Confidential

Business Risk & Control Self-Assessment Workshop Report
HAN BE’ER
October 18, 2005, Arnhem

Table of Contents

Main Report (page)
• Introduction 3
• Vision & Objectives BE’ER 4
• 2005 Workshop – Risk Identification Results Full Details 6
• 2005 Workshop Results, Main Risks Overview 7
• 2005 Workshop – Risk Assessment:
  - Impact vs. Likelihood per group 10
  - Risk Level vs. Control Effort per group 13
• Standard Deviation 17
• Risk Sourcing & Response Development 18
• Conclusions and Follow-Up Recommendations 21

Introduction

• The Business Risk & Control Self-Assessment session was conducted to demonstrate how risk management can be used by the BE’ER organization and in other organizations. The group attending the workshop was a reflection of BE’ER’s organization.
• Since the goal of this session was to demonstrate the implementation of risk management, the result cannot be considered complete and final.
• The main objectives of the workshop were to increase the risk awareness of the participants, to become familiar with the “self-assessment” methodology, to gain an insight into the risk prioritization and to determine the preliminary risk profile for BE’ER.
• The brainstorming and subsequent consolidation resulted in an initial identification of 12 risks that were considered to be most relevant by the participants.
• The risks were then assessed by the group on three criteria: the impact on the business objectives, the likelihood of occurrence and the control effort to deal with the risks.

BE’ER Vision & Objectives

Vision
• In the coming years, BE’ER wants to become a stable association that meets the needs of BE graduates, HAN and trade and industry.

Objectives
• Cooperation: act as an intermediary between HAN and trade and industry. To this end, an activity for our members must be organized at least 4 times a year (with HAN and trade and industry as the central focus).
• Membership growth: we aim to grow our membership over the next three years by at least 35% of our current membership.
• Networking: the activities offered must give the members and the board sufficient opportunities to network. At least once a year, an activity must be organized that is devoted entirely to networking.
• Knowledge sharing: as an association, BE’ER strives to share knowledge with one another within the field of business economics and to make the link with professional practice.
• Profile/PR: our association must become known throughout the entire BE programme. To this end, among other things, a newsletter must be set up, the website will be expanded further, and further promotional activities will have to be undertaken.

2005 Workshop Results - Risk Identification

• In order to identify risk scenarios, the following definition of risk was provided to the participants:

  Those uncertainties which can impact the achievement of your objectives

  These uncertainties are often external to a company/organization’s normal business operations, but in many cases they represent internal process issues.
• The risk identification took place in a complete and open discussion where each participant gave their definition of what they believed was a risk scenario that would obstruct their organization in reaching one or more of the defined objectives.
• The risk scenarios were defined as specifically as possible in order to facilitate their assessment.
• A total of 12 risk scenarios were defined and documented.

2005 Workshop BE’ER - Results Full details

2005 Workshop, Risk Results, Main Risks Overview

Top 10 risks in terms of Risk Level (impact vs. likelihood)

The top 10 risks for BE’ER in terms of impact and likelihood, as assessed by the participants, are:
1. The risk that our members lose interest in our organization due to their personal goals and competing activities. Risk #2
2. The risk that the platform that the organization relies on is too small (# people)/fragile. Risk #11
3. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our reputation as a respectable/interesting alumni organization. Risk #3
4. The risk of insufficient communication and promotion (both for members/potential members and sponsors), leading to insufficient funds and critical mass. Risk #7
5. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls apart, causing BE’ER to fall apart. Risk #8
6. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to unclear product deliverables. Risk #12
7. The risk that vision/expectations of "trade and industry" are not met by BE’ER, leading to reduced activities and possible reduction of members. Risk #6
8. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE’ER fewer opportunities and subsidies. Risk #5
9. The risk of too much focus on informal activities pushed by the members, limiting the focus on business economics knowledge sharing. Risk #1
10. The risk of losing financial support from HAN. Risk #4

Top 10 risks in terms of Risk Priority (= risk level vs. control effort)

