determining where resources are most needed
Determining Where Resources Are Most Needed
The Concept of Risk
Achieving Impact in Auditing
The Concept of Risk
My early audits:
• Park chair audit.
• Book of remembrance entries.
• Car park income.
What Is Risk?
Does It Really Matter?
“When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident in any sort worth speaking about. I have seen but one vessel in distress in all my years at sea... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort” from a paper presented by EJ Smith, 1907
WHY DOES IT MATTER?
On 14 April 1912, HMS Titanic sank with the loss of 1500 lives.....
One of which was its captain
E J SMITH
IT MATTERS!
But does any of this really matter
NOW?
Risk Management Casualties
• Barings
• BCCI
• Hoover
• Sumitomo Bank
• Enron
• WorldCom
• Parmalat
Pressures
• Greater transparency
• Better governance
• Better ethical standards
• Need for early warning systems
• Demands for higher quality services
• New legislation
• Systems reform/project management
What Is Risk?
Definition of Risk: The threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies successfully.
Source: The Economist Intelligence Unit
Business Risk Definition 2
The chance of something happening that will have an impact on business objectives.
Source: AUS/NZ Risk Management Standard
Surprises
Any organization that has encountered unwelcome surprises or unexpected losses will realize that most were preventable.
Such events will almost certainly have been caused by risks that were not fully understood, or by inadequate processes to mitigate those events.
Wrong assumptions about risk
• Risk is just something for finance and insurance to worry about
• Risk comes up on the agenda once a year
• Risk management is just another layer of unnecessary bureaucracy
• Risk management is about downside not creation of value
• Risk is a compliance issue
Risk Management
International expectations are now that all organisations should:
• Identify, evaluate and manage their key risks and assess how they are controlled
• Ensure that all aspects of internal control and risk management are regularly reviewed on an appropriate cyclical basis
• Have regular board level reviews of reports on risk management and internal control
Risk Management
And that risk management and internal control should be:
• Embedded in the operations of an organisation
• Capable of responding to the changing risks it faces
• Include procedures for reporting major weaknesses immediately to appropriate levels of management
Risk Management
In the UK all public bodies have been told:
• “…it is important that authorities have arrangements in place for reviewing both the nature and severity of risks… such a review should not just be to “obvious tangible” risks such as arson, vandalism and other damage to property… risk management should be an integral part of an authority’s overall management arrangements.”
Risk Management
It went on to add:
“In order to be successful it is likely that the approach will be cross-departmental and inter-disciplinary and that senior management will demonstrate commitment.”
The AUS/NZ Risk Management Process
• Establish the context
• Identify risks
• Analyse
• Evaluate
• Treat
• Communicate
• Monitor and Review
Risk Identification and evaluation
Types of Risk
• Strategic
• Operational
• Reputation
• Information
• Financial
• People
• Regulatory
Strategic Risks
• Risks that relate to doing the wrong things
Operational Risks
• Risks that relate to doing the right things in the wrong way
Information Risks
• Risks that relate to loss or inaccuracy of data, systems or reported information
Financial Risks
• Risks that relate to losing monetary resources or incurring unacceptable liabilities
People Risks
• The risks associated with Employees and Management
Regulatory Risk
• The Risks related to the regulatory environment
Reputation Risk
• Risks that relate to the organization's brand or image
Inherent and Residual Risk
• Inherent risk = Gross risk before controls/mitigation
• Residual risk = Risk remaining after applying controls
Evaluation and Measurement of Risk
• Risk is measured in terms of consequences (or impact) and likelihood (or probability)
Consequences
• Monetary (% of income or budget)
• Reputation
• Ability to recover
• Effect on Organisation
Insignificant, Minor, Moderate, Major, Catastrophic
Likelihood
• Rare (less than once in 20 years)
• Unlikely (once in 10-20 years)
• Possible (once in 10 years)
• Likely (once in 3 years)
• Almost Certain (once a year)
Questions you need to answer
• What are the worst things that could happen to us?
• How likely are they to happen?
• Are we taking sufficient steps to prevent them?
Risk Matrix
Impact (vertical axis, highest to lowest): Most Severe, Major, Moderate, Minor, Insignificant
Likelihood (horizontal axis, lowest to highest): Rare, Unlikely, Possible, Likely, Almost Certain
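Measurement of Risk: Risk Matrix
Impact of Risk (rows, HIGH at top to LOW at bottom) against Likelihood of Occurrence (columns, Unlikely at left to Likely at right):
HIGH | 6 | 8 | 9 |
     | 3 | 5 | 7 |
LOW  | 1 | 2 | 4 |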
RISK MATRIX (figure: risks numbered 1 to 28 plotted by IMPACT, Low to High, against LIKELIHOOD, Low to High)
Risk Matrix
Cell labels:
• Immediate action needed - serious threat to provision and/or achievement of key services or duties
• Key risks - may potentially affect provision of key services or duties
• Important risks - might potentially affect provision of key services or duties
• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
• Monitor as necessary - ensure being properly managed
• No action necessary
Impact scale:
• Over £5 million OR Questions raised in Parliament
• £2 million - £5 million OR Reported in National Press
• £500,000 - £2 million OR Reported in Local Paper
• £100,000 - £500,000 OR Unacceptable levels of Complaints
• Under £100,000 OR Some complaints from individuals
Likelihood scale:
• Rare - once in 20 years
• Unlikely - once in 10-20 years
• Possible - once in 10 years
• Likely - once in 3 years
• Certain - once a year
Treatment of Risks
How are we going to manage the risks that we have identified down to a level that we can live with?
Risk Treatment
Risk Exposure
Transfer, Reduce, Recover
Insure, Outsource, Control, Loss reduction, Contingency Plans, BCP
Determine Cost
Evaluate
Measure, Manage, Monitor, Report
Action Plans
RISK MAP (figure: risks numbered 1 to 28 plotted by IMPACT, Low to High, against LIKELIHOOD, Low to High)
The Risk Management Process
Risk Management Framework
• Embrace the issue of risk
• Manage not tolerate
• Make it a top down process
• Ensure a positive slant
• Make it the pulse of your organisation
The Risk Management Cycle
Risk Identification
Risk Analysis
Risk Control
Monitoring & Review
Risk Identification Process
• Clarification of Strategic Business Objectives
• Consideration of threats to achievement
• Identification of key risks and opportunities
• Sifting and clustering of output
• Evaluation of risks (by impact and likelihood of occurrence)
• Use of Workshops
Use of Workshops
Workshop Ingredients
ACCURATE ASSESSMENT
RISK And CONTROL EXPERTISE
BUSINESS And PRACTICAL EXPERIENCE
FRAMEWORK And CONTROL
FACILITATOR CHALLENGER
PARTICIPANTS
Typical Agenda for a Workshop
• Introduction
• Discussion of objectives/processes
• Brainstorming of risks
• Categorisation
• Assessment of risks
Risk Mitigation Process
• Evaluation of actions in place to reduce risks
• Identification of risk exposures and latent opportunities
• Assessment of the effect of mitigation
• Development of focussed action plans
• Preparation of a Risk Register
RISK REGISTER
Area of Risk | Inherent Risk per matrix (1-9) | Risk Mitigation Procedures/Controls in place | Residual Risk per matrix | Exposures / Opportunities identified | Actions Planned | KRI