Creating Value Through Enterprise Risk Management Presented by Peter Moore

Risk Point

NATIONAL CONFERENCE & EXHIBITION 2014

Platinum Sponsor

Silver Sponsor Bronze SponsorRisk Manager of the Year

Award Sponsor

Conference and Exhibition Partners

Overview

• Barriers to success in creating value

• Risk management frameworks

• Risk appetite and risk tolerance

• Integrating risk management

• Summary and close

1. Barriers to Success in Creating Value

• Barriers to success in creating value:• Poor/ incorrect use of language

• Poorly designed frameworks

• Poor risk assessment techniques

• Risk versus fact analysis

• Lack of engagement and commitment within the enterprise

• Over complexity in design of risk management frameworks and systems

• Focus on process outcomes rather than decision support and resource allocation

2. Risk Management Frameworks• Keep it simple unless complexity is required due to the nature or size

of the organisation

• Take into consideration how the framework integrates risk management into the business

• Make it intuitive so it “looks like the business”

Risk Area Framework

• Provides focus on the organisation, what it does and how it does it

• Internal processes and externalities (internal and external context)

Area of Business

Service Delivery

Financial

Human Resources

Sales – Marketing/ Business Development

IT/ Technological

Commercial/ Legal

Occupational Health & Safety

Compliance

Management

Political/ Economic

Competition

Risk Area Framework

• If more detailed structure required, sub areas or categories may be appropriate

Area of Business

Financial Payroll

Debtors/ creditors

Treasury

Human Resources Recruitment

Remuneration/ retention

Training and management

IT/ Technological IT assets

Information assets

Information security

Risk Types - Compliance/ BusinessStrategic/ Operational

• Creates distinction between compliance risks and business risks which integrates into risk appetite and risk tolerance and corporate governance

• Provides clarity on strategic risks (involving board) and operational risks which integrate into management processes and business planning

• Allows risks to be considered in context and increases clarity in analysis

Risk Type

Compliance

Business

Risk Type

Strategic

Operational

Align the Framework to the Business

• What business are we in?

• What is it that we do?

• What are our objectives and what are we trying to achieve?

• From a risk management perspective these questions provide alignment with the business and provide one of the keys to integrating risk management and creating value

Risk Identification Techniques

• Risk identification techniques and risk statements

• Root cause analysis technique1

Risk

Cause

Root Cause

1.IEC/ISO 31010:2009 Risk management – Risk assessment techniques

Risk Identification Techniques

• Risk identification techniques and risk statements

• Root cause analysis technique1

Risk

Cause

Root Cause

1,IEC/ISO 31010:2009 Risk management – Risk assessment techniques

Business Objectives

Risk Identification Techniques

• Risk identification techniques and risk statements

• Cause-and-effect analysis technique2

• Not statements of fact

Cause Risk Effect

2. IEC/ISO 31010:2009 Risk management – Risk assessment techniques

Discussion

3. Risk Appetite and Risk Tolerance

• Clarity is required on use of language

• Definitions are not included in AS/NZS ISO 31000 (need to refer to ISO Guide 73)

• Context needs to be applied

• Failure to follow above will lead to confusion

• Allows appropriate decisions to be made with regard to risk

Risk Appetite and Risk Tolerance

Risk appetite

“Amount and type of risk that an organization is willing to pursue or retain”3

Risk tolerance

“Organization’s or stakeholder’s readiness to bear the risk after treatment in order to achieve its objectives” 4

3,4. ISO Guide 73 Risk management - Vocabulary

Risk Appetite –ASX Corporate Governance Principles

Principle 1: Lay solid foundations for management and oversight

Recommendation 1.1 – Commentary

“Usually the board of a listed entity will be responsible for:

• Ensuring that the entity has in place an appropriate risk management framework and setting the risk appetite within which board expects management to operate”5

5. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014

Risk Appetite –ASX Corporate Governance Principles

Principle 7: Recognise and manage risk

Commentary

“The board of a listed entity is ultimately responsible for deciding the nature and extent of the risks it is prepared to take to meet its objectives.

