This deck provides a general overview of enterprise risk management principles which can help transform a corporation from being risk-exposed to being risk-protected. The basic steps of the risk management process are critically and logically analysed.
1. ADVANCED RISK MANAGEMENT WORKSHOP
STELLA MARIS HOSTEL
Bagamoyo
9th - 11th April, 2014
ELSAM MANAGEMENT CONSULTANTS - EMAC
www.elsamconsult.com 1
2. Notes
These slides contain video clips to help the reader understand the risk management concepts.
To view the slides you must be in slide show mode and click on the underlined links.
The video clips are copyrighted materials and EMAC has no legal responsibility for any use other than educational dissemination.
3. Welcoming Remarks
Who are we?
Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.
Core functions are: Recruitment, Training and Consultancies.
More details: www.elsamconsult.com
4. Welcoming Remarks
Introduction of facilitators
Self-introduction to others on your team
Recap: share a personal experience in Risk Management and highlight your expectations of this training
Pick 1: identify a risk and discuss it as both a threat and an opportunity
Report to the large group; pick a spokesperson
6. Why this training?
Government collapse: Greece, Turkey, Africa
Global markets, more complex
Greater product complexity
New businesses (e-banking)
Increasing competition
New players
8. Organization of this training
Day 1 – Understanding Risk Management Principles
Day 2 - Public Sector Risk Management
Theoretical Implication
Practical Implication
Challenges
Day 3 - Fraud Risk Management
Day 3 - Lessons Learned from practice
10. OVERVIEW OF RISK MANAGEMENT
UNDERSTANDING THE RISK MANAGEMENT CONCEPTS AND DIGESTS
11. Presentation Plan
Defining and understanding risk
Risk and Risk Management
Objectives of Risk Management
Modeling of Risk Management Process
Risk Management Process
Guidelines for Risk Management
12. Presentation Plan cont…
Role of Internal Auditor in Risk Management
Role of Audit Committee in Risk Management
Examples of Models for Risk Management
Practical sessions (continuous)
14. Risk
Real or perceived
Risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.
‘A calculation of both probability and improbability becoming a reality’.
Risk has no religion.
This definition is based on three scenarios:
15. Risk Scenarios
Whatever can go wrong, will go wrong.
Whatever cannot go wrong, will go wrong.
When things go wrong, they go badly wrong.
16. WHAT IS RISK?
Something happening that may have an impact on the achievement of objectives.
It includes risk as an opportunity as well as a threat.
By managing threats the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities the organisation will be in a better position to provide improved services and better value for money.
17. Probability VS ‘Risk Magnitude’
[Chart: a scale running from -10 through 0 to 10, labelled Improbable Risk / Probable Risks, Unlikely Risk / Likely Risk, and High Magnitude Risk / Low Magnitude Risk.]
click on underlined words to watch video
18. Group study 1
Based on the Video Presentation
Can you identify ten risk scenarios?
Do you agree that one risk normally results in other potential risks?
Is this a probable or improbable risk?
What are the major risks in your organisation which are improbable?
19. EXAMPLES OF RISKS
Resources, Political, Economic, Social, Technological, Legislative/Regulatory, Environmental, Competition, Customer/citizen, Managerial, Professional, Financial, Legal, Partnership/Contractual, Procurement, Physical, Technological……
20. Mention the risks you know in …
Public Sector Service Delivery
Banking Industry
Starting a job or career
Transport and travel
Financial management
Attending this workshop
Risks related to your organization
21. Risks:
Risk Category - Possible Risk Areas
Strategy: Planning; Business Portfolio Management Activity; New Business/Growth Opportunities; Strategy Development; Business Performance Management; Target Setting/Vision/Goals; Investor Relations; Joint Venture Mgt; Rationalisation; Communication of strategic direction set by Board
Human Resources: Workplace Industrial Relations; Employment Practices; Remuneration and Entitlements; Succession Planning; Recruitment and Retention; Workers Compensation; Skills availability/Training and Development; Leadership; Diversity; Employee Safety and Health; Performance Incentivisation; Communication; Contractors / 3rd parties
Information Technology: Data Management; Data Security; Systems Development / New systems; Systems Maintenance; Availability; Data Integrity; Service delivery; ‘e’ Commerce; Outsourcing management; Interface with 3rd parties; Sharing of classified information
Marketing: Competitive Positioning; Market Research; Image; Trademarks; Strategic alliance networks; Pricing / Costing; Patents; Reputation; Customer Service; New Products; Project management; Research and Development; Product portfolio; Product Liability; Obsolescence; “e” Commerce
27. Basis of Risk Management
Risk management is a part of the wider corporate governance and internal control system of an organization.
Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.
28. Risk Management: Pillars of Corporate Governance
Accountability
Ensure that management is accountable to the Board
Ensure that the Board is accountable to the shareholders
Fairness
Protects shareholders' rights
Treats all shareholders, including minorities, equitably
Provides effective redress for violations
Transparency
Ensure timely, accurate disclosure on all material matters including financial situation, performance, ownership and corporate governance
Independence
Procedures and structures are in place so as to minimize, or avoid completely, conflicts of interest
Independent directors and advisers, i.e. free from the influence of others
29. Principles of Risk Management
Creates value (gain should exceed pain)
Be an integral part of organisational processes
Be part of the decision making process
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be customizable to entity needs
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually and periodically re-assessed
Be tailorable
30. Risk management
It is not avoiding risk.
It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.
There is no risk-free environment!
31. Risk management defined
Risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework, September 2004, New York, NY.)
32. Risk Management Defined
RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)
Risk Management is the identification, assessment, and prioritization of risk (ISO 31000) and the subsequent application of resources to minimize, monitor, and control the probability and/or impact of downside events or to maximize the realization of opportunities.
It deals with the management of uncertainty, risks and opportunities towards the achievement of company goals and objectives.
33. Objectives of Risk Management
Supports strategic and business planning
Enhances communication between directors and departments
Supports effective use of resources
Promotes continual improvement
Helps focus internal audit programs
Fewer shocks and unwelcome surprises
Reassures stakeholders
Quick grasp of new opportunities
34. Objectives and RM
Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
Objectives must be defined before defining the risks which may affect them.
Risk management must be linked to objectives / strategies / projects.
35. Benefits of Risk Management
Aligns risk profile and strategy
Broadens risk awareness
Minimizes surprises and losses
Rationalizes capital requirements
Improves shareholder value
Assures regulatory compliance
36. Hard and Soft Side of Risk Management
Hard Side: Measures and Reporting; Risk Oversight Committees; Policies and Procedures; Risk Assessment; Risk Limits; Audit Process; Systems
Soft Side: Risk Awareness; People; Skills; Integrity; Incentives; Culture and Values; Trust and Communication
42. Risk Management Frameworks
Modeling of Risk Management & Risk Management Standards
43. Common Risk Management Standards
Risk Management Standard (IRM, ALARM and AIRMIC) of UK
ISO 31000 Risk Management – Guidelines on principles and implementation of risk management
ISO Guide 73 – Risk Management Vocabulary
BS 31100 Code of best practice for Risk Management
AS/NZS 4360:2004 Risk Management Standard
COSO Enterprise Risk Management
Canadian Government Sector Standard
Basel II/III
Solvency II (ICAAP)
King Report
45. Many Models To Choose Among
COSO
COCO
Cadbury Report
Deming Award
TQM
12 Attributes
Deep Learning Framework
Baldrige Award
ISO 31000
Westinghouse Award
Northrop Award
46. Who Developed Models?
COSO: The major accounting and audit professional organizations issued COSO in 1992.
12 Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
COCO: In November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
47. Who Developed Models? (Continued)
ISO 31000 was developed by the International Organization for Standardization (ISO).
Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.
48. Different Frameworks: Same Goals
Frameworks provide a way of understanding our organizations.
By having different groupings, each highlights some aspects of control more than others.
The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
49. Different Frameworks: Same Goals
Frameworks provide a systematic step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
Frameworks provide a standard review process.
Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business.
It helps give a picture of how well all of the controls in all of the dimensions are working.
55. Risk Management Process
[Diagram: Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Assess Risks and Controls. Identify, Analyse and Evaluate together form the Risk Assessment; Communication and Consultation, and Monitor and Review, run alongside every step.]
Context: strategic, internal, external context
Identification: what can go wrong? Missed opportunities?
Analysis/Measurement: assess risk likelihood and consequence, review
Evaluate: compare risks, set risk priorities
Treatment Options: reduce, avoid, transfer or retain
56. Risk Management Process - COSO Framework
COSO stands for Committee of Sponsoring Organizations of the Treadway Commission.
It is a US private sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance, business ethics, internal control, ERM, fraud, and financial reporting.
COSO has established a common internal control model against which companies and organizations may assess their control systems.
57. COSO AND ISO 31000
COSO defines ERM as a process:
Effected by an entity’s board of directors, management and other personnel;
Applied in strategy setting and across the enterprise;
Designed to identify potential events that may affect the entity;
Manage risks within its risk appetite;
Provides reasonable assurance regarding the achievement of entity objectives.
IRM (New COSO) defines Risk Management as
The process whereby organizations methodically address the risks attaching to their activities
With the goal of achieving sustained benefits within each activity and across the portfolio of all activities.
Generally it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
58. COSO AND ISO 31000
ISO 31000 defines risk management as
An integral part of all organization processes
It is not a stand-alone activity that is separate from the main activities and processes of the organization
It is part of the responsibilities of management and
An integral part of all organizational processes including strategic planning and all project and change management processes
In practical insight the whole of the business is just like risk management, why?
Buffett defines Risk Management as
59. Analysis of Warren Case
What is risk management?
What are the consequences of dedicating risk management activities to a unit in an organisation?
Who is supposed to manage risk in an organization?
What is the status of Risk Management today?
Summary of Risk Management Models
Case study of risk in Hospitality industry
Case Study II – Risk Management
62. COSO - Framework (Control Framework)
A car internal control exemplification
63. Effective Risk Management
Organizations should come out with a risk management strategy in order to ensure that they achieve their goals and objectives.
When management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this – hence the need for effective risk management.
64. Effective Risk Management
A risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that will be used to underpin this approach.
The diagram below summarizes the risk management process within the organisation.
68. ELEMENTS OF RISK MANAGEMENT
Identifying risks;
Assessing risks;
Addressing risks;
Reviewing and reporting risks.
69. Entity should ensure that it has…
A robust approach to risk management - aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of our stakeholders.
Accountability - processes and data will be open to review by our auditors and will respond to the improvements they suggest.
We will encourage appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
70. Identifying risk
A ‘risk’ is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings of its own systems and procedures.
Identification can be done through staff workshops or work groups.
Consideration should be given to categories of risk.
The issues should be prepared and presented in the form of risk scenarios.
71. Identifying risk
Risk category - Possible risks
Compliance risk: the risk of failing to comply with statutory requirements
External risk: risks from changing public or government attitudes
Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources
Operational risk: risks associated with the delivery of examination papers to the regional centres – arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures
Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations
72. IDENTIFYING RISK
Risk type - Possible risks
Reputation risk: risks from damage to the organisation’s credibility and reputation
Risks facing banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision – for example, fraud
Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities
Technology risk: risks arising from outdated technology, inadequate data processing and software malfunctioning
Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or required training for staff is not available
73. Identifying Risk, What To Do?
Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the most important risks, built up from information provided by each department.
74. IDENTIFYING RISK, WHAT TO DO?
The identification of risks is a continuous process and all staff have a part to play - it is not the sole domain of managers.
Systematically identifying risks will enable risks to be assessed and dealt with.
It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
75. ASSESSING RISK
To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.
Whoever identifies the risk should be responsible for assessing the risk.
76. ASSESSING RISK
This initial assessment will then be refined with the help of colleagues and managers, and a ‘risk owner’ will be identified who will be responsible for reviewing and accepting the assessment that will be entered onto the risk register.
The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.
77. RISK RATING
A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important.
Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below.
Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate attention.
78. RISK RATING
Risk Assessment (Figure 1): each cell is the likelihood score multiplied by the impact score.
Likelihood \ Impact: Low (1) | Medium (2) | High (3) | Very High (4)
Very High (4): 4 | 8 | 12 | 16*
High (3): 3 | 6 | 9 | 12
Medium (2): 2 | 4 | 6 | 8
Low (1): 1 | 2 | 3 | 4
79. RISK RATING - LIKELIHOOD
The probability of the threat being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: Rare (the risk may occur in exceptional circumstances);
M: Possible (the risk may occur in the next three years);
H: Likely (the risk is likely to occur more than once in the next three years); and,
VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
80. RISK RATING - IMPACT
The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.
M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
82. RISK RATING - IMPACT
The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.
VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for entity); major impact on core business; loss of stakeholder public confidence.
83. Inherent Risk Rating vs Control Rating
[Heat map: horizontal axis Mitigating Practices / Control Rating from Adequate (0) to Inadequate (10); vertical axis Inherent Risk Rating from 0 (Low) through Moderate and High to 10 (Very High); zones: No Major Concern, Periodic Monitoring, Control Critical, Active Management.]
Requires Active Management where Consequence is rated 5, else Periodic Monitoring.
Active Management: risks where treatment options require preparation, active review and management.
Control Critical: control is adequate; continued monitoring of controls to confirm this.
Periodic Monitoring: control is not strong but risk impact is not high. Options include improving control or monitoring risk impact to ensure the residual risk rating does not increase over time.
No Major Concern: risks where systems and processes managing the risks are adequate and subject to minimal monitoring.
84. Residual risk ratings
This is an alternative risk heat map preferred by some as it shows that there are no absolute risk boundaries, but rather a gradual change in risk.
[Heat map: horizontal axis Mitigating Practices / Control Rating from Excellent to Unsatisfactory; vertical axis Inherent Risk Rating from Low to High; zones shade gradually from No Major Concern through Periodic Review and Continuous Review to Active Management.]
85. Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
The primary objective of managing operational risk is risk reduction / proactive prevention.
Risks cut across all financial institution operations and functions.
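The 4x4 rating matrix, the likelihood and impact definitions, the residual-risk idea and the risk appetite from the preceding slides, put together as a small risk-register scorer. This is an added example written for this page, not code from EMAC or the workshop deck; the numeric appetite threshold, the reading of "very likely and high impact" as likelihood VH with impact at least H, and the sample register entries are assumptions.

```python
"""Risk-register scoring on the 4x4 likelihood x impact matrix from the slides.

Added example (not from the EMAC deck). Level names and the 1..4 scale are the
slides'; the appetite threshold and the sample entries are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Likelihood and impact levels from the slides, each mapped to its score 1..4.
LEVELS = {"L": 1, "M": 2, "H": 3, "VH": 4}

LIKELIHOOD_DEFINITIONS = {
    "L": "Rare: may occur in exceptional circumstances",
    "M": "Possible: may occur in the next three years",
    "H": "Likely: likely to occur more than once in the next three years",
    "VH": "Almost certain: likely to occur this year or at frequent intervals",
}


def score(likelihood: str, impact: str) -> int:
    """One cell of the matrix: likelihood score times impact score (1..16)."""
    return LEVELS[likelihood] * LEVELS[impact]


@dataclass
class RiskEntry:
    """One line of the risk register, with the fields the slides describe."""
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    risk_owner: str
    risk_coordinator: str
    controls: List[str] = field(default_factory=list)
    # Residual levels after existing controls; None means not yet assessed.
    residual_likelihood: Optional[str] = None
    residual_impact: Optional[str] = None

    def inherent_score(self) -> int:
        return score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        # With no residual assessment recorded, residual equals inherent.
        lk = self.residual_likelihood or self.likelihood
        im = self.residual_impact or self.impact
        return score(lk, im)


def immediate_attention(entry: RiskEntry) -> bool:
    """Slide wording: 'both very likely to occur and will have a high impact'.
    Assumed reading: likelihood VH and impact at least H (cells 12 and 16*)."""
    return entry.likelihood == "VH" and LEVELS[entry.impact] >= LEVELS["H"]


def appetite_check(entry: RiskEntry, appetite: int) -> str:
    """Compare the residual score with an assumed numeric appetite threshold."""
    if entry.residual_score() <= appetite:
        return "within appetite: watch"
    if not entry.controls:
        return "above appetite: no controls recorded"
    return "above appetite: strengthen controls"


def build_register(entries: List[RiskEntry], appetite: int) -> List[Dict]:
    """Return register rows sorted by inherent score, highest first, each
    carrying the immediate-attention flag and the appetite classification."""
    rows = []
    for e in sorted(entries, key=lambda e: e.inherent_score(), reverse=True):
        rows.append({
            "ref": e.ref,
            "inherent": e.inherent_score(),
            "residual": e.residual_score(),
            "immediate": immediate_attention(e),
            "appetite": appetite_check(e, appetite),
        })
    return rows


# Constructed sample entries (not from the deck).
SAMPLE = [
    RiskEntry("R1", "Technology risk", "Core system outage during exam period",
              "VH", "H", "IT Director", "IT Ops Lead",
              controls=["Warm standby site"], residual_likelihood="M"),
    RiskEntry("R2", "Compliance risk", "Statutory return filed late",
              "M", "M", "Finance Director", "Reporting Officer"),
    RiskEntry("R3", "Human resource risk", "Key staff unavailable at a critical time",
              "H", "VH", "HR Director", "HR Manager",
              controls=["Succession plan"],
              residual_likelihood="M", residual_impact="H"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE, appetite=4):
        print(row)
```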
88. Risk Assessment Process
To make an initial assessment of risk, a ‘bottom-up and top-down’ approach will be adopted.
This will mean identifying and assessing risks both at an operational level, using the departmental Performance Teams and directorates’ team meetings, and by the Management Team identifying the major risks affecting the organisation.
89. Risk Assessment Process
The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
90. Risk Assessment Process
These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator.
The group will identify the more significant risks that will need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised.
For every risk identified as important enough to be placed on the corporate risk register, a ‘risk owner’ will be identified (who will be responsible for overseeing the management of the risk, and making sure appropriate resources are available to do this) and a ‘risk coordinator’ (who will be responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
91. Risk Assessment Process
The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular major financial risks. For such major corporate risks, directors are likely to be both the risk owner and risk coordinator.
The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity’s business plan priorities. They will identify the most critical risks, and report these to the Board of Directors through the audit committee.
92. Risk Assessment Process
This process will identify a set of significant risks that need to be addressed and placed on the corporate risk register, which will then be maintained by the organisation’s risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the department risk co-ordinator.
93. Addressing Risks
Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
94. Addressing Risk
Assessing current risk controls
The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example examination leakage risk, action may already have been taken to treat or eliminate the risk under all circumstances in which it could arise.
Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any ‘residual risk’ remains, or whether the risk might ‘slip through’ these existing mechanisms under some circumstances. In some cases, risks may be deemed to be ‘over-controlled’ – action in this case may be to ease such controls and allow the risk to be taken.
95. Addressing Risk
In this way, risks can be addressed through ‘gap analysis’, focussing only on those risks that are not adequately treated, or are not treated at all.
The next stage is to look at how such risks may be dealt with.
96. How to deal with risk
Transfer the risk:
by conventional insurance or by asking a third party to take on the risk in another way.
Contracting out services, for example, transfers some, but not all, risks (but can introduce a new set of risks to be managed);
97. How to deal with risk
Tolerate the risk:
the ability to take effective action against some risks may be limited, or
the cost of taking action may be disproportionate to the potential benefit gained.
In this instance, the only management action required is to ‘watch’ the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat this risk in the future;
98. How to deal with risk
Treat the risk:
by far the greater number of risks will be in this category.
The purpose of ‘treatment’ is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk to an acceptable level; and,
99. How to deal with risk
Terminate the risk:
this is a variation of the ‘treat’ approach, and involves quick and decisive action to eliminate a risk altogether.
For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).
100. Risk Treatment
[Flowchart. START HERE: Is risk acceptable? Yes: Accept, then Monitor and Review. No: Treatment Strategy, (1) Recommend, (2) Choose, (3) Implement, using Reduce Likelihood, Reduce Consequence, Transfer or Avoid; the part retained leads to: Is residual risk acceptable? Yes: Retain, then Monitor and Review. No: unacceptable residual risk, back to Treatment Strategy.]
111. Role of internal auditor in RM
Giving assurance on risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks.
112. Role of internal auditor (with safeguards)
Facilitating identification and evaluation of risks.
Coaching management in responding to risks.
Coordinating ERM activities.
Consolidating the reporting on risks.
Maintaining and developing the ERM framework.
Championing establishment of ERM.
Developing risk management strategy for board approval.
113. What the IA should not do
Setting the risk appetite.
Imposing risk management processes.
Management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.
115. Role of Audit Committee in RM
Critical role in ERM by establishing the right environment or tone at the top
Vital role in overseeing management’s approach to ERM
Without their oversight, ERM may not be embraced by senior management
Discuss policies with respect to risk assessment and risk management
Better risk intelligence means both audit committees and the full board are better informed
116. Conclusion
Risk management is a process; therefore put in place a strategy for introducing risk management
Develop a risk management strategy
Develop a risk management framework tailored to your activities (avoid copying and pasting)
Develop a risk management policy and guidelines
Develop a risk management capacity building program
118. Risk management in public institutions
It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions
Risks are inherent in public institutions as well as in the private sector; this applies to the whole of the public sector
Risk management is new in public organizations, but the concept of risk is not new
Government internal auditors have a special mandate to champion its establishment and monitoring
119. RISK MANAGEMENT IN PUBLIC SECTOR
The public sector is currently undergoing radical changes through reforms
There are new risks related to human rights, unemployment and corporate governance
Risk management should be a vital part of the functions and activities provided by public institutions
Without risk management it will not be possible to achieve good corporate governance or the aims and intentions of much legislation and many rules
120. RISK MANAGEMENT IN PUBLIC SECTOR
Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems
These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation
What to do then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish risk management processes that are clearly defined and documented, and continuously apply risk management practices in decision making
125. Pillars of Operational Risk Management
[Diagram: pillars of operational risk management. Labels recovered from the slide: EXECUTIVE MANAGEMENT; Losses; CSA; Issues; Indicators; Qualitative/Quantitative Analyses; Common Operational Risk Classification Scheme]
127. Control Self Assessment: Outline
Control-Self Assessment Definition
Control-Self Assessment Objectives
Enterprise-wide Control Self Assessment Framework
Balanced Scorecard
CSA Methodology
Results
Corporate Governance
CSA Rollout - Project Time Line
128. Control Self Assessment: Definition
Control-Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process.
129. Control Self Assessment: Objectives
Communication
To ensure better communication of the DG's objectives and strategies to all business lines
To ensure business line managers communicate their risks and controls more effectively
Education
To ensure business line managers have a better comprehension of effective risk control
To ensure business line managers have a better comprehension of risk management
Proactive Management
To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
To ensure business line managers assume greater responsibility and accountability for their risks and controls
To ensure business line managers monitor their risks effectively and in a timely manner
To ensure business line managers utilize and allocate their resources effectively
132. Step 1: Objective Setting
Balanced Scorecard *
A tool that translates a firm's mission and strategy into a comprehensive set of performance measures that provide the framework for a strategic measurement and management system
Objectives
Ensures linkage between the objectives of senior management and the businesses
Increased focus on the appropriateness of the objectives
Reinforced as the central "top down" articulation of goals
Provides a framework within which the oversight functions, risk management and the business lines operate
133. Step 2: CSA Methodology
ORCA Framework
Objectives
Risk Assessment of Key Processes
Controls
Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
134. Step 2: CSA Methodology
ORCA Framework
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
136. Step 2: CSA Methodology
Key Indicators
Metrics to measure the effectiveness of controls in mitigating or managing risks
To measure operational problems
To monitor the quality of the services provided
To provide early warning of problems
To aid in the containment of losses
To determine trends
To set limits for risk or escalation criteria
To facilitate everyday decisions
137. General Approaches for CSA
Facilitated meetings – group workshops
Questionnaires – yes/no answers
Management analysis – self studies
138. Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm's risk environment on an ongoing basis.
141. Advantages of CSA
The presented enterprise-wide control self-assessment framework:
Provides flexibility and dynamism to evolve with the changing firm
Allows a firm to manage risks from both the "top-down" and "bottom-up" perspectives
Is an integral component of a strong corporate governance structure
142. Way Forward
CRSA is an important management tool
We have matured in risk management and therefore it is time to move a step further through CRSA
We have new issues in place; a control review is imperative
There is a critical need for organisations to prepare CRSA for the efficiency and effectiveness of operations