House Keeping
Health & Safety
Security
Classroom agreement
Breaks
Trainer Introduction
Turn Off Mobile Phones
STRATEGIC PARTNERSHIP FOR INNOVATING THE TRAINING
OF TRAINERS OF THE EUROPEAN AGRI-FOOD COOPERATIVES
Strategic Risk
Management
Unit 9
Programme Overview
1. Programme Introductions
2. Definitions, Principles & Concepts of Risk Management
3. Considering Risk Factors & The Need for RM
4. The Value of Strategic Risk Management
5. Risk Appetite
6. Risk Tolerance
7. Governance & the Role of Directors in ERM
8. Risk Management Frameworks
9. Risk Management from an ISO Perspective
10. Implementing Risk Management
11. Risk Culture
12. Other Business Risk
a) Operational Risk
b) Reputational Risk
c) Fraud & Improper Conduct
d) Environmental Risk
e) Compliance Risk
f) Market Risk
g) Competition Risk
h) Technology Risk
i) Health & Safety Risk
j) Business Continuity Planning
k) Management Succession Planning
Risk Management
Aims:
The aim of this module is to enable learners to
Understand the Principles of Risk Management as well as the
importance of implementing effective risk management
procedures in business entities.
Learners will also learn how to mitigate risks using a variety of
methods.
Objectives: by the end of this module, learners will be able to:
Be familiar with the principles and elements of risk management
Understand the meaning of a Risk Framework
Identify and Assess the Risks
Conduct a Risk Analysis
RISK – the possibility that an action, event or set of
circumstances will adversely or beneficially affect
the organisation's ability to achieve its business
objectives.
RISK is about the Future and comes from
Uncertainty.
Basic principles, concepts,
definitions
Risk Management involves:
The planned and systematic approach to
identification, evaluation and control of risk.
To manage the probability of specific risks
occurring and the potential impact if they did
occur, taking action to keep exposure to an
acceptable level in a cost-effective way.
A risk is anything that may affect & have an impact
on the Achievement of Organisational Objectives.
Risk Involves Three key factors:
1. Uncertainty
2. Likelihood
3. Impact
(Likelihood and Impact together: Effect)
1. A risk is ANYTHING that may affect the
achievement of an organisation’s objectives.
2. It is the UNCERTAINTY that surrounds future
events and outcomes.
3. It is the expression of the likelihood and impact
of an event with the potential to influence the
achievement of an organisation’s objectives.
Uncertainty = Probability
(the probability of something happening)
The chance great or small that an event could
occur.
Generally between 1% and 99%
if 0% chance – there is no risk
if 100% chance – this is a major issue
Uncertainty
Likelihood – the likelihood of the event occurring
Impact – The consequences as a result of the event
occurring
Consequences can range from negative to positive:
1. Risks with negative consequences are called –
THREATS
2. Risks with Positive Consequences are called -
OPPORTUNITIES
Effect – Likelihood & Impact
Threats and opportunities
Threat – a risk that may HINDER the achievement of objectives
Opportunities - a risk that may HELP in the achievement of objectives
Interest rates
Foreign exchange rates
Supply of service/product/resources
Demand/uptake for service/product/resources
The economy
The weather
The stock market
Introduce yourselves
to others at your table
Pick a risk – discuss it
as both a threat and
an opportunity
Report to the large
group. Pick a
spokesperson.
Group Exercise 1 – 10 minutes
Risk management is:
“A process which aims to help organisations understand,
evaluate and take action on all their risks with a view to
increasing the probability of success and reducing the
likelihood of failure.”
Institute of Risk Management
“A process, effected by an entity’s board of directors,
management and other personnel, applied in strategy
and across the enterprise, designed to identify potential
events that may affect the entity and manage risks to be
within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives”
COSO Enterprise Risk Management – Integrated Framework 2004.
Understanding the concept of RM
Why the Need for Risk Management
“Without good risk management practices,
(organisations) cannot manage its resources
effectively. Risk management means more
than preparing for the worst; it also means
taking advantage of opportunities to
improve services or lower costs”
Sheila Fraser, Auditor General of Canada
Risk Management is now an integral part of
business planning in private & public-sector
organisations throughout the world.
Increase risk awareness – What could affect the
achievement of objectives? What could change?
What could go wrong? What could go right?
Increase understanding of risk – sensitivities.
What makes my risks
increase/decrease/disappear?
