2. The Risk Management Process
• The Drivers
• Risk Analysis
• Risk Identification by Source
• Risk Impact
• Risk Assessment
• Risk Control and Treatment
• Internal Audit
5. Risk Management Strategy
• The first step before starting with all the concepts that
come with risk management such as identification,
analysis, and mitigation, is to decide on the risk
management priorities of the organization.
• Along with the priorities, companies also need to gain
a better understanding of the following:
– Their business objective
– The approach they want to take toward risk management
– The risk governance structure they want to create
– Size and complexity of their business model
6. Risk Ownership
• The person who executes risk responses is often the one
assigned ownership of the risk. This is not just about
accountability.
• There are two aspects to risk management:
– Head of risk management function:
• His role is to communicate, coordinate, and administer all the risk
management policies and processes of the company. He is also in
charge of identifying and mitigating material risks by the risk
owners
– Risk owner:
• He is the one who is actually in charge of managing risks and
reports to the head responsible for a risk management function in
an organization
• The risk owner should not be held responsible for
monitoring the effectiveness of the risk response. His
job is to make sure the risk response is adjusted within
the risk appetite of the domain he is in charge of.
7. Risk Management Competency
• There are four types of responsibilities that come
with risk management, which are:
– People in charge of risk governance
– People in charge of risk management
– People in charge of risk responses
– People in charge of reporting how effective the risk
responses were
• All four profiles in risk management need to be
trained appropriately so that they have the right
skillset and experience to perform their job roles
effectively.
8. Decision Making
• Making mistakes in the strategy formulation phase
itself can have a big impact on how effective the risk
management process is.
• A lot of risk management efforts are usually focused on
risks during and after the implementation of ERM but
forget the mistakes and risks in the strategic choices
made beforehand.
• Risk management should be applied while the
decision-making stage is underway so that all
employees have a thorough understanding of the risks
that come with each decision they make.
9. Daily Operations
• The risk management platform should be enterprise-wide.
This means it has to include all day-to-day operations as
well to ensure effective and efficient execution.
• In fact, risk management procedures and policies
should become a part of training for all new employees
so that they join the company with an appropriate risk
culture.
• 66% of executives believe that the biggest priority for
financial institutions with an enterprise risk
management solution is the collaboration between
business units and the risk management function.
10. Continuous Monitoring
• Depending on the size and functions of the business
organizations, there should be processes in place that
are continuously monitoring the performance of the
enterprise risk management system.
• This will make sure reports on risk responses are going
to risk owners and people in charge of risk governance
in a timely manner.
• This is a very important key driver because it ensures
that the company stays within their risk appetite and is
always in line with all the regulatory policies.
11. Periodic Monitoring
• The biggest challenge for companies when it
comes to compliance is “continuing regulatory
change”.
• To ensure compliance with all the policies and
procedures, there needs to be an internal audit
with enough resources and skills that monitors all
processes periodically.
• The internal audit unit needs to have direct
access to the Audit Committee to ensure
everything is done above board.
12. Periodic Monitoring
• There has to be a collaboration between the
internal audit unit and the risk management unit.
• It is very important for the internal audit unit to
understand all key risk areas to improve their
reviews.
• The risk management unit needs to work with
the internal audit department to make sure that
all the necessary actions are taken on time and
accurately.
13. Culture and Board Oversight
• There has to be a proper risk culture created
across the organization to ensure the effective
implementation of risk management.
• The upper management and the board of
directors need to work together to create
different guidelines so that there is a strong
risk culture environment created in the
company.
14. CONCLUSION
Effective risk management can only take
place when all departments of the company
are trained to assess and manage risks. They
need to work together to ensure the
company achieves its business objectives on
time and stays compliant throughout. These
drivers are important pillars of a successful
enterprise risk management
implementation.
16. Continued…
• Risk analysis is the process of assessing the
likelihood of an adverse event occurring within
the corporate, government, or environmental
sector.
• Risk analysis is the study of the underlying
uncertainty of a given course of action and refers
to the uncertainty of forecasted cash flow
streams, the variance of portfolio or stock
returns, the probability of a project's success or
failure, and possible future economic states.
• Risk analysts often work in tandem with
forecasting professionals to minimize future
negative unforeseen effects.
17. Continued…
• Risk analysis is the process of assessing the
likelihood of an adverse event occurring
within the corporate, government, or
environmental sector.
• Risk can be analysed using several approaches
including those that fall under the categories
of quantitative and qualitative.
• Risk analysis is still more of an art than a
science.
18. Understanding Risk Analysis
• A risk analyst starts by identifying what could
go wrong.
• The negative events that could occur are then
weighed against a probability metric to
measure the likelihood of the event occurring.
• Finally, risk analysis attempts to estimate the
extent of the impact that will be made if the
event happens.
19. Quantitative Risk Analysis
• Risk analysis can be quantitative or qualitative.
• Under quantitative risk analysis, a risk model is built
using simulation or deterministic statistics to assign
numerical values to risk.
• Inputs that are mostly assumptions and random
variables are fed into a risk model.
• For any given range of input, the model generates a
range of output or outcome.
• The model is analyzed using graphs, scenario analysis,
and/or sensitivity analysis by risk managers to make
decisions to mitigate and deal with the risks.
20. Quantitative Risk Analysis Continued…
• A Monte Carlo simulation can be used to generate a range of
possible outcomes of a decision made or action taken.
• The simulation is a quantitative technique that calculates results for
the random input variables repeatedly, using a different set of input
values each time.
• The resulting outcome from each input is recorded, and the final
result of the model is a probability distribution of all possible
outcomes.
• The outcomes can be summarized on a distribution graph showing
some measures of central tendency such as the mean and median,
and assessing the variability of the data through standard deviation
and variance.
• The outcomes can also be assessed using risk management tools
such as scenario analysis and sensitivity tables.
• A scenario analysis shows the best, middle, and worst outcome of
any event.
• Separating the different outcomes from best to worst provides a
reasonable spread of insight for a risk manager.
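The Monte Carlo procedure described on these two slides, written out as a runnable model. This is an added example, not code from the slide deck: it simulates the annual loss from one class of security incident using two constructed random inputs (how many incidents occur in a year, drawn from a Poisson distribution, and how costly each one is, drawn from a lognormal distribution), repeats the trial with fresh draws each time, and then summarizes the resulting distribution with the mean, median, standard deviation and variance, a best/middle/worst scenario split taken from percentiles, and a sensitivity table that varies one input while the others stay fixed. Every parameter value, the seed and the distribution choices are assumptions made for the illustration.

```python
"""Monte Carlo risk model (added illustration, not from the slide deck).

annual_loss = sum of the loss of each incident in the year, where
  incident count  ~ Poisson(rate)            (constructed input)
  incident loss   ~ lognormal(median, spread) (constructed input)
"""
import math
import random
import statistics
from typing import Dict, Iterable, List


def sample_poisson(rng: random.Random, rate: float) -> int:
    """Draw an incident count for one year (Knuth's method; fine for small rates)."""
    threshold = math.exp(-rate)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_year(rng: random.Random, rate: float, median_loss: float, spread: float) -> float:
    """One trial: total loss for a year is the sum of the losses of that year's incidents."""
    incidents = sample_poisson(rng, rate)
    # lognormal with the given median; 'spread' is the sigma of the underlying normal
    return sum(rng.lognormvariate(math.log(median_loss), spread) for _ in range(incidents))


def run_model(trials: int = 10_000, rate: float = 2.0, median_loss: float = 50_000.0,
              spread: float = 1.0, seed: int = 7) -> List[float]:
    """Repeat the trial, using a different set of random input values each time."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    return [simulate_year(rng, rate, median_loss, spread) for _ in range(trials)]


def summarize(outcomes: Iterable[float]) -> Dict[str, float]:
    """Central tendency, variability, and a best/middle/worst scenario split."""
    ordered = sorted(outcomes)

    def percentile(p: float) -> float:
        return ordered[min(len(ordered) - 1, int(p * len(ordered)))]

    return {
        "mean": statistics.fmean(ordered),
        "median": statistics.median(ordered),
        "stdev": statistics.pstdev(ordered),
        "variance": statistics.pvariance(ordered),
        "best_case": percentile(0.05),    # 5th percentile of annual loss
        "middle_case": percentile(0.50),  # 50th percentile
        "worst_case": percentile(0.95),   # 95th percentile, a common planning figure
    }


def sensitivity_table(rates: Iterable[float], **fixed) -> Dict[float, float]:
    """Mean annual loss as the incident rate varies while the other inputs stay fixed."""
    return {rate: summarize(run_model(rate=rate, **fixed))["mean"] for rate in rates}


if __name__ == "__main__":
    stats = summarize(run_model())
    for key, value in stats.items():
        print(f"{key:12s} {value:14,.0f}")
    print("sensitivity to incident rate (2,000 trials each):")
    for rate, mean in sensitivity_table([0.5, 1.0, 2.0, 4.0], trials=2_000).items():
        print(f"  rate={rate:<4} mean annual loss={mean:12,.0f}")
```

The worst-case figure (95th percentile) is the one a risk manager would normally compare against the organization's risk appetite; the sensitivity table shows which input the result is most exposed to, which is where further data gathering or controls pay off first.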
21. Qualitative Risk Analysis
• Qualitative risk analysis is an analytical method that
does not identify and evaluate risks with numerical and
quantitative ratings.
• Qualitative analysis involves a written definition of the
uncertainties, an evaluation of the extent of the impact
(if the risk ensues), and countermeasure plans in the
case of a negative event occurring.
• Examples of qualitative risk tools include SWOT
Analysis, Cause and Effect diagrams, Decision Matrix,
Game Theory, etc.
• A firm that wants to measure the impact of a security
breach on its servers may use a qualitative risk
technique to help prepare it for any lost income that
may occur from a data breach.
23. Identifying risks is a key step in a proactive
risk management process.
Source: Description
• Risk registers and risk reports: Provide a foundation for evaluating existing risks and their potential risk to an objective.
• Issues log: Record of issues faced and the actions taken to resolve them. Any issues that were formally identified as risks should be analysed.
• Audit reports: Independent view of adherence to regulatory guidelines including a review of compliance preparations, security policies, access controls and management of risks.
• Business Impact Analysis (BIA): Detailed risk analysis that examines the nature and extent of disruptions and the likelihood of the resulting consequences.
• Internal & external reviews: Reviews undertaken to evaluate the suitability, adequacy and effectiveness of the department’s systems, and to look for improvement opportunities.
24. Continued…
• SWOT analysis (Strength, Weakness, Opportunity, Threats): Commonly used as a planning tool for analysing a business, its resources and its environment by looking at internal strengths and weaknesses, and opportunities and threats in the external environment.
• PESTLE (Political, Economic, Sociological, Technological, Legal, Environmental): Commonly used as a planning tool to identify and categorise threats in the external environment (political, economic, social, technological, legal, environmental).
• Brainstorming: Creative technique to gather risks spontaneously by group members. Group members verbally identify risks in a ‘no wrong answer’ environment. This technique provides the opportunity for group members to build on each other’s ideas.
• Scenario analysis: Uses possible (often extreme) future events to anticipate how threats and opportunities might develop.
• Surveys/Questionnaires: Gather data on risks. Surveys rely on the questions asked.
25. Continued…
• One-on-one interviews: Discussions with stakeholders to identify/explore risk areas and detailed or sensitive information about the risk.
• Stakeholder analysis: Process of identifying individuals or groups who have a vested interest in the objectives and ascertaining how to engage with them to better understand the objective and its associated uncertainties.
• Working groups: Useful to surface detailed information about the risks, i.e. source, causes, consequences, stakeholders impacted, existing controls.
• Corporate knowledge: History of risks provides insight into future threats or opportunities through:
– Experiential knowledge: collection of information that a person has obtained through their experience.
– Documented knowledge: collection of information or data that has been documented about a particular subject.
– Lessons learned: knowledge that has been organised into information that may be relevant to the different areas within the organisation.
26. Continuation…
• Process analysis: An approach that helps improve the performance of business activities by analysing current processes and making decisions on new improvements.
• Other jurisdictions: Issues experienced and risks identified by other jurisdictions should be identified and evaluated. If it can happen to them, it can happen here.
27. What information should we collect
during the risk identification step?
• Identifying risks involves
considering what, when, why,
where and how things can
happen. More specifically:
28.
• What are the sources of risk or threat: the things which have the inherent potential to harm or facilitate harm.
• What could happen: events or incidents that could occur whereby the source of risk or threat has an impact on the achievement of objectives.
• Where: the physical locations/assets where the event could occur or where the direct or indirect consequences may be experienced.
• When: specific times or time periods when the event is likely to occur and/or the consequences realised.
• How: the manner or method in which the risk event or incident could occur.
• Causes: what are the direct and indirect factors that create the source of risk or threat.
• Business consequences: what would be the impact on objectives if the risk was realised.
• Business areas/stakeholders affected: what parts of the organisation and what stakeholders might be involved or impacted?
• Existing controls: a preliminary review of existing controls should be undertaken to identify
– What controls currently exist to minimise the likelihood and consequences of each risk?
– What vulnerabilities exist that could undermine the effectiveness of the controls?
29. Risk Impact
• Health and Safety
• Quality of Life
• Sustainability
• Financial
• Time
• Reputation
31. Basic form of the Risk Impact/Probability Chart
• Low impact/low probability: Risks in the bottom left corner are low level, and you can often ignore them.
• Low impact/high probability: Risks in the top left corner are of moderate importance – if these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they'll occur.
• High impact/low probability: Risks in the bottom right corner are of high importance if they do occur, but they're very unlikely to happen. For these, however, you should do what you can to reduce the impact they'll have if they do occur, and you should have contingency plans in place just in case they do.
• High impact/high probability: Risks towards the top right corner are of critical importance. These are your top priorities, and are risks that you must pay close attention to.
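The impact/probability chart turned into a small classifier and prioritiser, as an added example that is not part of the slide deck. Each risk carries a probability score and an impact score on a 0..1 scale; the 0.5 cut-off that separates "low" from "high" on each axis, the treatment guidance strings and the sample risk register are all constructed assumptions for the illustration.

```python
"""Risk impact/probability chart in code (added illustration, not from the slides)."""
from dataclasses import dataclass
from typing import Dict, List

CUTOFF = 0.5  # assumed boundary between 'low' and 'high' on each axis

# Treatment guidance per quadrant, paraphrased from the chart description.
GUIDANCE: Dict[str, str] = {
    "low impact/low probability": "low level: can often be ignored",
    "low impact/high probability": "moderate: cope and move on, but reduce the likelihood",
    "high impact/low probability": "high if it occurs: reduce the impact and keep a contingency plan",
    "high impact/high probability": "critical: top priority, watch closely",
}
# Review order, most urgent quadrant first.
PRIORITY = [
    "high impact/high probability",
    "high impact/low probability",
    "low impact/high probability",
    "low impact/low probability",
]


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # likelihood the event occurs, 0..1
    impact: float       # severity if it does occur, 0..1


def quadrant(risk: Risk) -> str:
    """Place a risk in one of the four cells of the chart."""
    for value in (risk.probability, risk.impact):
        if not 0.0 <= value <= 1.0:
            raise ValueError(f"{risk.name}: scores must lie in [0, 1]")
    impact = "high" if risk.impact >= CUTOFF else "low"
    prob = "high" if risk.probability >= CUTOFF else "low"
    return f"{impact} impact/{prob} probability"


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Order by quadrant urgency, then by expected loss (probability x impact) within it."""
    return sorted(risks, key=lambda r: (PRIORITY.index(quadrant(r)), -(r.probability * r.impact)))


def render(risks: List[Risk]) -> str:
    """Text version of the 2x2 chart: impact left-to-right, probability bottom-to-top."""
    cells: Dict[str, List[str]] = {q: [] for q in PRIORITY}
    for r in risks:
        cells[quadrant(r)].append(r.name)

    def cell(q: str) -> str:
        return ", ".join(cells[q]) or "-"

    return "\n".join([
        "high probability | " + cell("low impact/high probability") + " | " + cell("high impact/high probability"),
        "low probability  | " + cell("low impact/low probability") + " | " + cell("high impact/low probability"),
        "                   low impact | high impact",
    ])


# Constructed sample register for the demonstration.
SAMPLE_REGISTER = [
    Risk("phishing-led credential theft", probability=0.8, impact=0.7),
    Risk("ransomware on file servers", probability=0.3, impact=0.9),
    Risk("laptop left on a train", probability=0.6, impact=0.2),
    Risk("printer toner shortage", probability=0.4, impact=0.1),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for r in prioritise(SAMPLE_REGISTER):
        print(f"{r.name:32s} {quadrant(r):30s} {GUIDANCE[quadrant(r)]}")
```

Sorting within a quadrant by probability times impact is the choice that separates two risks that land in the same cell; the quadrant alone decides which treatment family (ignore, reduce likelihood, reduce impact plus contingency, or top priority) applies.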
33. Risk Controls
• Risk control is a plan-based business
strategy that aims to identify, assess,
and prepare for any dangers, hazards,
and other potentials for disaster—both
physical and figurative—that may
interfere with an organization's
operations and objectives.
34. Risk Controls
• There are three main types of internal controls:
– detective,
– preventative, and
– corrective.
• Controls are typically policies and procedures or technical
safeguards that are implemented to prevent problems and protect
the assets of an organization.
• All organizations are subject to threats occurring that unfavourably
impact the organization and affect asset loss. From innocent but
costly mistakes, to fraudulent manipulation, risks are present in
every business. Regardless of why it transpires, controls need to be
established to avoid or minimize loss to the organization.
• There are also limitations to these controls to consider, making it
essential to have on-going reviews and monitoring of your system.
35. Detective internal controls
• Detective internal controls are those controls that are
used after the fact of a discretionary event. Think of Sherlock
Holmes, walking onto the scene of an event, trying to piece together what happened.
• What caused the event to occur?
• What process failed that allowed the event to occur?
• Is there a policy that can be implemented to keep the
event from happening again in the future?
• Some examples of detective controls are internal
audits, reviews, reconciliations, financial reporting,
financial statements, and physical inventories.
36. Preventative internal controls
• Preventative internal controls are those controls put in place to avert a
negative event from occurring. For example, most applications have
checks and balances built-in to avoid or minimize entering incorrect
information. There are also physical controls or administrative preventive
controls, such as segregation of duties that are routinely performed by
companies.
• Assigning one person to write checks, and another staff member to
authorize the payments, are segregation of duties that fall under the
umbrella of preventative controls from an administrative standpoint.
Others, like video surveillance or posting security guards at entry points
verifying ID credentials and restricting access, are illustrative of physical
safeguards.
• Training programs, drug testing, firewalls, computer and server backups
are all types of preventative internal controls that avoid asset loss and
undesirable events from occurring.
37. Corrective internal controls
• Corrective internal controls are typically those
controls put in place after the detective
internal controls discover a problem. These
controls could include disciplinary action,
reports filed, software patches or
modifications, and new policies prohibiting
practices such as employee tailgating. They
are usually put into place after discovering the
reasons why they occurred in the first place.
38. Limitations of internal controls
• Unfortunately, processes and control activities are not
perfect, and mistakes and problems will be found. An on-going
review and analysis of the internal controls should be
part of any organization’s regular processes.
• When a problem occurs, it should be documented and
reviewed by those who can take the corrective actions
discussed above and improve the system.
• There will always be limitations with humans involved.
• People make mistakes and will often find weaknesses in the
control procedures, whether by accident or with intent.
• It’s important to keep this in mind when considering
internal controls.
41. Residual Risk
• The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
• The general formula to calculate residual risk is where the general concept of risk is or, alternatively.
• residual risks are not particularly worrying, organizations cannot completely ignore them and should address them through:
– Identification of relevant governance, risk, and compliance requirements.
– Recognition of existing risks.
– Determination of the strengths and weaknesses of the organization’s control framework.
– Planning for appropriate contingencies.
Secondary Risk
• A secondary risk can be defined as a risk created by the response to another risk.
• In other words, the secondary risk is a consequence of dealing with the original risk.
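A worked calculation for the residual and secondary risk concepts on this slide, added here as an example rather than taken from the slide deck. The slide leaves its formula unstated, so the block uses the widely taught convention, stated as an assumption: risk = likelihood x impact, and residual risk = inherent risk x (1 - combined effectiveness of the controls applied). Controls are treated as independent, so the untreated share of the risk is the product of each control's untreated share; each control can also list the secondary risks its introduction creates. The sample risk, control effectiveness figures and risk appetite are constructed.

```python
"""Residual and secondary risk (added illustration, not from the slide deck).

Assumed convention (not stated on the slide):
  inherent risk  = likelihood x impact
  residual risk  = inherent risk x (1 - combined control effectiveness)
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of the inherent risk this control removes, 0..1
    # Risks created by the response itself (secondary risks).
    secondary_risks: List[str] = field(default_factory=list)


@dataclass
class RiskItem:
    name: str
    likelihood: float  # 0..1
    impact: float      # 0..1
    controls: List[Control] = field(default_factory=list)

    def inherent_risk(self) -> float:
        return self.likelihood * self.impact

    def combined_effectiveness(self) -> float:
        """Independent controls: an event must get past every one, so the share that
        survives all controls is the product of the shares surviving each."""
        remaining = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must lie in [0, 1]")
            remaining *= 1.0 - c.effectiveness
        return 1.0 - remaining

    def residual_risk(self) -> float:
        return self.inherent_risk() * (1.0 - self.combined_effectiveness())


def secondary_risks(item: RiskItem) -> List[str]:
    """Every new risk introduced by the responses chosen for this item."""
    return [s for c in item.controls for s in c.secondary_risks]


def within_appetite(item: RiskItem, appetite: float) -> bool:
    """Residual risk is accepted when it does not exceed the stated appetite."""
    return item.residual_risk() <= appetite


def effectiveness_needed(item: RiskItem, appetite: float) -> float:
    """Effectiveness one additional control would need so the residual risk meets
    the appetite; 0.0 if the item is already within appetite."""
    residual = item.residual_risk()
    if residual <= appetite:
        return 0.0
    return 1.0 - appetite / residual


# Constructed sample: one internet-facing server with two existing controls.
SAMPLE = RiskItem(
    name="unpatched internet-facing web server",
    likelihood=0.6,
    impact=0.8,
    controls=[
        Control("monthly patch cycle", 0.5,
                secondary_risks=["patch breaks the application during rollout"]),
        Control("web application firewall", 0.4,
                secondary_risks=["firewall rule blocks legitimate customer traffic"]),
    ],
)

if __name__ == "__main__":
    print(f"inherent risk : {SAMPLE.inherent_risk():.3f}")
    print(f"residual risk : {SAMPLE.residual_risk():.3f}")
    for appetite in (0.2, 0.1):
        print(f"appetite {appetite}: accepted={within_appetite(SAMPLE, appetite)}, "
              f"extra control needed={effectiveness_needed(SAMPLE, appetite):.3f}")
    print("secondary risks:", secondary_risks(SAMPLE))
```

The secondary-risk list is the part most often left out of a register: each control added to push residual risk under appetite brings its own entry that needs the same likelihood/impact treatment.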
42. What is the difference between
secondary and residual risks?
• Secondary risks are those that occur as a direct result of
implementing a risk response.
• On the other hand, residual risks are those expected to remain
after the planned risk response has been carried out.
• The emergency plan is used to manage primary or secondary risks.
• The backup plan is used to manage residual risks. Note that if an
identified risk occurs, the emergency plan is implemented and, if it
proves ineffective, the backup plan is implemented.
• If residual risks and secondary risks do not require a response plan,
they will be monitored as they occur.
44. What is an Internal Audit?
• Internal audits evaluate a company’s internal
controls, including its corporate governance and
accounting processes.
• These audits ensure compliance with laws and
regulations and help to maintain accurate and
timely financial reporting and data collection.
• Internal audits also provide management with
the tools necessary to attain operational
efficiency by identifying problems and correcting
lapses before they are discovered in an external
audit.
45. Continuation…
• An internal audit offers risk management and evaluates
the effectiveness of a company’s internal controls,
corporate governance, and accounting processes.
• Internal audits provide Management and Board of
Directors with a value-added service where flaws in a
process may be caught and corrected prior to external
audits.
• The tax/governance rules hold management
responsible for their financial statements by requiring
senior corporate officers to certify in writing that the
financials are accurately presented.
46. Internal Audit Process
• Internal auditors generally identify a
department, gather an understanding of the
current internal control process, conduct
fieldwork testing, follow up with department
staff about identified issues, prepare an
official audit report, review the audit report
with management, and follow up with
management and the board of directors as
needed to ensure recommendations have
been implemented.
47. Assessment Techniques
• Assessment techniques ensure an internal auditor
gathers a full understanding of the internal control
procedures and whether employees are complying
with internal control directives.
• To avoid disrupting the daily workflow, auditors begin
with indirect assessment techniques, such as reviewing
flowcharts, manuals, departmental control policies or
other existing documentation.
• If documented procedures are not being followed,
direct discussion with department staff may be
necessary.
48. Analysis Techniques
• Auditing fieldwork procedures can include
transaction matching, physical inventory
count, audit trail calculations, and account
reconciliation as is required by law.
• Analysis techniques may test random data or
target specific data, if an auditor believes an
internal control process needs to be improved.
49. Reporting Procedures
• Internal audit reporting includes a formal report and may include
a preliminary or memo-style interim report.
• An interim report typically includes sensitive or significant results
the auditor thinks the board of directors needs to know right
away.
• The final report includes a summary of the procedures and
techniques used for completing the audit, a description of audit
findings, and suggestions for improvements to internal controls
and control procedures.
• The formal report is reviewed with management and
recommendations for improvement are discussed.
• Follow up after a period of time is necessary to ensure the new
recommendations have been implemented and have improved
operating efficiency.
Companies should also have an assessment of all the required roles that need to be assigned for effective risk management. This will help in giving out responsibility both in-house and when outsourced.