presentation 3: applying risk: key risk management tools
DESCRIPTION
Presentation 3: Applying Risk: Key Risk Management Tools. Andrew Graham School of Policy Studies Queen’s University Kingston, Canada. Workshop on Risk and Enterprise Risk Management Southern Africa Development Community April, 2014 Gaborone, Botswana. - PowerPoint PPT PresentationTRANSCRIPT
Presentation 3: Applying Risk: Key Risk Management ToolsAndrew GrahamSchool of Policy StudiesQueen’s UniversityKingston, Canada
Workshop on Risk and Enterprise Risk
ManagementSouthern Africa
Development CommunityApril, 2014
Gaborone, Botswana
Section 1: Risk Ranking and Risk Tolerance
Establish the Context
• Consider the outcomes you want to achieve in your activity
• Consider the environment in which your organization operates
• Identify internal and external stakeholders• Develop risk evaluation criteria.
For example, you may decide that one criterion for deciding whether a risk is acceptable or not is that the cost of managing the risk must be less than the financial loss if the risk occurred.
Understand Your Control Environment
• Most organizations already have many controls for risks – know what they are and how they are working for you.
• Remember that existing safeguards and levels of preparedness can deteriorate over time.
• Circumstances can change• People can change, taking valuable expertise with
them• Key role for corporate support functions and
Internal Audit in making an organizations total control framework
Identify Risks
• Select the best methods to identify potential risks
• Examine all sources of possible risks• Identify all potential risks whether they
are random, internal or external to the organization
• Examine each risk from the perspective of both internal and external stakeholders.
Possible Sources of Risks
• human behaviour• technology and technical
issues• occupational health and
safety• legal• political• property and equipment• environmental• financial/market• natural events.
This list is exemplary not definitive – you
have to figure out the label on the ‘elephant in the
room’.
Internal Methods of Identifying Risks
• Establish responsible office for process, e.g., Internal Audit or Risk Group,
• Examine the results of personal, local or international experience.
• Arrange interviews and discussions with stakeholders.
• Distribute surveys and questionnaires to stakeholders.
• Conduct audits and physical inspections.• Directly observe the activity.• Analyze specific scenarios.
External Methods of Identifying Risks
• Employ professional consultants, e.g. lawyers, accounts and workplace health and safety officers.
• Engage external consultations groups• Employ industry specialists, e.g. marketers,
business consultants and risk consultants.• Consult associated professional organizations.• Conduct your own research using industry
publications, newspapers and insurance tables.
Some Good Questions to Ask
• What are the best methods to identify risks which are likely to occur in this activity?
• Who should I consult to assist me in identifying risks?
• What sources of risk are relevant to this activity?• What risks are likely to occur?• Are the risks internal, external or random?• What would be the perspective of both internal
and external stakeholders on these risks?
Analyze the Risks
• Evaluate the likelihood of a risk occurring, according to the ratings you use.
• Evaluate the consequences if the incident occurred, according to the ratings.
• Calculate the level of risk by finding the intersection between the likelihood and the consequences.
Example of a Risk Management Model for Decision-Making
Considerable
management required
Must manage and
monitor risks
Extensive management essential
Risks may be worth accepting
with monitoring
Management effort
worthwhile
Management effort
required
Accept risksAccept, but
monitor risks
Manage and monitor
risksIncreasing
Management
Focus
Consider Risk Velocity as well as Traditional Axes of Impact and Likelihood
Risk Prioritization Matrix Incorporating Risk Velocity
Impact—What is the maximum damage this risk could cause?
Probability—How likely is this risk to materialize?
Speed—At what speed will this risk impact the organization?
RISK A—High Severity and Likelihood but Low Speed of Onset
Increased employee attrition will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize across the course of the next 18
months.
RISK B—High Severity and Likelihood and High Speed of Onset
A new competitor will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize within the next two months when the new competitor begins trading.
Source: Deloitte; Risk Integration Strategy Council Research..
Evaluating and Setting Risk Tolerances
You must start be determining: • the importance of the activity you are risk
managing and its outcomes• the degree of control you have over the
risk• the potential and actual losses which may
arise from the risk• the benefits and opportunities presented
by the risk.
You may decide that a risk is acceptable because:• the risk level is so low that it does not warrant spending time and money to treat it• the risk level is low and the benefits presented by the risk outweigh the cost of treating it• the opportunities presented by the risk are much greater than the threats.
Accepting Risk
Make sure that your list of acceptable risks is confirmed by others. An acceptable risk is omitted from the risk treatment
process but others may feel that a specific risk is unacceptable and therefore, needs to be treated.
Hierarchy of Risk Control Measures
Low Management Effort High Management Effort
Avoid – eliminate
risk
Substitute – change to a less
risky alternative
Isolate – separate risk from impacted
group
Reduce – amount of exposure
Protect – provide controls
17
How Does It Work?Risk
Tolerances Filter
Risk Analysis and Management ToolkitRisk Tolerances
Risk Tolerances• Setting tolerances involves a mix of qualitative and quantitative measures•Not always straightforward•It takes experimentation and time•Issue of how public they are is important•Equally important is how politically sensitive they are: is there a tolerable murder rate? Wrong tolerance!
5Worst Case
4Severe
3Major
2Moderat
e
1Minor
TYPCIAL RISK TOLERANCE
GRID
Risk Analysis and Management Toolkit Risk Tolerances
Employee confidence
Widespread departures of key staff with scarce skills or knowledge.
Sharp, sustained drop in employee survey results; departures of key staff with scarce skills or knowledge.
Sharp decline in employee survey results; sharp increase in grievances.
Modest decline in employee survey results; modest increase in grievances.
Less than planned improvements in employee survey results.
SEVERITY RISES
WHEN DO YOU ACT AND HOW?
Section 2: Building an Effective Risk Culture
The Relevance of Culture in Applying Risk
• The culture of a group arises from the repeated behaviour of its members.• The behaviour of the group and its constituent individuals is shaped by their underlying attitudes.• Both behaviour and attitudes are influenced by the prevailing culture of the group.
You cannot understand, identify, analyze, prioritize and effectively manage risk without a
culture than enables it.
What Does an Effective Risk Culture Look Like?
• A distinct and consistent tone from the top from the board and senior management in respect of risk taking and avoidance (and also consideration of tone at all levels).
• A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.
What Does an Effective Risk Culture Look Like?
• A common acceptance through the organisation of the importance of continuous management of risk, including clear accountability for and ownership of specific risks and risk areas.
• Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear of blame.
• Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.
What Does an Effective Risk Culture Look Like?
• No process or activity too large or too complex or too obscure for the risks to be readily understood.
• Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned.
• Risk management skills and knowledge valued, encouraged and developed, with a properly resourced risk management function and widespread membership of and support for professional bodies.
What Does an Effective Risk Culture Look Like?
• Professional qualifications supported as well as technical training.
• Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged.
• Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in hand.
Section 3: Eleven Tough Questions on Risk Control and Management
Risk tolerance and zero tolerance
Risk Assessment and Vulnerability AnalysisOpen Issues and Questions
How accurately can experts estimate the likelihood and consequences of disasters of hurricanes of different magnitudes and intensities?
Can one characterize the types of uncertainties that currently exist in assessing risk, and suggest ways to improve these estimates in the future?
What are the expected costs and benefits of undertaking specific risk-reducing measures in hurricane-prone areas, and can one rank them on the basis of cost effectiveness?
What are the interdependencies in the system (e.g. infrastructure damage affecting supply of electricity, water, telephone/telecommunications, and other services to residences and businesses)?
How do these interdependencies affect the direct and indirect losses that would result from a future natural disaster?
34