Enterprise Risk Management Tools & Techniques
January 12, 2011
Cathy Taylor, ADP
Emerissa Babin, OPG
Michelle Reid, TSSA

Today’s Objectives
1. Share
2. Enable

Agenda
• Establish context
• Risk identification
• Risk analysis and evaluation
• Risk treatment
• Monitoring and review
• Communication and reporting

Establish Context
• Define environment within which risk will be managed
• Ensures risk management approach is appropriate
• Considerations include:
    • Public or private
    • Publicly traded or nonprofit
    • Organizational structure
    • Tone at the top
    • Organizational culture
    • How are decisions made?

Corporate Risk Management (CRM) Organization
[Organization chart; boxes in the order shown:]
• President & CEO
• Chief Financial Officer
• Chief Risk Officer & SVP Corporate Bus Development
• Director Project Risk Management
• Project Risk Management
• Director ERM & CPRM
• Enterprise Risk Management (ERM)
• Corporate Portfolio Risk Management

Oversight of Strategic, Financial, Operational & Transactional Risks
• Risk Reports to Board Committees
• Risks to Business Plan Objectives (BURSA)
• MD&A Risk Management, AIF Risk Factors

[Roles diagram:]
BOARD / EXECUTIVE: Set Policy; Support & Set the Tone; Monitor Risk Reporting
RISK MANAGEMENT TEAM: Build RM Capability, Process & Tools
ALL DEPARTMENTS: Risk Ownership (identification, assessment, treatment, monitoring & reporting)
Also on the diagram: Framework Performance Management; Set Risk Appetite; Advice, Coaching & Support; Monitor & report program; Set Assurance Agenda; Assure Stakeholders; Define ERM & Governance Expectations

Purpose
The Enterprise Risk Management Framework is intended to provide guidance to ……. relative to the development and implementation of an enterprise risk management program.

Scope
The enterprise risk management framework is relevant to all …. activities, its employees and Board of Directors, and resultant business decisions and is to be applied at every level of the organization.

Commitment and Mandate
…. is committed to maintaining a program that ensures risk management is an integral part of all ….. activities and a core capability. ….. will identify, assess, manage and monitor its enterprise risks in support of its mission and vision, objectives and priorities, as set out in the strategic plan.

Policy Statement
Committed to continually improve the

Risk Identification
• Gather and document risks that could impact achievement of objectives
• Common techniques include:
    • Surveys
    • Workshops
    • Management interviews
    • Environment scans
    • SWOT analysis
    • Results of audits

Risk Assessment Questionnaire
Future discussions on the organization’s risk profile will be framed and will focus on the following questions:
1. What are the key objectives of your department / program area / function?
2. Which business objectives / performance targets do your initiatives specifically support?
3. What could inhibit achievement of your department / program area / function objectives?
4. How does the business system support or inhibit your ability to achieve your objectives?
5. Are there any processes that inhibit your ability to meet your objectives (i.e. process inefficiencies)?
6. How quickly could these factors impact your objectives (e.g. within quarter, fiscal year, forecast period, strat plan period)?
7. [Using an influence diagram if necessary] how could these factors impact your objectives?
8. What could you do to avoid these factors or minimize their impact on your objective?

Results of Internal Audit of Compliance with Expense Policy

| Business Rule | Observations | Risk / Impact | Recommendation | Management Response |
|---|---|---|---|---|
| Reimbursable items are supported by proper documentation (i.e. original, itemized receipts noting HST). | During the course of our audit we found evidence that: | | | |

[Diagram: Corporate Objectives / Priorities; Key Initiatives to Achieve Objectives; Significant RISKS & OPPORTUNITIES impacting achievement of objectives; Significant RISKS & OPPORTUNITIES impacting achievement of initiatives; Risk Mitigation & Opportunity Optimization Activities; Targets, KPI’s, KRI’s; Assess & Report Performance Against Targets]

Risk Analysis and Evaluation
• Understand the risk, its causes, the likelihood of occurrence, potential impact, and the organization’s appetite and/or tolerance for the risk
• Common tools include:
    • Root cause analysis
    • Risk assessment criteria
    • Risk appetite matrix
    • Risk tolerance

Risk Statements
Important to express a risk in such a way that it can be effectively understood and addressed.
Components: Event, Cause & Effect
Example:
• Financial loss due to default by Clients in funding of processed payroll.
• Inability to obtain adequate (quality/quantity) expat labour supply due to negative perceptions about project location results in increased construction costs
Bad Risk Statements:
• Budget cuts
• Company delays all IT investments
• Fires

Quantitative assessment

| Probability | Financial Impact |
|---|---|
| Improbable (<10%) | Minimal (<$5M) |
| Unlikely (10% - 30%) | Minor ($5M - $50M) |
| Possible (30% - 70%) | Notable ($50M - $200M) |
| Likely (70% - 90%) | Substantial ($200M - $500M) |
| Probable (>90%) | Major (>$500M) |

