Presentation 3: Applying Risk: Key Risk Management Tools Andrew Graham School of Policy Studies Queen’s University Kingston, Canada Workshop on Risk and Enterprise Risk Management Southern Africa Development Community April, 2014 Gaborone, Botswana



Section 1: Risk Ranking and Risk Tolerance

Establish the Context

• Consider the outcomes you want to achieve in your activity

• Consider the environment in which your organization operates

• Identify internal and external stakeholders

• Develop risk evaluation criteria.

For example, you may decide that one criterion for deciding whether a risk is acceptable or not is that the cost of managing the risk must be less than the financial loss if the risk occurred.

Understand Your Control Environment

• Most organizations already have many controls for risks – know what they are and how they are working for you.

• Remember that existing safeguards and levels of preparedness can deteriorate over time.

• Circumstances can change

• People can change, taking valuable expertise with them

• Key role for corporate support functions and Internal Audit in making an organization's total control framework

Identify Risks

• Select the best methods to identify potential risks

• Examine all sources of possible risks

• Identify all potential risks whether they are random, internal or external to the organization

• Examine each risk from the perspective of both internal and external stakeholders.

Possible Sources of Risks

• human behaviour

• technology and technical issues

• occupational health and safety

• legal

• political

• property and equipment

• environmental

• financial/market

• natural events.

This list is exemplary not definitive – you have to figure out the label on the ‘elephant in the room’.

Internal Methods of Identifying Risks

• Establish a responsible office for the process, e.g., Internal Audit or Risk Group.

• Examine the results of personal, local or international experience.

• Arrange interviews and discussions with stakeholders.

• Distribute surveys and questionnaires to stakeholders.

• Conduct audits and physical inspections.

• Directly observe the activity.

• Analyze specific scenarios.

External Methods of Identifying Risks

• Employ professional consultants, e.g. lawyers, accountants and workplace health and safety officers.

• Engage external consultation groups.

• Employ industry specialists, e.g. marketers, business consultants and risk consultants.

• Consult associated professional organizations.

• Conduct your own research using industry publications, newspapers and insurance tables.

Some Good Questions to Ask

• What are the best methods to identify risks which are likely to occur in this activity?

• Who should I consult to assist me in identifying risks?

• What sources of risk are relevant to this activity?

• What risks are likely to occur?

• Are the risks internal, external or random?

• What would be the perspective of both internal and external stakeholders on these risks?

Analyze the Risks

• Evaluate the likelihood of a risk occurring, according to the ratings you use.

• Evaluate the consequences if the incident occurred, according to the ratings.

• Calculate the level of risk by finding the intersection between the likelihood and the consequences.

Example of a Risk Management Model for Decision-Making

[Figure: 3 × 3 decision matrix; an arrow across the grid is labelled "Increasing Management Focus". Cells, row by row:]

Considerable management required | Must manage and monitor risks | Extensive management essential

Risks may be worth accepting with monitoring | Management effort worthwhile | Management effort required

Accept risks | Accept, but monitor risks | Manage and monitor risks

Consider Risk Velocity as well as Traditional Axes of Impact and Likelihood

Risk Prioritization Matrix Incorporating Risk Velocity

Impact—What is the maximum damage this risk could cause?

Probability—How likely is this risk to materialize?

Speed—At what speed will this risk impact the organization?

RISK A—High Severity and Likelihood but Low Speed of Onset

Increased employee attrition will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize across the course of the next 18 months.

RISK B—High Severity and Likelihood and High Speed of Onset

A new competitor will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize within the next two months when the new competitor begins trading.

Source: Deloitte; Risk Integration Strategy Council Research.

Evaluating and Setting Risk Tolerances

You must start by determining:

• the importance of the activity you are risk managing and its outcomes

• the degree of control you have over the risk

• the potential and actual losses which may arise from the risk

• the benefits and opportunities presented by the risk.

You may decide that a risk is acceptable because:

• the risk level is so low that it does not warrant spending time and money to treat it

• the risk level is low and the benefits presented by the risk outweigh the cost of treating it

• the opportunities presented by the risk are much greater than the threats.

Accepting Risk

Make sure that your list of acceptable risks is confirmed by others. An acceptable risk is omitted from the risk treatment process, but others may feel that a specific risk is unacceptable and therefore needs to be treated.

Hierarchy of Risk Control Measures

[Figure: scale running from "Low Management Effort" to "High Management Effort", with the following control measures:]

• Avoid – eliminate risk

• Substitute – change to a less risky alternative

• Isolate – separate risk from impacted group

• Reduce – amount of exposure

• Protect – provide controls


How Does It Work?

Risk Tolerances Filter

Risk Analysis and Management Toolkit Risk Tolerances

Risk Tolerances

• Setting tolerances involves a mix of qualitative and quantitative measures

• Not always straightforward

• It takes experimentation and time

• Issue of how public they are is important

• Equally important is how politically sensitive they are: is there a tolerable murder rate? Wrong tolerance!

TYPICAL RISK TOLERANCE GRID

Risk area: Employee confidence

• 5 Worst Case: Widespread departures of key staff with scarce skills or knowledge.

• 4 Severe: Sharp, sustained drop in employee survey results; departures of key staff with scarce skills or knowledge.

• 3 Major: Sharp decline in employee survey results; sharp increase in grievances.

• 2 Moderate: Modest decline in employee survey results; modest increase in grievances.

• 1 Minor: Less than planned improvements in employee survey results.

SEVERITY RISES

WHEN DO YOU ACT AND HOW?

Section 2: Building an Effective Risk Culture

The Relevance of Culture in Applying Risk

• The culture of a group arises from the repeated behaviour of its members.

• The behaviour of the group and its constituent individuals is shaped by their underlying attitudes.

• Both behaviour and attitudes are influenced by the prevailing culture of the group.

You cannot understand, identify, analyze, prioritize and effectively manage risk without a culture that enables it.

What Does an Effective Risk Culture Look Like?

• A distinct and consistent tone from the top from the board and senior management in respect of risk taking and avoidance (and also consideration of tone at all levels).

• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.


• A common acceptance through the organisation of the importance of continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.

• Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear of blame.

• Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.


• No process or activity too large or too complex or too obscure for the risks to be readily understood.

• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned.

• Risk management skills and knowledge valued, encouraged and developed, with a properly resourced risk management function and widespread membership of and support for professional bodies.


• Professional qualifications supported as well as technical training.

• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged.

• Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in hand.

Section 3: Eleven Tough Questions on Risk Control and Management

Risk tolerance and zero tolerance

Risk Assessment and Vulnerability Analysis

Open Issues and Questions

How accurately can experts estimate the likelihood and consequences of disasters of hurricanes of different magnitudes and intensities?

Can one characterize the types of uncertainties that currently exist in assessing risk, and suggest ways to improve these estimates in the future?

What are the expected costs and benefits of undertaking specific risk-reducing measures in hurricane-prone areas, and can one rank them on the basis of cost effectiveness?

What are the interdependencies in the system (e.g. infrastructure damage affecting supply of electricity, water, telephone/telecommunications, and other services to residences and businesses)?

How do these interdependencies affect the direct and indirect losses that would result from a future natural disaster?