Promote a “healthy” risk culture – It’s safe to talk
about risk. Open and transparent.
Develop a common and consistent approach to
risk across the organisation. Not intuition-based.
Allows intelligent “informed” risk-taking.
Focuses efforts – helps prioritise.
Is proactive…. not reactive – Prepare for risks before they
happen. Identify risks and develop appropriate risk mitigating
strategies.
Improve outcomes – achievement of objectives (corporate,
clinical, etc)
Really comes down to simple good management
Enables accountability, transparency and responsibility
and may even mean survival
Enterprise vs Integrated
Risk Management
Similarities:
Formal process
Consistent and systematic
Includes projects, programs,
operations
Is embedded in key processes such
as strategic planning, budgeting,
project planning, evaluation, etc.
Must be driven and supported by
Leadership
Adds value to decision-making
Differences:
Enterprise-wide:
Is organisational-centric
Success is defined as
implementation over the
entire organisation
Integrated:
Takes a systems-focus
May actually create risks for
individual organizations
An Enterprise Approach to RM
[Diagram: A Siloed Approach compared with An Enterprise Approach. Both show Financial Risk, Technology Risk, Environmental Risk, Market Risk, Strategic Risk and Operational Risk; the enterprise approach also shows Enterprise Risk Management.]
The Value of Strategic RM
No Big
Surprises
No Missed
Opportunities
No Big
Mistakes
Early Warning Systems
Systematically Identify, assess and prioritise risks
Avoid unrewarded risks
Promote organisational learning amongst management
Reduce chance of repeated problems
Operational Resilience
Provide assurance that key risks are understood and
mitigated
Prevent & rapidly respond to potential catastrophic failures
Secure and protect staff, processes and technology
Align organisational goals with stakeholder requirements
Enhance organisational Value
Seek growth, ensuring threats are understood and
vulnerabilities are mitigated
Accelerate ability to respond to change and opportunities
Identify opportunities to improve performance and reduce
costs
Risk appetite can be defined as 'the amount
and type of risk that an organisation is willing
to take in order to meet their strategic
objectives'.
Risk appetite and tolerance need to be high
on any board's agenda and are a core
consideration of an enterprise risk
management approach.
Risk Appetite
Risk Appetite influences how risks are assessed
and managed.
Acceptance
Tolerated
Shared
Reduced (Mitigated)
Transferred
Avoided
Are risk treatments implemented or postponed?
The following factors influence Risk Appetite:
1. External Environment
2. People
3. Business Systems & Policies
Risk Appetites are very specific to individual
organisations
There is no “one size fits all” solution
A well defined Risk Appetite should have the
following characteristics:
Risk Appetite Characteristics
1. Reflective of Strategy, including objectives,
Business Plans and Stakeholder Expectations
2. Reflective of ALL aspects of the organisation
3. Acknowledge a willingness and capacity to take
risks
4. Is documented as a formal Risk Appetite
Statement
1. Considers the Skills, Resources and Technology
to monitor and manage the risk exposure in the
context of the risk appetite
2. Is inclusive of a Tolerance for Loss or negative
events that can be reasonably quantified
3. Is periodically reviewed and reconsidered with
reference to evolving industry and market
conditions
4. Has been approved
by the Board
At Board level, risk appetite is a driver of
strategic risk decisions.
At executive level, risk appetite translates
into a set of procedures to ensure that risk
receives adequate attention when making
tactical decisions.
At operational level, risk appetite dictates
operational constraints for routine activities.
ERM Governance is
about 3 things:
1. Understanding Limits
of Acceptable Risk
2. Providing confidence
and guidance to
management
3. Anticipating events to
position success.
ERM Governance
Risk Management
Officer
Implements &
maintains RM system
Board
Resource and
oversee RM system &
policy
Risk Committee
Optional body which
the RM Officer reports
to
CEO / Manager
Implements internal
controls
Internal Audit
Independent check of
controls
Risk Governance Structures
Key Officers
Individual Roles & Reporting
Officer: Risk Management Officer
Does:
• Risk audit
• Maintains RM Policy
• Consults w/ management team on risk response
• Training
Reports:
• Reports findings to board and manager
Officer: Manager
Does:
• Maintains system of internal control
Reports:
• Reports progress to board
Officer: Board
Does:
• Oversees RM system & policy
• Performance manages manager (& RM officer?)
