ADVANCED RISK MANAGEMENT WORKSHOP
STELLA MARIS HOSTEL
Bagamoyo
9th-11th April, 2014
www.elsamconsult.com 1
ELSAM MANAGEMENT CONSULTANTS - EMAC
Notes
These slides contain video clips to help the reader understand the risk management concepts.
To view the slides you must be in slide show mode and click on the underlined links.
The video clips are copyrighted material and EMAC accepts no legal responsibility for any use other than educational dissemination.
Welcoming Remarks
Who are we?
Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.
Core functions: Recruitment, Training and Consultancies.
More details: www.elsamconsult.com
Welcoming Remarks
Introduction of facilitators
Self-introduction to others on your team
Recap: share a personal experience in Risk Management and highlight your expectations of this training
Pick one: identify a risk and discuss it as both a threat and an opportunity
Report to the large group; pick a spokesperson
Why this training?
Government collapse: Greece, Turkey, Africa
Global markets, more complex
Greater product complexity
New businesses (e-banking)
Increasing competition
New players
Why this training?
Regulatory imbalances
Technology
Corporate failures: what about Tanzania?
Increase in fraud and corruption
Increase in “snakes in suits”
Theft and robberies
Organization of this training
Day 1 – Understanding Risk Management Principles
Day 2 - Public Sector Risk Management: Theoretical Implication; Practical Implication; Challenges
Day 3 - Fraud Risk Management
Day 3 - Lessons Learned from practice
Part I
OVERVIEW OF RISK MANAGEMENT
UNDERSTANDING THE RISK MANAGEMENT CONCEPTS AND DIGESTS
Presentation Plan
Defining and understanding risk
Risk and Risk Management
Objectives of Risk Management
Modeling of Risk Management Process
Risk Management Process
Guidelines for Risk Management
Presentation Plan cont…
Role of Internal auditor in Risk
Management
Role of Audit Committee in Risk
Management
Examples of Models for Risk
Management
Practical sessions (continuous)
Risk? What is it?
What is not risk?
Risk
Real or perceived
Risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.
‘A calculation of both probability and improbability becoming a reality’.
Risk has no religion.
This definition is based on three scenarios:
Risk Scenarios
Whatever can go wrong, will go wrong.
Whatever cannot go wrong, will go wrong.
When things go wrong, they go badly wrong.
WHAT IS RISK?
Something happening that may have an impact on the achievement of objectives. It includes risk as an opportunity as well as a threat.
By managing threats the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities the organisation will be in a better position to provide improved services and better value for money.
Figure: Probability vs ‘Risk Magnitude’, a scale from -10 to 10 with the labels Improbable Risk, Unlikely Risk, Likely Risk, Probable Risks, High Magnitude Risk and Low Magnitude Risk.
Click on underlined words to watch the video.
Group study 1
Based on the video presentation:
Can you identify ten risk scenarios?
Do you agree that one risk normally results in other potential risks?
Is this a probable or improbable risk?
What are the major risks in your organisation which are improbable?
EXAMPLES OF RISKS
Resources, Political, Economic, Social, Technological, Legislative/Regulatory, Environmental, Competition, Customer/citizen, Managerial, Professional, Financial, Legal, Partnership/Contractual, Procurement, Physical, Technological……
Mention the risks you know in …
Public Sector Service Delivery
Banking Industry
Starting a job or career
Transport and travel
Financial management
Attending this workshop
Risks related to your organization
Risks by category (possible risk areas):
Strategy: Planning; Business Portfolio Management Activity; New Business/Growth Opportunities; Strategy Development; Business Performance Management; Target Setting/Vision/Goals; Investor Relations; Joint Venture Mgt; Rationalisation; Communication of strategic direction set by Board
Human Resources: Workplace Industrial Relations; Employment Practices; Remuneration and Entitlements; Succession Planning; Recruitment and Retention; Workers Compensation; Skills availability/Training and Development; Leadership; Diversity; Employee Safety and Health; Performance Incentivisation; Communication; Contractors / 3rd parties
Information Technology: Data Management; Data Security; Systems Development / New systems; Systems Maintenance; Availability; Data Integrity; Service delivery; ‘e’ Commerce; Outsourcing management; Interface with 3rd parties; Sharing of classified information
Marketing: Competitive Positioning; Market Research; Image; Trademarks; Strategic alliance networks; Pricing / Costing; Patents; Reputation; Customer Service; New Products; Project management; Research and Development; Product portfolio; Product Liability; Obsolescence; “e” Commerce
Source: CRCA © 2007 Deloitte Touche Tohmatsu
Supply Chain / Distribution: Logistics; Purchasing/procurement; Inventory Management; Contract Management; Import Clearance; Continuity management
Environment: Regulatory Compliance; Contamination; Loss of Containment; Complaints Management Handling; Image/reputation; Community / Government Relations
Legal: Regulatory Compliance; Commercial Relationships; Acquisitions/Divestments; Intellectual Property; Competition Law; Contractual Obligations
Finance: Funding / Treasury; Investments; Taxation; Debt Management; Supplier Payments; Capital Expenditure; Financial Controls and Reporting; Fraud; Insurance
Physical Assets: Security; Natural Disaster; Fire; Explosion; Impact; Capital Expenditure
Operations: Manufacturing upscaling; Technical Engineering; Capacity Planning; Costs of upscaling to Production; Reliability Management & partners; Safe Operations
Government: Sovereignty; Politics; War; Legislative Change; Corruption; Terrorism; Tax law change; Change to party in power
Economics: Interest Rates; Commodity; Currency
Meaning of Risks
Case study I
Video Practical Session I
Case Analysis I
End of Session I
Risk Management
What is Risk Management?
Basis of Risk Management
Risk management is a part of the wider corporate governance and internal control system of an organization.
Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.
Risk Management: Pillars of Corporate Governance
Accountability
Ensure that management is accountable to the Board
Ensure that the Board is accountable to the shareholders
Fairness
Protects shareholders’ rights
Treats all shareholders, including minorities, equitably
Provides effective redress for violations
Transparency
Ensure timely, accurate disclosure on all material matters including financial situation, performance, ownership and corporate governance
Independence
Procedures and structures are in place so as to minimize, or avoid completely, conflicts of interest
Independent directors and advisers, i.e. free from the influence of others
Principles of Risk Management
Creates value (gain should exceed pain)
Be an integral part of organisational processes
Be part of the decision making process
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be customizable to entity needs
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually and periodically re-assessed
Be tailorable
Risk management
It is not avoiding risk.
It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.
There is no risk-free environment!
Risk management defined
Risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework, September 2004, New York, NY.)
Risk Management Defined
RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)
Risk Management is the identification, assessment, and prioritization of risk (ISO 31000) and the subsequent application of resources to minimize, monitor, and control the probability and/or impact of downside events or to maximize the realization of opportunities.
It deals with the management of uncertainty, risks and opportunities towards the achievement of company goals and objectives.
Objectives of Risk Management
Support strategic and business planning
Enhance communication between directors and departments
Support effective use of resources
Promote continual improvement
Help focus internal audit programs
Fewer shocks and unwelcome surprises
Reassure stakeholders
Quick grasp of new opportunities
Objectives and RM
Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
Objectives must be defined before defining the risks which may affect them.
Risk management must be linked to objectives/strategies/projects.
Benefits of Risk Management
Aligns risk profile and strategy
Broadens risk awareness
Minimizes surprises and losses
Rationalizes capital requirements
Improves shareholder value
Assures regulatory compliance
Hard and Soft side of Risk Management
Hard Side: Measures and Reporting; Risk Oversight Committees; Policies and Procedures; Risk Assessment; Risk Limits; Audit Process; Systems
Soft Side: Risk Awareness; People; Skills; Integrity; Incentives; Culture and Values; Trust and Communication
Drivers for Risk Management
What are real objectives of RM?
Video Presentation
Case study 2
Figure: strategic and operational risk across the strategic plan (SP): situation analysis, mission and vision, objectives, targets, overview of SP, activities, inputs and costing.
What do you See?
End of Session II
Risk Management Frameworks
Modeling of Risk Management & Risk Management Standards
Common Risk Management Standards
Risk Management Standard (IRM, ALARM and AIRMIC) of the UK
ISO 31000 Risk Management – Guidelines on principles and implementation of risk management
ISO Guide 73 – Risk Management Vocabulary
BS 31100 Code of best practice for Risk Management
AS/NZS 4360:2004 Risk Management Standard
COSO Enterprise Risk Management
Canadian Government Sector Standard
Basel II/III
Solvency II (ICAAP)
King Report
Many Models To Choose Among
Cadbury
Basel II
COSO
COCO
Cadbury Report
Deming Award
TQM
12 Attributes
Deep Learning Framework
Baldrige Award
ISO 31000
Westinghouse Award
Northrop Award
Who Developed Models?
COSO: The major accounting and audit professional organizations issued COSO in 1992.
12 Criteria: The Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
COCO: In November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
Who Developed Models? (Continued)
ISO 31000: developed by the International Organization for Standardization (ISO).
Deep Learning Framework: In 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.
Different Frameworks: Same Goals
Frameworks provide a way of understanding our organizations.
By having different groupings, each highlights some aspects of control more than others.
The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
Different Frameworks: Same Goals
Frameworks provide a systematic, step by step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
Frameworks provide a standard review process.
Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.
Risk Management Principles, Frameworks and Processes
Risk Management Process
Establish Context (context: strategic, internal and external context)
Identify Risks (identification: what can go wrong? missed opportunities?)
Analyse Risks (analysis/measurement: assess risk likelihood and consequence, review)
Evaluate Risks (evaluate: compare risks, set risk priorities)
Treat Risks (treatment options: reduce, avoid, transfer or retain)
Identify, Analyse and Evaluate together make up Risk Assessment (assess risks and controls); Communication and Consultation and Monitor and Review run alongside every step.
COSO AND ISO 31000
COSO Framework
COSO stands for Committee of Sponsoring Organizations of the Treadway Commission.
It is a US private sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance, business ethics, internal control, ERM, fraud, and financial reporting.
COSO has established a common internal control model against which companies and organizations may assess their control systems.
COSO AND ISO 31000
COSO defines ERM as a process: effected by an entity’s board of directors, management and other personnel; applied in strategy setting and across the enterprise; designed to identify potential events that may affect the entity; managing risks within its risk appetite; providing reasonable assurance regarding the achievement of entity objectives.
IRM (new COSO) defines Risk Management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefits within each activity and across the portfolio of all activities.
Generally it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
Analysis of Warren Case
ISO 31000 defines risk management as an integral part of all organization processes: it is not a stand-alone activity separate from the main activities and processes of the organization; it is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
In practical insight the whole of the business is just like risk management, why?
Buffett defines Risk Management as
Case study of risk in Hospitality industry
What is risk management?
What are the consequences of dedicating risk management activities to a unit in an organisation?
Who is supposed to manage risk in an organization?
What is the status of Risk Management today?
Summary of Risk Management Models
Case Study II – Risk Management
End of Session III
COSO ERM Framework
Understanding the cube:
Objectives
Internal Environment
Event Identification
Risk Assessment
Risk Response
Control Activities
Risk Monitoring
A Car internal control exemplification
COSO - Framework (Control Framework)
Effective Risk Management
Organizations should come out with a risk management strategy in order to ensure that the organization achieves its goals and objectives.
When management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this – hence the need for effective risk management.
Effective Risk Management
A risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that will be used to underpin this approach.
The diagram below summarizes the risk management process within the organisation.
End of Session IV
Who manages risks?
ELEMENTS OF RISK MANAGEMENT
Identifying risks;
Assessing risks;
Addressing risks;
Reviewing and reporting risks.
Entity should ensure that it:
has a robust approach to risk management - aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of our stakeholders;
is accountable - processes and data will be open to review by our auditors and we will respond to the improvements they suggest.
We will encourage appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
Identifying risk
A ‘risk’ is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings of its own systems and procedures.
Identification can be done through staff workshops or work groups.
Consideration should be given to categories of risk.
The issues should be prepared and presented in the form of risk scenarios.
Identifying risk
Risk category: possible risks
Compliance risk: the risk of failing to comply with statutory requirements
External risk: risks from changing public or government attitudes
Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources
Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures
Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations
Reputation risk: risks from damage to the organisation’s credibility and reputation
Risks facing banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision – for example, fraud
Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities
Technology risk: risks arising from outdated technology, inadequate data processing and software malfunctioning
Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or required training for staff is not available
Identifying Risk, What To Do?
Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the most important risks, built up from information provided by each department.
IDENTIFYING RISK, WHAT TO DO?
The identification of risks is a continuous process and all staff have a part to play - it is not the sole domain of managers.
Systematically identifying risks will enable risks to be assessed and dealt with.
It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
ASSESSING RISK
To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.
Whoever identifies the risk should be responsible for assessing the risk.
ASSESSING RISK
This initial assessment will then be refined with the help of colleagues and managers, and a ‘risk owner’ will be identified who will be responsible for reviewing and accepting the assessment that will be entered onto the risk register.
The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.
RISK RATING
A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important.
Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below.
Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate attention.
Figure 1: Risk Assessment matrix (score = likelihood x impact)
Likelihood \ Impact   Low (1)   Medium (2)   High (3)   Very High (4)
Very High (4)            4          8           12          16*
High (3)                 3          6            9          12
Medium (2)               2          4            6           8
Low (1)                  1          2            3           4
RISK RATING - LIKELIHOOD
Likelihood
The probability of the threat being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: Rare (the risk may occur in exceptional circumstances);
M: Possible (the risk may occur in the next three years);
H: Likely (the risk is likely to occur more than once in the next three years); and,
VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
RISK RATING - IMPACT
The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.
M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
RISK RATING - IMPACT
The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.
VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.
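The scoring procedure on these slides, as an added example that is not part of the workshop material: a small Python risk register that applies the 4x4 likelihood x impact matrix, flags the risks demanding immediate attention, and orders the register for review. The sample risks are constructed from risk types named on the slides, and the immediate-attention rule (VH likelihood together with H or VH impact) is an assumption made for this example.

```python
"""Scoring a risk register with the workshop's 4x4 likelihood x impact matrix.

Added example; not part of the EMAC workshop material.  Levels L/M/H/VH map to
1..4 and score = likelihood x impact (1..16).  The "immediate attention" rule
(very likely AND high impact) is encoded as VH likelihood with H or VH impact,
which is an assumption made for this example; the sample register is constructed.
"""
from dataclasses import dataclass

# The four levels used on the workshop slides, with their numeric values.
LEVELS = {"L": 1, "M": 2, "H": 3, "VH": 4}

# Likelihood definitions as given on the slides, kept for reference.
LIKELIHOOD_DEFINITIONS = {
    "L": "Rare: may occur in exceptional circumstances",
    "M": "Possible: may occur in the next three years",
    "H": "Likely: likely to occur more than once in the next three years",
    "VH": "Almost certain: likely to occur this year or at frequent intervals",
}


def level_value(level: str) -> int:
    """Translate an L/M/H/VH label into 1..4, rejecting anything else."""
    try:
        return LEVELS[level.upper()]
    except KeyError:
        raise ValueError(f"unknown level {level!r}; expected one of {list(LEVELS)}")


def score(likelihood: str, impact: str) -> int:
    """Figure 1 on the slide: score = likelihood x impact, range 1..16."""
    return level_value(likelihood) * level_value(impact)


def needs_immediate_attention(likelihood: str, impact: str) -> bool:
    """Very likely to occur AND high impact (assumed: VH likelihood, H/VH impact)."""
    return level_value(likelihood) == 4 and level_value(impact) >= 3


@dataclass
class Risk:
    """One row of a risk register, as the slides describe it."""
    description: str
    category: str
    likelihood: str
    impact: str
    owner: str = "unassigned"   # the 'risk owner' who accepts the assessment

    @property
    def rating(self) -> int:
        return score(self.likelihood, self.impact)


def prioritise(register: list[Risk]) -> list[Risk]:
    """Order the register so the highest-scoring risks come first; ties are
    broken by likelihood, since a more frequent risk should be looked at sooner."""
    return sorted(
        register,
        key=lambda r: (r.rating, level_value(r.likelihood)),
        reverse=True,
    )


def render_matrix() -> str:
    """Reproduce the 4x4 grid from the slide, marking the 16 cell with '*'."""
    labels = ["L", "M", "H", "VH"]
    lines = ["Likelihood \\ Impact  " + "".join(f"{lab:>6}" for lab in labels)]
    for lk in reversed(labels):            # VH at the top, as on the slide
        cells = []
        for im in labels:
            s = score(lk, im)
            cells.append(f"{s}*" if s == 16 else str(s))
        lines.append(f"{lk:<21}" + "".join(f"{c:>6}" for c in cells))
    return "\n".join(lines)


def sample_register() -> list[Risk]:
    """Constructed sample entries drawn from risk types named on the slides."""
    return [
        Risk("Examination papers leaked before the sitting", "Operational", "M", "VH"),
        Risk("Key staff ill and unavailable at critical times", "Human resource", "H", "M"),
        Risk("Outdated IT systems fail during processing", "Technology", "VH", "H"),
        Risk("Fraud or impropriety in procurement", "Financial", "L", "VH"),
        Risk("Public attitude shift reduces demand for services", "External", "M", "L"),
    ]


if __name__ == "__main__":
    print(render_matrix())
    for risk in prioritise(sample_register()):
        flag = "  <-- immediate attention" if needs_immediate_attention(
            risk.likelihood, risk.impact) else ""
        print(f"{risk.rating:>3}  {risk.likelihood:>2}/{risk.impact:<2} "
              f"{risk.category:<15} {risk.description}{flag}")
```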
Residual risk ratings (figure): a heat map of Inherent Risk Rating (Low, Moderate, High, Very High; scale 0 to 10) against Mitigating Practices / Control Rating (Adequate to Inadequate; scale 0 to 10), divided into four zones: Active Management, Control Critical, Periodic Monitoring and No Major Concern. Zone descriptions given on the chart:
Requires Active Management where Consequence is rated 5, else Periodic Monitoring.
Risks where treatment options require preparation, active review and management.
Control is adequate; continued monitoring of controls to confirm this.
Control is not strong but risk impact is not high. Options include improving control or monitoring risk impact to ensure the residual risk rating does not increase over time.
Risks where the systems and processes managing the risks are adequate and subject to minimal monitoring.
Residual risk ratings (alternative figure): this is an alternative risk heat map preferred by some as it shows that there are no absolute risk boundaries, but rather a gradual change in risk. Axes: Mitigating Practices / Control Rating (Excellent to Unsatisfactory) and Inherent Risk Rating (Low to High); zones: No Major Concern, Periodic Review, Continuous Review and Active Management.
Risk Appetite
Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).
The primary objective of managing operational risk is risk reduction / proactive prevention.
Risk cuts across all financial institution operations and functions.
Risk Appetite Best Practices
Determining Risk Appetite
Risk Assessment Process
To make an initial assessment of risk, a ‘bottom-up and top-down’ approach will be adopted. This will mean identifying and assessing risks both at an operational level, using the departmental Performance Teams and directorates’ team meetings, and by the Management Team identifying the major risks affecting the organisation.
The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator.
The group will identify the more significant risks that will need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised.
For every risk identified as important enough to be placed on the corporate risk register, a ‘risk owner’ will be identified (who will be responsible for overseeing the management of the risk, and making sure appropriate resources are available to do this) and a ‘risk coordinator’ (who will be responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular major financial risks. For such major corporate risks, directors are likely to be both the risk owner and the risk coordinator.
The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity’s business plan priorities. They will identify the most critical risks, and report these to the Board of Directors through the audit committee.
This process will identify a set of significant risks that need to be addressed, and placed on the corporate risk register, which will then be maintained by the organisation’s risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the department risk co-ordinator.
Addressing Risks
Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
Assessing current risk controls
The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example examination leakage risk, action may already have been taken to treat or eliminate the risk under all circumstances under which it could arise.
Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any ‘residual risk’ remains, or whether the risk might ‘slip through’ these existing mechanisms under some circumstances. In some cases, risks may be deemed to be ‘over-controlled’ – action in this case may be to ease such controls and allow the risk to be taken.
In this way, risks can be addressed through ‘gap analysis’, focussing only on those risks that are not adequately treated, or are not treated at all.
The next stage is to look at how such risks may be dealt with.
How to deal with risk
Transfer the risk
conventional insurance or by asking a
third party to take on the risk in another
way.
Contracting out services, for example,
transfers some, but not all, risks (but can
introduce a new set of risks to be
managed);
96www.elsamconsult.com
E
M
A
C
How to deal with risk
Tolerate the risk:
the ability to take effective action against some
risks may be limited, or
the cost of taking action may be
disproportionate to the potential benefit gained.
In this instance, the only management action
required is to ‘watch’ the risk to ensure that its
likelihood or impact does not change. If new
management options arise, it may become
appropriate to treat this risk in the future;
97www.elsamconsult.com
E
M
A
C
How to deal with risk
Treat the risk: by far the greater number of risks will be in this category. The purpose of ‘treatment’ is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk to an acceptable level; and,
How to deal with risk
Terminate the risk: this is a variation of the ‘treat’ approach, and involves quick and decisive action to eliminate a risk altogether. For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).
Risk Treatment (flowchart, reconstructed from its labels)
START HERE: Is risk acceptable? If Yes: Accept, then Monitor and Review. If No: apply a Treatment Strategy, (1) Recommend, (2) Choose, (3) Implement, using the options Reduce Likelihood, Reduce Consequence, Transfer, Avoid or Retain (part retained). Then ask: Is residual risk acceptable? If Yes: Retain, then Monitor and Review. If No: the residual risk is unacceptable and the treatment strategy is revisited.
RISK IDENTIFICATION AND ANALYSIS TEMPLATE (see attachment)
The following slides (102 to 110) are figure-only; their titles are:
• Risk Reporting (two slides)
• Key Risk Indicators
• Developing KRIs
• Examples of Risk Indicators
• Risk Control Self Assessment (RCSA)
• Risk IT Extends Val IT and COBIT
• COBIT 5 Principles
• COBIT 5 Enterprise Enablers
Role of internal auditor in RM
• Giving assurance on risk management processes.
• Giving assurance that risks are correctly evaluated.
• Evaluating risk management processes.
• Evaluating the reporting of key risks.
• Reviewing the management of key risks.
Role of internal auditor (with safeguard)
• Facilitating identification and evaluation of risks.
• Coaching management in responding to risks.
• Coordinating ERM activities.
• Consolidating the reporting on risks.
• Maintaining and developing the ERM framework.
• Championing establishment of ERM.
• Developing risk management strategy for board approval.
What the IA should not do
• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk responses on management's behalf.
• Accountability for risk management.
Internal Audit Approach (figure-only slide)
Role of Audit committee in RM
• Critical role in ERM by establishing the right environment or tone-at-the-top
• Vital role in overseeing management’s approach to ERM
• Without their oversight, ERM may not be embraced by senior management
• Discuss policies with respect to risk assessment and risk management
• Better risk intelligence means both audit committees and the full board are better informed
Conclusion
• Risk management is a process; therefore, put in place a strategy for introducing risk management
• Develop a risk management strategy
• Develop a risk management framework tailored to your activities (avoid copying and pasting)
• Develop a risk management policy and guidelines
• Develop a risk management capacity building program
End Session V & Final Case Study
Risk management in public institutions
• It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions
• Risks are inherent in public institutions as well as in the private sector; risk management entails the whole of the public sector.
• Risk management is new in public organizations, but the concept of risk is not new
• Government internal auditors have a special mandate to champion its establishment and monitoring
RISK MANAGEMENT IN PUBLIC SECTOR
• The public sector is currently undergoing radical changes through reforms
• There are new risks related to human rights, unemployment and corporate governance.
• Risk management should be a vital part of the functions and activities provided by public institutions.
• Without risk management it will not be possible to achieve good corporate governance and the aims and intentions of much legislation and many rules
RISK MANAGEMENT IN PUBLIC SECTOR
• Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems
• These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation.
• What to do then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish risk management processes that are clearly defined and documented, and continuously apply risk management practices in decision making.
Can you assess your Risk Maturity? (figure-only slide; the following slide is also figure-only)
Risk Management
PART II
CONTROL SELF ASSESSMENT
By Sako Mayrick
ELSAM MANAGEMENT CONSULTANTS
Operational Risk Management Framework and Control Self Assessment
Pillars of Operational Risk Management (diagram; labels: Losses, EXECUTIVE MANAGEMENT, CSA, Issues, Indicators, Qualitative/Quantitative Analyses, Common Operational Risk Classification Scheme, Control Self Assessment Framework)
Control Self Assessment: Outline
• Control-Self Assessment Definition
• Control-Self Assessment Objectives
• Enterprise wide Control Self Assessment Framework
  • Balanced Scorecard
  • CSA Methodology
  • Results
• Corporate Governance
• CSA Rollout - Project Time Line
Control Self Assessment: Definition
Control-Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The “self” assessment refers to the involvement of management and staff in the assessment process.
Control Self Assessment: Objectives
Communication
• To ensure better communication of DG's objectives and strategies to all business lines
• To ensure business line managers communicate their risks and controls more effectively
Education
• To ensure business line managers have a better comprehension of effective risk control
• To ensure business line managers have a better comprehension of risk management
Proactive Management
• To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
• To ensure business line managers assume greater responsibility and accountability for their risks and controls
• To ensure business line managers monitor their risk effectively and timely
• To ensure business line managers utilize and allocate their resources effectively
Enterprise-wide CSA Framework: Goal
To foster a proactive management framework which is pervasive throughout the organisation
Enterprise-wide CSA Framework (diagram; labels: XXXX, OBJECTIVES)
Step 1: Objective Setting
Balanced Scorecard *
A tool that translates a firm's mission and strategy into a comprehensive set of performance measures that provides the framework for a strategic measurement and management system
Objectives
• Ensures linkage between the objectives of senior management and the businesses
• Increased focus on the appropriateness of the objectives
• Reinforced as the central “top down” articulation of goals
• Provides a framework within which the oversight functions, risk management and the business lines operate
Step 2: CSA Methodology
ORCA Framework
• Objectives
• Risk Assessment of Key Processes
• Controls
• Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
Step 2: CSA Methodology
ORCA Framework
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
Step 2: CSA Methodology
ORCA Framework (diagram)
Step 2: CSA Methodology
Key Indicators
Metrics to measure the effectiveness of controls in mitigating or managing risks:
• To measure operational problems
• To monitor the quality of the services provided
• To provide early warning for problems
• To aid in the containment of losses
• To determine trends
• To set limits for risk or escalation criteria
• To facilitate everyday decisions.
General Approaches for CSA
• Facilitated meetings – group workshops
• Questionnaires – yes/no answers
• Management analysis – self studies
Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm's risk environment on an ongoing basis
Tools for CRSA (two figure-only slides)
Advantages of CSA
The presented enterprise-wide control self-assessment framework:
• Provides flexibility and dynamism to evolve with the changing firm
• Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives
• Is an integral component of a strong corporate governance structure
Way Forward
• CRSA is an important management tool
• We have matured in risk management and therefore it is time to move a step further through CRSA
• We have new issues in place; a need for control review is imperative
• There is a critical need for organisations to prepare CRSA for efficiency and effectiveness of operations
A Critique of the Proposed National Education Policy Reform
 
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
Mattingly "AI & Prompt Design: Structured Data, Assistants, & RAG"
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...Russian Call Girls in Andheri Airport Mumbai WhatsApp  9167673311 💞 Full Nigh...
Russian Call Girls in Andheri Airport Mumbai WhatsApp 9167673311 💞 Full Nigh...
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17Advanced Views - Calendar View in Odoo 17
Advanced Views - Calendar View in Odoo 17
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 

Advanced Risk Management - Elsam Management Consultants

  • 1. ADVANCED RISK MANAGEMENT WORKSHOP, Stella Maris Hostel, Bagamoyo, 9th-11th April 2014. Elsam Management Consultants (EMAC), www.elsamconsult.com
  • 2. Notes
    • These slides contain video clips to help the reader understand the risk management concepts.
    • To view the clips you must be in slide show mode and click on the underlined links.
    • The video clips are copyrighted materials and EMAC has no legal responsibility for any use other than education dissemination.
  • 3. Welcoming Remarks: Who are we?
    • Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.
    • Core functions: Recruitment, Training and Consultancies.
    • More details: www.elsamconsult.com
  • 4. Welcoming Remarks
    • Introduction of facilitators
    • Self-introduction to others on your team
    • Recap: share something from personal experience in risk management and highlight the expectations of this training
    • Pick 1: identify a risk and discuss it as both a threat and an opportunity
    • Report to the large group; pick a spokesperson
  • 6. Why this training?
    • Government collapse: Greece, Turkey, Africa
    • Global markets, more complex
    • Greater product complexity
    • New businesses (e-banking)
    • Increasing competition
    • New players
  • 7. Why this training?
    • Regulatory imbalances
    • Technology
    • Corporate failures; what about Tanzania?
    • Increase in fraud and corruption
    • Increase in “snake on suits”
    • Theft and robberies
  • 8. Organization of this training
    • Day 1 – Understanding Risk Management Principles
    • Day 2 – Public Sector Risk Management: theoretical implication, practical implication, challenges
    • Day 3 – Fraud Risk Management
    • Day 3 – Lessons learned from practice
  • 10. OVERVIEW OF RISK MANAGEMENT: understanding the risk management concepts and digests
  • 11. Presentation Plan
    • Defining and understanding risk
    • Risk and risk management
    • Objectives of risk management
    • Modeling of the risk management process
    • Risk management process
    • Guidelines for risk management
  • 12. Presentation Plan cont…
    • Role of the internal auditor in risk management
    • Role of the audit committee in risk management
    • Examples of models for risk management
    • Practical sessions (continuous)
  • 13. Risk? What is it? What is not risk?
  • 14. Risk
    • Real or perceived.
    • Risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives: ‘a calculation of both probability and improbability becoming a reality’.
    • Risk has no religion.
    • This definition is based on three scenarios:
  • 15. Risk Scenarios
    • Whatever can go wrong, will go wrong.
    • Whatever cannot go wrong, will go wrong.
    • When things go wrong, they go badly wrong.
  • 16. WHAT IS RISK?
    • Something happening that may have an impact on the achievement of objectives. It includes risk as an opportunity as well as a threat.
    • By managing threats the entity will be in a stronger position to deliver its business plan priorities.
    • By managing opportunities the organisation will be in a better position to provide improved services and better value for money.
  • 17. Probability vs ‘Risk Magnitude’ (diagram: a scale from -10 to +10 labelled Improbable risk, Unlikely risk, Likely risk and Probable risks, against High magnitude risk and Low magnitude risk; click on the underlined words to watch the video)
  • 18. Group study 1, based on the video presentation
    • Can you identify ten risk scenarios?
    • Do you agree that one risk normally results in other potential risks?
    • Is this a probable or an improbable risk?
    • What are the major risks in your organisation which are improbable?
  • 19. EXAMPLES OF RISKS: resources, political, economic, social, technological, legislative/regulatory, environmental, competition, customer/citizen, managerial, professional, financial, legal, partnership/contractual, procurement, physical, technological……
  • 20. Mention the risks you know in…
    • Public sector service delivery
    • Banking industry
    • Starting a job or career
    • Transport and travel
    • Financial management
    • Attending this workshop
    • Risks related to your organization
  • 21. Risks: risk category and possible risk areas
    • Strategy: planning; business portfolio management activity; new business/growth opportunities; strategy development; business performance management; target setting/vision/goals; investor relations; joint venture management; rationalisation; communication of strategic direction set by the Board
    • Human Resources: workplace industrial relations; employment practices; remuneration and entitlements; succession planning; recruitment and retention; workers compensation; skills availability/training and development; leadership; diversity; employee safety and health; performance incentivisation; communication; contractors / 3rd parties
    • Information Technology: data management; data security; systems development / new systems; systems maintenance; availability; data integrity; service delivery; ‘e’ commerce; outsourcing management; interface with 3rd parties; sharing of classified information
    • Marketing: competitive positioning; market research; image; trademarks; strategic alliance networks; pricing / costing; patents; reputation; customer service; new products; project management; research and development; product portfolio; product liability; obsolescence; ‘e’ commerce
  • 22. Risks: risk category and possible risk areas, continued (CRCA © 2007 Deloitte Touche Tohmatsu)
    • Supply Chain / Distribution: logistics; purchasing/procurement; inventory management; contract management; import clearance; continuity management
    • Environment: regulatory compliance; contamination; loss of containment; complaints management; handling; image/reputation; community / government relations
    • Legal: regulatory compliance; commercial relationships; acquisitions/divestments; intellectual property; competition law; contractual obligations
    • Finance: funding / treasury; investments; taxation; debt management; supplier payments; capital expenditure; financial controls and reporting; fraud; insurance
    • Physical Assets: security; natural disaster; fire; explosion; impact; capital expenditure
    • Operations: manufacturing upscaling; technical engineering; capacity planning; costs of upscaling to production; reliability; management & partners; safe operations
    • Government: sovereignty; politics; war; legislative change; corruption; terrorism; tax law change; change to party in power
    • Economics: interest rates; commodity; currency
  • 23. Case study I, Meaning of Risks: video, practical session I, case analysis I
  • 24. End of Session I
  • 27. Basis of Risk Management
    • Risk management is a part of the wider corporate governance and internal control system of an organization.
    • Corporate governance is the system by which organizations are directed and controlled; it ensures that objectives and plans are established and that operations adhere to transparency, probity and accountability.
  • 28. Risk Management Pillars of Corporate Governance
    • Accountability: ensure that management is accountable to the Board; ensure that the Board is accountable to the shareholders.
    • Fairness: protect shareholders' rights; treat all shareholders, including minorities, equitably; provide effective redress for violations.
    • Transparency: ensure timely, accurate disclosure on all material matters, including financial situation, performance, ownership and corporate governance.
    • Independence: procedures and structures are in place to minimize, or avoid completely, conflicts of interest; independent directors and advisers, i.e. free from the influence of others.
  • 29. Principles of Risk Management. Risk management should:
    • Create value (gain should exceed pain)
    • Be an integral part of organisational processes
    • Be part of the decision-making process
    • Explicitly address uncertainty and assumptions
    • Be systematic and structured
    • Be based on the best available information
    • Be customizable to entity needs
    • Take human factors into account
    • Be transparent and inclusive
    • Be dynamic, iterative and responsive to change
    • Be capable of continual improvement and enhancement
    • Be continually and periodically re-assessed
    • Be tailorable
  • 30. Risk management
    • It is not avoiding risk.
    • It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.
    • There is no risk-free environment!
  • 31. Risk management defined: “Risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework, September 2004, New York, NY)
  • 32. Risk Management Defined
    • RM is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)
    • Risk management is the identification, assessment and prioritization of risk (ISO 31000) and the subsequent application of resources to minimize, monitor and control the probability and/or impact of downside events, or to maximize the realization of opportunities.
    • It deals with the management of uncertainty, risks and opportunity towards the achievement of company goals and objectives.
  • 33. Objectives of Risk Management
    • Support strategic and business planning
    • Enhance communication between directors and departments
    • Support effective use of resources
    • Promote continual improvement
    • Help focus internal audit programs
    • Fewer shocks and unwelcome surprises
    • Reassure stakeholders
    • Quick grasp of new opportunities
  • 34. Objectives and RM
    • Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
    • Objectives must be defined before defining the risks which may affect them.
    • Risk management must be linked to objectives / strategies / projects.
  • 35. Benefits of Risk Management
    • Aligns risk profile and strategy
    • Broadens risk awareness
    • Minimizes surprises and losses
    • Rationalizes capital requirements
    • Improves shareholder value
    • Assures regulatory compliance
  • 36. Hard and Soft side of Risk Management
    • Hard side: measures and reporting; risk oversight committees; policies and procedures; risk assessment; risk limits; audit process; systems
    • Soft side: risk awareness; people; skills; integrity; incentives; culture and values; trust and communication
  • 38. What are the real objectives of RM? Video presentation, case study 2
  • 39. STRATEGIC and OPERATIONAL RISK (diagram: situation analysis, mission and vision, objectives, targets, overview of SP, activities, inputs and costing)
  • 40. What do you see?
  • 42. Risk Management Frameworks: modeling of risk management & risk management standards
  • 43. Common Risk Management Standards
    • Risk Management Standard (IRM, ALARM and AIRMIC) of the UK
    • ISO 31000 Risk Management – Guidelines on principles and implementation of risk management
    • ISO Guide 73 – Risk Management Vocabulary
    • BS 31100 Code of best practice for Risk Management
    • AS/NZS 4360:2004 Risk Management Standard
    • COSO Enterprise Risk Management
    • Canadian Government Sector Standard
    • Basel II/III
    • Solvency II (ICAAP)
    • King Report
  • 45. Many Models To Choose Among: COSO, COCO, Cadbury Report, Deming Award, TQM, 12 Attributes, Deep Learning Framework, Baldrige Award, ISO 31000, Westinghouse Award, Northrop Award
  • 46. Who Developed Models?
    • COSO: the major accounting and audit professional organizations issued COSO in 1992.
    • 12 Criteria: the Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
    • COCO: in November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
  • 47. Who Developed Models? (continued)
    • ISO 31000 was developed by the International Organization for Standardization (ISO).
    • Deep Learning Framework: in 1990, Peter Senge published the now classic The Fifth Discipline and then in 1995 published The Fifth Discipline Fieldbook.
  • 48. Different Frameworks: Same Goals
    • Frameworks provide a way of understanding our organizations. By having different groupings, each highlights some aspects of control more than others.
    • The criteria in the frameworks provide a basis for understanding control in an organization and for making judgments about the effectiveness of control.
  • 49. Different Frameworks: Same Goals
    • Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
    • Frameworks provide a standard review process.
    • Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business. It helps give a picture of how well all of the controls in all of the dimensions are working.
  • 50. Risk Management Principles, Frameworks and Processes
  • 51. Risk Management Principles, Frameworks and Processes
  • 52. Risk Management Principles, Frameworks and Processes
  • 53. Risk Management Principles, Frameworks and Processes
  • 54. Risk Management Principles, Frameworks and Processes
  • 55. Risk Management Process
    • Establish context: strategic, internal and external context
    • Identify risks: what can go wrong? Missed opportunities?
    • Analyse risks (analysis/measurement): assess risk likelihood and consequence; review
    • Evaluate risks: compare risks, set risk priorities
    • Treat risks (treatment options): reduce, avoid, transfer or retain
    • Identification, analysis and evaluation together make up the risk assessment; communication and consultation, and monitoring and review, run alongside every step.
  • 56. Risk Management Process: COSO Framework
    • COSO stands for Committee of Sponsoring Organizations of the Treadway Commission.
    • It is a US private sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance, business ethics, internal control, ERM, fraud and financial reporting.
    • COSO has established a common internal control model against which companies and organizations may assess their control systems.
  • 57. COSO AND ISO 31000
    • COSO defines ERM as a process: effected by an entity’s board of directors, management and other personnel; applied in strategy setting and across the enterprise; designed to identify potential events that may affect the entity; managing risks within its risk appetite; providing reasonable assurance regarding the achievement of entity objectives.
    • IRM (New COSO) defines risk management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefits within each activity and across the portfolio of all activities.
    • Generally it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
  • 58. COSO AND ISO 31000
    • ISO 31000 defines risk management as an integral part of all organization processes.
    • It is not a stand-alone activity that is separate from the main activities and processes of the organization.
    • It is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
    • In practical insight the whole of the business is just like risk management; why?
    • Buffett defines risk management as
  • 59. Case Study II – Risk Management: case study of risk in the hospitality industry. Analysis of the Warren case:
    • What is risk management?
    • What are the consequences of dedicating risk management activities to a unit in an organisation?
    • Who is supposed to manage risk in an organization?
    • What is the status of risk management today?
    • Summary of risk management models
  • 60. End of Session III
  • 61. COSO ERM Framework, understanding the cube: objectives; internal environment; event identification; risk assessment; risk response; control activities; risk monitoring
  • 62. COSO Framework (Control Framework): a car internal control exemplification
  • 63. Effective Risk Management
    • Organizations should come out with a risk management strategy in order to ensure that they achieve their goals and objectives.
    • When management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this, hence the need for effective risk management.
  • 64. Effective Risk Management
    • The risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that will be used to underpin this approach.
    • The diagram below summarizes the risk management process within the organisation.
  • 66. End of Session IV
  • 68. ELEMENTS OF RISK MANAGEMENT: identifying risks; assessing risks; addressing risks; reviewing and reporting risks.
  • 69. The entity should ensure that it has…
    • a robust approach to risk management, aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of our stakeholders;
    • accountability: processes and data will be open to review by our auditors and will respond to the improvements they suggest. We will encourage appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
  • 70. Identifying risk
    • A ‘risk’ is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings of its own systems and procedures.
    • Identification can be done through staff workshops or work groups.
    • Consideration should be given to categories of risk.
    • The issues should be prepared and presented in the form of risk scenarios.
  • 71. Identifying risk: risk category and possible risks
    • Compliance risk: the risk of failing to comply with statutory requirements
    • External risk: risks from changing public or government attitudes
    • Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources
    • Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures
    • Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations
  • 72. IDENTIFYING RISK: risk type and possible risks
    • Reputation risk: risks from damage to the organisation’s credibility and reputation
    • Risks facing the banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision, for example fraud
    • Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities
    • Technology risk: risk arising from outdated technology, inadequate data processing and software malfunctioning
    • Human resource risk: it is impossible to recruit staff with the required skills, or key staff are ill and unavailable at critical times, or required training for staff is not available
  • 73. Identifying Risk, What To Do?
    • Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1).
    • There will be a central register of the most important risks, built up from information provided by each department.
  • 74. IDENTIFYING RISK, WHAT TO DO?
    • The identification of risks is a continuous process and all staff have a part to play; it is not the sole domain of managers.
    • Systematically identifying risks will enable risks to be assessed and dealt with. It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
  • 75. ASSESSING RISK
    • To assess risks adequately the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.
    • Whoever identifies the risk should be responsible for assessing it.
  • 76. ASSESSING RISK
    • This initial assessment will then be refined with the help of colleagues and managers, and a ‘risk owner’ will be identified who will be responsible for reviewing and accepting the assessment that will be entered onto the risk register.
    • The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories will allow similar risks to be grouped and will help to identify cross-cutting risks.
  • 77. RISK RATING
    • A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important.
    • Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below.
    • Any risks which are both very likely to occur and will have a high impact are the ones that demand immediate attention.
  • 78. RISK RATING, Figure 1: risk assessment (score = likelihood x impact)
    Likelihood \ Impact   Low (1)   Medium (2)   High (3)   Very High (4)
    Very High (4)            4          8           12          16*
    High (3)                 3          6            9          12
    Medium (2)               2          4            6           8
    Low (1)                  1          2            3           4
  • 79. RISK RATING – LIKELIHOOD. The probability of the threat being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
    • L: Rare (the risk may occur in exceptional circumstances);
    • M: Possible (the risk may occur in the next three years);
    • H: Likely (the risk is likely to occur more than once in the next three years); and
    • VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
  • 80. RISK RATING – IMPACT. The effect of the risk being realised will be expressed in terms of Very High (VH), High (H), Medium (M) or Low (L) using the definitions below:
    • L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.
    • M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
  • 82. RISK RATING – IMPACT (continued)
    • H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.
    • VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.
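As an added illustration (not part of the EMAC deck), the following Python risk register applies the scoring scheme of slides 77-82: each axis is rated L/M/H/VH (1 to 4), the rating is likelihood times impact, and the register is ranked and placed on the Figure 1 grid. The sample entries and the "immediate attention" threshold (both axes at least High) are constructed assumptions.

```python
"""Risk register scoring with the deck's 4x4 likelihood x impact matrix.

Added example, not the deck's own material. Rating scales are those of the
slides (L/M/H/VH = 1..4 on both axes, score = likelihood x impact, 16* in the
top cell). The register entries are constructed sample data and the
"immediate attention" rule is an assumption taken from the wording "both very
likely to occur and will have a high impact".
"""
from dataclasses import dataclass

# Rating scale shared by both axes (Figure 1 of the deck)
RATING = {"L": 1, "M": 2, "H": 3, "VH": 4}
ORDER = ["L", "M", "H", "VH"]

# Likelihood definitions as given on slide 79
LIKELIHOOD = {
    "L": "Rare: may occur in exceptional circumstances",
    "M": "Possible: may occur in the next three years",
    "H": "Likely: likely to occur more than once in the next three years",
    "VH": "Almost certain: likely this year or at frequent intervals",
}


@dataclass(frozen=True)
class Risk:
    ref: str
    category: str
    description: str
    likelihood: str
    impact: str
    owner: str  # the 'risk owner' who reviews and accepts the assessment

    def __post_init__(self):
        # Reject ratings outside the deck's four-point scale
        for axis, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in RATING:
                raise ValueError(f"{axis} must be one of {ORDER}, got {value!r}")

    @property
    def score(self) -> int:
        """Risk rating = likelihood score x impact score (1..16)."""
        return RATING[self.likelihood] * RATING[self.impact]

    @property
    def immediate_attention(self) -> bool:
        """Assumption: 'very likely and high impact' means both axes >= High."""
        return RATING[self.likelihood] >= 3 and RATING[self.impact] >= 3


def rank(register):
    """Highest score first; ties broken by impact, then likelihood (assumption)."""
    return sorted(
        register,
        key=lambda r: (r.score, RATING[r.impact], RATING[r.likelihood]),
        reverse=True,
    )


def by_category(register):
    """Group risks by category so cross-cutting risks can be spotted (slide 76)."""
    groups = {}
    for r in register:
        groups.setdefault(r.category, []).append(r)
    return groups


def matrix(register):
    """Number of risks in each cell, indexed [likelihood][impact]."""
    cells = {lk: {im: 0 for im in ORDER} for lk in ORDER}
    for r in register:
        cells[r.likelihood][r.impact] += 1
    return cells


def render(register) -> str:
    """Text rendering of Figure 1 with each risk's ref placed in its cell."""
    refs = {lk: {im: [] for im in ORDER} for lk in ORDER}
    for r in register:
        refs[r.likelihood][r.impact].append(r.ref)
    lines = ["Likelihood\\Impact " + " ".join(f"{im:>12}" for im in ORDER)]
    for lk in reversed(ORDER):  # Very High on top, as on the slide
        cells = []
        for im in ORDER:
            score = RATING[lk] * RATING[im]
            tag = f"{score}{'*' if score == 16 else ''}"
            cells.append(f"{tag + ' ' + ','.join(refs[lk][im]):>12}")
        lines.append(f"{lk:<18} " + " ".join(cells))
    return "\n".join(lines)


# Constructed sample register; categories are those named on slides 71-72
SAMPLE_REGISTER = [
    Risk("R1", "Technology risk", "Outdated core system and software malfunction", "H", "VH", "IT Manager"),
    Risk("R2", "Financial risk", "Fraud in supplier payments", "M", "H", "Finance Director"),
    Risk("R3", "Human resource risk", "Key staff unavailable at critical times", "H", "M", "HR Manager"),
    Risk("R4", "Compliance risk", "Statutory filing deadline missed", "L", "H", "Company Secretary"),
    Risk("R5", "Operational risk", "Examination papers delayed to regional centres", "VH", "VH", "Operations Director"),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
    for r in rank(SAMPLE_REGISTER):
        flag = " <- immediate attention" if r.immediate_attention else ""
        print(f"{r.ref} {r.score:>2} {r.category}: {r.description} (owner: {r.owner}){flag}")
```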
  • 83. Requires Active Management where Consequence is rated 5 else Periodic Monitoring. Risks where treatment options require preparation, active review and management. Control is adequate, continued monitoring of controls to confirm this. Control is not strong but risk impact is not high. Options include improving control or monitoring risk impact to ensure the residual risk rating does not increase over time. Risks where systems and processes managing the risks are adequate and subject to minimal monitoring. Mitigating Practices / Control Rating InherentRiskRating Active Management Periodic Monitoring Control Critical No Major Concern 0 1 2 3 4 5 6 7 8 9 10 10 9 8 7 6 5 4 3 2 1 0 Adequate Inadequate Very High High Low Moderate 83www.elsamconsult.com
  • 84. Residual risk ratings This is an alternative risk heat map preferred by some as it shows that there is no absolute risk boundaries, but rather a gradual change in risk Unsatisfactory Mitigating Practices / Control Rating InherentRiskRating Periodic Review Active Management Continuous Review No Major Concern High Excellent Low 84www.elsamconsult.com
  • 85. E M A C Risk Appetite Risk appetite is the amount of risk —on a broad level —an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation). The primary objective of Managing operational risk is risk reduction/ proactive prevention Risk cut across all financial institution operation and function 85www.elsamconsult.com
  • 88. Risk Assessment Process. To make an initial assessment of risk, a ‘bottom-up and top-down’ approach will be adopted. This will mean identifying and assessing risks both at an operational level, using the departmental Performance Teams and directorates’ team meetings, and by the Management Team identifying the major risks affecting the organisation.
  • 89. Risk Assessment Process. The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
  • 90. Risk Assessment Process. These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator. The group will identify the more significant risks that will need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised. For every risk identified as important enough to be placed on the corporate risk register, a ‘risk owner’ will be identified (who will be responsible for overseeing the management of the risk, and for making sure appropriate resources are available to do this) and a ‘risk coordinator’ (who will be responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
  • 91. Risk Assessment Process. The Management Team will also identify the major corporate risks to the organisation, with the Director responsible identifying in particular the major financial risks. For such major corporate risks, directors are likely to be both the risk owner and the risk coordinator. The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity’s business plan priorities. They will identify the most critical risks, and report these to the Board of Directors through the audit committee.
  • 92. Risk Assessment Process. This process will identify a set of significant risks that need to be addressed and placed on the corporate risk register, which will then be maintained by the organisation’s risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the department risk co-ordinator.
  • 93. Addressing Risks. Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
  • 94. Addressing Risk: Assessing current risk controls. The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example examination leakage risk, action may already have been taken to treat or eliminate the risk under all circumstances in which it could arise. Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any ‘residual risk’ remains, or whether the risk might ‘slip through’ these existing mechanisms under some circumstances. In some cases, risks may be deemed to be ‘over-controlled’ – action in this case may be to ease such controls and allow the risk to be taken.
  • 95. Addressing Risk. In this way, risks can be addressed through ‘gap analysis’, focussing only on those risks that are not adequately treated, or are not treated at all. The next stage is to look at how such risks may be dealt with.
  • 96. How to deal with risk. Transfer the risk: through conventional insurance, or by asking a third party to take on the risk in another way. Contracting out services, for example, transfers some, but not all, risks (but can introduce a new set of risks to be managed);
  • 97. How to deal with risk. Tolerate the risk: the ability to take effective action against some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained. In this instance, the only management action required is to ‘watch’ the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat this risk in the future;
  • 98. How to deal with risk. Treat the risk: by far the greater number of risks will be in this category. The purpose of ‘treatment’ is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk to an acceptable level; and,
  • 99. How to deal with risk. Terminate the risk: this is a variation of the ‘treat’ approach, and involves quick and decisive action to eliminate a risk altogether. For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems, in themselves, may introduce new risks).
  • 100. Risk Treatment (flowchart). START HERE: Is the risk acceptable? Yes: Accept, Retain, then Monitor and Review. No: Treatment Strategy, (1) Recommend, (2) Choose, (3) Implement, selecting from Reduce Likelihood, Reduce Consequence, Transfer, Avoid. Then: Is the residual risk acceptable? Yes: Part Retained, then Monitor and Review. No: unacceptable residual risk, return to the treatment strategy.
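  As an added illustration (not part of the workshop slides), the following Python places a risk in the four zones of the slide-83 heat map and then walks the slide-100 treatment loop. The 0-10 scales, the midpoint threshold of 5, the numeric effect of each strategy and the "accept only No Major Concern" appetite rule are assumptions for the example; the slides do not state them.

```python
from dataclasses import dataclass, field

# Assumed 0-10 scales with a midpoint of 5, as drawn on the slide-83 map;
# the exact boundary values are not stated on the slides.
THRESHOLD = 5

def zone(inherent: int, control: int) -> str:
    """Place a risk in one of the four zones of the inherent-vs-control heat map.
    control: 0 = adequate mitigating practices, 10 = inadequate."""
    high_risk, weak_control = inherent > THRESHOLD, control > THRESHOLD
    if high_risk and weak_control:
        return "Active Management"
    if high_risk:
        return "Periodic Monitoring"
    if weak_control:
        return "Control Critical"
    return "No Major Concern"

# Assumed effect of each slide-100 strategy on (inherent, control): reducing
# likelihood/consequence lowers inherent risk, transfer strengthens control.
STRATEGY_EFFECT = {
    "Reduce Likelihood": (-3, 0), "Reduce Consequence": (-2, 0),
    "Transfer": (0, -4), "Avoid": (-5, -5),
}

@dataclass
class Risk:
    name: str
    inherent: int                 # 0-10 inherent risk rating
    control: int                  # 0-10 control rating (higher = weaker control)
    log: list = field(default_factory=list)

def is_acceptable(r: Risk) -> bool:
    # Assumed risk-appetite rule: only "No Major Concern" is accepted as-is.
    return zone(r.inherent, r.control) == "No Major Concern"

def treat(r: Risk, recommended: list) -> str:
    """Walk the slide-100 flow: accept and retain, else (1) recommend, (2) choose and
    (3) implement strategies until the residual risk is acceptable, else escalate."""
    if is_acceptable(r):
        r.log.append("Accept -> Retain -> Monitor and Review")
        return "Retained"
    for strategy in recommended:          # applied in the recommended order
        d_inh, d_ctl = STRATEGY_EFFECT[strategy]
        r.inherent, r.control = max(0, r.inherent + d_inh), max(0, r.control + d_ctl)
        r.log.append(f"{strategy}: residual zone {zone(r.inherent, r.control)}")
        if is_acceptable(r):
            r.log.append("Part Retained -> Monitor and Review")
            return "Part Retained"
    r.log.append("Unacceptable residual risk: back to treatment strategy")
    return "Unacceptable residual risk"
```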
  • 101. RISK IDENTIFICATION AND ANALYSIS TEMPLATE (see attachment)
  • 108. Risk IT extends Val IT and COBIT (figure)
  • 111. Role of the internal auditor in RM:
    - Giving assurance on risk management processes.
    - Giving assurance that risks are correctly evaluated.
    - Evaluating risk management processes.
    - Evaluating the reporting of key risks.
    - Reviewing the management of key risks.
  • 112. Role of the internal auditor (with safeguards):
    - Facilitating identification and evaluation of risks.
    - Coaching management in responding to risks.
    - Coordinating ERM activities.
    - Consolidating the reporting on risks.
    - Maintaining and developing the ERM framework.
    - Championing establishment of ERM.
    - Developing risk management strategy for board approval.
  • 113. What the IA should not do:
    - Setting the risk appetite.
    - Imposing risk management processes.
    - Management assurance on risks.
    - Taking decisions on risk responses.
    - Implementing risk responses on management's behalf.
    - Accountability for risk management.
  • 115. Role of the Audit committee in RM:
    - Critical role in ERM by establishing the right environment or tone-at-the-top.
    - Vital role in overseeing management’s approach to ERM.
    - Without their oversight, ERM may not be embraced by senior management.
    - Discuss policies with respect to risk assessment and risk management.
    - Better risk intelligence means both audit committees and the full board are better informed.
  • 116. Conclusion. Risk management is a process; therefore put in place a strategy for introducing risk management:
    - Develop a risk management strategy.
    - Develop a risk management framework tailored to your activities (avoid copying and pasting).
    - Develop risk management policy and guidelines.
    - Develop a risk management capacity building program.
  • 117. End of Session V and Final Case Study
  • 118. Risk management in public institutions:
    - It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions.
    - Risks are inherent in public institutions as well as in the private sector.
    - It applies to the whole of the public sector.
    - It is new in public organizations, but the concept of risk is not new.
    - Government internal auditors have a special mandate to champion its establishment and monitoring.
  • 119. RISK MANAGEMENT IN PUBLIC SECTOR:
    - The public sector is currently undergoing radical changes through reforms.
    - There are new risks related to human rights, unemployment and corporate governance.
    - Risk management should be a vital part of the functions and activities provided by public institutions.
    - Without risk management it will not be possible to achieve good corporate governance and the aims and intentions of much legislation and many rules.
  • 120. RISK MANAGEMENT IN PUBLIC SECTOR:
    - Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems.
    - These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation.
    - What to do then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish a risk management process that is clearly defined and documented, and continuously apply risk management practices in decision making.
  • 121. Can you assess your Risk Maturity?
  • 123. Risk Management PART II: CONTROL SELF ASSESSMENT. By Sako Mayrick, ELSAM MANAGEMENT CONSULTANTS
  • 124. Operational Risk Management Framework and Control Self Assessment
  • 125. Pillars of Operational Risk Management (figure: Losses, CSA, Issues and Indicators feeding Qualitative/Quantitative Analyses, reported to EXECUTIVE MANAGEMENT, on top of a Common Operational Risk Classification Scheme)
  • 127. Control Self Assessment - Outline:
    - Control Self Assessment Definition
    - Control Self Assessment Objectives
    - Enterprise-wide Control Self Assessment Framework
      - Balanced Scorecard
      - CSA Methodology
      - Results
    - Corporate Governance
    - CSA Rollout - Project Time Line
  • 128. Control Self Assessment - Definition. Control Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The “self” assessment refers to the involvement of management and staff in the assessment process.
  • 129. Control Self Assessment - Objectives:
    - Communication
      - To ensure better communication of the DG's objectives and strategies to all business lines
      - To ensure business line managers communicate their risks and controls more effectively
    - Education
      - To ensure business line managers have a better comprehension of effective risk control
      - To ensure business line managers have a better comprehension of risk management
    - Proactive Management
      - To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
      - To ensure business line managers assume greater responsibility and accountability for their risks and controls
      - To ensure business line managers monitor their risk effectively and in a timely manner
      - To ensure business line managers utilize and allocate their resources effectively
  • 130. Enterprise-wide CSA Framework - Goal: to foster a proactive management framework which is pervasive throughout the organisation.
  • 132. Step 1: Objective Setting - Balanced Scorecard. * A tool that translates a firm's mission and strategy into a comprehensive set of performance measures that provides the framework for a strategic measurement and management system. Objectives:
    - Ensures linkage between the objectives of senior management and the businesses
    - Increased focus on the appropriateness of the objectives
    - Reinforced as the central “top down” articulation of goals
    - Provides a framework within which the oversight functions, risk management and the business lines operate
  • 133. Step 2: CSA Methodology - ORCA Framework: Objectives, Risk Assessment of Key Processes, Controls, Action Plans. The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
  • 134. Step 2: CSA Methodology - ORCA Framework. To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
  • 135. Step 2: CSA Methodology - ORCA Framework (figure)
  • 136. Step 2: CSA Methodology - Key Indicators. Metrics to measure the effectiveness of controls in mitigating or managing risks:
    - To measure operational problems
    - To monitor the quality of the services provided
    - To provide early warning for problems
    - To aid in the containment of losses
    - To determine trends
    - To set limits for risk or escalation criteria
    - To facilitate everyday decisions.
  • 137. General Approaches for CSA:
    - Facilitated meetings – group workshops
    - Questionnaires – yes/no answers
    - Management analysis – self studies
  • 138. Corporate Governance. The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm's risk environment on an ongoing basis.
  • 141. Advantages of CSA. The presented enterprise-wide control self-assessment framework:
    - Provides flexibility and dynamism to evolve with the changing firm
    - Allows a firm to manage risks from both the “top-down” and “bottom-up” perspectives
    - Is an integral component of a strong corporate governance structure
  • 142. Way Forward:
    - CRSA is an important management tool.
    - We have matured in risk management, and therefore it is time to move a step further through CRSA.
    - We have new issues in place; a need for control review is imperative.
    - There is a critical need for organisations to prepare CRSA for efficiency and effectiveness of operations.

Editor's note

  1. Risk and Insurance Management Society