Qualitative Assessment
• Manageability: The degree to which the outcome of a risk is controllable through the risk treatment/mitigation actions.
• Stakeholder Sensitivity: The extent of the reaction of external stakeholders (public, shareholder, regulator, etc.) to the risk or how tolerant the stakeholders are of the risk; and what their expectations are for managing the risk.
• Urgency: The promptness needed to implement mitigation for a risk in order for it to be effective. This criterion refers to how pressing the need is for mitigation as opposed to the imminence of the risk itself.

| Likelihood | Description |
|---|---|
| 1 | The event may occur within the next three to five years or within the strategic planning period |
| 2 | The event may occur within the next twenty-four months or within the forecast period |
| 3 | The event may occur within twelve months or within the current fiscal year |
| 4 | The event may occur within three months or in the current quarter |

| Impact | Definition | Description | Example |
|---|---|---|---|
| 1 | Opportunity | The company will exceed its objectives and balanced scorecard targets | The company will exceed its revenue and net margin objectives. The company has the opportunity to invest in and/or reassign employees to critical risks or areas of the business. |
| 2 | Negligible | The event will not impede the company’s ability to meet its business plan objectives and associated balanced scorecard targets | The company will meet its revenue and net margin objectives. |
| 3 | Moderate | Some elements of the business objectives and associated balanced scorecard targets will be delayed or not achieved, as a result of the realization or occurrence of the event | The company will not meet its revenue target but may through expense reduction meet net margin targets |
| 4 | Critical | The company will not meet its business plan objectives and associated balanced scorecard targets, as a result of the realization or occurrence of the event | The company will not meet critical or material elements of its revenue and/or net margin targets |

| Risk Appetite Level | Definition |
|---|---|
| High risk appetite (1) | The company is willing to accept risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets. |
| Moderate risk appetite (2) | The company is willing to accept some risks that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets. |
| Low risk appetite (3) | The company is willing to accept some risks in certain circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets. |
| Zero risk appetite (4) | The company is not willing to accept any risks under any circumstances that may negatively impact achievement of its strategic priorities, business plan objectives and associated balanced scorecard targets. |

Risk Treatment
• Select and implement options to modify risk
• Typical risk treatment concepts include:
    • Avoid risk (cancel product line, sell business unit)
    • Transfer risk (out-source function or enter contract to transfer risk)
    • Control risk (change process, training, etc)
    • Fund risk (insurance)

TOO MUCH CONTROL so:
A - removing procedure
B - reduce insurance costs/increase insurance deductible

[Figure: RISK MATRIX of LIKELIHOOD RATING (A to E) against SEVERITY RATING (1 to 5), cells rated L, M or H, with Risk 1 (Inherent) and Risk 1 (Residual) marked.]

Risk | Likelihood | Impact | Risk Score | Risk Appetite | Strategy | Lead | Actions | Status | Target

Monitor and Review
• Periodic monitoring of risk treatment plans and influence on risks
• Ensure treatment plans exist
• Ensure they are effective
• Obtain additional info for further assessment
• Identify emerging risks
• Most common tool or technique is audit

Risk based Audit program – which risk to audit?
[Figure: RISK MATRIX of LIKELIHOOD RATING (A to E) against SEVERITY RATING (1 to 5), cells rated L, M or H, with Risk 1 (Inherent), Risk 1 (Residual), Risk 2 (Inherent) and Risk 2 (Residual) marked.]

Communication and Reporting
• Create awareness, facilitate understanding, foster adoption / engagement
• Governance or legislative requirements

Rank the Relative Risk of 30 Activities / Technologies with "1" being the highest risk & "30" being the lowest risk
Columns to fill in for each item: Me, Public*, Experts*
• Alcoholic Beverages
• Bicycles
• Commercial Aviation
• Contraceptives
• Electrical Power (non-nuclear)
• Firefighting
• Food Colouring
• Food Preservatives
• Handguns
• Highschool/College Football
• Home Appliances
• Hunting
• Large Construction
• Motor Vehicles
• Motorcycles
• Mountain Climbing
• Nuclear Power
• Pesticides
• Police Work
• Power Mowers
• Prescription Antibiotics
• Private Aviation
• Railroads
• Skiing
• Smoking
• Spray Cans
• Surgery
• Swimming
• Vaccinations
• X-rays
* source - study by Dr. Paul Slovic, Decision Research, Eugene Oregon

Questions?

Announcements
• CE Certificates
• RIMS ERM Centre of Excellence
• New RIMS logo
• Curling bonspiel – February 8, 2011
• One-day Conference – March 9, 2011
• Volunteer

Thank you!