Reports:
• Decisions on RM policy and performance via Board Report
Officer: Internal Audit
Does:
• Independently audits the effectiveness of internal controls
Reports:
• Reports issues to the board
Governance is the process by which directors oversee the
decisions and actions of executive management in a
constructive manner, consistent with applicable laws and
regulations, as management formulates and executes
strategies to accomplish enterprise objectives.
Effective governance provides assurance to investors and
other key stakeholders that the enterprise conducts its
affairs with integrity and reports its performance in a fair
and transparent manner
ERM & Governance are inextricably linked.
RM and the role of Directors
Good governance facilitates implementation of ERM
because ERM is built on transparency.
An effective ERM infrastructure will provide greater
confidence to the board and to executive management
that risks and opportunities are being systematically
identified, rigorously analysed and effectively managed
across the organisation as a whole.
Specific functions include:
Understand the risks the organisation faces in the
context of business objectives.
Provide oversight over ERM
Policy development.
Ensure appropriate strategies and capabilities are in
place to manage key risks
Ensure that growth & innovation are encouraged and
rewarded
Specific functions include:
Ensure that performance measures and targets do not
encourage excessively risky behaviour
Ensure that effective internal controls and checks are in place
Ensure that management has in place the appropriate
capabilities to execute approved risk responses.
Ensure that the risk appetite is inherent in the
organisation's opportunity-seeking behaviour in
developing new products and markets, and that the
appetite is clearly understood and managed
four categories of objectives across the top –
strategic, operations, reporting and
compliance
eight components of enterprise risk
management
the entity, its divisions and business units are
depicted as the third dimension of the matrix
COSO RM Framework
1. Internal Environment
This component reflects an entity’s enterprise
risk management philosophy, risk appetite,
board oversight, commitment to ethical values,
competence and development of people, and
assignment of authority and responsibility.
It encompasses the “tone at the top” of the
enterprise and influences the organization’s
governance process and the risk and control
consciousness of its people.
The eight components of ERM
2. Objective-Setting
Management sets strategic objectives, which
provide a context for operational, reporting
and compliance objectives.
Objectives are aligned with the entity’s risk
appetite, which drives risk tolerance levels
for the entity, and are a precondition to
event identification, risk assessment and risk
response.
3. Event Identification
Management identifies potential events that
may positively or negatively affect an entity’s
ability to implement its strategy and achieve its
objectives and performance goals.
Potentially negative events represent risks that
provide a context for assessing risk and
alternative risk responses. Potentially positive
events represent opportunities, which
management channels back into the strategy
and objective-setting processes.
4. Risk Assessment
Management considers qualitative and
quantitative methods to evaluate the
likelihood and impact of potential events,
individually or by category, which might
affect the achievement of objectives over a
given time horizon.
5. Risk Response
Management considers alternative risk
response options and their effect on risk
likelihood and impact as well as the resulting
costs versus benefits, with the goal of
reducing residual risk to desired risk
tolerances.
Risk response planning drives policy
development.
6. Control Activities
Management implements policies and
procedures throughout the organization, at
all levels and in all functions, to help ensure
that risk responses are properly executed.
7. Information and Communication
The organisation identifies, captures and
communicates pertinent information from
internal and external sources in a form and
timeframe that enables personnel to carry
out their responsibilities.
Effective communication also flows down,
across and up the organization. Reporting is
vital to risk management and this component
delivers it.
8. Monitoring
Ongoing activities and/or separate evaluations
assess both the presence and functioning of
enterprise risk management components and
the quality of their performance over time. The
thought process underlying the above
framework works in the following manner:
For any given objective, such as operations,
management must evaluate the eight
components of ERM at the appropriate level,
such as the entity or business unit level.
Managing risk from ISO
31000 perspective
[Diagram: Objectives; Internal & External Factors; Risk Assessment (Identify, Analyze, Evaluate); Risk Treatment; Monitor & Review]
The most important phase of the risk
management process includes:
Risk Identification
Risk Analysis
Risk Response
Implementing Risk Management
The aim of risk identification is to get an
overview of all risks facing an organisation
Scan the environment
Capture both cause and effect
Involve stakeholders
Determine risk ownership
Scan the horizon
OPPORTUNITY
THREAT
Remember that risks are uncertainties that can represent not only a threat but also an
opportunity.
Evaluating the Risk (Risk Analysis)
Review of the existing controls and the
implementation of any necessary additional
controls.
