Determining Where Resources Are Most Needed The Concept of Risk.

Date post: 27-Dec-2015
Upload: patience-erika-watkins

Determining Where Resources Are Most Needed

The Concept of Risk

Achieving Impact in Auditing

The Concept of Risk

My early audits:

• Park chair audit.

• Book of remembrance entries.

• Car park income.

What Is Risk?

Does It Really Matter?

“When anyone asks me how I can describe my experience of nearly forty years at sea, I merely say uneventful. Of course there have been winter gales and storms and fog and the like, but in all my experience, I have never been in an accident in any sort worth speaking about. I have seen but one vessel in distress in all my years at sea... I never saw a wreck and have never been wrecked, nor was I ever in any predicament that threatened to end in disaster of any sort”

From a paper presented by EJ Smith, 1907

WHY DOES IT MATTER?

On 14 April 1912, HMS Titanic sank with the loss of 1500 lives.....

One of which was its captain

E J SMITH

IT MATTERS!

But does any of this really matter

NOW?

Risk Management Casualties

• Barings

• BCCI

• Hoover

• Sumitomo Bank

• Enron

• WorldCom

• Parmalat

Pressures

• Greater transparency

• Better governance

• Better ethical standards

• Need for early warning systems

• Demands for higher quality services

• New legislation

• Systems reform/project management

What Is Risk?

Definition of Risk: The threat that an event or action will adversely affect an organisation's ability to achieve its business objectives and execute its strategies successfully.

Source: The Economist Intelligence Unit

Business Risk Definition 2

The chance of something happening that will have an impact on business objectives.

Source: Aus/NZ Risk Mgt Standard

Surprises

Any organization that has encountered unwelcome surprises or unexpected losses will realize that most were preventable.

Such events will almost certainly have been caused by risks that were not fully understood, or by the processes to mitigate those events being inadequate.

Wrong assumptions about risk

• Risk is just something for finance and insurance to worry about

• Risk comes up on the agenda once a year

• Risk management is just another layer of unnecessary bureaucracy

• Risk management is about downside not creation of value

• Risk is a compliance issue

Risk Management

International expectations are now that all organisations should:

• Identify, evaluate and manage their key risks and assess how they are controlled

• Ensure that all aspects of internal control and risk management are regularly reviewed on an appropriate cyclical basis

• Have regular board level reviews of reports on risk management and internal control

Risk Management

And that risk management and internal control should be:

• Embedded in the operations of an organisation

• Capable of responding to the changing risks it faces

• Include procedures for reporting major weaknesses immediately to appropriate levels of management

Risk Management

In the UK all public bodies have been told:

• “…it is important that authorities have arrangements in place for reviewing both the nature and severity of risks…such a review should not just be to “obvious tangible” risks such as arson, vandalism and other damage to property..risk management should be an integral part of an authority’s overall management arrangements.”

Risk Management

It went on to add:

“In order to be successful it is likely that the approach will be cross-departmental and inter-disciplinary and that senior management will demonstrate commitment.”

The AUS/NZ Risk Management Process

• Establish the context

• Identify risks

• Analyse

• Evaluate

• Treat

• Communicate

• Monitor and Review

Risk Identification and evaluation

Types of Risk

• Strategic

• Operational

• Reputation

• Information

• Financial

• People

• Regulatory

Strategic Risks

• Risks that relate to doing the wrong things

Operational Risks

• Risks that relate to doing the right things in the wrong way

Information Risks

• Risks that relate to loss or inaccuracy of data, systems or reported information

Financial Risks

• Risks that relate to losing monetary resources or incurring unacceptable liabilities

People Risks

• The risks associated with Employees and Management

Regulatory Risk

• The Risks related to the regulatory environment

Reputation Risk

• Risks that relate to the organization's brand or image

Inherent and Residual Risk

• Inherent risk = Gross risk before controls/mitigation

• Residual risk = Risk remaining after applying controls

Evaluation and Measurement of Risk

• Risk is measured in terms of consequences (or impact) and likelihood (or probability)

Consequences

• Monetary (% of income or budget)

• Reputation

• Ability to recover

• Effect on Organisation

Insignificant, Minor, Moderate, Major, Catastrophic

Likelihood

• Rare (less than once in 20 years)

• Unlikely (once in 10-20 years)

• Possible (once in 10 years)

• Likely (once in 3 years)

• Almost Certain (once a year)

Questions you need to answer

• What are the worst things that could happen to us?

