Training Course by Peter Roberts

Risk management and
Investigation
Peter Roberts
peroberts@csu.edu.au
Session Overview
1 What is risk management?
2 How to do risk management
3 How CSU staff can use risk management
What is Risk Management
Contents
• The notion of risk
• Defining risk management
• The objectives of risk management
• Organisational responsibilities and
obligations in risk management
What is risk?
• Common language understanding
• Formal: ‘The chance of something
happening that will have an impact upon
objectives’
• Represents a rational response to dealing
with an unknowable future
• Can be measured in terms of likelihood and
consequence
Risk management
Definition: ‘The culture, processes and
structures that are directed towards the
effective management of potential
opportunities and adverse effects’
• Treadway, COSO and Cadbury
• Australian /New Zealand Risk Management
Standard 4360:1999.
Risk Management
Objective: ‘To enable business operations to be
conducted within an environment of acceptable
loss’
Process: ‘The systematic application of management
policies, procedures and practices to the tasks of
establishing the context, identifying, analysing,
evaluating, treating, monitoring and
communicating risk’
Professional/Organisational overview
Professional reasons
• common language
• rationality, consistency
Organisational reasons
• legal, ethical, business responsibilities
• safety, fraud control, insurance, disaster recovery
Professional reasons for
risk management
• Standard 4360:1999 imposes a
common language on key terms which
is universally accepted in public and
private enterprise
• encourages rational thinking
• promotes consistency in decisions
• assists in defending key decisions
Organisational reasons for risk
management
• Organisational Legal Obligations
– contracted
– legislated
• Other Organisational Responsibilities
– ethical
– self-regulated agreements
Organisational Legal Obligations
• Contractual
– employment agreements
• Legislated
– OH&S & EEO
– environmental
– Myriad of other regulatory statutes
• Use words like ‘reasonable’
Corporate Ethical Responsibilities
Includes a range of socially based
expectations, including:
• fairness
• internal self regulation
• industry self regulation
• maintaining industry standards
The result
Risk management provides a proactive
contribution to:
• contracted, legislated and ethical compliance
• increased revenue
• reduced costs
• positive ethical climate within the organisation
The ‘how’ of risk management
Australian /New Zealand Risk
Management Standard 4360:1999
1) establish the context
2) identify risks
3) analyse risks
4) evaluate and prioritise risks
5) treat (or recommend treatments) for risks
– Consult and communicate at each stage
– Monitor and evaluate at each stage and loop
back to earlier stages if necessary
Establishing the context
• strategic context
• organisational context
• risk management context
Establishing the context (cont)
• Start with objectives
• ‘The chance of something
happening that will have an
impact upon objectives’
Establishing the context (cont)
To define the objective, consider:
• what do we do?
• how do we do it?
• who are our customers/stakeholders?
• what do they want?
• what does all this mean to us?
Establishing the context (cont)
Three key elements:
1 what is/are our objectives?
2 what activities need to be completed to
achieve the objectives
3 what resources are available for use to
perform the activities which will lead to the
successful achievement of the objectives?
Establishing the context (cont)
• Develop risk evaluation criteria based upon
policy, goals, objectives, stakeholder
interests
– operational
– technical
– financial
– legal
– social/humanitarian
Identifying risks/threats
Link all customers/stakeholders to:
• objectives
• activities
• resources
Identifying risks/threats (cont)
• Identify what can happen to
threaten the process or system
being analysed and how that threat
may occur
• Then list all those risks/threats
Assessing risks/threats
• Quantitatively
– historical data
– statistical information on incidents
– surveys
• Qualitatively
– determine likelihood
– determine consequence
Assessing risks - rating the impact
• Disastrous - achieving the objective may not be
attainable. May be forced to discontinue or
transfer function
• Critical - Will produce difficulties beyond the
capacity of existing resources. May require
additional resources or funding to restore/achieve
minimum function
• Serious - Will produce difficulties to function that
can be readily absorbed by current resources
• Minor - Anything less than above
Assessing risks - rating likelihood
• Definite - almost certain to occur
• Probable - distinct possibility of occurring
in the time given
• Possible - likely to occur over an extended
period of time
• Remote - more likely not to occur
• Improbable - very unlikely to occur
Presenting the risks
• Can use a matrix - one provided in papers
• Can develop different kinds of ratings for
different circumstances
• Can apply numerical values to the ratings; this
helps when prioritising a large number of risks
• Can use a risk register
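An added example, not from the course materials: a small risk register that uses the impact and likelihood ratings from the two preceding slides, applies numerical values to them and sorts the register for prioritising. The numeric weights and the likelihood-times-impact score are assumptions for illustration; the deck's own matrix is in the course papers and is not reproduced here.

```python
"""Risk register scoring with the deck's impact and likelihood scales.

Weights and the multiplicative score are assumed for illustration only;
the course matrix 'provided in papers' is not on this page.
"""
from dataclasses import dataclass

# Consequence ratings from the 'rating the impact' slide (weights assumed).
IMPACT = {"Disastrous": 4, "Critical": 3, "Serious": 2, "Minor": 1}
# Likelihood ratings from the 'rating likelihood' slide (weights assumed).
LIKELIHOOD = {"Definite": 5, "Probable": 4, "Possible": 3,
              "Remote": 2, "Improbable": 1}


@dataclass
class Risk:
    description: str
    impact: str
    likelihood: str

    def score(self) -> int:
        """Numerical rating: likelihood weight x impact weight (assumed)."""
        if self.impact not in IMPACT or self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown rating on {self.description!r}")
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def prioritise(register):
    """Highest score first; ties break on impact so a remote disaster
    ranks above a likely nuisance with the same score."""
    return sorted(register,
                  key=lambda r: (r.score(), IMPACT[r.impact]), reverse=True)


def matrix():
    """Likelihood x consequence grid of scores (rows = likelihood)."""
    return {lk: {im: LIKELIHOOD[lk] * IMPACT[im] for im in IMPACT}
            for lk in LIKELIHOOD}


# Constructed sample register (not from the deck).
REGISTER = [
    Risk("Minor data entry errors in timesheets", "Minor", "Definite"),
    Risk("Student records exposed via unpatched server", "Critical", "Possible"),
    Risk("Fraudulent expense claims", "Serious", "Probable"),
    Risk("Fire destroys campus data centre", "Disastrous", "Remote"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.score():2d}  {r.likelihood:10} {r.impact:10} {r.description}")
```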
Treating risks
• Identify treatment options
• Evaluate treatment options
• Recommend treatment options
• Prepare treatment plan
• Implement treatment plan
Developing/implementing a
risk management program
Appendix B of the Standard
• Step 1 - Support of senior management
• Step 2 - Develop organisational policy
• Step 3 - Communicate policy
• Step 4 - Manage risks organisationally
• Step 5 - Manage risks at work unit level
• Step 6 - Monitor and review
Who should be involved
• horizontal spread - as many different
functions as necessary
• vertical spread - as many levels of the
organisation as possible
• skill spread
• external stakeholders
• consultants?
Revisit key elements of
Standard
1) establish the context
2) identify risks
3) analyse risks
4) evaluate and prioritise risks
5) treat (or recommend treatments) for risks
– Consult and communicate at each stage
– Monitor and evaluate at each stage and loop
back to earlier stages if necessary
Establishing CSU context
Three key elements:
1 what is/are our objectives?
2 what activities need to be completed to
achieve the objectives
3 what resources are available for use to
perform the activities which will lead to the
successful achievement of the objectives?
CSU context (cont)
Develop risk evaluation criteria based upon
policy, goals, objectives, stakeholder
interests
• amount lost
• damage to reputation of organisation
• threat to health, safety, security
These criteria feed into the risk assessment
process
Identifying risks
• Identify what can happen to
threaten the process or system
being analysed and how that risk
may occur
• Then list all those risks
Assessing risks
• Quantitatively
– historical data, internal audit reports
– files
– statistical information on incidents
• Qualitatively
– determine likelihood
– determine consequence
Treating risks
• Identify treatment options
• Evaluate treatment options (cost,
effectiveness)
• Recommend treatment options
• Prepare treatment plan
• Implement treatment plan
Other governance processes
• Cross linkage with other governance processes.
Each of these organisational policies needs to be
integrated with the others, e.g.:
– Corporate planning
– Physical security
– Computer security
– Internal audit
– Organisational ethics
– Anti-corruption activity
Any comments?