The participants also assessed the identified risks in terms of the perceived control effort in place to deal with these risks. The top 10 risks resulting from this assessment are:
1. The risk that our members lose interest in our organization due to their personal goals and competing activities. Risk #2
2. The risk that the platform that the organization relies on is too small (# people)/fragile. Risk #11
3. The risk of not providing added value to the core sponsors (supporting companies) of the organization due to unclear product deliverables. Risk #12
4. The risk that we fail to attract new members, not achieving critical mass and thereby not improving our reputation as a respectable/interesting alumni organization. Risk #3
5. The risk of insufficient communication and promotion (both for members/potential members and sponsors), leading to insufficient funds and critical mass. Risk #7
6. The risk that the board is unable to work together (different vision, focus, interests, ambition, etc.) and falls apart, causing BE’ER to fall apart. Risk #8
7. The risk that the cooperation between HAN and "trade and industry" is reduced, leading to HAN giving BE’ER fewer opportunities and subsidies. Risk #5
8. The risk that vision/expectations of "trade and industry" are not met by BE’ER, leading to reduced activities and possible reduction of members. Risk #6
9. The risk that the brand name is not properly associated with the activities and quality of the added value and social activities in the optimal combination. Risk #10
10. The risk that the brand name does not appeal to the vision and ambition of the organization. Risk #9

2005 Workshop – Risk Assessment

The participants prioritized the identified key risks during a rating session. The risks were prioritized according to the following criteria:

Impact: The risk occurs. What is the most foreseeable impact on the achievement of BE’ER’s business objectives?

Likelihood: What is the likelihood that this event/scenario will occur, say, within the next three years (TOP period)?

This prioritization provided valuable insight and a basis for focusing managerial effort, as well as a basis for evaluating the impact of current control levels and the use of company resources.

The participants were asked to provide their opinion on the impact and likelihood on a scale from 1 (low) to 9 (high). The result is a classification of the risks according to the average weightings (impact and likelihood) for each risk. The rating was grouped according to the ‘function’ of the participants (i.e. Board, Alumni).
The risks were mapped representing the level of risk (impact × likelihood) given to each risk by the participants.

[Figure: IMPACT (low to high) versus LIKELIHOOD (low to high) map with four zones: Primary Risks, Secondary Risks 1, Secondary Risks 2 and Low Risks]

2005 Workshop – BE’ER’s Risk Profile

Impact versus likelihood map (all participants)
[Figure: Impact (1 to 9) versus Likelihood (1 to 9), risks 1 to 12 plotted, all participants]

Impact versus likelihood map (Board)
[Figure: Impact (1 to 9) versus Likelihood (1 to 9), risks 1 to 12 plotted, Board]

Impact versus likelihood map (Alumni)
[Figure: Impact (1 to 9) versus Likelihood (1 to 9), risks 1 to 12 plotted, Alumni]

Legend (risk numbers used in all maps):
1. Insufficient focus knowledge share
2. loss of interest in BEER
3. failing to attract new members
4. financial support from HAN
5. lack of cooperation HAN/industry
6. difference in vision industry/BEER
7. Insufficient communic./promotion
8. cooperation board BE’ER
9. Brand name appeal
10. Brand name association
11. Platform too small
12. No added value to core sponsors

2005 Workshop - Control Effort Assessment

During the workshop the risks, as identified by the participants, were subsequently assessed according to the definition below:

What is the current level of effort within the organization to deal with/control the identified risks? In terms of resources, people, procedures, measurements etc.

* Please note: the acceptability of the control effort comfort zone (green) is to be decided upon by the responsible manager!

[Figure: Risk Level (low to high) versus CONTROL EFFORT (low, moderate, high) map with zones marked "Risks may be undercontrolled" and "Risks may be overcontrolled"]

2005 Workshop Results – BE’ER’s Risk Profile

Risk Level versus Control Effort map (all participants)
[Figure: Risk Level (1 to 81) versus Control effort (1 to 9, low to high), risks 1 to 12 plotted, all participants]

Risk Level versus Control Effort map (Board)
[Figure: Risk Level (1 to 81) versus Control effort (1 to 9, low to high), risks 1 to 12 plotted, Board]

Risk Level versus Control Effort map (Alumni)
[Figure: Risk Level (1 to 81) versus Control effort (1 to 9, low to high), risks 1 to 12 plotted, Alumni]

Each map represents the combined assessment of the total risk level of a particular risk and the control effort that is put on the specific risk to control it. The given colors do not represent the organization’s acceptability level. For details on the acceptability level please see note* on page 13.

