PROCJENA RIZIKA I MJERE.pdf


  • 8/10/2019 PROCJENA RIZIKA I MJERE.pdf


    1. Risk management in the Customs context

    2. Developing an organizational framework for managing risk

    3. Embedding risk management as an organizational culture

    4. Conclusion

    VOLUME 1

    RISK MANAGEMENT IN THE CUSTOMS CONTEXT

    Compliance management approach

    Modern risk-based compliance management builds on several key foundations. These can be broadly grouped into four main categories: a country's legislative framework, and the administrative, risk management and technological frameworks adopted by Customs administrations. Collectively these four categories represent the key determinants of the manner in which cross-border flows may be expedited and the way Customs control may be exercised over such flows. [5]

    Risk-based compliance management starts with robust legislation that incorporates areas such as acknowledgement of the respective responsibilities of government and industry, includes regulations for electronic communication, provides sanctions for non-compliance and provisions to break the nexus between physical movements and processing, reporting and revenue liability, and, finally, allows for flexible and tailored business solutions.

    This approach also requires administrative arrangements that include initiatives such as the introduction of a client service approach, education and awareness raising, technical assistance and advice, consultation and cooperation, the publishing of formal rulings, and formal appeal mechanisms.

    The adoption of a risk management framework introduces risk-based decision making and procedures into the organization that enable a balance between control, facilitation and supply chain security to be maintained. The introduction of risk-based procedures includes activities such as those associated with the early and accurate lodgement of information for risk assessment, intervention as early as possible in the supply chain for high-risk transactions, self-assessment and post-entry verification for lower risk, and investigative capability where non-compliance or fraud is detected.

    The available technology represents an enabler that serves to significantly enhance an administration's ability to adopt such an approach [6].

    Automation enables vast amounts of information to be processed in practically no time; it allows the effective and efficient screening of information against predetermined risk criteria, and assists with the making of decisions on both high and low risks. In the same way, modern non-intrusive inspection technologies, when used on the basis of risk assessment, can lead to more effective inspection activity and reduced delays.

    All the above is consistent with the standards and guidelines of the Revised Kyoto Convention, the SAFE Framework of Standards and the Customs in the 21st Century strategy, which together provide the key building blocks for modern Customs administration.

    According to the Customs in the 21st Century strategy, the expanding responsibilities facing Customs require a more sophisticated understanding of the risk continuum and how scarce resources can be better targeted towards the higher end. Therefore, it is useful to think of the risk continuum as a method to achieve client segmentation by risk categorization. Conceptually, Customs clients can be divided into four broad-based categories:

    1. those who are voluntarily compliant;
    2. those that try to be compliant but do not necessarily always succeed in their endeavours;
    3. those who will avoid complying if possible; and
    4. those that deliberately do not comply.

    An effective risk-based compliance management strategy acknowledges that the client categories outlined require different responses. Incentives and simplified procedures should be applied to those who are voluntarily compliant (low risk), assisted compliance to those who try to be compliant but do not necessarily always succeed, directed compliance to those who try to avoid following the letter of law, and enforced compliance to those who are deliberately non-compliant (high risk).

    The key in relation to risk-based compliance management is to actively steer the client population towards the low-risk category. This can be achieved both by providing incentives for traders and travellers to comply, and by operating a credible enforcement regime which effectively and efficiently detects and punishes non-compliance. Affecting client behaviour and actively steering the population towards low risk will allow Customs to concentrate its control resources on high risks. Diagram 1 illustrates an example of a compliance management model.

    5. Widdowson (2005), p. 93-94.

    6. Widdowson (2005), p. 94.

    In the Customs context, control and risk management of goods, conveyances or people commences at the export or departure point and continues with ongoing verification actions at the point of import or arrival and, in post-control audit circumstances, beyond. The term "multi-layered" is used to encapsulate the entire decision-making and other activities that may be carried out by Customs along this supply chain continuum. A modern compliance management approach recognizes that risk mitigation strategies can and should be applied throughout the supply chain. It also recognizes that a combination of multiple measures often leads to better results and more effective use of resources. Where appropriate legal, technological and operational arrangements are in place, a multi-layered approach can also facilitate risk identification, response coordination and collaboration across and between governments.

    At the operational level, a modern risk-based compliance management approach is increasingly enabled by intelligence support. Intelligence-enabled risk management brings together information and knowledge learned by Customs with a systematic approach for identifying and treating risks of greatest consequence. This is a critical process, as high risks identified through the risk management process will often be greater in number than Customs resources and ability to respond. This is the point where intelligence holdings inform decision makers of a recommended priority order for intervention and assist decisions about where Customs resources should be mobilized and deployed.

    Diagram 1. Compliance management model

    Risk level: LOW to HIGH

    Client Categories
    Voluntary compliance: People who want to comply
    Assisted compliance: People who try to comply, but don't always succeed
    Directed compliance: People who will avoid complying if they can
    Enforced compliance: People who deliberately do not comply

    Client Behaviours
    Voluntary compliance; Informed clients
    Attempting to comply; Uninformed clients
    Resistance to compliance; Will avoid if possible
    Criminal intent; Illegal activity

    Customs' Competencies / Interventions

    Information: High quality, timely, and accurate information about the arrival and departure of all persons, goods and craft
    Advanced cargo/passenger/craft information (in and out)
    Monitoring of physical movement of all people, goods and craft across (in and out) the border
    Patterns of non-compliance by: Industry, product, location, ethnicity, destination or port of origin
    Type of non-compliance (e.g., incorrect documentation)
    Profile of individual non-compliant traders/travellers
    Identification of specific compliance problem (e.g., bad systems, poor data entry etc.)
    Profile and ongoing intelligence (on and offshore) about offenders/potential offenders and their associates

    Assessment: Assessment of the level of risk posed by arriving and departing people, goods and craft
    FrontLine Pax/Goods staff intuition
    Intelligence profiles
    Statistically valid random checks
    Compile information on client behaviours
    Identify and monitor compliance trends/patterns
    Problem solving approach to specific compliance problems
    Investigation
    Assess risk and information needs in relation to seriousness of offence
    Investigation

    Action: Actions required to mitigate identified risk(s) without unduly disrupting legitimate trade and travel
    Compliance programmes (e.g., FrontLine, Call Centre)
    Education and advice
    Visible deterrence
    Cargo and baggage screening
    Targeted compliance guidance
    Punitive sanctions
    Rolling audit programme
    Increased attention
    Deter by detection and surveillance
    Comprehensive audits
    Prosecution
    Pre and post clearance interventions
    Comprehensive audits
    Passenger/cargo searches
    Prosecution

    Direction that Customs wants to move travellers and traders

    Increasing levels of intervention by Customs

    The WCO Global Information and Intelligence Strategy (GIIS) contained in Volume 2 sets out what intelligence is, how it is derived, for whom it is being produced, and why it is needed. GIIS also sets out the intelligence cycle and fundamental principles and processes that underpin all intelligence activity. Customs practitioners should be guided by the GIIS when developing their risk management approach.

    2. DEVELOPING AN ORGANIZATIONAL FRAMEWORK FOR MANAGING RISK

    Overview

    A risk-based compliance management approach demands a more holistic approach to risk management, spanning everyone from the Director General to the front line. It is no longer sufficient to manage risk at the individual activity level or in functional silos. A holistic approach to risk management requires an ongoing assessment of potential risks for an administration at every level, and then aggregation of the results at the organizational level to facilitate priority setting and improved decision making. The identification, assessment and management of risk across an organization helps reveal the importance of the whole, the sum of the risks and the interdependence of the parts.

    Holistic management of risk requires a solid and robust organizational risk management framework empowering officers at all levels of the administration to make risk-based decisions in a structured and systematic manner. The framework allows risk management activities to be aligned with an administration's overall objectives, corporate focus, strategic direction, operating practices and internal culture. In order to ensure risk management is a consideration in priority setting and resource allocation, it needs to be integrated into existing governance and decision-making structures at both operational and strategic levels. When this is achieved, everyone in the administration becomes involved in the management of risk [7].

    There are various ways of going about establishing an organizational risk management framework. In general the framework consists of five key elements. These are mandate and commitment, the organizational risk governance arrangements (designing the framework), implementing and practising risk management, monitoring and review, and, finally, continuous development. Diagram 2 illustrates these elements and their interlinkages.

    Diagram 2. Risk management framework

    Elements shown: Mandate and commitment; Design of framework for managing risk; Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework

    Source: ISO 31000:2009 Risk management - Principles and guidelines

    Mandate and commitment

    High-level mandate and commitment are crucial for effective risk management. Risk management will rarely be effective if it is not supported by the highest level of the organization. The Director General and the senior managers must set the policy, objectives and authorization to plan, deploy resources and make decisions based on risk management and risk assessment.

    To promote understanding of, and adherence to risk management, Customs leaders must:

    adopt a risk management policy that matches organizational strategy and objectives;

    clearly articulate and communicate the risk management policy and accountabilities;

    develop risk management indicators that complement the organization's performance measurement; and

    ensure the risk management policy continues to be valid.

    7. AS/NZS 4360/2004, Risk Management, p. v.

    When adopting risk management, there are some general guiding principles to which the approach at all levels of the administration should adhere. These include, but are not limited to, the following [8]:

    risk management must contribute to better achievement of organizational objectives. Management of risks should improve performance in a demonstrable and measurable way;

    risk management practices are tailored and aligned with the administration's external and internal context and role;

    risk management should be embedded as an integral part of all organizational processes including strategic and business planning as well as all project and change management activities;

    risk management practices will assist decision makers to make informed choices, prioritize actions and distinguish among alternative courses of action to ensure risk treatments will be adequate and effective. It is not a magic formula that will always give the right answers. Risk management is a way of working and thinking that will give better answers to better questions. Managing risk is about acknowledging the fact that when you manage risks there is always a risk that something negative may happen;

    risk management should be systematic, structured and timely. It needs to follow a predetermined methodology that contributes to efficient, consistent, comparable and reliable outcomes;

    risk management shall always be based on best available information derived from intelligence and information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgment;

    risk management shall be transparent and inclusive. It needs to take into account appropriate and timely involvement of all relevant stakeholders;

    risk management needs to be dynamic, iterative and responsive to change. As external and internal events occur, context and knowledge change, the monitoring and review of risks take place, new risks emerge, some change, and others disappear;

    risk management facilitates continual improvement of the administration. Strategies and plans should be developed and implemented to improve risk management maturity alongside all other aspects of the organization; and

    risk management should take human and cultural factors into account, recognizing the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of an administration's goals.

    Senior managers play a crucial role in ensuring that an administration's organizational culture is aligned with the risk management policy and the principles outlined. Effective and efficient risk management practices can be fully materialized only when management of risks is embedded in "the way we do business around here". Senior managers should make clear to staff that they are expected to follow the risk management policy. Perceived norms and values are important in influencing a risk-sensitive and responsive culture, and senior leaders can influence organizational culture by shaping and moulding the values, basic assumptions and beliefs shared by the administration's personnel.

    Once introduced, risk management requires sustained commitment to the policy and plans. The benefits of risk management are often materialized in the medium to long-term. Therefore, it is important that the same level of commitment be maintained over time. Sustained commitment can be maintained through continuously reinforcing high levels of awareness and reminding employees about the importance of managing risk.

    Design of framework for managing risk

    Understanding the organization and its context

    A clear understanding of the operating environment is an important step in developing the organizational risk management framework. Through an environmental scan, an administration can identify various external and internal factors and risks that influence the way it may achieve its objectives. External factors to be considered may include various political, economic, social and technological considerations. When outlining the internal risk management context, thought should be given to: the overall management framework; existing governance and accountability structures; stakeholders; values and ethics; operational work environment; individual and organizational risk management culture and tolerances; existing risk management expertise and practices; types of information flows and systems used; and local and organizational policies, procedures and processes.

    8. ISO 31000:2009 Risk management - Principles and guidelines, p. 7-8.

    A thorough environmental scan increases an administration's awareness of the key characteristics and attributes of the risks it faces, including the type and source of risk, what is at risk, and the level of ability to control the risk. The scan will assist the administration to establish a strategic direction for managing risk and reinforce existing management practices supporting the attainment of overall management excellence.

    In many administrations, existing management practices and processes include elements of risk management. Before starting to develop the framework, the administration should critically review and assess those elements that are already in place. In assessing internal risk management capacity, it is important to review the mandate, the governance and decision-making structures, the planning processes, the infrastructure, and human and financial resources. The review should deliver a structured appreciation of [9]:

    the maturity [10], characteristics and effectiveness of existing business and risk management culture and systems;

    the degree of integration and consistency of risk management across the administration and across different types of risk;

    the processes and systems that should be modified or extended;

    constraints that might limit the introduction of systematic risk management; and

    resource constraints.

    As part of understanding the organization and its context for managing risk, it is important to consider the concept of risk tolerance. The environmental scan will identify stakeholders affected by the organization's decisions and actions, and their degree of comfort with various levels of risk. Understanding the current state of risk tolerance of the government, other agencies, citizens, parliamentarians, interest groups, etc., will assist in making decisions on what risks must be managed, how, and to what extent.

    Risk management policy

    Each Customs administration will need to establish its unique risk management policy, which will take into account its strategic goals and objectives with commensurate plans. The risk management policy statement should clearly outline the administration's overall intentions and direction regarding risk management. Together, the risk management policy and an organizational risk management plan which specifies the approach, management components and resources to be applied to the management of risk, should include at least the following elements:

    linking organizational goals and objectives with risks;

    rationale and commitment for managing risks (risk strategy);

    linking risk management to strategic and business planning processes;

    level and nature of risk that is acceptable (risk appetite/tolerance);

    risk management organization and arrangements;

    information on risk identification and evaluation techniques;

    list of documentation for analyzing and reporting risk;

    risk mitigation requirements and control mechanisms;

    specific accountabilities and responsibilities for managing risk (i.e. risk owners);

    9. AS/NZS 4360:2004, Risk management, p. 25.

    10. Risk management maturity will be further discussed in Chapter 4.

    for risk management, ensuring at the same time that the organization meets stakeholder expectations and requirements.

    Senior managers own the risks specific to their individual areas and are accountable for individual business unit risk management.

    Senior managers provide leadership and support to enable risk management objectives and principles in their business units. They also make sure that priority areas of their business are resourced according to organizational priorities, and that risk identification, assessment and treatment plans are incorporated in objective-setting and planning processes. Senior managers are also responsible for making sure that sufficient intelligence capability to effectively assess both strategic and operational risks is maintained, and that managers and staff have the tools to manage risks.

    Managers are accountable for managing risks in their respective areas of responsibility. They must guarantee that priority areas within their span of control are resourced, and that operational systems and procedures are efficient and operating effectively. Managers and staff are expected to record key risks and develop a risk picture within their areas, by identifying and documenting assessment and treatment details to provide an audit trail. They must also guarantee that reporting systems are contributed to and ensure risk documentation is relevant and up-to-date. Managers also have to ensure that staff are continuously trained, guided and supported and have the tools to manage risks arising in their area of business.

    Front-line staff are largely responsible for intervention. Therefore, all staff are expected to know and understand the legislation, delegated authorities and powers they have. They are also expected to follow instructions, policies and procedures and to identify risks and opportunities in their area of activity, including assessing the likely consequences and taking appropriate actions to mitigate risks. The feedback from staff and front-line interventions is a critical aspect of keeping the risk management framework continually up-to-date with the operating and risk environment.

    Depending on organizational structures and arrangements, there may be some specific entities that have collective risk management responsibilities. These may include a risk management committee, a central risk management unit, and/or a risk assessment/targeting centre.

    A risk management committee is generally established and responsible for ensuring oversight and reporting to the senior management team and the Director General. The committee reports on whether the risk management framework is effective and is being followed by the organization in accordance with its policy. Typically, the functions of the risk management committee should include:

    preparation and advice on risk appetite, tolerance and strategy for the senior management team and the Director General;

    review of risk management reports for high-level risks, in particular those strategic risks which inform long-term decision making;

    analysis of the risk management process and its effectiveness; and

    review of organizational internal controls and their effectiveness.

    Depending on the level of risk management maturity, some administrations are reorganizing business unit arrangements associated with risk assessment and/or intelligence activities. A central risk management unit and/or a risk assessment/targeting centre is often responsible for information collation and analysis, and for the assessment of raw information. The resulting evaluation in an operational context provides risk indicators and profiles for goods, people, means of transport and economic operators. The functions of risk assessment/targeting centres are further explored in Annex 4.

    Resources

    It is important to ensure that sufficient resources are allocated to the management of risk. Administrations should analyze what kinds of people, skills, experience and competencies are required for staffing risk management related functions. Managers and staff should be provided with adequate training to ensure they are competent in all aspects of risk management. Automation is an increasingly important component of the collection, collation and analysis of data and information. Administrations need to evaluate their ICT capability and ensure that appropriate tools are available to conduct appropriate risk assessment, in order to provide the organization at all levels with good risk management products that identify organizational risks and recommend necessary treatments.

    Integrating risk management into organizational processes

    Effective risk management cannot be practised in isolation, but needs to be built into existing decision-making structures and processes. As risk management is an essential component of good management, integrating it into existing strategic management and operational processes will ensure that risk management is an integral part of the day-to-day activities of the administration.

    While each administration will find its own way to integrate risk management into existing decision-making structures, the following are some of the factors that may be considered:

    aligning risk management with objectives at all levels of the organization;

    introducing risk management into existing strategic planning and operational processes;

    communicating organizational directives on acceptable levels of risk; and

    improving control and accountability systems and processes to take into account risk management and its results.

    The integration of risk management into decision making is supported by an organizational philosophy and culture that encourages the management of risk. This can be achieved in numerous ways, such as:

    seeking excellence in management practices, including risk management;

    encouraging managers and staff to develop skills in risk management;

    including risk management as part of performance measurement at all levels of the organization;

    introducing incentives and rewards;

    recruiting risk management expertise and capability; and

    encouraging innovation, while providing guidance and support in situations where something goes wrong.

    Communication and reporting

    Good communication is an essential part of good risk management. Effective and efficient communication includes both internal and external aspects. Internal communication lines and reporting mechanisms support and encourage accountability and ownership of risk and enable risk related information to flow within the organization. Good internal communication and reporting should ensure that:

    all staff know and understand what risk management is, and what their role in the process is;

    modifications to the risk governance arrangements and framework are communicated to everyone;

    outcomes of risk management are properly communicated;

    relevant information on risk management practices is available at appropriate levels in a timely manner; and

    internal consultation and feedback mechanisms exist between different levels and functions of the organization (field operations, risk analysts, investigators, regional staff, post-clearance auditors, etc.).

    External communication and reporting mechanisms should be established to inform external audiences about the risk management strategy and to engage them in the process. Good external communication and reporting should include the following aspects:

    how to involve and engage appropriate external stakeholders and give effect to their expectations and requirements, and how they are taken into account in the approach;

    how to ensure that external risk reporting will comply with national legal, regulatory and governance requirements;

    how to use communication to build confidence in the organization in order to support its risk management approach, including the reporting of results; and

    how to communicate with relevant stakeholders in the event of crisis or contingency.

    Implementing risk management

    When implementing the framework, it is important to have a thorough plan and implementation strategy in place. This plan should describe the implementation of the organizational arrangements and define the timing and strategy for this. Implementation of the framework includes applying the risk management policy to organizational activities.

    Adopting a common, continuous and systematic risk management process provides a standard methodology for implementing risk management in practice. The process is a cyclic methodology with well-defined steps that support better decision making by providing insight into risks and their impact, outlining a common foundation for management decisions regarding the allocation of resources and prioritizing treatment actions. It is important that the risk management process be applied at all levels of the administration. The steps of the process are described in Diagram 3.

    Diagram 3. Risk management process

    1. Establishing the context
    2. Risk Assessment
    2.1. Risk identification
    2.2. Risk Analysis
    2.3. Risk evaluation & Prioritization
    3. Risk treatment
    4. Monitoring and review
    5. Documentation, communication and consultation

    Labels shown in the risk assessment stage: Likelihood, Consequence

    Source: adapted from Revised Kyoto Convention General Annex Guideline 6 and ISO Standard 31000:2009 Risk management - Principles and guidelines

    Establishing the context

    Any effort to manage risk must begin by first establishing what needs to be managed. This stage defines the context in which risk management will take place, and aims at clearly articulating and clarifying the objectives and what risks are being examined [11]. Determining what needs to be managed helps set the parameters for the rest of the risk management process. The following questions can be used to establish context, outlining both the internal and the external aspects:

    What are the objectives in the context where the risk management process takes place?

    What is the operating environment?

    What capabilities and resources are available for managing risk?

    What criteria are used to assess risks and to determine if additional control is needed?

    What are the scope and limits of risk management?

    What are the expectations of stakeholders such as the government, affected communities, traders and other private sector groups? and

    What other details are known about the process or activity?

    An outcome of this phase should be a statementof the environmental operating context whichincludes a clear indication of the objectives(risk to what) and the risk areas, and denesthe criteria and parameters for the risk assess-ment phase.

    Risk identification

    Risks cannot be analyzed or managed until they are identified and described in an understandable way. The risk identification phase identifies and records all potential risks by using a systematic process to identify what risks could arise, why, and how, thus forming the basis for further analysis. Some of the questions asked in this phase could include:

    What are the sources of risk?

    What risks could occur, why, and how?

    What controls may detect or prevent risks?

    What accountability mechanisms and controls, internal and external, are in place?

    What, and how much, research is needed about specific risks?

    How reliable is the information?

    Risk identification activities at various levels of the organization must be closely linked to each other. Once an administration's strategic risks have been identified they are handed down to managers, who then further refine the broad strategic risks and determine priority areas for action within their areas of influence. Once these decisions have been taken and priorities assigned, operational line management can begin the process of identifying specific cases from within their areas of influence for further action. At each step in the process, the extent of the risk being managed is progressively reduced and the risk is managed at an appropriate level within the organization.

    The outcome of the risk identification process is a register of risks, which documents the risks and ensures that the entire risk spectrum is considered. There are many different ways to construct a risk register. Annex 1 outlines examples of risk register templates.

    Example

    In a hypothetical example the Director General of Country X Customs service calls the heads of his administration's four organizational divisions (Head of Revenue Collection and International Trade, Head of Community Protection and Security, Head of Operations and Head of Administration) and their deputies to a risk management workshop. The aim of the workshop is to conduct a strategic review and identify risks that may prevent the service from achieving its goals. The main objectives of the organization relate to revenue collection, ensuring community protection and security, and ensuring compliance with the laws and regulations administered by Customs in a way that guarantees facilitation of trade.

    Prior to the meeting the Heads of the three operational divisions were required to circulate relevant reports from their divisions. Thus the Head of Operations was tasked with circulating a summary report of seizures, investigations and court cases. The Head of Revenue Collection and International Trade provided an update on AEO applications and compliance as well as trade statistics. The Head of Community Protection & Security provided a report on examinations and on statistics reported by other border control agencies and the police. The Intelligence Unit assisted with the preparation of all summary reports by the Head of Administration.

    11. The context can be, for example, the whole organization, one of its key functions, a process, a project, a specific location, a group of border transactions, etc.

    After setting the parameters and context for the process the group uses historical data and awareness of the various programmes to identify the major organizational risks utilizing brainstorming techniques.

    The major risks are divided into Risk Areas and the key risks under each area are identified as follows:

    | Objective | Risks |
    |---|---|
    | 1 Effective and efficient collection of revenue | 1.1 Fraud |
    | | 1.2 Lack of staff competence |
    | | 1.3 Integrity |
    | 2 Community protection and security | 2.1 Narcotics |
    | | 2.2 WMDs |
    | | 2.3 IPR |
    | 3 Trade facilitation | 3.1 Ineffective procedures |
    | | 3.2 Lack of coordination with other agencies |
    | | 3.3 IT Failure |

    Risk analysis

    Risk analysis is principally about quantifying risk, and requires consideration of the sources of identified risks, an assessment of their potential consequences in terms of achieving objectives, and judgment as to the likelihood that the consequences will occur (in the absence of any specific treatment with the existing controls in place). It relies upon the use of data and information to substantiate the consequences that are likely to be incurred if the risk occurs and/or remains unaddressed. Even though risk analysis should be evidence-based to the extent possible, it needs to be remembered that it is not an exact science. Knowledge about the business environment, expert judgment and common sense should never be overlooked when analyzing risks.

    In short, the analysis considers:

    how likely is an event to happen; and

    what are the potential consequences and their magnitude.

    Combining these elements produces an estimated level of risk. Risk estimation can be quantitative or qualitative, or a combination of the two.

    Based on tolerance judgments using a 3x3 matrix (high, medium, low), Diagram 4 suggests possible descriptions and indicators for estimating the likelihood of a risk occurring.

    Based on tolerance judgments using a 3x3 matrix (high, medium, low), Diagram 5 suggests possible descriptions and indicators for estimating the consequences of a risk occurring.

    Repeating this exercise on a regular basis (annually in the organizational and business unit context) is required, and normally results in changes to the estimated level of risk. These changes occur because of the treatments and preventative measures put in place. For example, the amendment of ambiguous legislation would leave less room for interpretation and therefore decrease the likelihood of an adverse event occurring. This in turn would lead to a lower risk level compared to the time before the preventative measure was implemented, etc.

    Diagram 4. Example description and indicators for determining likelihood

    | Likelihood | Description | Indicators |
    |---|---|---|
    | High (Probable) | Likely to occur or more than a 20% chance of occurring | Has occurred in the last 12 months |
    | Medium (Possible) | Could occur, but less than 20% chance of occurring | Has occurred between 1 year and 3 years ago. Has occurred in another country within the last 2 years |
    | Low (Remote) | Not likely to occur and less than 5% chance of occurring | Has not occurred in the last 3 years or more. Has not occurred in another Member country in the last 2 years |

    Example

    In the context of the previous example, Workshop participants analyze (using a suitable technique, see Annex 1) each of the individual risks under the risk categories in terms of their likelihood and consequence, using a high (H), medium (M), and low (L) scale. They jointly come up with the following ratings:

    | Objective | Risks | Likelihood | Consequence |
    |---|---|---|---|
    | 1 Effective and efficient collection of revenue | 1.1 Fraud | H | H |
    | | 1.2 Lack of staff competence | L | M |
    | | 1.3 Integrity | L | L |
    | 2 Community protection and security | 2.1 Narcotics | H | M |
    | | 2.2 WMDs | L | H |
    | | 2.3 IPR | M | L |
    | 3 Trade facilitation | 3.1 Ineffective procedures | L | H |
    | | 3.2 Lack of coordination with other agencies | H | H |
    | | 3.3 IT failure | L | H |

    Risk evaluation and prioritization

    This step entails comparing the assessed risks against a pre-determined significance criterion.

    By considering the risk level of each of the risks as described by the relevant management team in the matrix, it is possible to evaluate and prioritize the key risks that need to be analyzed in more detail. This will then lead to the deployment of proportionate resources in order to prepare for, prevent or respond to the risk.

    For illustrative purposes, Diagram 6 represents an example of a simple 3x3 risk significance matrix 12.

    Diagram 5. Example description and indicators for determining significance of consequences

    | Consequence / Impact | Description | Indicators |
    |---|---|---|
    | High (Serious) | If adverse risk occurs then there could be a severe community, economic or political crisis | Long-term ramifications for government or organization |
    | Medium (Manageable) | An adverse risk occurring would obstruct workflows and harm community or business | Damage to ability to meet organizational goals and commitments to government, community and business |
    | Low (Treatment within existing workflows) | An adverse risk would cause minor delays to service delivery | Adverse risk event can be absorbed within existing standard operating procedures |

    12. Some Members may decide that there is a need for more detailed tolerance estimation beyond high, medium or low. There are examples in the Capacity Building Compendium of a 4x4 matrix and a 5x5 matrix. In the case of a 5x5 matrix the tolerances may be expressed as minor, acceptable, tolerable, major and unacceptable. Another method of expressing risks is to use traffic-lights, i.e. red for high, amber for medium and green for low. An IT based system may apply a numeric value, such as a range from 1 to 100.

    Diagram 6. An example of a Risk Significance Matrix (3x3)

    | Consequence \ Likelihood | Low | Medium | High |
    |---|---|---|---|
    | High | Medium | High | High |
    | Medium | Low | Medium | High |
    | Low | Low | Low | Medium |

    The evaluation enables Customs to better understand the risks. The process consists of deciding whether the risk is tolerable (acceptable), and assists in determining how imminently the risk event may occur. Decisions about which risks to respond to and which to monitor will potentially be impacted by many different issues, including:

    internal capability;

    internal capacity;

    is there an effective capability to implement the treatment;

    risk rating/level;

    return of treatment;

    effects to reputation; and

    the cost/benefits of proposed treatments (this is a feedback loop from the next step).

    These issues form the basis on which the effectiveness of treatment strategies will ultimately be evaluated. Note that in the example at Diagram 6 it may be necessary to group a tolerability result and add specific response criteria for different categories.

    Diagram 7. An example of a Risk Significance Matrix with response criteria

    [Diagram: 3x3 matrix with likelihood (low to high) on one axis and consequence (low to high) on the other. Response criteria shown in the cells: Considerable management required; Must manage and monitor risks; Management effort worthwhile; Extensive management required; Management effort required; Risk may be worth accepting with monitoring; Accept risks; Manage and monitor risks; Accept, but monitor risks.]

    The outcome of the risk evaluation and prioritization process should be a risk register that has been quantified and prioritized according to the risk level, linking risks with the risk owners responsible for their mitigation and monitoring.

    Example

    This stage would see the Workshop participants evaluating and prioritizing the identified and analyzed risks for response. The process is recorded in a prioritized risk register which links the risks to the respective risk owners. The register would form part of the organizational risk management plan and serve as a guide for an administration's risk management activities. The prioritized risk register would allow senior managers to convene meetings with their relevant managers and supervisors to consider control strategies.

    | Objective | Risks | Likelihood | Consequence | Significance | Risk Owner |
    |---|---|---|---|---|---|
    | 1 Effective and efficient collection of revenue | 1.1 Fraud | H | H | High | Head of Operations |
    | | 1.2 Lack of staff competence | M | M | Medium | Head of Revenue Collection and International Trade |
    | | 1.3 Integrity | L | L | Low | Head of Administration |
    | 2 Community protection and security | 2.1 Narcotics | H | M | High | Head of Community Protection and Security |
    | | 2.2 Illegal importation of weapons and ammunition | L | M | Low | Head of Community Protection and Security |
    | | 2.3 IPR | M | L | Low | Head of Community Protection and Security |
    | 3 Trade facilitation | 3.1 Ineffective procedures | L | H | Medium | Head of Revenue Collection and International Trade |
    | | 3.2 Lack of coordination with other agencies | H | H | High | Head of Operations |
    | | 3.3 IT failure | L | H | Medium | Head of Administration |
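
    The matrix evaluation and register prioritization described above, as an added example that is not part of the Compendium: it encodes the Diagram 6 matrix and the Diagram 4 likelihood indicators, re-checks the workshop register against the matrix, and flags ratings that changed between the analysis and evaluation tables. The function names, the tie-break order and the handling of the exact 36-month boundary are assumptions of this example.

```python
"""Added example: score, cross-check and prioritize a 3x3 risk register."""

LEVELS = ("L", "M", "H")

# Diagram 6: MATRIX[consequence][likelihood] -> significance.
MATRIX = {
    "H": {"L": "Medium", "M": "High", "H": "High"},
    "M": {"L": "Low", "M": "Medium", "H": "High"},
    "L": {"L": "Low", "M": "Low", "H": "Medium"},
}


def significance(likelihood, consequence):
    """Look up one risk in the matrix; reject ratings outside H/M/L."""
    if likelihood not in LEVELS or consequence not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}")
    return MATRIX[consequence][likelihood]


def likelihood_from_history(months_since_local=None, months_since_abroad=None):
    """Rate likelihood from the Diagram 4 occurrence indicators.

    Arguments are months since the event last occurred in this administration
    and in another country (None = no recorded occurrence). Treating exactly
    36 months as Medium is an assumption; the table leaves that boundary open.
    """
    for value in (months_since_local, months_since_abroad):
        if value is not None and value < 0:
            raise ValueError("months since occurrence cannot be negative")
    if months_since_local is not None and months_since_local <= 12:
        return "H"
    recent_local = months_since_local is not None and months_since_local <= 36
    recent_abroad = months_since_abroad is not None and months_since_abroad <= 24
    return "M" if recent_local or recent_abroad else "L"


# Ratings from the risk analysis example: id -> (likelihood, consequence).
ANALYSIS = {
    "1.1": ("H", "H"), "1.2": ("L", "M"), "1.3": ("L", "L"),
    "2.1": ("H", "M"), "2.2": ("L", "H"), "2.3": ("M", "L"),
    "3.1": ("L", "H"), "3.2": ("H", "H"), "3.3": ("L", "H"),
}

# Prioritized register rows as printed in the evaluation example:
# (id, risk, likelihood, consequence, stated significance, risk owner).
REGISTER = [
    ("1.1", "Fraud", "H", "H", "High", "Head of Operations"),
    ("1.2", "Lack of staff competence", "M", "M", "Medium",
     "Head of Revenue Collection and International Trade"),
    ("1.3", "Integrity", "L", "L", "Low", "Head of Administration"),
    ("2.1", "Narcotics", "H", "M", "High",
     "Head of Community Protection and Security"),
    ("2.2", "Illegal importation of weapons and ammunition", "L", "M", "Low",
     "Head of Community Protection and Security"),
    ("2.3", "IPR", "M", "L", "Low",
     "Head of Community Protection and Security"),
    ("3.1", "Ineffective procedures", "L", "H", "Medium",
     "Head of Revenue Collection and International Trade"),
    ("3.2", "Lack of coordination with other agencies", "H", "H", "High",
     "Head of Operations"),
    ("3.3", "IT failure", "L", "H", "Medium", "Head of Administration"),
]


def mismatches(rows):
    """Ids whose stated significance disagrees with the matrix lookup."""
    return [r[0] for r in rows if significance(r[2], r[3]) != r[4]]


def rating_changes(analysis, rows):
    """Ids whose (likelihood, consequence) differ between the two stages.

    Each hit is a decision that the documentation step should explain.
    """
    return [r[0] for r in rows if analysis.get(r[0]) != (r[2], r[3])]


def prioritize(rows):
    """Sort by significance; ties broken by consequence, likelihood, then id.

    The tie-break order is an assumption of this example.
    """
    sig_rank = {"High": 0, "Medium": 1, "Low": 2}
    lvl_rank = {"H": 0, "M": 1, "L": 2}
    return sorted(rows, key=lambda r: (sig_rank[significance(r[2], r[3])],
                                       lvl_rank[r[3]], lvl_rank[r[2]], r[0]))


if __name__ == "__main__":
    print("matrix mismatches:", mismatches(REGISTER))
    print("ratings changed since analysis:", rating_changes(ANALYSIS, REGISTER))
    for rid, risk, lik, con, _, owner in prioritize(REGISTER):
        print(f"{significance(lik, con):6} {rid} {risk} ({lik}/{con}) -> {owner}")
```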


    Monitoring and review

    Monitoring and review should include all aspects of the risk management process, including the performance of the risk management system, the changes that might affect it and whether the original risks remain static. Some of the questions asked at this stage could include:

    Are assumptions about risks still valid?

    Are there any new or emerging risks?

    Are treatments for minimizing risks effective and efficient?

    Are the treatments cost-effective?

    Are management and accounting controls adequate?

    Do the treatments comply with legal requirements and government and organizational policies?

    How can the system be improved?

    To monitor and review the results and progress with the treatments implemented, a robust evaluation framework is needed, with criteria against which the outcomes are compared. The framework may include various measures aimed at outlining the direct and related results and effects of the chosen actions, enabling comparison of the pre- and post-treatment results. Different compliance measurement 14 activities such as campaigns, random checks or other types of statistically valid analysis methods or surveys can all be potential tools for measurement in the operational context.

    Documentation, communication and consultation

    Communication and consultation with internal and external stakeholders should be conducted as appropriate at each stage of the risk management process, and for the process as a whole. Communication and consultation should be planned and ongoing activities addressing not just the process, but any issues that may arise.

    Good governance requires decision making that is accountable and transparent. To ensure accountability it is important that the documentation indicate why decisions were made and actions were taken. Therefore, risk management activities at all different stages of the process need to be well recorded and stored in a way that enables their retrieval:

    assumptions;

    methods used;

    data sources;

    logic and analysis;

    results; and

    decisions made and the reasoning behind them.

    14. More detailed information on compliance measurement can be found in Annex 2.

    | Objective | Risks | Likelihood | Consequence | Significance | Risk Owner | Treatment |
    |---|---|---|---|---|---|---|
    | 2 Community protection and security | 2.1 Narcotics | H | M | High | Head of Community Protection and Security | Treat: A thorough mitigation strategy and plan needed |
    | | 2.2 Illegal importation of weapons and ammunition | L | M | Low | Head of Community Protection and Security | Tolerate: Monitor continuously through SOPs. |
    | | 2.3 IPR | M | L | Low | Head of Community Protection and Security | Tolerate after raising awareness among public. Monitor through SOPs |
    | 3 Trade facilitation | 3.1 Ineffective procedures | L | H | Medium | Head of Revenue Collection and International Trade | Tolerate after a thorough review and alignment against international best practices. |
    | | 3.2 Lack of coordination with other agencies | H | H | High | Head of Operations | Treat: A thorough coordination and stakeholder engagement strategy and plan needed |
    | | 3.3 IT failure | L | H | Medium | Head of Administration | Transfer to a third party service provider. Create a contingency plan. |

    Monitoring and review of the framework

    The development of evaluation and reporting mechanisms provides feedback to management and other interested parties in the administration and government-wide. Making sure that risk management activities are monitored and reviewed and that results are fed back to the policy level assists in ensuring that risk management remains effective in the long term.

    Some of the monitoring and review functions could fall to functional groups in the administration responsible for review and audit. Responsibility may also be assigned to managers and staff to ensure that information affecting risk is collected and effectively reported. Reporting could take place through regular management procedures and channels (performance reporting, ongoing monitoring, etc.) as part of the advisory functions associated with risk management (e.g. risk management committee).

    Reporting facilitates learning and improved decision making by assessing both successes and failures, monitoring the use of resources, and disseminating information on best practices and lessons learned.

    When monitoring and reviewing the risk management framework, attention should be paid to:

    risk management performance against identified indicators;

    continuing confidence in risk ratings and indicators;

    suitability of the accountabilities assigned to risk owners;

    reviewing the risk management framework, policy and plan against current contexts;

    reporting on treatment of risks and subsequent utilization of plans;

    assessing the ongoing relevance of risk treatments 15; and

    communicating feedback throughout the organization and to external stakeholders, if appropriate, on progress, benefits and results of risk management.

    Continual improvement of the framework

    Continual learning is fundamental to more informed and proactive decision making. It contributes to better risk management, strengthens an administration's capacity to manage risks and facilitates the integration of risk management into organizational structures and culture. Customs administrations should continually develop their risk management maturity (see Chapter 4) and ensure that information accumulated through risk mitigation activities and from the front line is utilized to keep the framework up-to-date. Based on the findings through the monitoring and review processes, decisions should be taken on how to improve the framework, risk management policy, and the strategic and operational level risk management plans.

    Summary

    This chapter introduced the different components of an organizational risk management framework and outlined a common methodology and process for managing risk. Diagram 8 summarizes the aspects outlined in this chapter and illustrates the relationship between the components of the framework.

    15. This is important since if treatments are effective, they could well have an impact on the pattern of risk and become less important or even redundant. For example, if a risk treatment involves recruiting experienced auditors into the organization to combat a particular type of fraud, it can be expected that ongoing recruitment would not be necessary but an alternate method of maintaining competence levels (e.g. supplementary training or on-the-job mentoring for less experienced employees) may be more relevant.


    3. EMBEDDING RISK MANAGEMENT AS AN ORGANIZATIONAL CULTURE

    Risk management maturity

    Embedding risk management as an organizational culture is not always straightforward. Anecdotal experience provided by Members indicates that it may take several years, and requires strong ongoing commitment from managers and staff at all levels. Risk management maturity, a term often used to describe organizational risk management capacity and agility, can help administrations to continuously develop their risk management practices.

    Risk management maturity can be assessed in many different ways. It is suggested that administrations create a tailored measurement framework allowing them to review and develop their maturity in a structured and systematic way. Setting up such a framework involves agreeing a maturity model structure, determining measurement parameters and choosing tools for conducting the measurement.

    Establishing a risk maturity model is important as it allows a common baseline to be established against which risk management practices can be benchmarked. Administrations should define and design a model that fits their unique context. The next sub-section provides an example of one potential model and Annex 3 incorporates another template for this purpose (APEC risk management process self-assessment model).

    When selecting a maturity model, administrations should design measurement indicators for the key attributes used in the model. The measurement process itself can be either qualitative or quantitative, or can mix aspects of both. If quantitative measurements are used, it is important to make sure that adequate data is available to support measurement, and that the required analysis tools exist.

    Measurement tools depend on the indicators the administration wishes to use. Indicators allowing quantitative measurement can often be supported by data analysis and manipulation, including statistical analysis, etc. For qualitative analysis, tools such as interviews, questionnaires, surveys, audits, etc. can be used.


    Example of a risk management maturity model

    The risk management maturity model displayed in this section (diagram 9) builds on five different levels of risk management maturity (naïve, aware, defined, managed, enabled) and measures maturity on several key attributes (culture, process, infrastructure). The following sub-sections briefly explain the different maturity stages 16 and describe some of the actions needed when developing organizational risk management capacity.

    Naïve

    At this initial stage, there is growing organizational understanding of a mismatch between available resources and demand. There may not be a clear understanding of a formal risk management process, procedures and techniques even though the language and terminology may be known. At this point, there generally is a lack of a high-level mandate for risk management. This leads to risk being managed on an ad hoc basis where risk management is not applied to organizational programmes and business processes in a systematic way.

    In order to move to the next level of risk management maturity, a number of actions must take place. Some of these actions may include the following:

    obtaining highest organizational mandate and commitment to risk management;

    objectives of risk management implementation need to be established, to enable the risk process to be tailored and scoped accordingly;

    defining key accountabilities and risk ownership;

    adequate training and support for the key risk owners;

    undertaking awareness briefings to sell the vision of risk management and its potential benefits to the entire organization, from senior management to front-line employees. These awareness briefings should also include key stakeholders;

    nominate pilot applications for risk management, carefully selected to maximize the chances of early success;

    communication of successes. Seek to develop momentum in the risk process and to encourage other projects and individuals to apply risk management to their areas as they see that clear benefits have been articulated clearly;

    planning for the long term, recognizing that effective implementation of risk management will not be achieved overnight. Count the cost of the implementation project, and ensure commitment of the necessary resources before starting;

    building effective controls into the process from the outset, with breakpoints to enable progress to be monitored and reviewed at key intervals. Collect and trend appropriate metrics; and

    consider producing draft risk procedures with templates for key inputs and outputs.

    Diagram 9. An example of a risk management maturity model

    Risk Management Maturity

    Risk naïve: Initial; Ad-hoc; Undefined; Reliance on key people

    Risk aware: Repeatable; Intuitive; Defined tasks; Initial infrastructure

    Risk defined: Standardised; Rigorous; Defined policies, processes & appetite; Uniformity

    Risk managed: Embedded; Comprehensive; Widely adopted; Measured; Increased competency

    Risk enabled: Optimised; Continuous; Integral; Competitive advantage; Core competency

    Source: Netherlands Customs 2010

    16. The interpretation of the model has been performed by the Secretariat.

    Aware

    At this second maturity level, the organization is aware of its mission, objectives and related risks. It knows its stakeholders and their needs. A high-level mandate for, and commitment to risk management exists. The concept and benefits of risk management are understood at all levels of the organization. Accountabilities for risks are defined and an initial organizational infrastructure for risk management is being developed. However, the overall approach to managing risk is still characterized by being somewhat intuitive.

    The actions for moving to the next level of risk maturity may include some of the following:

    reinforcing and strengthening corporate backing for the implementation of the risk management process. Strong and visible commitment from senior management is essential to give the necessary credibility;

    developing and promulgating an organizational policy on the use of risk management;

    formalizing the risk management process, with clear definition of the scope and objectives of risk management, as well as agreed upon procedures and properly selected tools;

    providing formal risk training to managers and staff and encouraging them to attend ongoing risk management training courses, conferences and seminars, workshops, etc;

    allocating adequate resources to the risk management implementation process, with assignment or recruitment of sufficient staff, and assigned budgets for risk management training, risk assessment tools and other required risk management activities;

    selecting key projects to demonstrate the benefits of risk management in all areas of the organization's business;

    communicating success and encouraging wider application of risk management in other areas as benefits become clear;

    ensuring managers use risk management as part of their routine management of projects and business processes. Include regular risk reporting as an important part of management reviews;

    assembling metrics from the risk process; identification of generic risks, effective responses, the cost of risk reduction, etc; and

    creating checklists to facilitate risk identification and assessment processes, based on actual experience of risk management within the organization.

    Defined

    At the third level risks are well defined, and the risk management approach is standardized and rigorous. The risk management infrastructure is well established, and includes defined policy, procedures, accountabilities and culture. Operational plans including well identified risks and their management strategies are also defined. The various resources and tools for effective analysis are identified and developed, and training and awareness-raising on risk management take place continually. Operational activities are often supported by a specific risk management function or facilities, which guarantee uniformity in the application of risk management.

    The actions that assist an administration to progress from the third maturity level to the fourth may include some of the following:

    ensuring effective learning from experience. Undertaking regular reviews of the risk management process, with value engineering of the process to ensure that it remains fully effective;

    amending and strengthening the risk management process where necessary, including investment in new tools, new methods, personnel training, etc;

    investigating novel applications of the risk management process beyond those already covered. Seeking to modify and apply risk management to every activity within the organization;

    using every means possible to develop a true risk management culture, encouraging all personnel to think risk, be aware of uncertainty and use risk techniques to assess and manage potential threats;

    ensuring that risk is included as a routine criterion in all decision making;

    identifying and countering incidences of risk fatigue, where staff are losing interest in the process or there is a potential loss of momentum. Using regular re-launch promotions to renew the process, celebrating successes, publicizing improvement metrics, and rewarding effective risk management; and

    organizing regular risk management training to ensure that skills remain current.

    Managed

    At the fourth maturity level risks are effectively and efficiently managed. Risk management is embedded in all organizational processes. Risk management practices are comprehensive and a healthy risk management culture exists. Effective two-way communication about managing risk exists, where objectives and resources cascade downwards and effective feedback travels upwards. Risk management practices and outcomes are measured and monitored, and the approach is developed continuously.

    Moving from the fourth maturity level to the fifth requires:

    ensuring continued commitment of senior management;

    using audit and review techniques to keep the application of risk management techniques at the required quality and standard;

    taking full advantage of the competitive edge that results from proactive management of uncertainty (including both risks and opportunities);

    extending risk management beyond the usual applications, pioneering its use in all areas of the business;

    continually investing in improving the risk process, tools, techniques, personnel skills, etc; and

    continuing involvement and consultation with stakeholders of the risk management process.

    Enabled

    The fourth and fifth stages are quite similar to each other and represent a very high maturity of risk management. The key difference between these two levels is that at the fifth maturity level, risks are not only managed in terms of mitigating negative outcomes, but also risk management actively seeks to exploit positive risks and opportunities. Risk management practices are optimized and integrated into all organizational processes, effectively contributing to organizational objectives. High-quality intelligence and knowledge exists for decision making and decisions are based on a comprehensive understanding of risk. Risk management is an integral part of the daily work of employees at all levels of the organization.


    4. CONCLUSION

    The changing operating environment has affected the way Customs administrations go about their business. The sheer volume of cross-border transactions, together with the new functions that Customs administrations all over the world have been assuming, have made old operating models largely redundant and required a new approach. As a result Customs administrations are required to achieve a reasonable and equitable balance between ensuring compliance and minimizing disruption and cost to legitimate trade and the public. This can be achieved increasingly through the adoption of a holistic risk-based compliance management approach.

    Intelligence-enabled risk management is a crucial building block for an effective risk-based compliance management approach. Traditionally Customs risk management has been seen through operational selectivity/targeting practices. However, this Compendium proposes a more holistic compliance management approach going beyond selectivity and aiming at actively managing and improving compliance (affecting client behaviour) through a bundle of different strategies mixing incentivized voluntary and enforced measures. Through this approach administrations are better able to achieve sustainable compliance outcomes that enable them to facilitate low risks and target the bulk of their scarce control resources towards high risks or unknown areas.

    The adoption of a risk-based compliance management approach requires the creation of a robust organizational risk management framework which provides the foundation and organizational arrangements allowing individual risks to be identified, assessed and managed across the organization and empowers officers at all levels to make risk-based decisions in a structured and systematic manner. This Volume of the Compendium has outlined the key aspects of such a framework.

    For risk management to be effective, it needs to be aligned with an administration's overall objectives, corporate focus, strategic direction, operating practices and internal culture. In order to ensure that risk management is a consideration in priority setting and resource allocation, it has to be part of existing governance and decision-making structures at both the operational and strategic levels.

    The ultimate success of risk management activities often comes down to the question of how well risk management can be embedded as an organizational culture. Effective organizational risk management practices often will not be established overnight, and in fact may require several years and strong ongoing commitment from managers and staff at all levels of the administration.

    Many of the skills and resources needed to manage risk effectively already exist within Customs. Sometimes these resources may need to be better organized in order to deliver a more structured approach to managing risks. Customs administrations are encouraged to monitor, review and assess their risk management practices and continuously develop their risk management capacity based on the guidance outlined in this Volume.

    The annexes to this Volume introduce a number of practical tools that can be used to facilitate the implementation of risk management. One of the annexes (Annex 5) also includes case studies by Members, providing useful information on different aspects of risk management.


    5. BIBLIOGRAPHY

    AS/NZS 4360:2004. Risk management. Standards Australia/Standards New Zealand.

    International Convention on the Simplification and Harmonization of Customs Procedures (Revised Kyoto Convention), WCO, Brussels.

    ISO/IEC Standard 73:2009, Vocabulary.

    ISO/IEC Standard 31000:2009, Risk management: Principles and guidelines.

    ISO/IEC Standard 31010:2009, Risk management: Risk assessment techniques.

    Widdowson, David and Holloway, Stephen (2010). Core border management disciplines: risk based compliance management, pp. 95-113 in: McLinden, Gerard; Fanta, Enrique; Widdowson, David and Doyle, Tom, Border Management Modernization, The World Bank, Washington, DC.

    Widdowson, D. (2006). Raising the Portcullis. Paper presented at the WCO Conference on developing the Relationship between WCO, Universities and Research Establishments, Brussels.

    Widdowson, D. (2005). Managing risk in the Customs context, in De Wulf, L. and Sokol, J.B. (2005), Customs Modernization Handbook, The World Bank, Washington D.C.

    World Customs Organization (2008). Customs in the 21st Century: Enhancing Growth and Development through Trade Facilitation and Border Security, WCO, Brussels.

    World Customs Organization (2005). The SAFE Framework of Standards to secure and facilitate global trade, WCO, Brussels.


    ANNEXES

    ANNEX 1: RISK MANAGEMENT TECHNIQUES AND TOOLS

    There are many different tools and techniques to assist the various steps of the risk assessment process. More detailed information on these tools can be found in ISO Standard 31010:2009 Risk management: Risk assessment techniques.

    Risk identification

    Techniques

    The above-mentioned ISO Standard 31010:2009 lists the following techniques that can be used in the identification of risks [17]:

    Brainstorming;

    The Delphi technique;

    Structured or semi-structured interviews;

    Use of check-lists;

    Primary hazard analysis;

    Hazard and Operability Studies (HAZOP);

    Hazard Analysis and Critical Control (HACCP);

    Environmental risk assessment;

    Scenario analysis;

    Structure What if? (SWIFT);

    Failure mode effect analysis;

    Cause-and-effect analysis;

    Human reliability analysis;

    Reliability centred maintenance;

    Consequence/probability matrix; and

    Fault tree analysis.

    Instead of using only one technique, a combination of different tools should be used where appropriate. It is also important to combine aspects of qualitative and quantitative analysis in order to reach the best outcomes.

    Tools

    As previously shown, a risk register is an essential documentation tool for risk management. The risk register is like an index of an administration's risks, from which each functional area can develop its respective risk plans. The register should be tailored to meet the requirements of the organization and may be set out in many different ways. Three examples of risk registers appear below.

    Example #1 of 3 - RISK MANAGEMENT REGISTER: ORGANIZATIONAL ELEMENTS

    | The Risk | Likelihood Rating | Consequence Rating | Tolerance | Risk Priority | Risk Treatment |
    |---|---|---|---|---|---|
    | 1 Strategic Management | | | | | |
    | 2 Resources | | | | | |
    | 3 Legal Framework | | | | | |
    | 4 Customs Systems and Procedures | | | | | |
    | 5 Information Technology and Communication | | | | | |
    | 6 External Cooperation, Communication and Partnership | | | | | |
    | 7 Good Governance | | | | | |

    17. ISO Standard 31010:2009 Risk management: Risk assessment techniques includes additional details on the above-mentioned techniques.


    Risk analysis

    Techniques

    Various techniques and tools for the risk analysis process are recognized by ISO Standard 31010:2009 Risk management: Risk assessment techniques. These tools can be categorized with reference to their usability for analyzing consequences, likelihood or the level of risk.

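    Example #2 of 3 - RISK MANAGEMENT REGISTER: ORGANIZATIONAL PRIORITY

    | The Risk | Likelihood Rating | Consequence Rating | Tolerance | Risk Priority | Risk Treatment |
    |---|---|---|---|---|---|
    | 1 Revenue Collection | | | | | |
    | 1.1 e.g. Duty | | | | | |
    | 1.2 e.g. Excise | | | | | |
    | 2 National Security | | | | | |
    | 3 Community Protection | | | | | |
    | 3.1 e.g. Narcotics | | | | | |
    | 3.2 e.g. IPR | | | | | |
    | 4 Trade Facilitation | | | | | |
    | 5 Collecting Trade Data | | | | | |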

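    Example #3 of 3 - RISK MANAGEMENT REGISTER: ORGANIZATIONAL STRUCTURE

    | The Risk | Likelihood Rating | Consequence Rating | Tolerance | Risk Priority | Risk Treatment |
    |---|---|---|---|---|---|
    | 1 Head Office / Corporate | | | | | |
    | e.g. Personnel | | | | | |
    | e.g. Legislation | | | | | |
    | e.g. Finance | | | | | |
    | 2 Maritime | | | | | |
    | e.g. Wharf / Port offices | | | | | |
    | e.g. Sea Cargo | | | | | |
    | e.g. Sea Passengers / Crew | | | | | |
    | e.g. Vessels | | | | | |
    | 3 Aviation | | | | | |
    | e.g. Airports | | | | | |
    | e.g. Air Cargo | | | | | |
    | e.g. Air Passengers / Crew | | | | | |
    | e.g. Aircraft | | | | | |
    | 4 Land | | | | | |
    | e.g. Border control points | | | | | |
    | e.g. Conveyances | | | | | |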


    Box 2: Risk analysis techniques

    Technique | Consequence | Likelihood | Level of risk

    Bayesian statistics and Bayes nets

    Bow tie analysis

    Cause-and-consequence analysis

    Cause-and-effect analysis

    Consequence/probability matrix

    Cost/benefit analysis

    Decision tree

    Environmental risk assessment

    Event tree analysis

    Failure mode effect analysis

    Fault tree analysis

    FN curves

    Hazard Analysis and Critical Control (HACCP)

    Hazard and Operability Studies (HAZOP)

    Human reliability analysis

    Layer protection analysis

    Markov analysis

    Multi-criteria decision analysis

    Reliability centered maintenance

    Risk Indices

    Root cause analysis

    Scenario analysis

    Structure What if? (SWIFT)


    Tools

    The previous chapter presented some simple 3x3 examples of consequence and likelihood matrices. The following tables provide additional examples of 5x5 scales and their attributes.

    EXAMPLE OF A 5x5 LIKELIHOOD SCALE

    | | Example of Qualitative Measure | Examples of Quantitative Measures | | | | Other Measures |
    |---|---|---|---|---|---|---|
    | Almost Certain | The event is expected to occur in most circumstances | Once per week or more frequently | 10 chances a year | > 1 in 10 | 9 to 10 times out of 10 occurrences | If these scales do not match your circumstance, then you should develop your own scale |
    | Likely | The event will probably occur in most circumstances | On average once per month | Once a year or more | 1 in 10-100 | 7 to 8 times out of 10 occurrences | |
    | Possible | The event might occur at some time | On average once per year | Once in ten chances a year | 1 in 100-1,000 | 4 to 6 times out of 10 occurrences | |
    | Unlikely | The event is not expected to occur in most circumstances | Typically once every ten years | One in 100 chances a year | 1 in 1,000-10,000 | 2 to 3 times out of 10 occurrences | |
    | Rare | The event may occur only in exceptional circumstances | Typically once every hundred years | One in 1,000 chances a year | 1 in 10,000-100,000 | 0 to 1 times out of 10 occurrences | |

    New Zealand Customs Service - Example of a 5x5 LIKELIHOOD scale

    | Rating | How likely | Description / Example * |
    |---|---|---|
    | 5 | Almost Certain | Definite probability, or No Controls, or Has happened in the past and no compensating controls have been implemented, or Without additional controls the event is expected to occur in most circumstances, or Has happened within the last 3 months |
    | 4 | Likely | The event will probably occur in most circumstances, or Weak Controls, e.g. Limited QAPs, no internal audits performed, or With existing controls in place this event will probably still occur with some certainty, or Has happened in the last 6 months |
    | 3 | Possible | The event should occur in some circumstances, or Minimal controls, e.g. Some QAPs, some internal audits performed, or The event has occurred in other customs agencies with similar levels of controls in place, i.e. substandard control assurance, or Has happened in the last 12 months |
    | 2 | Unlikely | The event could occur in some circumstances, however more likely through human error for not following the control environment, or Effective Controls in place, e.g. Timely QAPs, internal & external audits, or The event hasn't occurred in Customs recently but it could occur in some circumstances, or Has happened in the last 2 years |
    | 1 | Rare | The event may occur in some exceptional circumstances, i.e. deliberate fraud / attack outside of existing deterrents, or from activity beyond the control of Customs actions, or Strong Controls. Despite effective controls an external event or uncontrollable event could occur, or Improbable: A very small chance of an event occurring that would be caused by stressed economic, market and operating conditions or events not previously seen in similar agencies, or Has not happened in the last 3 years |


    Risk evaluation and prioritization

    Techniques

    There are a number of risk analysis models in business literature for use when evaluating and prioritizing tolerance for risk. These include:

    Threat analysis;

    SWOT analysis (Strengths, Weaknesses, Opportunities, Threats);

    Fault tree analysis;

    FMEA (Failure Mode & Effect Analysis);

    BPEST (Business, Political, Economic, Social, Technological) analysis;

    PESTLE (Political, Economic, Social, Technical, Legal, Environmental);

    Dependency modeling and Real Option Modeling; and

    Statistical Modelling.

    Tools

    Risk criteria are terms of reference against which the significance of a risk is evaluated. They are defined when establishing the context for the risk management process, and before risk identification takes place. Risk criteria often take the form of a risk significance or tolerance matrix.

    EXAMPLE OF A 5x5 CONSEQUENCE SCALE

    SEVERITY OF RISK

    | Risk* | Insignificant | Minor | Moderate | Major | Severe |
    |---|---|---|---|---|---|
    | Cargo/Passengers | Rare for passenger clearance targets not to be met. Few clients are affected by delays. Air and sea cargo delays are causing insignificant financial and community impact. | Passenger clearance targets sometimes not met. Air and sea cargo delays are causing minor financial and community impact. | Passenger clearance delays are occurring, causing moderate disruption to the client. Air and sea cargo delays are causing moderate financial and community impact. | Passenger clearance delays are occurring, causing major disruption to the client. Air and sea cargo delays are causing major financial and community impact. | Passenger clearance delays are occurring, causing severe disruption to the client. Air and sea cargo delays are causing severe financial and community impact. |
    | Border Enforcement | Rare for non-compliers to avoid detection and action. This applies particularly for serious offences under Customs Act and other agency's legislation enforced by Customs. | Unlikely that non-compliers will avoid detection and action. This applies particularly for serious offences under Customs Act and other agency's legislation enforced by Customs. | Possible that non-compliers will avoid detection and action. This applies particularly for serious offences under Customs Act and other agency's legislation enforced by Customs. | Highly likely that non-compliers will avoid detection and action. This applies particularly for serious offences under Customs Act and other agency's legislation enforced by Customs. | Almost certain that non-compliers will avoid detection and action. This applies particularly for serious offences under Customs Act and other agency's legislation enforced by Customs. |
    | Revenue collection | Collections against revenue forecast are under target and it could be justified by statistical error. | Collections against revenue forecast are under target but only by a small amount. | Collections against revenue forecast are under target, and the shortfall is not linked to general economic conditions. | Collections against revenue forecast are unexpectedly and/or significantly under target. The shortfall cannot be linked to general economic conditions. An explanation may be required for Parliament and Government. | Collections against revenue forecast are unexpectedly and/or significantly under target. The shortfall cannot be linked to general economic conditions. It is possible that Parliament and/or Government will initiate an enquiry into the shortfall. |

    It is important to note here that risk criteria must be based on organizational objectives, and the external and internal context. They can be derived from standards, laws, policies and other requirements. The following diagram presents a potential example of a 5x5 risk tolerance/significance matrix.

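    EXAMPLES OF A 5x5 RISK TOLERANCE MATRIX

    | | Minimal 1 | Minor 2 | Moderate 3 | Major 4 | Severe 5 |
    |---|---|---|---|---|---|
    | Almost Certain 5 | 5 | 10 | 15 | 20 | 25 |
    | Likely 4 | 4 | 8 | 12 | 16 | 20 |
    | Possible 3 | 3 | 6 | 9 | 12 | 15 |
    | Unlikely 2 | 2 | 4 | 6 | 8 | 10 |
    | Rare 1 | 1 | 2 | 3 | 4 | 5 |

    | | Minimal | Minor | Moderate | Major | Severe |
    |---|---|---|---|---|---|
    | Almost Certain | MEDIUM | HIGH | HIGH | EXTREME | EXTREME |
    | Likely | LOW | MEDIUM | HIGH | EXTREME | EXTREME |
    | Possible | LOW | MEDIUM | MEDIUM | HIGH | HIGH |
    | Unlikely | LOW | LOW | MEDIUM | MEDIUM | HIGH |
    | Rare | LOW | LOW | LOW | LOW | MEDIUM |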
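
    The two matrices above can be applied to a risk register in code. The following Python example is added here and is not part of the Compendium: it scores each entry as likelihood times consequence, maps the score to a band, and checks that the bands reproduce every cell of the second matrix. The score thresholds, the tolerance cut-off used to flag entries for treatment, and the sample ratings are assumptions made for illustration.

```python
"""Score and rank a risk register with the page's two 5x5 tolerance matrices."""

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Minimal": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Severe": 5}

# Categorical matrix transcribed from the page: rows are likelihood,
# columns run Minimal..Severe.
PAGE_MATRIX = {
    "Almost Certain": ["MEDIUM", "HIGH", "HIGH", "EXTREME", "EXTREME"],
    "Likely":         ["LOW", "MEDIUM", "HIGH", "EXTREME", "EXTREME"],
    "Possible":       ["LOW", "MEDIUM", "MEDIUM", "HIGH", "HIGH"],
    "Unlikely":       ["LOW", "LOW", "MEDIUM", "MEDIUM", "HIGH"],
    "Rare":           ["LOW", "LOW", "LOW", "LOW", "MEDIUM"],
}

# Assumption (not stated on the page): score floors that reproduce PAGE_MATRIX.
BANDS = [(16, "EXTREME"), (10, "HIGH"), (5, "MEDIUM"), (1, "LOW")]
BAND_ORDER = ["LOW", "MEDIUM", "HIGH", "EXTREME"]


def score(likelihood, consequence):
    """Numeric matrix cell: likelihood rating times consequence rating."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def band(value):
    """Map a 1..25 score to a tolerance band."""
    if not 1 <= value <= 25:
        raise ValueError(f"score out of range: {value}")
    return next(label for floor, label in BANDS if value >= floor)


def mismatches():
    """Cells where banding the product disagrees with the page's matrix."""
    bad = []
    for lik, row in PAGE_MATRIX.items():
        for cons, expected in zip(CONSEQUENCE, row):
            if band(score(lik, cons)) != expected:
                bad.append((lik, cons, expected))
    return bad


def prioritize(register, tolerance="MEDIUM"):
    """Rank entries by score; flag those above the tolerated band for treatment."""
    limit = BAND_ORDER.index(tolerance)
    rated = []
    for name, lik, cons in register:
        s = score(lik, cons)
        b = band(s)
        rated.append({"risk": name, "score": s, "band": b,
                      "treat": BAND_ORDER.index(b) > limit})
    rated.sort(key=lambda r: (-r["score"], r["risk"]))
    for priority, entry in enumerate(rated, start=1):
        entry["priority"] = priority
    return rated


# Constructed entries: names follow the headings of register Example #2,
# the ratings are made up for illustration.
SAMPLE_REGISTER = [
    ("Revenue Collection: Duty", "Likely", "Major"),
    ("Community Protection: Narcotics", "Possible", "Severe"),
    ("Trade Facilitation", "Unlikely", "Minor"),
    ("Collecting Trade Data", "Rare", "Severe"),
]

if __name__ == "__main__":
    print("cells that disagree with the page:", mismatches())
    for row in prioritize(SAMPLE_REGISTER):
        print(row)
```

    An empty result from mismatches() shows that the categorical matrix is a pure function of the numeric score, so a register only needs to store the two ratings.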


    ANNEX 2: COMPLIANCE MEASUREMENT

    Overview

    For any risk management process to be successful and effective, it will have to be constantly monitored and evaluated. One method for this is the use of compliance measurement. Compliance measurement is a phrase used when statistically valid random sampling techniques are employed to determine the degree to which traders, carriers, imported goods, etc. conform to Customs rules and procedures. When designed in a systematic and appropriate manner, compliance measurement methodologies provide objective and statistically valid results. Compliance measurement can be used as a diagnostic tool to identify areas of non-compliance.

    Compliance measurement as a diagnostic tool for Customs administrations should be used in conjunction with risk assessment, profiling and other targeting procedures. Used strategically, compliance measurement and targeting can provide the necessary balance to help focus resources effectively in areas of concern to Customs. In addition, the results of initial compliance measurements can provide important information to enhance risk assessment methodologies.

    A compliance management programme also provides a basis for Customs to assess its own performance in revenue protection and enforcement of laws, improve its efficiency and effectiveness, and develop strategies to improve compliance.

    Compliance Measurement Areas

    One approach to compliance measurement is to consider that in some countries or economic unions, as few as 10% of traders account for over 80% of imports and exports. By focusing on the top 5-10% of these highest volume manufacturers, importers, exporters and commodities, Customs can ensure that those which have the most significant impact on the national economy are being reviewed more effectively.

    Compliance measurement areas may include:

    Documentary issues:

    proper tariff classification by traders;

    proper valuation by traders; and

    country of origin.

    Procedural issues:

    importation and exportation (from the goods declaration through revenue collection);

    transit operations; and

    warehousing, free trade zones, processing.

    Revenue issues:

    timely and accurate revenue payments; and

    proper posting of securities.

    Transport issues:

    accurate reporting of the quantity of goods;

    accurate description of goods on the manifest and/or transport document;

    accuracy of container quantities and identification numbers; and

    transporter compliance.

    Specific concerns:

    compliance by tariff number or range of tariff numbers;

    public health and safety issues;

    Intellectual property rights and copyright issues;

    compliance with trade agreements;

    proper country of origin marking on goods;

    high revenue commodities; and

    selected traders.

    Measurement Process

    Customs gathers data from a variety of sources, both internal and external, and by both manual and automated means. With the data (import and export records), the tools (statistical analysis) and the methodology (systematic analysis of large traders or commodities), Customs can arrive at reasonable, informed conclusions about the compliance rates of many entities. These rates can be determined for each step of a transaction process, e.g. for imports, from the manifest to the goods declaration to the collection of duty and taxes. The automated systems that Customs uses to evaluate high-risk shipments can support the compliance review requirements for a scientific approach to accurate data collection and analysis and projections, although compliance rates can also be measured effectively without automation.

    Customs should determine a designated universe of transactions and, using a statistically valid sampling methodology, select specific transactions or entities from this universe for review or verification. Depending upon the results, the universe may be modified in many ways.

    Customs must also determine what level of compliance is acceptable. For example, a compliance rate of 95% of the transactions or entities reviewed in a given area may be the acceptable level for an administration. This may also be called the level of tolerance.

    Some of the transaction processes for compliance verifications would be:

    goods declaration compliance;

    trader compliance;

    transit compliance;

    free trade zone or warehouse compliance;

    manifest and transport document compliance; and

    transporter compliance.

    Below are a few factors that should be considered during a verification review for a selected example of these processes.

    Goods Declaration Compliance

    a) Is there evidence of documentation to support an accurate goods declaration?

    b) Do the quantities declared match what is contained in the consignment?

    c) Does the declared country of origin match the country of origin marking on the goods?

    d) Does the declared description of the goods match the actual goods?

    Thus, a typical compliance measurement review relating to intellectual property rights for a selected commodity, at a tolerance level of 95%, might progress as follows:

    a) Conduct a statistically valid random sampling of goods declarations for the selected HS number.

    b) If the resulting compliance rate is less than 95%, conduct another measurement of the same HS number, but stratified by selected countries of origin.

    c) For countries of origin found to have a compliance rate of less than 95%, conduct a measurement for each of the major importers.

    d) For importers found to have a compliance rate of less than 95%, Customs should seek to:

    inform the importer (informed compliance);

    establish profiles/targets for the identified areas of non-compliance;

    conduct subsequent measurements to ensure that the importer has corrected the problem;

    conduct more reviews and/or examinations; and

    issue fines or penalties, if appropriate, in cases of continued non-compliance.
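
    The four-step review above, as an added Python example that is not part of the Compendium: it samples declarations for one HS number, re-measures by country of origin when the rate falls below 95%, and then measures each importer in the failing origins. The HS number, origins, importers and compliance outcomes are constructed data, and the Wilson 95% interval reported beside each rate is an addition that goes beyond the point-estimate rule used in the text.

```python
"""Drill-down compliance measurement at a 95% tolerance level (steps a to c)."""
import math
import random
from collections import defaultdict

TOLERANCE = 0.95  # acceptable compliance rate used in the text's example


def measure(declarations, sample_size, rng):
    """Simple random sample without replacement: (rate, n, Wilson 95% interval)."""
    n = min(sample_size, len(declarations))
    sample = rng.sample(declarations, n)
    p = sum(1 for d in sample if d["compliant"]) / n
    z = 1.96
    centre = (p + z * z / (2 * n)) / (1 + z * z / n)
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / (1 + z * z / n)
    return p, n, (max(0.0, centre - half), min(1.0, centre + half))


def by_key(declarations, key):
    """Split declarations into strata, e.g. by origin or by importer."""
    strata = defaultdict(list)
    for d in declarations:
        strata[d[key]].append(d)
    return dict(strata)


def drill_down(declarations, hs, sample_size, rng):
    """Run steps (a) to (c); 'importers' lists who needs the step (d) actions."""
    universe = [d for d in declarations if d["hs"] == hs]
    if not universe:
        raise ValueError(f"no declarations for HS {hs}")
    findings = {"hs": hs, "origins": {}, "importers": {}}
    # (a) measure the whole HS number
    findings["overall"] = measure(universe, sample_size, rng)
    if findings["overall"][0] >= TOLERANCE:
        return findings
    # (b) measure again, stratified by country of origin
    for origin, recs in sorted(by_key(universe, "origin").items()):
        result = measure(recs, sample_size, rng)
        findings["origins"][origin] = result
        if result[0] >= TOLERANCE:
            continue
        # (c) measure each importer for origins below tolerance
        for importer, imp_recs in sorted(by_key(recs, "importer").items()):
            imp_result = measure(imp_recs, sample_size, rng)
            if imp_result[0] < TOLERANCE:
                findings["importers"][(origin, importer)] = imp_result
    return findings


def build_constructed_population():
    """Constructed data: importer IMP-3 from origin BB misdeclares 40% of entries."""
    rows = []
    for origin, importer, total, bad in [
        ("AA", "IMP-1", 300, 0), ("AA", "IMP-2", 200, 4),
        ("BB", "IMP-3", 250, 100), ("BB", "IMP-4", 250, 5),
    ]:
        for i in range(total):
            rows.append({"hs": "0000.00", "origin": origin,
                         "importer": importer, "compliant": i >= bad})
    return rows


if __name__ == "__main__":
    result = drill_down(build_constructed_population(), "0000.00", 150,
                        random.Random(7))
    print("overall:", result["overall"])
    for key, value in result["importers"].items():
        print("follow up with", key, value)
```

    A sample size larger than a stratum turns that measurement into a full census, which is how small importers are handled here.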

    Use of Compliance Measurement Results within the Control Programme

    Statistically valid compliance measurement procedures can be used in various ways, e.g. to:

    define any revenue gap;

    prevent widespread commercial fraud;

    assess performance by major key industries;

    assess performance by major importers and exporters;

    increase commercial compliance; and

    accurately measure international trade.

    The results of these measurements can help direct resources effectively. In determining compliance rates for individual importers, those found to have high compliance rates may have their goods examined less frequently, while those having low compliance rates may have their goods examined more frequently.

    The findings of compliance reviews for commodities, traders and industries provide information for updating existing selectivity criteria used to