This Slideshare presentation is a partial preview of the full business document. To view and download the full document, please go here:
http://flevy.com/browse/business-document/risk-management-overview-437
This document is a 129-slide PowerPoint presentation that provides a Risk Management Overview based on the M_o_R methodology that has been recognised world-wide as the leading Best Practice framework for successful management of Business Risk.
Plenty of graphics are included in order to provide illustration of key points.
The document is easily customisable, content can be removed (or simply skipped over during presentation), and additional slides can be added to provide more subject depth.
2. What is Risk?
Risk is defined as...
"An uncertain event or set of events that, should it occur, will have an effect on the achievement of objectives. A risk is measured by the combination of the probability of a perceived threat or opportunity occurring and the magnitude of its impact on objectives"
Dartview Consulting Limited
3. What is Risk Management?
• For Risk Management to be effective, risks need to be:
  - Identified: Considering uncertainties that would affect the achievement of objectives within the context of a particular organisational activity, and then describing/communicating them in order to ensure a common understanding
  - Assessed: Estimating the probability, impact and proximity of individual risks so they can be prioritised. Understanding the overall level of risk (risk exposure) associated with the organisational activity
  - Controlled: Planning appropriate responses to risks, assigning owners and actionees. Implementing, monitoring and controlling these responses
4. The M_o_R Framework
[Figure: M_o_R framework diagram. Labels: M_o_R Principles; Embed and Review; M_o_R Approach (Risk Management Policy, Risk Management Process Guide, Risk Management Strategy, Risk Register, Issue Register); Identify; Assess; Plan; Implement; Communicate]
5. Organisational Perspectives
• Strategic
  - Concerned with ensuring overall business success, vitality and viability
  - Sets the scene for the management of risk across the entire organisation
  - Information flows should be established between those with strategic responsibility and those with operational and programme responsibility
  - Establish information flows with those with project responsibilities if project outputs are of strategic importance.
6. Organisational Perspectives
• Project
  - Concerned with delivering defined outputs to an appropriate level of quality within agreed scope, time and cost constraints
  - Sets the scene for the management of risk within the project
  - Information flows should be established as required if the project supports strategic, programme or operational objectives
8. Management of Risk Principles
• Aligns with Objectives:
  - Consider the objectives from each of the four organisational perspectives
  - Determine Risk Capacity & Risk Appetite for each of the four organisational perspectives
  - Remember that objectives can change; as such, Risk Management is dynamic, not static, and is therefore a repetitive process
9. Management of Risk Principles
• Engages Stakeholders:
  - Adopt an appropriate level and style of communication
  - Understand Stakeholder perception of risks
  - Establish a common language/terminology
  - Proactive and timely involvement
  - Stakeholder Analysis
    - Influence/Interest matrix
    - RACI diagram
10. Management of Risk Principles
• Informs Decision Making:
  - Help decision-makers understand the relative merits, threats, and opportunities associated with alternative courses of action
  - Establish Roles & Responsibilities
  - Establish Reporting & Escalation arrangements
  - Define Risk Tolerance
  - Establish Key Performance Indicators (KPIs)
11. Management of Risk Principles
• Create a Supportive Culture:
  - Organisation must recognise that managing risk appropriately means taking calculated chances
  - Zero risk is neither possible nor desirable. A tolerable level of risk that matches the appetite for the organisational activity is needed
  - Embedding of Risk Management into everyone's day-to-day activities
  - Open and honest discussion without fear of retribution
  - Recognition and reward for managing risk proactively
12. Management of Risk Approach
• The way in which Risk Principles are implemented
• Centred around a set of key documents
13. Management of Risk Approach
• Risk Management Policy
  - States why and how Risk Management will be implemented throughout an organisation
  - Communicates in a common language
  - Strives to establish uniformity across the Risk Management process and remove ambiguity about the organisation's overall risk capacity, appetite and tolerance levels
  - Describes the format and timing of reporting
  - Subject to review on an annual basis and/or as a reaction to new legislation or government guidance
14. Management of Risk Approach
• Risk Management Strategy
  - Describes the specific Risk Management activities that will be taken for a particular organisational activity
  - Multiple strategies are commonly used across an organisation, reflecting the need to apply risk differently according to the activity being considered, while still reflecting the overall organisational Policy and Process Guide
  - Outlines the Risk Appetite for an organisational activity
  - Where appropriate, may relate to the OGC Gateway Review process for the public sector or alternative assurance and approval processes for the private sector
15. Management of Risk Approach
• Issue Register
  - Purpose is to capture and maintain information on all of the identified issues that are happening now and require action
  - Issues may have arisen from risks that had been identified, but not managed
  - Issues that have been raised may be causes of new risks
  - Important to understand issues, and how they are related to, yet different from, risks
  - Timely transfer of relevant information between the Risk Register and the Issue Register enhances the effectiveness of management processes
16. Management of Risk Approach
• Risk Communications Plan
  - Describes how information will be distributed to, and received from, all relevant stakeholders of a particular organisational activity.