Identify a Treatment Strategy
Categorizing Risk –
Comprehensive Political or Reputational Risk
Financial Risk
Service Delivery or Operational Risk
People / HR Risk
Information/Knowledge Risk
Strategic / Policy Risk
Stakeholder Satisfaction / Public Perception Risk
Legal / Compliance Risk
Technology Risk
Governance / Organizational Risk
Equity Risk
Privacy Risk
Security Risk
Auditable actions
must be completed within a defined
timescale
Task allocated to identified individuals.
Acting on Risks
Monitor & Review
Risk Register
should be viewed as a risk action plan that
includes details of the current controls and
details of any further actions that are
planned.
Is a compliance requirement
Risk Register
Contents
1. The Risk
2. Root Cause
3. Mitigating Controls
4. Corrective Action Plan
5. Responsible Persons
6. Target Date (timeframe)
7. Impact & Probability Assessment
People
Lack of commitment / buy-in from board,
senior management and staff
No in-house expertise or experience on
establishing / implementing risk management
Risk Management Culture not established
Implementation Challenges
Organisation
No Appropriate Risk Management Structures
in place
Not aligned with Organisational Objectives /
Strategy
Not aligned with Business Units
No clear strategy on Risk Appetite and Risk
Tolerance
Process
No funding or dedicated budget for Risk
Management
No clear understanding of policies and
procedures to establish a risk management
architecture
Failure to prioritise implementation activities
Systems
Lack of adequate technological systems to
measure risks
Inadequate system to communicate and
capture risk management information
Systems not fully integrated – traditional ways
of doing things
Change Management
Articulating and measuring the potential
benefits of ERM
Integrating ERM into Organisational Strategy
Understanding of Industry specific risks and
risk management standards / solutions
Is the system of values and behaviours present in
an organisation that shapes risk decisions of
management and employees.
Risk Culture
An effective risk culture is one:
that enables and rewards individuals and
groups for taking the right risks in an
informed manner.
Where inappropriate behaviours are
challenged and sanctioned
Where risk management skills and knowledge are
valued, encouraged and developed, with a
properly resourced risk management
function
An effective risk culture is one:
Where the Culture of a group arises from the
repeated Behaviour of its members
The Behaviour of the group and its
constituent individuals is shaped by their
underlying attitudes
Both Behaviour and Attitudes are influenced
by the prevailing Culture of the group
What can the board do about culture?
Boards of organisations should understand and
address their risk cultures.
The board has a responsibility to set,
communicate and enforce a risk culture that
consistently influences, directs and aligns with
the strategy and objectives of the business and
thereby supports the embedding of its risk
management frameworks and processes.
The board needs to ask:
what is the current risk culture in our
organisation and how do we improve risk
management within that culture?
how do we want to change that culture?
how do we move from where we are to where
we want to be?
This starts with the risk behaviours, attitudes and
culture of the board itself and reaches down
through the organisation.
Tone at the top
risk leadership - clarity of direction
how the organisation responds to bad news
Governance
the clarity of accountability for managing
risk
the transparency and timeliness of risk
information
Competency
the status, resources and empowerment
of the risk function
risk skills - the embedding of risk
management skills across the organisation
Decision making
well informed risk decisions
appropriate risk taking rewarded and
performance management linked to risk
taking.
Crucial to set tone from the top – Leadership
& Consistency
Promote Risk Management as a day-to-day
management tool – to ensure the
achievement of strategic objectives and
enhance service delivery
Senior Management should establish clear
risk roles and responsibilities
Institutionalising Risk Management
Staff should have the capacity to perform risk
management roles
(skills, training, knowledge, information and resources)
Integrated with Strategic Planning (new initiatives
& Projects)
Every person has a role to play
(Performance Management)
Operational Risk is the risk of loss resulting from
inadequate or failed internal processes, people,
and systems, or from external events.
It is better viewed as the risks related to an
organisation's core processes.
Examples of operational risk include risks arising
from catastrophic events (e.g., hurricanes),
computer hacking, internal and external fraud, the
failure to adhere to internal policies, and others.
Operational Risk
Operational risk events are classified by two factors:
frequency – how often the event occurs
impact – the amount of the losses resulting from the event
Operational Risk
There are four fundamental steps to
managing operational risk.
Each leads to improvements in
management and control quality and
greater economic profit.
