Class 10 (2014)
Risk Management
Goals and Objectives
• Gain an understanding of traditional risk approaches vs. ERM
• Understand the benefits associated with Risk Management
• Establish a common risk vocabulary
• Examine and experience the use of Risk Management tools and processes
• Understand the role of the board in risk management
• Perform a risk assessment, identify key risks and how this impacts strategic decision making
Risk
• What is it?
• A cost? A reward?
• What generates risk? Internal vs. external factors.
• How do we deal with it?
• Who likes / dislikes it?
  – Executives
  – Shareholders
  – Employees
  – Other stakeholders
• Who was the first risk manager?
Key Concepts
• Risk
  – The uncertainty that surrounds future events and outcomes.
• Risk Management
  – The systematic application of management policies, procedures, and practices to the tasks of analyzing, evaluating, controlling, and communicating about risk issues. (Canadian Standards Association, 1997)
• Enterprise Risk Management (ERM)
  – A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO)
Risk Tolerance vs. Risk Appetite
• Risk tolerance: the financial ability to accept risk. Alternatively, this can be viewed as an amount of financial impairment that can be retained without a material impact on the business.
• Risk appetite: an indication of the organization’s willingness (high) or reluctance (low) to retain risk.
  – The level of appetite will be driven by stakeholders’ expectations of both risk and return.
Board Mandate
• The Board explicitly assumes responsibility for:
  – Corporate strategy
  – Identifying, assessing and evaluating the principal business risks
  – Succession planning
  – Communications policy
  – Integrity of internal controls and management information systems
  – Developing the organization’s approach to corporate governance
Driving Forces Behind the Evolution of Risk Management
(diagram: the Company at the centre, surrounded by the following pressures)
• Market and Credit Analysts / Rating Agencies: require that management strengthen its risk disclosure capabilities
• Investors: demand increased financial disclosure and transparency
• Regulators: increased interest in compliance and approval processes
• Stakeholders: demand that management adequately identify all material risks that impact cash flow, capital and mission
• Activists: secular business and non-business activities – treatment of people, animals, …
• Auditors: current protocols require organizations to report risks in a forward-looking context
Why have organizations worldwide become
increasingly preoccupied by risk management?
• Stakeholders, including shareholders, have become more insistent on the predictability of an organization’s results, in particular its earnings
• Unidentified or poorly managed risks can produce adverse financial and operational results
• Boards of directors and senior management have become increasingly aware of their responsibility for effective risk management
• In today’s global economy, organizations face increasingly complex, rapidly changing and inter-related risks
Industry and regulatory pressures
• Cadbury Report (UK) 1992
• Dey Report (Canada) 1994
• Australia / New Zealand Risk Management Standard AS/NZS 4360 (1995)
• Risk Management: Guideline for Decision-Makers, a national standard for Canada issued by the Canadian Standards Association (1997)
• KonTraG (Germany) became law in 1998
• Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management framework, USA 2004
• NP 58-201, Canadian Securities Administrators’ Corporate Governance Guidelines for Canadian publicly listed companies (2005)
ERM Continuum
(figure: Stakeholder Value on the vertical axis against Risk Management Sophistication on the horizontal axis; stages from left to right)
• Risk Specialization: RM, IS, Audit, Legal, HR and Ops. each manage risk separately
• Enterprise Risk Awareness
• Risk Management Integration
• Value/Risk Optimization with ERM
The slide annotates one point on the continuum with “Most companies currently reside here on the continuum”.
How is Risk Management administered
• Smaller and mid-size organizations typically have no formal risk management processes or structures and rely on their insurers or brokers for advice and counsel
• As organizations grow in size and complexity, they increasingly adopt formal internal risk management processes and risk financing structures
• Most Fortune 1000 companies have dedicated in-house risk management expertise to administer their risk management processes and sophisticated risk financing structures
AS/NZS 4360:2004 The Australia/New Zealand Standard for Risk Management
(process diagram, rendered as an outline)
• Establish the Context
  – External context
  – Internal context
  – Risk management context
  – Develop criteria
  – Define structure
• Assess Risk
  – Identify Risks: What can happen? When, where, how?
  – Analyze Risks: determine existing controls; determine consequences and likelihood; estimate level of risk
  – Evaluate Risks: compare with criteria; set priorities
• Treat Risks (only where the evaluation decides treatment is needed; otherwise the risk goes straight to Monitor and Review)
  – Identify options
  – Assess options
  – Prepare and implement plans
  – Analyze and evaluate residual risk
• Communicate and Consult, and Monitor and Review, run alongside every step above
The COSO ERM Framework and Sarbanes-Oxley Section 404
(figure relating the COSO ERM Framework to Sarbanes-Oxley Section 404; source: COSO proposed ERM Framework)
The Risk Management Process:
5 Key Steps for Board Oversight
(cycle diagram) Identify risks → Analyze risks → Design strategy to deal with risk → Manage risks → Measure results → back to Identify risks
Establish the Context
• Define the objectives of the organization against which the risks are to be measured
• Determine which stakeholders’ concerns need to be taken into account
• Summarize the stakeholders’ key objectives of the assessment
• Outline the goals, objectives, strategies, scope and parameters of the assessment
• Organizational and external environments need to be considered
“To be able to identify a risk, it is important to identify and understand what is at risk.”
Identify the Risks
• Identification of risks is critical, as those not considered at the outset may be excluded from further analysis
• Identification should include all risks
  – What, Where, When and How often?
    › This should generate the risks and events impacting the objectives
  – Why and How?
    › After identifying what might happen, causes and scenarios should be evaluated
Risk Identification
• Types of Events
  – Risks are future events with a potentially negative impact, adversely affecting the achievement of objectives
  – Opportunities are events with a potentially positive impact that can be channelled back to management’s strategy or objective-setting processes, so that actions can be formulated to seize the opportunities
  – All types of events stem from external and internal factors, which can in turn affect an organization’s strategy implementation and achievement of objectives
  – Identifying the influencing factors is useful to event identification
Event Identification
• Sample event categories: Influencing Factors – External
Economic
  • Capital availability
  • Credit
    – Insurance
    – Default
    – Concentration
  • Liquidity
    – Market
    – Funding
    – Cash flow
  • Counterparty
  • Market
    – Commodity prices
    – Interest rate
    – Unemployment
    – Indices
    – Exchange rate
    – Equity valuation
    – Real estate values
Business
  • Brand/trademark
  • Reputational
  • Competition
  • Consumer behavior
  • Fraud
  • Industry standards
  • Ownership structure
  • Publicity
  • Product relevance
Technological
  • Electronic commerce
  • External data
  • Emerging technology
Social
  • Demographics
  • Corporate citizenship
  • Environmental stewardship
  • Privacy
Political
  • Governmental changes
  • Legislation
  • Public policy
  • Regulation
Natural Environment
  • Emissions, effluents and waste
  • Energy
  • Fire
  • Natural disaster (earthquake, flood, etc.)
  • Biodiversity
  • Sustainable development
  • Transport
  • Water
Event Identification
• Sample event categories: Influencing Factors – Internal
Infrastructure
  • Availability of assets
  • Capability of assets
  • Access to capital
  • Complexity
  • Mergers/Acquisitions
Personnel
  • Employee capability
  • Fraudulent activity
  • Health and safety
  • Judgment
  • Malfeasance
Process
  • Capacity
  • Execution
  • Design
  • Suppliers/dependencies
  • Security practices
  • Sales practices
Technology
  • Data
    – Acquisition
    – Maintenance
    – Distribution
    – Confidentiality
    – Integrity
  • Data and system availability
  • Capacity
  • System
    – Selection
    – Development
    – Deployment
    – Reliability
Risk Identification Tools
• Financial statements: balance sheet, P/L statement, general ledger
• Legal department: loss history, litigation records
• Human resources
• Internal & external auditors
• Personal knowledge of the organization and its business (MBWA)
• Surveys, checklists
• Networking and benchmarking, internal & external
• Risk mapping, RMIS
• Risk assessment workshops
• External consultants
Analyze the Risks
• Sources, consequences and likelihood of the risks that may occur should be taken into account
• Risk is analyzed using the determined consequences, likelihood and time-to-impact
  – Existing Controls
    › Processes, devices or practices with negative or positive impacts should be identified
  – Types of Analysis
    › Risk analysis may be completed at different degrees of detail
  – Consequences and Likelihood
    › Consequences and likelihood are combined to produce a level of risk
    › Estimates using individual or group perceptions can be used if data is lacking
    › Relevant information and techniques should be used in analyzing consequence and likelihood
Choosing a Risk Response
• Evaluate the effect on each dimension of likelihood, impact and time-to-impact separately
• Individual groups or units will generate composite assessments of risks and responses, creating risk profiles relative to the objectives of the overall organization
• The risk profiles from each of the groups can be combined to reveal offsetting risks, or show how an aggregated risk might exceed the risk appetite of the organization
• Assess the cost versus benefit of risk response alternatives, including risk sharing between groups
Managers Can Choose from
Alternative RM Strategies to treat the Risks
Determine Risk Strategies
Avoid
  • Divest
  • Prohibit
  • Stop
  • Target
  • Screen
  • Eliminate
Exploit
  • Allocate
  • Diversify
  • Expand
  • Create
  • Redesign
  • Arbitrage
  • Renegotiate
  • Influence
Reduce
  • Disperse
  • Control
  • Reorganize
  • Re-engineer
Retain
  • Accept
  • Re-price
  • Self-assumption
  • Offset
  • Plan
Transfer
  • Insure
  • Reinsure
  • Hedge
  • Securities
  • Share
  • Outsource
  • Indemnity
Monitor and Review
• Risks and applied treatment measures need to be monitored, ensuring risk management plans remain relevant
  – Likelihood and consequences may change
  – Suitability or cost of treatment may change
• Progress made on implemented risk treatment(s) provides important performance measures
• Lessons learned also need to be considered
“It is necessary to monitor the effectiveness of all steps of the risk management process. This is required for continuous improvement.” (AS/NZS 4360:2004)
Control Activities
• Types of control activities include preventative, detective, manual, computer, and management controls
• Historical data can be used to track performance against targets
• Current data allows an entity to determine its risk profile at a certain point in time and remain within risk tolerances and appetite
• An RMIS with dashboard capabilities is a great tool to this end
The Control Activities are the policies and procedures within an organization that help ensure risk responses are carried out and are specific to the entity’s objectives.
Having the right information at the right place, and the right time, is essential to risk management and control.
Risk Mapping
• In a risk map, an organization’s risks are plotted along two dimensions, risk frequency and risk severity. This permits the capture of a visual image of the key risks facing the firm. The resulting risk map will help in the development and prioritization of the available risk mitigation and financing strategies.
Tools for Business Risk Assessment
(likelihood/impact map: Likelihood from Rare to Almost Certain on the horizontal axis, Impact from Low to High on the vertical axis)
• High impact, rare: lower likelihood, but could have significant adverse impact on organization objectives; consider cost/benefit trade-off
• High impact, almost certain: Key Risks, critical risks that potentially threaten the achievement of the organization’s objectives
• Low impact, rare: significant monitoring not necessary unless change in classification; periodically reassess
• Low impact, almost certain: lesser significance, but more likely to occur; reassess often, as changing conditions may move it to high significance
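The scoring procedure described on the preceding slides (combine consequence and likelihood into a level of risk, allow for existing controls, compare the result with criteria derived from the risk appetite, place each risk on the likelihood/impact map and aggregate the unit profiles) is shown below as an added example in Python. It is not code from the slides, from AS/NZS 4360 or from COSO. The 5-point rating scales, the band boundaries, the one-notch-per-control-step model of control effectiveness, the "treat at High or above" criterion and the sample risk register are all constructed assumptions; a real programme sets these when the context and criteria are established.

```python
"""Risk register scoring: level of risk, quadrant, appetite check, ranking.

Added example. Scales, bands, the control adjustment and the sample register
are assumptions, not values from AS/NZS 4360, COSO or the slides.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Likelihood(IntEnum):          # assumed 5-point scale
    RARE = 1
    UNLIKELY = 2
    POSSIBLE = 3
    LIKELY = 4
    ALMOST_CERTAIN = 5


class Consequence(IntEnum):         # assumed 5-point scale
    INSIGNIFICANT = 1
    MINOR = 2
    MODERATE = 3
    MAJOR = 4
    CATASTROPHIC = 5


# Assumed band boundaries on the likelihood x consequence product (max 25).
LEVEL_BANDS = ((15, "Extreme"), (8, "High"), (4, "Medium"), (1, "Low"))
# Assumed criterion: risks at or above this band exceed appetite and must be treated.
TREAT_AT_OR_ABOVE = "High"
LEVEL_ORDER = {name: i for i, (_, name) in enumerate(reversed(LEVEL_BANDS))}


@dataclass(frozen=True)
class Risk:
    name: str
    unit: str                       # business unit that owns the risk
    likelihood: Likelihood          # inherent rating, before existing controls
    consequence: Consequence        # inherent rating, before existing controls
    control_effectiveness: int = 0  # assumed model: each step lowers likelihood one notch


def residual(risk: Risk) -> tuple[Likelihood, Consequence]:
    """Apply existing controls to get the residual rating (likelihood floors at RARE)."""
    lik = max(int(Likelihood.RARE), int(risk.likelihood) - risk.control_effectiveness)
    return Likelihood(lik), risk.consequence


def level_of_risk(likelihood: Likelihood, consequence: Consequence) -> str:
    """Combine consequence and likelihood into a qualitative level of risk."""
    score = int(likelihood) * int(consequence)
    for floor, name in LEVEL_BANDS:
        if score >= floor:
            return name
    return "Low"


def quadrant(likelihood: Likelihood, consequence: Consequence) -> str:
    """Place the risk in one of the four cells of the likelihood/impact map (split points assumed)."""
    high_impact = consequence >= Consequence.MAJOR
    likely = likelihood >= Likelihood.LIKELY
    if high_impact and likely:
        return "Key risk: critical, threatens objectives"
    if high_impact:
        return "Low likelihood, high impact: consider cost/benefit of treatment"
    if likely:
        return "Lesser significance but likely: reassess often"
    return "Low significance: periodic reassessment"


def exceeds_appetite(level: str) -> bool:
    """Compare the level with the treatment criterion derived from the risk appetite."""
    return LEVEL_ORDER[level] >= LEVEL_ORDER[TREAT_AT_OR_ABOVE]


def rank_register(register: list[Risk]) -> list[dict]:
    """Score every risk on its residual rating and sort highest score first."""
    rows = []
    for r in register:
        lik, con = residual(r)
        level = level_of_risk(lik, con)
        rows.append({
            "name": r.name, "unit": r.unit,
            "residual_score": int(lik) * int(con),
            "level": level, "quadrant": quadrant(lik, con),
            "treat": exceeds_appetite(level),
        })
    return sorted(rows, key=lambda row: row["residual_score"], reverse=True)


def unit_profiles(rows: list[dict]) -> dict[str, int]:
    """Aggregate residual scores per unit so compounding exposures become visible."""
    totals: dict[str, int] = {}
    for row in rows:
        totals[row["unit"]] = totals.get(row["unit"], 0) + row["residual_score"]
    return totals


# Constructed sample register, for illustration only.
SAMPLE_REGISTER = [
    Risk("Ransomware on file servers", "IT", Likelihood.LIKELY, Consequence.MAJOR, control_effectiveness=1),
    Risk("Key supplier insolvency", "Ops", Likelihood.POSSIBLE, Consequence.MAJOR),
    Risk("Data centre flood", "IT", Likelihood.RARE, Consequence.CATASTROPHIC),
    Risk("Minor expense fraud", "Finance", Likelihood.ALMOST_CERTAIN, Consequence.MINOR, control_effectiveness=2),
]

if __name__ == "__main__":
    ranked = rank_register(SAMPLE_REGISTER)
    for row in ranked:
        print(f"{row['level']:8} {row['residual_score']:3}  treat={row['treat']}  {row['name']}  [{row['quadrant']}]")
    print(unit_profiles(ranked))
```

Two things the slides describe are visible in the output: the "Data centre flood" risk sits in the high-impact, rare quadrant and falls below the treatment criterion on its product score alone, which is exactly the case where the cost/benefit of a treatment such as insurance has to be weighed rather than read off the matrix; and the per-unit totals show IT carrying two risks whose combined exposure is larger than any single entry, which is the aggregated view the "Choosing a Risk Response" slide asks for.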
Risk Assessment Case Study
(figure: 3×3 risk matrix, Impact (Low, Medium, High) against Likelihood (Low, Medium, High))
Total Cost of Risk
The Concept (figure)
Risk Management Communication
• Develop the communication strategy at the context stage
• Ensure stakeholders’ perceptions of risk are addressed; these will differ based on values, needs, concepts and concerns
• Risk communication seeks to improve performance based on informed, mutual decisions with respect to risk
• Communication and consultation are important for each stage
• Dialogue should involve all stakeholders
“All internal and external stakeholders should be consulted and communicated to effectively as deemed appropriate at each stage of the risk management process.” (AS/NZS 4360:2004)
Risk Management is everybody’s business
• It is not just the responsibility of management
• To be effective it must be implemented by every person in
the organization
• It must become an integral part of the organizational culture
• RM is a journey not a destination
• What may be of minor significance today may be the
disaster of tomorrow
• Monitoring is an integral part of the risk management
process
• Requires a senior executive “Champion”
COSO Suggests…
• Board members should discuss with senior management the state of the entity’s ERM processes and provide oversight as needed
• The Board should ensure that the entity’s ERM mechanisms provide it with an assessment of the most significant risks relative to strategy and objectives, including what actions management is taking and how it is engaged in monitoring the ERM framework
ERM Benefits
• ERM transparency for investors, rating agencies and other stakeholders
• Develops a framework for meeting financial disclosure requirements
• Promotes better decision-making
• Enhances the capital allocation process
• Supports regulatory and compliance initiatives
• Creates a formal link between operational, financial and strategic decision-making within the organization
Preparation for Class 11
• Sabia & Goodfellow – Ch. 6 (pgs. 65-76)
• MI 51-109