recruitment, retention and grooming) | Competition (e.g. new competitors/non-traditional entrants)
5 | Market risks (e.g. interest rate, foreign exchange) | Increasing operating costs
Singapore Enterprise Risk Management Survey 2010
Do you plan to increase resources to strengthen risk management capabilities within the next one to two years?
[Chart: responses were Yes, plan for a moderate increase; Yes, plan for a significant increase; No, no change to resources; No, plan to reduce resources. Percentages cannot be attributed reliably from the transcript.]
Singapore Enterprise Risk Management Survey 2010
Moving Towards Risk Management Excellence
Enterprise Wide Risk Management
Risk Categories
Strategic: Stakeholder; Market Structure; Governance
Information: IT Systems; Intellectual Property; Information Management
Financial: Liquidity & Credit; Capital Structure; Market; Reporting
Operations: Process; Physical Asset; People & Culture; Legal
Enterprise Wide Risk Management
Risk Management Process
AS / NZS ISO 31000:2009 Risk Management – Principles and guidelines
Standards Australia
Risk Management Institute of Australasia
Risk Management Process
Definitions
Risk – effect of uncertainty on objectives
Risk Management – coordinated activities to direct and control an organisation with regard to risk
Consequence – outcome of an event affecting objectives
Likelihood – chance of something happening
Risk Treatment – process to modify risk
Residual Risk – risk remaining after risk treatment
Risk Management Process
Communication and Consultation
Takes place during all stages of risk management
Develop communication and consultation plans early
Helps establish the context
Ensures the interests of stakeholders are understood
Identifies expertise in the organisation
Secures endorsement and support for a treatment plan
Develop an appropriate external and internal communication and consultation plan
Facilitates truthful, relevant, accurate and understandable exchanges of information
Establishing the Context
General
Articulates objectives
Defines internal and external parameters
Sets the scope and risk criteria
External Context
The external environment in which the organisation seeks to achieve its objectives, based on the organisation-wide context
Social and cultural, political, legal, regulatory, financial, technological, economic and natural factors, whether international, national or regional
Key drivers and trends impacting the organisation
Relationships with, and the perceptions and values of, external stakeholders
Internal Context
The internal environment in which the organisation seeks to achieve its objectives
Risk management takes place in the context of the objectives of the organisation
Establishing the Context (cont’d)
The context of the risk management process will vary according to the needs of an organisation. It can involve, but is not limited to:
defining the goals and objectives of the risk management activities;
defining responsibilities for and within the risk management process;
defining the scope, including specific inclusions and exclusions;
defining the activity, process, function, project, product, service or asset in terms of time and location;
defining the relationships between a particular project, process or activity and other projects, processes or activities of the organisation;
defining the risk assessment methodologies;
defining the way performance and effectiveness is evaluated in the management of risk;
identifying and specifying the decisions that have to be made; and
identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.
Establishing the Context (cont’d)
Defining risk criteria
When defining risk criteria, factors to be considered should include the following:
the nature and types of causes and consequences that can occur and how they will be measured;
how likelihood will be defined;
the timeframe(s) of the likelihood and/or consequence(s);
how the level of risk is to be determined;
the views of stakeholders;
the level at which risk becomes acceptable or tolerable; and
whether combinations of multiple risks should be taken into account and, if so, how and which combinations should be considered.
Risk Assessment comprises three steps: Risk Identification, Risk Analysis and Risk Evaluation
Risk Management Process
Risk Identification
Identify sources of risk, areas of impact, their causes and potential consequences
Identify risks associated with not pursuing an opportunity
Identify risks, whether or not their source is under the organisation's control
Consider knock-on effects of particular consequences, including once-off and cumulative effects
All significant causes and consequences should be considered
Risk Analysis
Process to comprehend the nature of risk and to determine the level of risk
Consider causes and sources of risk, positive and negative consequences and likelihood
Level of risk means the magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood
Consequence means the outcome of an event affecting objectives
Likelihood means the chance of something happening
Involves developing an understanding of the risk
The way in which consequences and likelihood are expressed should reflect the type of risk, the information available and the purpose for which the risk assessment output is to be used
Risk Evaluation
Process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable
Decisions on priority for treatment
Compare to risk criteria
Consider tolerance for risk
May lead to further analysis
Risk Treatment
General
Process to modify risk
Risk treatment involves a cyclical process of:
assessing a risk treatment;
deciding whether residual risk levels are tolerable;
if not tolerable, generating a new risk treatment; and
assessing the effectiveness of that treatment.
Risk Treatment
Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. The options can include the following:
avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
taking or increasing the risk in order to pursue an opportunity;
removing the risk source;
changing the likelihood;
changing the consequences;
sharing the risk with another party or parties (including contracts and risk financing); and
retaining the risk by informed decision.
Risk Treatment
Selection of Risk Treatment Options
Cost vs effort vs benefit
Legal or other regulatory requirement
Consequences and likelihood
Consider values and perception of stakeholders
Priority order
Risk treatment plan may introduce new risks
Risk Treatment
Preparing and Implementing Risk Treatment Plans
The purpose of risk treatment plans is to document how the chosen treatment options will be implemented. The information provided in treatment plans should include:
the reasons for selection of treatment options, including expected benefits to be gained;
those who are accountable for approving the plan and those responsible for implementing the plan;
proposed actions;
resource requirements including contingencies;
performance measures and constraints;
reporting and monitoring requirements; and
timing and schedule.
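The analysis, evaluation and treatment steps set out above can be followed end to end in code. The block below is an added example written for this page; it is not a tool from the presentation, from Nexia ASR, or from Caseware. The 1-5 likelihood and consequence scales, the tolerable level of 6, the rating bands, the two constructed register entries and their treatment options are all illustrative assumptions, and the product of likelihood and consequence stands in for whatever method an organisation's own risk criteria define. It shows the cyclical treatment loop (assess, test against the criteria, pick another option if the residual is still not tolerable), cost-versus-benefit selection between options, the "share" option leaving a residual and introducing a new risk that must itself be assessed, and retention by informed decision when no option helps.

```python
"""Risk analysis, evaluation and the cyclical treatment process in ISO 31000
vocabulary. Scales, criteria, sample risks and treatment options are
constructed for illustration only (not from the presentation or its appendices)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ordinal scales. Likelihood 0 means the risk source was removed
# (the 'avoid' option). Real scales belong to the risk criteria fixed when
# establishing the context.
LIKELIHOOD = {0: "eliminated", 1: "rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "almost certain"}
CONSEQUENCE = {1: "insignificant", 2: "minor", 3: "moderate", 4: "major", 5: "catastrophic"}

# Constructed risk criteria: the level at or below which a risk is tolerated,
# and how a numeric level is turned into a rating.
TOLERABLE_LEVEL = 6
RATING_BANDS = [(15, "extreme"), (10, "high"), (5, "medium"), (0, "low")]


def level_of_risk(likelihood: int, consequence: int) -> int:
    """Level of risk: combination of consequence and likelihood (here, their product)."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError("likelihood/consequence outside the defined scales")
    return likelihood * consequence


def rating(level: int) -> str:
    """Map a level to the rating band defined in the (constructed) risk criteria."""
    return next(label for floor, label in RATING_BANDS if level >= floor)


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int
    consequence: int

    @property
    def level(self) -> int:
        return level_of_risk(self.likelihood, self.consequence)


@dataclass(frozen=True)
class Treatment:
    """One treatment option; `option` names the ISO 31000 category it falls under."""
    name: str
    option: str                        # avoid | change likelihood | change consequences | share
    likelihood_delta: int = 0
    consequence_delta: int = 0
    cost: int = 1                      # constructed relative cost units
    introduces: Optional[Risk] = None  # a treatment can itself give rise to a new risk


def apply_treatment(risk: Risk, t: Treatment) -> Risk:
    """Residual risk after one treatment; deltas are clamped to the scales."""
    if t.option == "avoid":
        return Risk(risk.name, 0, risk.consequence)  # activity not started: source removed
    lik = min(5, max(1, risk.likelihood + t.likelihood_delta))
    con = min(5, max(1, risk.consequence + t.consequence_delta))
    return Risk(risk.name, lik, con)


def is_tolerable(risk: Risk, tolerable_level: int = TOLERABLE_LEVEL) -> bool:
    """Risk evaluation: compare the analysed level with the risk criteria."""
    return risk.level <= tolerable_level


def treat(risk: Risk, options: List[Treatment], tolerable_level: int = TOLERABLE_LEVEL) -> Dict:
    """Cyclical treatment: assess, test tolerability, select another option if needed.

    Options are chosen one per cycle by level reduction per unit cost until the
    residual is tolerable or nothing left reduces the level, in which case the
    residual is retained by informed decision. Returns a treatment-plan record."""
    residual, plan, new_risks, remaining = risk, [], [], list(options)
    while not is_tolerable(residual, tolerable_level):
        scored = [(residual.level - apply_treatment(residual, t).level, t) for t in remaining]
        scored = [(gain, t) for gain, t in scored if gain > 0]
        if not scored:
            break  # no remaining option reduces the level: retain the residual
        _, chosen = max(scored, key=lambda gt: gt[0] / gt[1].cost)
        residual = apply_treatment(residual, chosen)
        plan.append(chosen)
        remaining.remove(chosen)
        if chosen.introduces is not None:
            new_risks.append(chosen.introduces)  # must be assessed in its own right
    tolerable = is_tolerable(residual, tolerable_level)
    return {
        "risk": risk.name,
        "inherent": (risk.level, rating(risk.level)),
        "residual": (residual.level, rating(residual.level)),
        "tolerable": tolerable,
        "retained_by_decision": not tolerable,
        "actions": [f"{t.name} ({t.option})" for t in plan],
        "new_risks_to_assess": [r.name for r in new_risks],
    }


# Constructed register entries and treatment options for the example run.
WEB_SERVER = Risk("Unpatched internet-facing web server", likelihood=4, consequence=4)
WEB_OPTIONS = [
    Treatment("Monthly patch cycle", "change likelihood", likelihood_delta=-2, cost=2),
    Treatment("Segregate web tier from internal network", "change consequences", consequence_delta=-2, cost=3),
    Treatment("Cyber insurance", "share", consequence_delta=-1, cost=2, introduces=Risk("Insurer disputes claim", 2, 2)),
    Treatment("Decommission the service", "avoid", cost=20),
]
KEY_PERSON = Risk("Single DBA holds all production credentials", likelihood=3, consequence=4)
KEY_PERSON_OPTIONS = [
    Treatment("Cross-train a second DBA", "change likelihood", likelihood_delta=-1, cost=3),
    Treatment("Retainer with external DBA firm", "share", consequence_delta=-2, cost=3,
              introduces=Risk("Third-party access to production data", 2, 3)),
]

if __name__ == "__main__":
    for risk, opts in ((WEB_SERVER, WEB_OPTIONS), (KEY_PERSON, KEY_PERSON_OPTIONS)):
        print(treat(risk, opts))
```

For the web server entry the loop applies patching first (largest reduction per unit cost), finds the residual still above the tolerable level, then applies segregation and stops at a low residual; decommissioning is never chosen because its cost outweighs the gain. For the key-person entry the retainer is selected because it brings the residual to exactly the tolerable level in one step, but the record flags a new third-party access risk to be taken through identification, analysis and evaluation in turn, which is the "treatment may introduce new risks" point from the selection criteria above.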
Monitoring and Review
Continual checking, supervising, critically observing status in order to identify change from the performance level required or expected
Activity undertaken to determine the suitability, accuracy and effectiveness of the subject matter to achieve established objectives
The organisation's monitoring and review processes should encompass all aspects of the risk management process for the purposes of:
ensuring that controls are effective and efficient in both design and operation;
obtaining further information to improve risk assessment;
analysing and learning lessons from events (including near-misses), changes, trends, successes and failures;
detecting changes in the external and internal context, including changes to risk criteria and the risk itself which can require revision of risk treatments and priorities; and
identifying emerging risks.
Implementing Risk Management
Leadership from the top
Champions throughout the organisation
Share success stories
Continual improvement and a culture of open reporting
Centre for excellence
Training
Full accountability for risks
Application of risk management in all decision making
Full integration in the organisation's governance structure
Support tools
Examples of Key Documents & Tools
Appendix A - Generic sources of risk and their areas of impact
Appendix B - Examples of risk definition and classification
Appendix C - Examples of quantitative risk expressions
Appendix D - Events Port Stephens
Appendix E - Cunningham Construction Australia Pty Ltd
Appendix F - ACT Insurance Authority
Caseware Risk Tools
www.caseware.com
www.riskspace.com
Caseware Audit Tool
Refer Appendix G For detailed audit program for Risk Assessment;
Refer Appendix H For detailed Risk Report
Risk Space
Other Risk Tools
Combined Risk Assessment – refer Appendix I
Risk Matrix – refer Appendix J
ORIM – refer Appendix K (www.orim.com.au)
ORIM Features
Risk and Current Audit Climate
Insolvent Trading
– RG217 Duty to Prevent Insolvent Trading
– Keep themselves informed about company’s affairs
– Regularly assess the company’s solvency and investigate financial difficulties
– Obtain appropriate
Subsequent events
Impairment of assets
Goodwill and intangibles
Receivables
Risk and Current Audit Climate
Loan impairments
Inventories
Deferred tax assets
Pension plan obligations
Contingencies and guarantees
Fair value measurements and accounting estimates
Fraud
Off balance sheet arrangements
Questions
Nexia ASR
t: 03 9608 0100
www.nexiaasr.com.au