  - May form part of a wider communication plan within the organisation
  - Effective communication between stakeholders is a critical success factor for Risk Management, ensuring that risks are identified and assessed, and that suitable responses are planned and owned
17. Management of Risk Approach
• Risk Progress Report
  - Provides regular progress information to management on risk management within a particular organisational activity
  - Comments on the progress of planned actions and their effectiveness
  - Reports trend analysis and reports performance against measures established to demonstrate the value of risk management activities
18. Management of Risk Approach
• Relationship between Documents
[Figure: relationship between the risk documents. Labels: The Organisation; For each Organisational Activity; Policy; Process Guide; Risk Improvement Plan; Strategy; Risk Register; Issue Register; Risk Response Plan; Risk Communications Plan; Risk Progress Report]
19. Management of Risk Process
• Four primary steps
  - Identify
  - Assess
  - Plan
  - Implement
• Carried out in sequence
• Repetitive in nature
• Embed & Review embraces each step
• Principles permeate each step
20. Management of Risk Process
• Communication is vital across the whole process
  - Everyone must understand
    - How the organisation's Risk Capacity and Risk Appetite are expressed by Risk Tolerances for the work in question
    - The Risk Policy, Risk Process and Risk Strategy relevant to their role
    - The benefits of effective Risk Management and the potential implications if it is not done
21. Management of Risk Process
• Identify, Assess, Plan and Implement process steps
• Described in the following format
  - Goals
  - Inputs
  - Outputs
  - Techniques
  - Tasks
22. Management of Risk Process
• Identify - Context
  - Goal is to obtain information about the planned activity and how it fits into the wider organisation. This will include understanding:
    - What constraints are relevant to the activity
    - Who the stakeholders are and what their objectives are
    - Where the activity fits in relation to the organisational structure
    - The organisation's environment (industry, market, etc.)
    - The organisation's approach to Risk Management
23. Management of Risk Process
• Identify - Context
  - Tasks
    - Establish activity objectives
    - Establish activity scope
    - Clarify assumptions
    - Discover completeness of information
    - Carry out Stakeholder Analysis
    - Clarify Risk Management Approach
24. Management of Risk Process
Identify the Risks
Inputs: Activity Analysis, Risk Management Strategy, Stakeholder Map, Lessons Learned, Issues
Techniques: Checklists, Prompt list, Cause & Effect Diagrams, Group Techniques (Brainstorming, Nominal Group, Delphi), Individual Interviews, Assumption Analysis, Constraints Analysis, Risk Descriptions
Outputs: Risk Register, Early Warning Indicators
25. Management of Risk Process
• Assess can be split into two sub-processes
  - Assess – Estimate
  - Assess – Evaluate
26. Management of Risk Process
Assess – Estimate
Inputs: Risk Register, Early Warning Indicators
Techniques: Probability Assessment, Impact Assessment, Proximity Assessment, Earned Value Assessment
Outputs: Risk Register
27. Management of Risk Process
• Assess - Evaluate
  - Goal is to understand the Risk Exposure posed by the net effect of the identified threats and opportunities when added together
28. Management of Risk Process
• Assess - Evaluate
  - Tasks
    - Build risk model
      "This involves making an assessment of the relationships between risks. Are risks correlated or not? If one risk occurs, what impact, if any, does this have on the probability, impact and proximity of other risks?"