Managing Operational Risk
Framework
Risk Strategy, Tolerance
Roles & Responsibilities
Policies & Procedures
Risk definition & categorisation
Processes
Loss Data collection
Risk Indicator Data collection
Control Self-Assessment
Risk Assessment & Analysis
Workflow
Automatic Notification
Follow-up action
Measurement
Estimation of Annual Losses – Cost of operational Failure
Estimation of VaR – Risk Capital
Estimation of scores representing quality of internal controls
Reporting
Integrated MIS Reporting
Awareness of exposure
Knowledge of controls quality
Cost benefit analysis
Improved risk mitigation and transfer strategy
A threat or danger to the good name or
standing of a business or entity
“a risk of loss resulting from damages to a
firm's reputation, in lost revenue; increased
operating, capital or regulatory costs; or
destruction of shareholder value, consequent
to an adverse or potentially criminal event
even if the company is not found guilty.”
reputational risk may not always be the
company's fault
Reputational Risk
Industrial accident
Revelation of unethical or criminal
practices.
Product recall.
Extended service outage.
Examples of Reputational Risk
The biggest problem
with reputational risk is
that it can literally erupt
out of nowhere
reputational risk can be
mitigated through
prompt damage control
measures
Risk Treatment
1. Reputational damage stems from a breakdown
of trust. It challenges the perceived strength of
a company and its management, and
undermines relationships with key
stakeholders.
2. Companies are exposed to reputational
damage even when they have done little
wrong. Conversely, a strong market position or
brand may mitigate impacts even when a
company is at fault.
Reputational Risk – Ten Takeaways
3. An impaired reputation can affect companies
in different ways over different time horizons.
Assessments of potential damage should
distinguish between visible effects such as
share price, earnings, and balance sheet
consequences, and the less measurable impact
of continuous brand degradation.
4. Attempts to quantify reputational risk
rigorously are fraught with difficulty. The use
of scenarios can help companies gauge the
potential magnitude of incidents and identify
mitigation opportunities.
5. Reputation risk management involves more
than just effective communication. In addition
to external relations activities, it requires the
integration of enterprise risk management
practices, a strong operating culture, and
corporate preparedness.
6. Good corporate behaviour is the best
safeguard against reputational challenges.
Establishing a culture that is ethical and
mindful of risk requires committed leadership,
as well as processes and structures that allow
less tangible values to flourish.
7. Chief Executives should set the tone from the
top in building corporate resilience to
reputation risk. They must also show visible
leadership in a crisis and commit the company
to putting things right.
8. A mishandled response to a crisis can generate
more reputational damage, and spur greater
financial consequences, than the incident
itself. This is especially true when the response
appears to undermine the company’s core
values.
9. As they recover from a reputational crisis,
companies need to find an astute balance
between ongoing sensitivity to stakeholders
and hard-edged commercial decisions, to avoid
underestimating or overestimating the scale of
the predicament.
10. Brand development work can strengthen
corporate resilience to reputation risk or
recovery from an incident only when
communication efforts are underpinned by
tangible strategic, governance, and operational
commitments.
Abusing your position of Responsibility for
inappropriate reasons:
Monetary Gain:
× Embezzlements
× Fraudulent Claims
Conflicts of Interests
Ensure proper Controls / Governance procedures
Accounting systems
Procurement
Fraud & Improper Behaviour
Environmental Risk can be broken into two
sub-categories:
Business Environment
Green Environment
Environmental Risk
Competitors
Technology
Logistics
Sensitivity
Shareholder
Expectations
Capital
Business Environment
Political
Legal
Industry
Financial Markets
Human Capital
Environmental Risk can be defined as the “actual
or potential threat of adverse effects on living
organisms and the environment by effluents,
emissions, wastes, resource depletion, etc.,
arising out of an organization's activities.”
Environmental risk management involves the
search for a 'best route' between social benefit
and environmental risk. It is a balancing or
trading-off process in which various combinations
of risks are compared and evaluated against
particular social or economic gains.
Green Environment
Compliance risk is the potential for losses and
legal penalties due to failure to comply with laws
or regulations.
Compliance risk is the threat posed to an
organisation’s financial, organisational, or
reputational standing resulting from violations of
laws, regulations, codes of conduct, or
organisational standards of practice.