To enable the board to do this, the entity must have an appropriate framework to identify and manage risk on an ongoing basis. It is the role of management to design and implement that framework and to ensure that the entity operates within the risk appetite set by the board. It is the role of the board to the risk appetite for the entity,…..”6

6. Corporate Governance Principles and Recommendations. 3rd Edition ASX Corporate Governance Council, 2014

Risk Appetite –Commonwealth Risk Management Policy

Element One – Establishing a risk management policy

“13.1 An entity must establish and maintain an entity specific risk management policy that:

a….

b. defines the entity’s risk appetite and risk tolerance”7

7. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014

Risk Appetite –Commonwealth Risk Management Policy

Element Three – Defining responsibility for managing risk

“15.1 Within the risk management policy, the accountable authority of an entity mustdefine the responsibility for managing risk by:

a. defining who is responsible for determining an entity’s appetite and tolerance for risk”8

8. Commonwealth Risk Management Policy. Australian Government Department of Finance., 2014

Setting Risk Tolerance• Thresholds for tolerability are established for compliance risk (non negotiable, must manage to defined

levels)

• Policy settings can be used to establish tolerance levels for compliance risk (e.g., risk level “Low” score no greater than 4)

RISK MATRIX

Likelihood Consequence

1

Insignificant

2

Minor

3

Moderate

4

Major

5

Severe

5 Almost Certain M H H VH VH

4 Likely M M H H VH

3 Possible L M H H H

2 Unlikely L L M M H

1 Rare L L M M H

Setting Risk Appetite• Must be established in accordance with preparedness to take commercial, or business risks in order to

achieve objectives

• Is different in different parts of the business (e.g. “High” score 9/ High score 16)

• Provides a feedback loop to strategy setting (are we likely to achieve the positive outcomes and returns for the potential adverse threats in pursuing the strategy?)

RISK MATRIX

Likelihood Consequence

1

Insignificant

2

Minor

3

Moderate

4

Major

5

Severe

5 Almost Certain M H H VH VH

4 Likely M M H H VH

3 Possible L M H H H

2 Unlikely L L M M H

1 Rare L L M M H

Business process or function A

Business process or function B

Setting Risk Appetite and Risk Tolerance

Discussion

4. Integrating Risk Management

• Draws upon a sound risk management framework

• Incorporates risk appetite and risk tolerance settings

• Links risk management to strategic planning

• Links risk management to corporate governance

• Techniques for determining what risk management and risk treatment activities (to manage risks to acceptable levels) are part of the job

• A mechanism for making risk management “part of the business”

• Accountabilities and responsibilities defined

• Establishing Key Risk Indicators (KRI’s)

Risk Management Task Integration

• A method of determining which risk management activities (e.g., development of risk treatment plans) are part of the job

• Assists in determining what’s important, what’s urgent and what’s not

• Assists in resource allocation and decision making

• Creates value through better decision making and better business outcomes

Accountability

• Accountabilities need to be assigned for:• Risks

• Control development and assurance

• Risk treatment actions and plans

• Reporting on risk management activities

Key Risk Indicators (KRI’S)

• Identify what aspect of the business needs to be measured and monitored

• Develop sources of data around activities which influence or impact risks and risk levels

• Develop metrics for measurement

• Assign ownership (as critical as risk ownership)

• Measure movements in KRI’s

• Take action where KRI’s move beyond tolerable levels

Key Risk Indicators (KRI’S)

• Note: These indicators would be used to assist reviewing a business risk such as, “failure to meet sales targets resulting inimpact on revenue objectives”.

• Leading indicators• A predictive indicator which provides insights into the likelihood of a risk materialising:

• Reduced business opportunity pipeline/ sales conversion ratio

• Lagging indicators• An outcome indicator which provides insight into the frequency and impact of a risk materialising:

• Lower sales to date from budget

KRI Monitoring – Qualitative AssessmentRAGAR Model8

Score

Time

Baseline

Out of tolerance –take action

Borderline –may require investigation

Within tolerance- no action required

8. Adapted from Smart, A., and Creelman, J., Risk-Based Performance Management, 2013

Discussion

Summary and Close

• Learnings

• New developments

• Next steps

Thank you.

NATIONAL CONFERENCE & EXHIBITION 2014

Platinum Sponsor

Silver Sponsor Bronze SponsorRisk Manager of the Year

Award Sponsor

Conference and Exhibition Partners