29. Management of Risk Process
Plan
Inputs: Summary Risk Profile, Relationships & Interdependencies, Risk Register, Existing Insurance Policies, Lessons Learned
Techniques: Risk Response Planning, Cost-Benefit Analysis, Decision Trees
Outputs: Risk Owner, Risk Actionee, Risk Register (updated with responses and secondary risks), Risk Response Plan
30. Management of Risk Process
• Implement
  - Goal is to ensure that the planned responses are implemented and monitored for their effectiveness, and to ensure that corrective action is taken where planned responses do not match expectations
31. Management of Risk Process
• Implement
  - Tasks
    - Executing, Monitoring & Controlling
    - Update Risk Register
    - Update early warning indicators for KPIs
    - Close risks
    - Produce and distribute reports
32. Embedding & Reviewing
• Embedding the Principles
  - Use the Risk Health Check model to establish a benchmark
  - Use the Risk Maturity model to assess and schedule improvement over time
33. Embedding & Reviewing
• Common Barriers to success
  - Lack of organisational culture that appreciates the benefits of Risk Management
  - Immature Risk Management practices
  - Lack of resources and time
  - Lack of policies, strategies and plans
  - Lack of senior management sponsorship
  - Lack of training, knowledge, tools and techniques
  - Lack of clear guidance for managers and staff
  - Lack of incentives for participation in Risk Management activities
34. Embedding & Reviewing
• Securing Senior Management support
  - Communicate appointment of board level sponsor
  - Include risk-related objectives in senior management bonus scheme
  - Include a review of risks on the agenda of all management meetings
  - Ensure that roles and responsibilities are clear and that there is a well-understood path for escalation
  - Provide regular reporting on risks and their potential impact
  - Communicate successfully planned and implemented risk responses
36. Risk Documents
• Risk Management Policy
  - Describes why Risk Management is important to the organisation
  - Describes the specific objectives served by formal implementation of Risk Management
  - Responsibility of the Senior Management team within the organisation
37. Risk Documents
• Risk Management Process Guide
  - Describes how an organisation intends to perform Risk Management
  - Describes the roles and responsibilities of the people who perform risk-related tasks
  - Responsibility of a named Senior Manager within the organisation, who may choose to delegate to a risk specialist
38. Risk Documents
• Risk Management Strategy
  - Describes how the Risk Management Policy and Risk Management Process Guide will be implemented for a specific organisational activity
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
39. Risk Documents
• Risk Register
  - Documents all of the risks that have been identified as having an impact on the objectives of the specific organisational activity
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
40. Risk Documents
• Issue Register
  - Documents all of the unplanned situations that are happening now and require management attention
  - Issues can be problems, benefits, queries or change requests
  - The Issue Register forms the link between the risk management and issue resolution processes
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
41. Risk Documents
• Risk Improvement Plan
  - Brings together all of the actions required to improve the way in which Risk Management is performed within the organisation or a subset of it
  - As a minimum it should focus on improving the culture and the context within which Risk Management can add value
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
42. Risk Documents
• Risk Communications Plan
  - May be a separate document, or included as part of a wider communications plan for the organisational activity in question
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
43. Risk Documents
• Risk Response Plan
  - Is an extension of the Risk Register that provides more detail on the planned response.
  - It is vital that version control between the Risk Response Plan and the Risk Register is maintained at all times
  - Risk Response Plans should be created and maintained by Risk Owners
44. Risk Documents
• Risk Progress Report
  - May be a separate document or form part of a wider progress report for the organisational activity in question
  - Responsibility of the manager of the specific organisational activity (e.g. Operations Manager, Project Manager)
47. Risk Techniques
• Stakeholder Analysis – Influence/Interest Matrix
[Figure: Influence/Interest matrix. Axes: "Potential impact of the organisational activity on the stakeholders" (Low, Medium, High) and "Importance of Stakeholders to the organisational activity" (Low, Medium, High)]
48. Risk Techniques
• Stakeholder Analysis – RACI Chart

             Stakeholder 1  Stakeholder 2  Stakeholder 3  Stakeholder 4  Stakeholder 5
Activity A   R              A              C              C              C
Activity B   C              A              I              C              R
Activity C   A              R              C              I              I
Activity D   I              R              C              A              C
Activity E   R              I              A              C              C
49. Risk Techniques
• PESTLE Analysis
  - Political: Government Policy, Funding, Grants, Trade Restrictions, Labour Laws
  - Economic: Interest Rate, Exchange Rate, Inflation Rate, Labour, Energy & Property Costs. Competitor Activity
  - Sociological: Population, Education, Unemployment, Corporate Social Responsibility