Compliance
A compliance Risk
Assessment aims to
specifically identify
legal or regulatory
compliance risks
Is closely linked with
the enterprise or
internal audit risk
processes
Market risk is the risk of losses in positions arising
from movements in the market
Two main considerations:
Financial Markets
Product / Commodities
Markets
Finance
Volatility
Equities
Stock Prices
Interest Rates
These will be discussed in more detail
in the Financial Risk Module
Markets
Product / Commodities
Competition
Quality
Trade
Consumers
Business Processes
The potential for losses due to competitive
pressures.
The potential for reduced revenue or declining
margins due to the price, product, promotion or
distribution actions of a competitor.
Competition
Technology risks threaten assets and processes
vital to your business and may prevent compliance
with regulations, impact profitability, and damage
your company's reputation in the marketplace.
Information technology (IT) risk can result from
human error, malicious intent, or even
compliance regulations.
Technology Risk
Examples of Technology risks
An ecommerce website crashes
resulting in lost revenue.
A technology project goes over
budget and fails to meet goals
set out in its business case.
A security incident results in
theft of customer data resulting
in legal liability, reputational
damage and compliance issues.
Risk Treatment
Health & Safety legislation > Why important?
Where?
Safety, Health & Welfare At Work Act (2005)
Codes of Practice
What does it say?
Secure & Improve the Health, Safety & Welfare of
People at Work
What does it do?
Identifies “Undertakings”, “Persons in control” and
“Directors”
Duties
Offences
Health & Safety Authority / Regulator
Health & Safety
Safety, Health & Welfare At Work Act
Duties for Undertakings
Management of Co-Op
Director responsibility
Duties include:
Safety Statement – the “How” document (s.20)
Hazard Identification (s.19)
Risk Assessment (s.19)
Implement necessary improvements (s. 19.4)
Written statement - Risks & Hazards
Measures & Resources
Plans & Procedures – “Who” and “When”
Co-operation of staff
Who is Covered by the Act?
The Health & Safety at Work etc Act applies to:
Employers, self employed and employees
Casual employees, (including part-time) and trainees
Sub-contractors
Anyone who uses the workplace (premises)
Anyone using equipment
Visitors/customers (paying or otherwise) to the workplace
(premises)
Suppliers
Those who control premises
Those affected by the work
Users of the end product
Anyone who uses the professional services of the company
Anyone on the premises unlawfully
Employers’ Responsibilities Under the Act
Employers must provide:
A safe workplace and safe systems
of work
Safe access and egress
Training for employees
A written safety policy
Safe machinery, plant and
equipment
More specific duties
What must a Co-operative and its Management ensure?
HSA Guidance documents
Directors
Safe
Machinery,
Plant &
Equipment
Safe
Facility
Training
Safe
Systems
Health & Safety Legislation – Offences & Penalties
Example
Impeding an Order of High Court
Powers of HSA to seek injunctions from Court
Site “should be restricted or immediately prohibited until
specified measures have been taken to reduce the risk to a
reasonable level” (s.71)
If you kept the Site open it would “contravene” an “order”
and be an offence (s. 77.5)
Liability for offences – applies to Directors (s.80)
Penalties (s.78 (2))
Summary - €3,000 and/or 6 months
Indictment - €3m and/or 2 years
Business continuity planning (or BCP) is the
process of creating systems of prevention and
recovery to deal with potential threats to an
organisation.
Business Continuity Planning - BCP
Continuation of Critical Business Processes in
the event of significant business interruption or
disaster.
http://www.disasterrecoveryplantemplate.org/business-continuity-checklist/
Five Stage Process
1. Analysis
2. Solution Design
3. Implementation
4. Testing
5. Maintaining
Is a critical factor in sustaining the success of
their organisations.
Management Succession Planning - MSP
Proactive succession planning efforts reduce the
risk of hiring and promotion mistakes, loss of
institutional knowledge, and the negative impact
of turnover in key roles.
Succession Planning is a Continuous Process
Some of the critical steps include:
Identifying key business challenges facing the
organization
Creating a leadership success profile
Assessing identified candidates for key roles
Creating transition plans for new leaders
Developing internal talent
Tracking, documenting, and monitoring the
process
Succession planning is an important strategic
business initiative for all organizations.
By (1) starting early, (2) embracing succession
planning as a process, not a one-time event, (3)
objectively assessing candidates for key positions,
and (4) developing talent,
you can:
ensure that your organisation has effective leaders
prepared to fill key roles to meet the business
challenges of today and tomorrow.