• How likely are they to happen?

• Are we taking sufficient steps to prevent them?

Risk Matrix (figure)

Impact axis: Insignificant, Minor, Moderate, Major, Most Severe

Likelihood axis: Rare, Unlikely, Possible, Likely, Almost Certain

Measurement of Risk: Risk Matrix

Rows run from HIGH impact of risk (top) to LOW (bottom); columns run from Unlikely (left) to Likely (right) likelihood of occurrence.

6 8 9

3 5 7

1 2 4

RISK MATRIX (figure): risks numbered 1 to 28 plotted by IMPACT (High to Low) against LIKELIHOOD (HIGH to LOW).

Risk Matrix

Cell labels:

• Important risks - might potentially affect provision of key services or duties

• Key risk - may potentially affect provision of key services or duties

• Immediate action needed - serious threat to provision and/or achievement of key services or duties

• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties

• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties

• Key risks - may potentially affect provision of key services or duties

• No action necessary

• Monitor as necessary - ensure being properly managed

• Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties

Impact scale:

• Over £5 million OR Questions raised in Parliament

• £2 million - £5 million OR Reported in National Press

• £500,000 - £2 million OR Reported in Local Paper

• £100,000 - £500,000 OR Unacceptable levels of Complaints

• Under £100,000 OR Some complaints from individuals

Likelihood scale:

• Rare - once in 20 years

• Unlikely - once in 10-20 years

• Possible - once in 10 years

• Likely - once in 3 years

• Certain - once a year

Treatment of Risks

How are we going to manage the risks that we have identified down to a level that we can live with?

Risk Treatment (diagram)

Risk Exposure

• Transfer: Insure, Outsource

• Reduce: Control, Loss reduction

• Recover: Contingency Plans, BCP

Determine Cost

Evaluate

Action Plans

Measure, Manage, Monitor, Report

RISK MAP (figure): risks numbered 1 to 28 plotted by IMPACT (High to Low) against LIKELIHOOD (HIGH to LOW).

The Risk Management Process

Risk Management Framework

• Embrace the issue of risk

• Manage not tolerate

• Make it a top down process

• Ensure a positive slant

• Make it the pulse of your organisation

The Risk Management Cycle

Risk Identification

Risk Analysis

Risk Control

Monitoring & Review

Risk Identification Process

• Clarification of Strategic Business Objectives

• Consideration of threats to achievement

• Identification of key risks and opportunities

• Sifting and clustering of output

• Evaluation of risks (by impact and likelihood of occurrence)

• Use of Workshops

Use of Workshops

Workshop Ingredients

ACCURATE ASSESSMENT

RISK And CONTROL EXPERTISE

BUSINESS And PRACTICAL EXPERIENCE

FRAMEWORK And CONTROL

FACILITATOR CHALLENGER

PARTICIPANTS

Typical Agenda for a Workshop

• Introduction

• Discussion of objectives/processes

• Brainstorming of risks

• Categorisation

• Assessment of risks

Risk Mitigation Process

• Evaluation of actions in place to reduce risks

• Identification of risk exposures and latent opportunities

• Assessment of the effect of mitigation

• Development of focussed action plans

• Preparation of a Risk Register

RISK REGISTER

Columns:

• Area of Risk

• Inherent Risk per matrix

• Risk Mitigation Procedures/Controls in place

• Residual Risk per matrix

• Exposures / Opportunities identified

• Actions Planned

• KRI

Risk per matrix: (1-9)