  - Technological: Emerging trends, Cloud, SAAS, BYOD
  - Legal: Employment Law, Operating Sector Legislation, Health & Safety Laws
  - Environmental: Weather, Green & Ethical Issues, Carbon Footprint, Waste & Recycling
53. Risk Techniques
• Summary Risk Profile
[Figure: Summary Risk Profile grid. Axes: Probability (VL, L, M, H, VH) and Impact (VL, L, M, H, VH), with a Risk Tolerance Threshold marked]
54. Risk Techniques
• Risk Response Planning
  - Enables a range of response options to be considered from a documented list
  - A response should be chosen that provides the maximum possible change to the risk exposure for the least investment
  - Response plans are recorded in the Risk Register
  - Important to document any residual risk remaining after the implementation of the chosen response
  - Important to identify and describe any secondary risks that may be caused by the implementation of the chosen response
55. Risk Techniques
• Risk Response Planning
  - Response Types - Avoid a Threat / Exploit an Opportunity
    - This option is about making the uncertain situation certain by removing the risk, often by removing the cause of the threat or implementing the cause of the opportunity
    - In most cases, costs will be incurred in removing the risk completely; these costs must therefore be justified
56. Risk Techniques
• Risk Response Planning
  - Response Types – Transfer a Risk
    - This option is about transferring part of the risk to a third-party (taking out an insurance policy is an example of this)
    - Used mainly as a response to Threats rather than Opportunities
    - Important to understand that only part of the risk is being transferred (e.g. an insurance policy would cover the cost should the threat actually occur, but the organisation would still be impacted in other areas such as time delay)
    - In most cases, costs will be incurred when taking such actions. These costs must therefore be justified against the expected change to the residual risk
57. Risk Techniques
• Risk Response Planning
  - Response Types – Prepare Contingency Plans
    - This option means that the organisation decides to accept that a risk may occur, and decides to take no immediate action, but puts in place a series of contingencies to deal with the impact should it occur
    - Sometimes called the "fall-back plan" option as it can be used as a secondary response when the response chosen initially has not resulted in the desired outcome
58. Risk Health Check
• Used to check the health of current Risk Management practices and identify areas for improvement
• Can be a self-assessment, performed internally, or carried out by a specialist third-party (e.g. auditors)
• Can be targeted at specific organisational activities and adapted to the nature of the business
• Should be formally administered and follow a four-step process of:
  - Preparation, Data Collection, Data Analysis, Review & Report
59. Risk Health Check
• Data Collection
  - Review available documentation and record individual findings
  - Carry out interviews and record in detail
• Data Analysis
  - Identify patterns and trends
  - Identify strengths and weaknesses
  - Focus on key items that need to be addressed
  - Conduct intermediate interview with the sponsor
  - Identify recommendations
60. Risk Health Check
• Questions to be asked
  - Should be structured into 8 sections, one for each of the Risk Management Principles
  - Questions can be quite detailed, but should solicit a simple "yes" or "no" answer in order to make analysis possible.
  - Alternative scoring methods can be used (e.g. 1 to 5, or Poor/Average/Good)
  - Questions should be asked and answered in an honest, open, and blame-free environment in order to capture the most realistic overall picture
61. Risk Maturity Model
• Establishes a benchmark for moving forward
• Provides the basis for an organisation to measure the level to which Risk Management has been successfully embedded against a globally used and accepted model (CMM)
• Forms the platform for continual incremental improvement over time
62. Risk Maturity Model
• Sample matrix before organisational specific competencies are added

Criteria | Level 1 (Initial) | Level 2 (Repeatable) | Level 3 (Defined) | Level 4 (Managed) | Level 5 (Optimising)
Aligns with Objectives
Fits the Context
Engages Stakeholders
Provides Clear Guidance
Informs Decision Making
Facilitates Continual Improvement
Creates a Supportive Culture
Achieves Measurable Value
63. Risk Maturity Model
• 1st Level of Maturity – Initial
  - The organisation undertakes the minimum risk identification and assessment required to satisfy compliance requirements
  - Risks are examined only annually
  - No definition in place for Risk Tolerance or Risk Appetite
  - No formal risk process in place
  - Risks that occur are dealt with only in a reactive manner
64. Risk Maturity Model
• 3rd Level of Maturity – Defined
  - Processes have been further developed and refined
  - A dedicated risk management function has been created, coordinating effort and ensuring a consistent approach
  - Early Warning Indicators are developed
  - Response Planning is starting to take shape
  - High-level risks are reviewed on a regular basis at board level
65. Risk Maturity Model
• 5th Level of Maturity – Optimising
  - The highest level of maturity
  - There is now a culture of continual improvement filtered down into all layers of the organisation
  - Risk Management policies, processes and resources are fully aligned
  - A training and education programme is in place
  - Risk Management responsibilities are included in Job Descriptions, Staff Inductions and Staff Appraisals