2005 Workshop Results – BE’ER’s Risk Voting

Standard Deviation on Impact, Likelihood and Control Effort
[Figure: Spread in Voting. Standard Deviation (0 to 3,5) per Risk Item Number (1 to 12); series: SD impact, SD likelihood, SD control]

The critical threshold regarding the standard deviation is 2. All those risks with a standard deviation for Impact and/or Control above this threshold should be reviewed, in particular when the score on Impact and/or Likelihood is relatively high or when the score for Control Effort is low.
The knowledge about the effects of the risk on the organization and/or about the existing mechanisms to manage the risk may need to be communicated more explicitly during the review of these risks.

Risk Sourcing & Response Development

• Risk sourcing is identifying the root cause of a certain risk.
• It creates a clear picture of where and how significant business risks originate.
• It focuses attention on the specific areas that have the highest influence on the respective risks.
• It assists in developing effective risk responses (action plans).

[Figure: example risk sourcing diagram. Labels: Previous experience; political/legislation permit issues; Having chosen to have one supplier; public opinion; No other suppliers known; HSE legislation; dependency on single source; No other suppliers available; product inherent hazard; process inaccessibility; plant reliability; terrorism; Business interruption; Natural catastrophe; Accident at neighbour; catastrophic accidents; Lack of preventive maintenance; Site infrastructure and utility restriction; Logistics related accidents; sabotage; Review and update maintenance programs; maintenance risk; human error; Lack of knowledge; No back-up capacity; Analysis opportunity cost vs worst case scenario; Investment too high; no back-up plan; Create a Contingency plan]

What is your response to the identified risks?

• Take
  - Intentionally pursue
  - Fully accept
  - Finance the consequences
  - Build in contingencies
• Terminate
  - Cease activity
  - Pull out of market
  - Divest
  - Change objectives
  - Reduce scale
• Transfer
  - Insure
  - Share (JV, alliance, partnership)
  - Contract out (outsource, assign)
  - Diversify / spread
  - Hedge
• Treat
  Dealing with risk requires adaptation:
  - Organization
  - People & Relationships
  - Direction
  - Operational
  - Monitoring

The comparison between the highest ranked risks of 2005, sorted on risk level (= impact vs. likelihood) and risk priority (= risk level vs. control effort) for BE’ER, demonstrates that risks #2, 11, 3, 7, 12, 8, 6, 5, 1 and 4 (top 10 risk level) require your first and foremost attention.

The first step is to decide, for the top 10 risk level (preferably for the top 12), whether enough actions are currently in place to manage the risk scenarios (yes or no), then decide whether the actions are effectively implemented (yes or no), and formulate new actions if required (SMART, due date) with the responsible person.

[Template columns: Source, Action, Responsible, Due date]

Please note this template is part of the full assessment results (separate attachment – excel file).

• To further analyze the highest ranked risks, we advise you to use the following process:
  - Identify the root causes per risk scenario (what can cause this scenario?)
  - Group these root causes (external causes, internal causes, other relations)
  - Prioritize based on the influence the root cause has on the risk scenario
  - Take a decision on how to act (Take, Treat, Terminate or Transfer)
  - Develop an action plan to execute the decision. Action plans should be S.M.A.R.T. (Specific, Measurable, Achievable, Relevant, Time based), which means that they must include the relevant KPIs, timeframe and responsible person (owner).
• Once you establish and/or implement an action plan on the main risk scenarios and sources, the monitoring and evaluation should be done by the Board.

Conclusions and Follow-Up Recommendations

• BE’ER achieved the goals of the workshop, which were specifically: (1) demonstrate how risk management can be used by the organization, (2) increase risk awareness, (3) familiarize the participants with the self-assessment methodology, (4) gain structured insight into the risks, (5) share risk knowledge & experiences, and (6) develop an initial risk profile for BE’ER.
• The awareness of the risks and the assessment from the participants showed a fairly consistent view on the importance of the most significant risks. This is demonstrated by the standard deviation graph on page 17. However, we recommend that the group reviews the need to achieve further cohesion regarding risks #1, 4, 5, 9 and 10, where the standard deviation on impact was slightly higher than the acceptable deviation threshold.

FACILITATORS - Akzo Nobel Risk Management: Dick Oude Alink & Adolfo Moreno