A framework for risk management - Governance Institute of Australia

Risk Management, Culture & Governance

Agenda
- What is risk management?
- A framework for risk management
- Establishing a good risk culture
- Getting risk a seat at the table
- Providing the right risk information to stakeholders
- ERM – what does the "E" stand for?
What is a risk?
"The effect of uncertainty on objectives."
ISO 31000:2009 Risk Management

"Those things that may stop you meeting your objectives."
Susan Crago

What is risk management?
Risk Management = Objectives and Outcomes Management
What risk management is not!

Risk matrix: LIKELIHOOD (the probability of the risk materialising in the next 12 months) against CONSEQUENCE (assess as a one-off or an accumulation of risks). Each cell gives the resulting risk rating.

LIKELIHOOD LEVEL           PROBABILITY RANGE   CONSEQUENCE (Level 1)   (Level 2)   (Level 3)   (Level 4)   (Level 5)
Almost Certain (Level 5)   80% - 100%          Low                     Low         Medium      High        High
Likely (Level 4)           60% - 80%           Low                     Low         Medium      High        High
Possible (Level 3)         40% - 60%           Low                     Low         Medium      Medium      High
Unlikely (Level 2)         20% - 40%           Low                     Low         Medium      Medium      Medium
Rare (Level 1)             0% - 20%            Low                     Low         Low         Medium      Medium
A framework for risk management
The cycle: Establish Context -> Identify -> Assess -> Action -> Monitor and Review, with "Escalate, Communicate and Consult" running alongside every step.
A framework for risk management

Establish Context
• What are our strategy and objectives?
• What issues have we experienced?
• What risks are we currently managing?
• What is going on in the external environment?

Identify
• What are the risks that could stop us meeting our objectives?
• What would cause those risks to occur?
• What controls do we currently have in place?

Assess
• How likely is it that this risk will occur?
• If it does occur, what will be the consequence?
• How effective are the controls in managing this risk?
A framework for risk management

Action
• Prioritisation
• What will we do about the risk? Nothing or something?
• If something, what is the best action to take?

Escalate, Communicate and Consult
• Who needs to make the decision about this risk?
• Who needs to take any actions on this risk?
• Who needs to be aware of this risk?

Monitor and Review
• Are we on track with managing this risk?
• Has something changed so that we need to review this risk?
The sales pitch
Value proposition
1. Making informed decisions
• supports prioritisation and transparency of decision making
2. Meeting business unit objectives
• alignment to the business strategy and objectives
• highlights areas of potential focus
3. Preparing for the unexpected
• identifying uncertainties
• fewer shocks and unwelcome surprises
Good risk culture?
Impacts of poor risk culture

Establishing a good risk culture
"Values and culture drive people to do the right thing even when no one is looking … Although values and culture cannot always be measured quantitatively, they impact governance in powerful ways."
John F Laker, APRA Chairman (27 February 2013)
Getting risk a seat at the table

3 lines of defence

First Line of Defence: Business Units (including Executive, Managers and All Staff)
• Own and manage risks
• Risk management embedded in processes
• Promote a strong risk culture

Second Line of Defence: Independent Risk Function
• Independent advice, oversight and monitoring
• Advocate a risk culture and raise awareness of risk
• Establishment of the Risk Management Framework

Third Line of Defence: Internal Audit
• Independent appraisal of the control infrastructure
• Oversight of the Risk Management Framework

Getting risk a seat at the table
Bendigo & Adelaide Bank Group's Vision:
"We aim to be Australia's leading customer-connected banking group."
Providing the right risk information to stakeholders
"... integral to the effectiveness of risk governance, concerns the flow of information to the board. The lack of timely, relevant and comprehensive risk information [is] often a critical weakness."
John F Laker, APRA Chairman (27 February 2013)
Providing the right risk information to stakeholders
Elements of good risk governance:
• Clear risk appetite and tolerances
• Escalation of new key risks
• Monitoring of actions for key risks
• Monitoring of testing of key controls
• Consistent across risk types

ERM – what does the "E" stand for?
- Effective?
- Efficient?
- Engaging?
- Enterprise?

Questions?