What makes for good risk management?
April 2015
www.bakertilly.co.uk
…fingers crossed…
• Why establish an enterprise risk management framework?
• What makes for effective risk management? The differentiator.
• How can you establish an effective enterprise risk management framework?
Sets out a view on 28 global risks in the report’s traditional categories: economic, environmental, societal, geopolitical and technological. Also considers the drivers of those risks in the form of 13 trends.
“There is a significant failure of some kind that was within our control or we could have prevented, but didn’t.
As a result of the failure there could be any or all of the following: harm, injury or death to an individual, a significant financial loss or waste of resources.
Then there will be the investigation, blame, reputation damage and embarrassment, rectification time and costs… some of this could result in irrecoverable damage at a corporate and personal level.
All this, as a minimum, distracts us… and at worst de-rails us from our main mission…”
A client non-executive director
(January 2014 – Board discussion regarding Risk Management & Assurance)
We manage risk all the time!
• Patchy risk management processes leading to an “incomplete picture”
• Lack of accountability amongst individuals responsible for managing risks
• Risk management inertia
• Lack of engagement with the organisation’s risk management
• Of course one of the main symptoms is untoward and/or unwanted “stuff” happening
Let’s be honest…
Value adding
What are the risks?
Business as Usual Risks
• A risk that is managed through the existing control framework and corporate processes.
• Corrected through the rectification of an existing control.
• Monitoring focuses on assurances in place. Managed through the assurance framework.
Exceptional Risks
• Have a finite life.
• Require the establishment of a new or enhanced risk mitigation/control.
• Upon mitigation, becomes business as usual.
• Managed at the appropriate level through either strategic or operational risk registers.
Example - Group Risk Capture Hierarchy
Group Business Objectives
The Baker Tilly 4Risk Risk Management & Assurance System: This system can be used to enable efficient and effective risk and controls capture, assessment, reporting and monitoring at individual establishment level through to Group and Board level.
Strategic Risks: These risks will have a fundamental effect on the achievement of the Group business objectives. They will be material in nature. They will be both determined by the Board and very high areas of risk that might emerge from operations across the Group.
High Group Risks: Areas of high risk exposure will be escalated into the Group risk register to enable specific monitoring. It may be the case that there are common areas of high risk being escalated across the Group. In this case it may be appropriate for a Group level action to be agreed, rather than action by each Establishment.
Operational level Risks: A risk and controls profile will be established for each establishment in the Group. Action required to address risks or issues will be determined by the establishment and progress monitored at Group level. Areas of high risk will be escalated within the Group.
Individual Establishment Risk Assessments: On a cyclical basis, each establishment undertakes a self-evaluation of risk exposure and risk mitigation / controls effectiveness against a set of standard criteria, both financial and non-financial. This will assist with ensuring a consistent approach across the group.
Does this sound familiar?
• The Board to focus on strategy
• Rigorously & energetically plan for the future
• Recognise that you are part of a wider system
• Build trust and confidence
• Don’t be driven by events
• Reflect on fitness for purpose
• A need for thinking time
• Seek out best practice – be innovative
Definition of a strategic risk
“Those risks that if realised could fundamentally affect the way in which the organisation exists or provides services in the next one to three years.
These risks, should they occur, will have a detrimental effect on the achievement of one, some or all of the organisation’s strategic objectives.
The risk realisation will lead to material failure, loss or lost opportunity.”
What does the future hold?
1. What would be the worst thing that could happen at the organisation (right now / tomorrow)?
2. What is your greatest fear for the organisation (in the next 12 – 36 months)?
3. What is the greatest challenge the organisation faces (in the next 12 – 36 months)?
4. What is the greatest opportunity the organisation has (in the next 12 – 36 months)?
Example Risk Scoring
(Matrix: Impact, scored 1–5 on the vertical axis, against Likelihood, scored 1–5 on the horizontal axis. The key distinguishes Inherent Risk from Residual Risk, with the Application of Controls & Mitigations accounting for the difference between the two.)
Risk classification and description:
• Primary: Primary risks should require immediate attention. The risk should be regularly monitored for change and also to ensure prescribed actions are being completed.
• Contingency: Monitor and obtain assurance over existing controls and look to introduce cost effective mitigation.
• House Keeping: Action should be taken to introduce or improve controls to reduce the likelihood of the risk. Assurance should be obtained over any mitigations in place.
• Low: Activity should concentrate on obtaining assurance on those controls and mitigations in place that are reducing the risk.
Key: Inherent Risk; Residual Risk; Application of Controls & Mitigations.
Highlights
Good Practice Risk Register Template
Risk, Cause, Effect, Controls, Assurance and Actions…?
Template columns:
• Risk Owner / Lead
• Review and updates
• Risk, Cause, Effect
• Controls + Assurance
• Full Action Plan
Example Correlation map
Strategic objectives vs. 2014/15 strategic risks
(The three score columns are the strategic objectives, which are not named in this extract; the final column is the row total.)
Strategic risks with assurance strength                            Obj. 1  Obj. 2  Obj. 3  Total
A) Quality, safety, outcome & experience                              5       3       4     12
B) Cultural change                                                    5       4       4     13
C) Engagement with the estates strategy                               5       2       3     10
D) Transformation of Services                                         4       3       5     12
E) Sustainable local economy with partners                            3       2       3      8
F) Leadership and workforce capacity and capability                   2       5       5     12
G) Define and capitalise on our USPs                                  2       5       2      9
H) Balance financial sustainability with quality & affordability      5       4       4     13
The correlation map demonstrates the linkage and strength of the relationship between each risk and each strategic objective. This is demonstrated on a 1–5 scale, with 1 indicating a weaker relationship with the strategic objective in question and 5 indicating a stronger relationship.
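The scoring matrix and the correlation map above both reduce to a small amount of arithmetic over 1–5 scores, and it is useful to see that arithmetic written down so that the classification rule and the totals are explicit and checkable. The following Python is an added example written for this page; it is not part of the deck or of the Baker Tilly 4Risk system. Two things in it are assumptions, not anything the deck states: the quadrant thresholds used to map a score onto the Primary / Contingency / House Keeping / Low classifications, and the use of impact × likelihood as the single-number rating. The thresholds are chosen so that the RCAD extract later on this page (Impact 5, Likelihood 3, recorded as Contingency) classifies the same way. The correlation-map figures are the page's own 2014/15 example; the per-objective column totals go one step beyond the page, which shows only row totals.

```python
from __future__ import annotations
from dataclasses import dataclass

# ASSUMED thresholds for the quadrant split (the page does not state them): a score
# of 4 or more on a 1-5 axis counts as "high". With these, the RCAD extract's
# Impact 5 / Likelihood 3 lands in Contingency, matching the page.
HIGH_IMPACT = 4
HIGH_LIKELIHOOD = 4


@dataclass(frozen=True)
class Score:
    """One position on the 1-5 impact / 1-5 likelihood matrix."""
    impact: int
    likelihood: int

    def __post_init__(self) -> None:
        for name, value in (("impact", self.impact), ("likelihood", self.likelihood)):
            if not (isinstance(value, int) and 1 <= value <= 5):
                raise ValueError(f"{name} must be an integer 1..5, got {value!r}")

    @property
    def rating(self) -> int:
        # ASSUMED aggregation: impact x likelihood, so the range is 1..25
        return self.impact * self.likelihood


def classify(score: Score) -> str:
    """Map a score to the page's four classifications using the assumed quadrant split."""
    high_impact = score.impact >= HIGH_IMPACT
    high_likelihood = score.likelihood >= HIGH_LIKELIHOOD
    if high_impact and high_likelihood:
        return "Primary"        # immediate attention; monitor for change and action completion
    if high_impact:
        return "Contingency"    # assure existing controls; seek cost-effective mitigation
    if high_likelihood:
        return "House Keeping"  # introduce or improve controls to reduce likelihood
    return "Low"                # concentrate on assurance over the controls already in place


def control_effect(inherent: Score, residual: Score) -> int:
    """Rating reduction attributable to the application of controls and mitigations."""
    return inherent.rating - residual.rating


def trend(current: Score, previous: Score) -> str:
    """Direction of travel between two review points (the RCAD extract reports 'increasing')."""
    if current.rating > previous.rating:
        return "increasing"
    if current.rating < previous.rating:
        return "decreasing"
    return "stable"


# Constructed from the page's 2014/15 correlation map: each risk scored 1-5 against
# three strategic objectives (the objectives are unnamed in the extract).
CORRELATION_MAP: dict[str, tuple[int, ...]] = {
    "A) Quality, safety, outcome & experience": (5, 3, 4),
    "B) Cultural change": (5, 4, 4),
    "C) Engagement with the estates strategy": (5, 2, 3),
    "D) Transformation of Services": (4, 3, 5),
    "E) Sustainable local economy with partners": (3, 2, 3),
    "F) Leadership and workforce capacity and capability": (2, 5, 5),
    "G) Define and capitalise on our USPs": (2, 5, 2),
    "H) Balance financial sustainability with quality & affordability": (5, 4, 4),
}


def _validate(cmap: dict[str, tuple[int, ...]]) -> int:
    """Check every row is scored against the same objectives on the 1-5 scale; return the width."""
    widths = {len(scores) for scores in cmap.values()}
    if len(widths) != 1:
        raise ValueError("every risk must be scored against the same set of objectives")
    for risk, scores in cmap.items():
        if any(not 1 <= s <= 5 for s in scores):
            raise ValueError(f"{risk}: correlation scores must be 1..5")
    return widths.pop()


def risk_totals(cmap: dict[str, tuple[int, ...]]) -> dict[str, int]:
    """Row totals: the rightmost column of the page's map."""
    _validate(cmap)
    return {risk: sum(scores) for risk, scores in cmap.items()}


def objective_totals(cmap: dict[str, tuple[int, ...]]) -> list[int]:
    """Column totals (not on the page): how heavily each objective is linked to the risk set."""
    width = _validate(cmap)
    return [sum(scores[i] for scores in cmap.values()) for i in range(width)]


def strongest_links(cmap: dict[str, tuple[int, ...]], top: int = 3) -> list[tuple[str, int]]:
    """Risks ranked by total linkage, highest first; ties keep register order (sort is stable)."""
    ranked = sorted(risk_totals(cmap).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:top]


if __name__ == "__main__":
    current, previous = Score(5, 3), Score(5, 2)  # the RCAD extract's item 2.1
    print(classify(current), trend(current, previous))
    for risk, total in strongest_links(CORRELATION_MAP):
        print(total, risk)
```

The point of keeping the thresholds in two named constants is that a register's classification rule is a governance decision that should be reviewable; changing them re-classifies every entry consistently, whereas hand-assigned labels drift. Validation in `Score` and `_validate` rejects out-of-scale values, which is where hand-maintained registers most often go wrong.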
Example Risk radar
Proximity of strategic risk impact with assurance strengths
(Radar chart: the strategic risks are plotted by proximity band, Now / Now – 12 months / 12 – 24 months / 24 – 36 months, with a marker key for assurance strength.)
Risks plotted: A) Quality, safety, outcome & experience; B) Cultural change; C) Estates strategy; D) Transformation of Services; E) Sustainable local economy with partners; F) Leadership and workforce capacity and capability; G) Define and capitalise on our USPs; H) Balance financial sustainability with quality.
Key: High assurance strength; Medium assurance strength; Low assurance strength.
The three ‘lines of assurance’
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
Objectives of the RCAD:
• using a systematic approach, provide for an overall understanding of the NTA risk exposure and the level of assurance over the effectiveness of the control environment in the NTA’s key activities / functions;
• to provide a basis for early warnings, particularly during the transition period; and
• to identify actions for improvement (above and beyond those already identified / being pursued) and / or confirm progress of actions.
This provides the NTA with a snapshot of its risk, controls and assurance profile at intervals throughout the year across a number of defined activities and processes falling under 4 dimensions: key services, performance, compliance and governance (covering 29 pre-determined activities).
The RCAD is updated quarterly, usually at a mid-way point in the period, therefore providing for both a retrospective and a forward look to form a view as to the expected risk profile and effectiveness of controls across the NTA.
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
(Reporting structure diagram: Board; Executive; the four RCAD dimensions of Key Services, Performance, Compliance and Governance; and Management responsible for NTA activities, functions and processes.)
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
RCAD Extract:
Area of activity / Responsibility: 2. Compliance Framework – 2.1 Information Governance / data confidentiality and access (Disclosure in the public domain). Owner: IT Manager.
Risk Profile: Contingency. Impact = 5, Likelihood = 3 (previously Impact = 5, Likelihood = 2).
Controls Evaluation: Very Effective / Substantial Evidence.
Risk, Controls & Assurance: Governance Commentary:
• Assurance #1 (3rd line) - Positive
• Assurance #2 (3rd line) - Positive
• Assurance #3 (2nd line) - Positive
• Assurance #4 (1st line) - Positive
Overview Commentary: Reviews by IA / ALB / DH have provided positive outcomes. As the civil service requirements are more stringent this means the NTA is not….. This is currently being progressed.
Disclosure required / Actions Required: Transition: The current disclaimer regarding data gathering will no longer be valid on the transfer ….. This may have…… It is expected that by ….. a legal judgment will have been reached on this matter.
Escalation into Strategic Risk Register: Monitor, but no escalation to the strategic risk register.
Increasing risk profile due to the above.
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
NTA – Risk Profile: Period to 30th September xxxx
(Scatter chart: the RCAD activities, referenced by number such as 1.4, 2.1 and 4.14, plotted by Impact (1–5, vertical axis) against Likelihood (1–5, horizontal axis); the series shown are Previous profile, Current profile and Transition related.)
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
NTA – Internal Control Evaluation: Period to 30th September xxxx
(Scatter chart: the same activity references plotted by Control effectiveness (1 Ineffective to 5 Very Effective, vertical axis) against Assurance (1 Limited to 5 Substantial, horizontal axis).)
Risk Controls & Assurance Dashboard (RCAD)
Case study - National Treatment Agency
Extract - Overall Summary of disclosures / action required:
Key Services:
1. Executive / Strategic risk:….. NTA in this final phase.
2. Transition: Transition risk management has now become the main focus of the NTA in this final phase…...
3. Transition: Ineffective…. of drug treatment.
4. Human Resources: There remains…..
Performance:
1. Transition: The Head of Communications will….
2. Transition: Corporate services resilience…
Compliance Framework:
1. Transition: The current disclaimer….. reached on this matter.
Corporate Governance:
1. Transition: Move towards…. the transition process with representation from all …..
Risk Register Extract - Example
Risk Management Action Plan Extract - Example
Risk Controls Assurance Report Extract - Example
Key ERM Components
• Ensuring the profile of risk management in the business
• A risk management strategy that delivers value
• Risk management directly informs business planning & activities
• Use of risk management information systems (MIS)
• Risk assurance direction is driven by the business risk profile
Your thoughts, comments, questions?
Matt Humphrey
Partner
Risk & Governance Consulting
matthew.humphrey@bakertilly.co.uk
07764 688248
www.bakertilly.co.uk
www.insight4grc.com/demo
Baker Tilly Corporate Finance LLP, Baker Tilly Restructuring and Recovery LLP, Baker Tilly Risk Advisory Services LLP, Baker Tilly Tax and Advisory Services LLP, Baker Tilly UK Audit LLP and Baker Tilly Tax and Accounting Limited are not authorised under the Financial Services and Markets Act 2000 but we are able in certain circumstances to offer a limited range of investment services because we are members of the Institute of Chartered Accountants in England and Wales. We can provide these investment services if they are an incidental part of the professional services we have been engaged to provide. Baker Tilly Creditor Services LLP is authorised and regulated by the Financial Conduct Authority for credit-related regulated activities. Baker Tilly & Co Limited is authorised and regulated by the Financial Conduct Authority to conduct a range of investment business activities.
© 2015 Baker Tilly UK Group LLP, all rights reserved
This communication is intended to provide general guidance on matters of interest and you should not act or refrain from acting upon any information contained in it
without seeking appropriate professional advice