Enterprise Risk Management: Tools & Techniques
January 12, 2011
Cathy Taylor, ADP
Emerissa Babin, OPG
Michelle Reid, TSSA
Agenda
Establish context
Risk identification
Risk analysis and evaluation
Risk treatment
Monitoring and review
Communication and reporting
Establish Context
Define environment within which risk will be managed
Ensures risk management approach is appropriate
Considerations include:
• Public or private
• Publicly traded or nonprofit
• Organizational structure
• Tone at the top
• Organizational culture
• How are decisions made?
Establish Context
President & CEO
Oversight of Strategic, Financial, Operational & Transactional Risks
• Risk Reports to Board Committees
• Risks to Business Plan Objectives (BURSA)
• MD&A Risk Management, AIF Risk Factors
Corporate Risk Management (CRM) Organization
Establish Context
ALL DEPARTMENTS
Risk Ownership (identification, assessment, treatment, monitoring & reporting)
BOARD / EXECUTIVE
RISK MANAGEMENT TEAM
Assure Stakeholders
Set Risk Appetite
Define ERM & Governance Expectations
Set Policy
Build RM Capability, Process & Tools
Framework
Monitor & report program
Support & Set the Tone
Set Assurance Agenda
Monitor Risk Reporting
Advice, Coaching & Support
Performance Management
Establish Context
Purpose: The Enterprise Risk Management Framework is intended to provide guidance to ……. relative to the development and implementation of an enterprise risk management program.
Scope: The enterprise risk management framework is relevant to all …. activities, its employees and Board of Directors, and resultant business decisions and is to be applied at every level of the organization.
Commitment and Mandate: …. is committed to maintaining a program that ensures risk management is an integral part of all ….. activities and a core capability. ….. will identify, assess, manage and monitor its enterprise risks in support of its mission and vision, objectives and priorities, as set out in the strategic plan.
Policy Statement: Committed to continually improve the
Risk Identification
Gather and document risks that could impact achievement of objectives
Common techniques include:
• Surveys
• Workshops
• Management interviews
• Environment scans
• SWOT analysis
• Results of audits
Risk Identification
Risk Assessment Questionnaire
Future discussions on the organization’s risk profile will be framed and will focus on the following questions:
1. What are the key objectives of your department / program area / function?
2. Which business objectives / performance targets do your initiatives specifically support?
3. What could inhibit achievement of your department / program area / function objectives?
4. How does the business system support or inhibit your ability to achieve your objectives?
5. Are there any processes that inhibit your ability to meet your objectives (i.e. process inefficiencies)?
6. How quickly could these factors impact your objectives (e.g. within quarter, fiscal year, forecast period, strat plan period)?
7. [Using an influence diagram if necessary] how could these factors impact your objectives?
8. What could you do to avoid these factors or minimize their impact on your objective?
Risk Identification
Results of Internal Audit of Compliance with Expense Policy
Business Rule | Observations | Risk / Impact | Recommendation | Management Response
Business Rule: Reimbursable items are supported by proper documentation (i.e. original, itemized receipts noting HST).
Observations: During the course of our audit we found evidence that:
Risk Identification
Corporate Objectives/Priorities
Key Initiatives to Achieve Objectives
Risk Mitigation & Opportunity Optimization Activities
Significant RISKS & OPPORTUNITIES impacting achievement of objectives
Significant RISKS & OPPORTUNITIES impacting achievement of initiatives
+
Assess & Report Performance Against Targets
Targets, KPIs, KRIs
[Diagram arrow labels: inform, shape]
Risk Analysis and Evaluation
Understand the risk, its causes, the likelihood of occurrence, potential impact, and the organization’s appetite and/or tolerance for the risk
Common tools include:
• Root cause analysis
• Risk assessment criteria
• Risk appetite matrix
• Risk tolerance
Risk Analysis and Evaluation
Risk Statements:
Important to express a risk in such a way that it can be effectively understood and addressed
Components: Event, Cause & Effect
Example:
• Financial loss due to default by Clients in funding of processed payroll.
• Inability to obtain adequate (quality/quantity) expat labour supply due to negative perceptions about project location results in increased construction costs
Bad Risk Statements:
• Budget cuts
• Company delays all IT investments
• Fires
Risk Analysis and Evaluation
Quantitative assessment
Probability:
• Improbable (<10%)
• Unlikely (10% - 30%)
• Possible (30% - 70%)
• Likely (70% - 90%)
• Probable (>90%)
Financial Impact:
• Minimal (<$5M)
• Minor ($5M - $50M)
• Notable ($50M - $200M)
• Substantial ($200M - $500M)
• Major (>$500M)
Risk Analysis and Evaluation
Qualitative Assessment
Manageability: The degree to which the outcome of a risk is controllable through the risk treatment/mitigation actions.
Stakeholder Sensitivity: The extent of the reaction of external stakeholders (public, shareholder, regulator, etc.) to the risk or how tolerant the stakeholders are of the risk, and what their expectations are for managing the risk.
Urgency: The promptness needed to implement mitigation for a risk in order for it to be effective. This criterion refers to how pressing the need is for mitigation as opposed to the imminence of the risk itself.
Risk Analysis and Evaluation
Likelihood | Description
1 | The event may occur within the next three to five years or within the strategic planning period
2 | The event may occur within the next twenty-four months or within the forecast period
3 | The event may occur within twelve months or within the current fiscal year
4 | The event may occur within three months or in the current quarter
Risk Analysis and Evaluation
Impact | Definition | Description | Example
1 | Opportunity | The company will exceed its objectives and balanced scorecard targets | The company will exceed its revenue and net margin objectives. The company has the opportunity to invest in and/or reassign employees to critical risks or areas of the business.
2 | Negligible | The event will not impede the company’s ability to meet its business plan objectives and associated balanced scorecard targets | The company will meet its revenue and net margin objectives.
3 | Moderate | Some elements of the business objectives and associated balanced scorecard targets will be delayed or not achieved, as a result of the realization or occurrence of the event | The company will not meet its revenue target but may through expense reduction meet net margin targets
4 | Critical | The company will not meet its business plan objectives and associated balanced scorecard targets, as a result of the realization or occurrence of the event | The company will not meet critical or material elements of its revenue and/or net margin targets
Risk Analysis and Evaluation
Risk Appetite Level | Definition
High risk appetite (1) | The company is willing to accept risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.
Moderate risk appetite (2) | The company is willing to accept some risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.
Low risk appetite (3) | The company is willing to accept some risks in certain circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.
Zero risk appetite (4) | The company is not willing to accept any risks under any circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets.
Risk Treatment
Select and implement options to modify risk
Typical risk treatment concepts include:
• Avoid risk (cancel product line, sell business unit)
• Transfer risk (out-source function or enter contract to transfer risk)
• Control risk (change process, training, etc)
• Fund risk (insurance)
Risk Treatment
RISK MATRIX (rows: LIKELIHOOD RATING; columns: SEVERITY RATING)
E | L | M | H | H | H
D | L | M | M | H | H
C | L | L | M | H | H
B | L | L | M | M | H
A | L | L | M | M | H
  | 1 | 2 | 3 | 4 | 5
Risk 1 (Inherent)
Risk 1 (Residual)
TOO MUCH CONTROL so:
A - removing procedure
B - reduce insurance costs/increase insurance deductible
Risk Treatment
Risk | Likelihood | Impact | Risk Score | Risk Appetite | Strategy | Lead | Actions | Status | Target
Monitor and Review
Periodic monitoring of risk treatment plans and influence on risks
• Ensure treatment plans exist
• Ensure they are effective
• Obtain additional info for further assessment
• Identify emerging risks
Most common tool or technique is audit
Monitor and Review
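RISK MATRIX (rows: LIKELIHOOD RATING; columns: SEVERITY RATING, shown 5 to 1)
  | 5 | 4 | 3 | 2 | 1
A | H | M | M | L | L
B | H | M | M | L | L
C | H | H | M | L | L
D | H | H | M | M | L
E | H | H | H | M | L
Risk 1 (Inherent)
Risk 1 (Residual)
Risk 2 (Inherent)
Risk 2 (Residual)
Risk based Audit program – which risk to audit?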
Communication and Reporting
Create awareness, facilitate understanding, foster adoption / engagement
Governance or legislative requirements
Communication and Reporting
Rank the Relative Risk of 30 Activities / Technologies with "1" being the highest risk & "30" being the lowest risk
Activity / Technology | Me | Public* | Experts*
Alcoholic Beverages | | |
Bicycles | | |
Commercial Aviation | | |
Contraceptives | | |
Electrical Power (non-nuclear) | | |
Firefighting | | |
Food Colouring | | |
Food Preservatives | | |
Handguns | | |
High School/College Football | | |
Home Appliances | | |
Hunting | | |
Large Construction | | |
Motor Vehicles | | |
Motorcycles | | |
Mountain Climbing | | |
Nuclear Power | | |
Pesticides | | |
Police Work | | |
Power Mowers | | |
Prescription Antibiotics | | |
Private Aviation | | |
Railroads | | |
Skiing | | |
Smoking | | |
Spray Cans | | |
Surgery | | |
Swimming | | |
Vaccinations | | |
X-rays | | |
* source - study by Dr. Paul Slovic, Decision Research, Eugene, Oregon
Announcements
CE Certificates
RIMS ERM Centre of Excellence
New RIMS logo
Curling bonspiel – February 8, 2011
One-day Conference – March 9, 2011
Volunteer