5. Definition - Risk
• A risk is anything that could jeopardize the achievement of an organization’s objectives.
• The probability that a particular threat will exploit a particular vulnerability.
• The failure to take advantage of opportunities in order to best achieve objectives.
• A trigger for strategic direction.
6. Asset, Vulnerability, Threat, Risk & Control
• Asset = anything that has value to the organization
• Vulnerability = any weakness of an asset
• Threat = any possible danger
• Risk = a vulnerability exposed to a threat
Risk = Vulnerability × Threat
• Control = a countermeasure to reduce risk
7. RISK is a moving target
• What is your risk tolerance? Conservative, Moderate, Aggressive
• New threats are emerging: be on the lookout for new risks
• How do you manage risk? Adapt to new ways of managing risk
9. Risk Diagram
Human resource is the most valuable asset
• Threat: the crocodile is a threat
• Risk: the possibility of falling is a risk
• Vulnerability: imbalance is a weakness
20. “Flavors” of Risk
• Risk includes
– Exposure to losses (hazards): risk managers avoid risks
– Potential for gain (opportunities): risk managers take risks
22. Risk without the expectation of reward is suicide
Attitude to risk: where do YOU sit? An old and bold pilot is difficult to find!
Risk Averse <--> Risk Neutral <--> Risk Seeking
24. Perceptions in Today’s Risk Environment
Risk profiles are increasing
• Regulatory/public scrutiny
• Expanding services increases risks
• Business change increases risk complexity
Risk management not keeping pace
• Need for the right kind of risk training
• Need for risk assessment methodologies/technology tools
• Stakeholders have different risk needs
• Inconsistent risk language used
Result: gaps in risk coverage
25. Risk Assessment
• Inherent Risk
o Strategic
o Operational
o Financial
o Compliance
o Reputational
• Residual Risk
o Risk after accounting for current internal controls
26. Example: Risk Model
Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk
27. RM is an ongoing process!
Risk does not respond to the law of gravity!
30. Risk Assessment is a process to
• Identify significant risks
• Assess risks
– What is the likelihood of occurrence?
– What is the potential impact?
• Manage these risks through
– Avoidance
– Acceptance and Sharing (Insurance)
– Mitigation with Controls
31. Time Zero - Understand the Business
• What is the business?
• What is the industry?
• What is the strategic plan?
– NOW, WHERE, HOW
• Who owns the business?
• Who runs the business?
• How will risk management ‘fit’?
• What is the Risk Appetite for the company or project?
32. Time Zero – Risk Assessment
Questions to be answered (fundamental first steps)
• Where do the risks come from?
• How big are they?
• What are the major contributors? (Time, Cost etc.)
• What are the risks sensitive to, and how can they be changed?
• What level of risk does the company find intolerable, and what is considered trivial?
• What is it worth doing to reduce the risk?
33. UNDERSTANDING THE COMPANY
- Company’s History & Background
- Capital Structure & Evolution
- Promoters & Group Companies
- Management & Administration buildup
- Financial Soundness & Debt Structure
- Risk Management & Protection
- Licenses & Approvals
34. IDENTIFICATION PROCESS
• General application of laws
• Sectoral applications
• Industry / Segment applications
• Geographical applications
• Number of Employees
• Transaction applications
35. Risk assessment - determining acceptable levels of risk for your business
Companies need to pay attention to risks and have robust processes in place.
• Business risks: identifying, assessing, correctly evaluating
• Examine cost
• Consider regulatory regimes
• Decide how far to go with protective and mitigating measures
• Reduce risk
• Manage risk
• Recognise opportunities
(Source: Lloyd’s Register Energy)
37. PROBABILITY AGAINST IMPACT OF RISK
Grid: likelihood of occurrence (LOW / HIGH) against potential impact of occurrence (LOW / HIGH).

LIKELIHOOD | IMPACT | ASSESSMENT                 | MITIGATION
LOW        | LOW    | Mouse                      | Accept
LOW        | HIGH   | Shark (rare catastrophe)   | Externalise / Insure
HIGH       | LOW    | Rabbit (management challenge) | Monitor
HIGH       | HIGH   | Lion (probable disaster)   | Cancel
38. Risk Assessment Flow - Define Organization’s Goals and Objectives
Flow: Organizational Objectives -> Identify & Assess Risks -> Identify Current Controls -> Identify & Assess Residual Risks -> Acceptable? (Yes: Document Risk Acceptance Decision; No: Action)
Define goals and objectives in relation to
• Mission,
• Activities and processes,
• Financial reporting requirements, and
• Compliance issues
39. Risk Assessment Flow - Identify & Assess Risks
Identify and assess potential RISKs by asking
• What could go WRONG?
• What must go RIGHT?
• How likely is it that the risk will happen?
• What will be the impact if it happens?
40. Risk Assessment Flow - Identify Current Controls
What controls are in place to achieve your objectives?
• Control Environment
• Tone at Top
• Competence
• Roles & Responsibilities
• Information & Communication
• Control Activities
41. Risk Assessment Flow - Identify & Assess Residual Risks
What could still go wrong given existing controls?
• Look at your risks and your existing controls to identify any gaps.
42. Risk Assessment Flow - Acceptable? (Fiscal Officer Development Series)
Can you live with the residual risk?
• Do your existing controls provide reasonable assurance that you will achieve your objectives?
• Some things you can’t control (changes in government regulations, weather)
• The risk acceptance decision will depend on the culture of the organization
43. Risk Assessment Flow - Action Planning
• If the level of uncontrolled risk is too high/unacceptable, then action plans are developed to reduce the residual risk to an acceptable level.
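The probability-against-impact grid (slide 37) and the assessment flow of slides 38-43 (inherent risk, current controls, residual risk, acceptance decision, action planning) can be run as a small risk register. The following is an added example, not code from the slides or from any organization named on them; the 1-5 ordinal scales, the HIGH threshold, the control effects, the tolerance value and the sample risks are all assumptions made for this example.

```python
"""Added example (not from the slides): a small risk register that scores
inherent risk, applies current controls to get residual risk, places each
risk on the deck's likelihood/impact grid (slide 37) and makes the
acceptance decision against a risk tolerance (slides 38-43).
The 1-5 scales, the HIGH threshold, the control effects and the sample
risks are all assumptions made for this example."""
from dataclasses import dataclass, field

SCALE_MAX = 5      # assumed ordinal scale: 1 (low) .. 5 (high)
HIGH_FROM = 4      # assumed: a dimension scoring 4 or 5 counts as HIGH

# The deck's four quadrants and the treatment it pairs with each.
QUADRANTS = {
    ("LOW", "LOW"):   ("Mouse",  "Accept"),
    ("LOW", "HIGH"):  ("Shark",  "Externalise / Insure"),
    ("HIGH", "LOW"):  ("Rabbit", "Monitor"),
    ("HIGH", "HIGH"): ("Lion",   "Cancel"),
}


@dataclass
class Control:
    """A current control and how many scale points it removes."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    likelihood: int          # inherent likelihood, before controls
    impact: int              # inherent impact, before controls
    controls: list = field(default_factory=list)


def clamp(x: int) -> int:
    return max(1, min(SCALE_MAX, x))


def inherent_score(r: Risk) -> int:
    """Inherent risk: likelihood x impact with no controls applied."""
    return r.likelihood * r.impact


def residual(r: Risk) -> tuple:
    """Residual likelihood and impact after current controls (slides 40-41)."""
    lik = r.likelihood - sum(c.likelihood_reduction for c in r.controls)
    imp = r.impact - sum(c.impact_reduction for c in r.controls)
    return clamp(lik), clamp(imp)


def band(x: int) -> str:
    return "HIGH" if x >= HIGH_FROM else "LOW"


def classify(likelihood: int, impact: int) -> tuple:
    """Map a (likelihood, impact) pair to the deck's animal and treatment."""
    return QUADRANTS[(band(likelihood), band(impact))]


def acceptance_decision(r: Risk, tolerance: int) -> dict:
    """Slides 42-43: accept when the residual score is within tolerance,
    otherwise raise an action plan using the quadrant's treatment."""
    lik, imp = residual(r)
    score = lik * imp
    animal, treatment = classify(lik, imp)
    decision = "Accept" if score <= tolerance else f"Action plan: {treatment}"
    return {"risk": r.name, "inherent": inherent_score(r),
            "residual": score, "quadrant": animal, "decision": decision}


def assess(register: list, tolerance: int) -> list:
    """Assess a whole register, highest residual risk first."""
    rows = [acceptance_decision(r, tolerance) for r in register]
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (illustrative values only).
SAMPLE_REGISTER = [
    Risk("Unpatched internet-facing server", 5, 4,
         [Control("Monthly patch cycle", likelihood_reduction=3)]),
    Risk("Ransomware on file servers", 4, 5,
         [Control("Tested offline backups", impact_reduction=2)]),
    Risk("Data centre flood", 1, 5),
    Risk("Lost unencrypted laptop", 3, 2,
         [Control("Full-disk encryption", impact_reduction=1)]),
]

if __name__ == "__main__":
    # tolerance plays the role of the risk appetite asked for on slide 31
    for row in assess(SAMPLE_REGISTER, tolerance=6):
        print(row)
```

The tolerance passed to `assess` stands in for the risk appetite that slide 31 asks the organization to fix up front; everything above it gets an action plan whose treatment comes from the quadrant the residual risk lands in, which is the point the deck makes about inherent versus residual risk: the patch cycle moves the server from the Lion quadrant to Shark, and only then does insurance become the sensible treatment.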
44. COSO Component - Risk Assessment
Internal sources of risk
• Changes in management responsibilities
• Changes in internal information technology
• Poorly conceived business model
External sources of risk
• Economic recessions decrease product or service demand
• Increase in competition
• Changes in regulation that make the business model unsustainable
• Changes in the reliability of source goods that reduce profitability
49. COSO cube – 5 Integrated Components
Risk Strategies
• Avoidance: do not proceed!
• Mitigation: improve controls to reduce likelihood/impact
• Transfer: shift responsibility to an external party
• Acceptance: accept the risk!
• Creation: seek risk activities strategically to maximize opportunities
51. What is compliance?
Definition: certification or confirmation that the doer of an action meets the requirements of:
• accepted practices
• legislation
• prescribed rules and regulations
• specified standards
• the terms of a contract.
52. Compliance Management System: how a company
• Establishes its compliance responsibilities;
• Ensures that responsibilities for meeting legal requirements and internal policies are incorporated into business processes;
• Reviews operations to ensure responsibilities are carried out and legal requirements are met;
• Takes corrective action.
55. Compliance Risks
1. Identifying and assessing compliance risks
2. Developing effective control measures
3. Monitoring and reviewing the effectiveness of your risk management procedures
60. Periodic Risk Assessments
• Efficiency
• “Buy-in” and Ownership
• Coordination
• Keep the risk management process simple.
– Build into existing business processes
– Complex processes feel like red tape
• Start small and build over time.
– Don’t overload administrators with too many projects
– Additional projects and processes can be added over time
61. Compliance Risk Analysis
1. Organizational Context
2. Risk Identification
3. Risk Assessment
4. Risk Evaluation
5. Risk Treatment
6. Monitoring, Review and Corrective Action
7. Communication: throughout the Organization
62. Risk Identification
• Process Flow Analysis
o Regulatory analysis
o Responsible Officers
• Event Inventories
o Organizational History
o External Context (Stakeholder expectations)
o Events Common to Industry
• Interviews, Questionnaires, Surveys
• Facilitated Workshops
• Leading events and escalation triggers
64. CREATION OF COMPLIANCE STRUCTURE
• Establishing Controls & Standards
• Delegation of Responsibility
• Analysis & Assessment
• Compliance Reporting
65. Risk Increases the More You Don’t Know
• All the potential outcomes
• The probability of occurrence
• The cost of an undesirable outcome
66. Said another way: the more you do know and understand about
• All the potential outcomes
• The probability of each outcome occurring
• The cost of undesirable outcomes
the better long-term risk manager you will be.
68. Failure to manage your knowledge will involve serious risk
Compliance / Risk Management <-> Knowledge Management