1 / 34

Presentation 3: Applying Risk: Key Risk Management Tools

Presentation 3: Applying Risk: Key Risk Management Tools. Andrew Graham School of Policy Studies Queen’s University Kingston, Canada. Workshop on Risk and Enterprise Risk Management Southern Africa Development Community April, 2014 Gaborone, Botswana.

jariah
Download Presentation

Presentation 3: Applying Risk: Key Risk Management Tools

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Presentation 3: Applying Risk: Key Risk Management Tools Andrew Graham School of Policy Studies Queen’s University Kingston, Canada Workshop on Risk and Enterprise Risk Management Southern Africa Development Community April, 2014 Gaborone, Botswana

  2. Section 1: Risk Ranking and Risk Tolerance

  3. Establish the Context • Consider the outcomes you want to achieve in your activity • Consider the environment in which your organization operates • Identify internal and external stakeholders • Develop risk evaluation criteria. For example, you may decide that one criterion for deciding whether a risk is acceptable or not is that the cost of managing the risk must be less than the financial loss if the risk occurred.

  4. Understand Your Control Environment • Most organizations already have many controls for risks – know what they are and how they are working for you. • Remember that existing safeguards and levels of preparedness can deteriorate over time. • Circumstances can change • People can change, taking valuable expertise with them • Key role for corporate support functions and Internal Audit in making an organizations total control framework

  5. Identify Risks • Select the best methods to identify potential risks • Examine all sources of possible risks • Identify all potential risks whether they are random, internal or external to the organization • Examine each risk from the perspective of both internal and external stakeholders.

  6. Possible Sources of Risks • human behaviour • technology and technical issues • occupational health and safety • legal • political • property and equipment • environmental • financial/market • natural events. This list is exemplary not definitive – you have to figure out the label on the ‘elephant in the room’.

  7. Internal Methods of Identifying Risks • Establish responsible office for process, e.g., Internal Audit or Risk Group, • Examine the results of personal, local or international experience. • Arrange interviews and discussions with stakeholders. • Distribute surveys and questionnaires to stakeholders. • Conduct audits and physical inspections. • Directly observe the activity. • Analyze specific scenarios.

  8. External Methods of Identifying Risks • Employ professional consultants, e.g. lawyers, accounts and workplace health and safety officers. • Engage external consultations groups • Employ industry specialists, e.g. marketers, business consultants and risk consultants. • Consult associated professional organizations. • Conduct your own research using industry publications, newspapers and insurance tables.

  9. Some Good Questions to Ask • What are the best methods to identify risks which are likely to occur in this activity? • Who should I consult to assist me in identifying risks? • What sources of risk are relevant to this activity? • What risks are likely to occur? • Are the risks internal, external or random? • What would be the perspective of both internal and external stakeholders on these risks?

  10. Analyze the Risks • Evaluate the likelihood of a risk occurring, according to the ratings you use. • Evaluate the consequences if the incident occurred, according to the ratings. • Calculate the level of risk by finding the intersection between the likelihood and the consequences.

  11. Example of a Risk Management Model for Decision-Making Increasing Management Focus

  12. Consider Risk Velocity as well as Traditional Axes of Impact and Likelihood Impact—What is the maximum damage this risk could cause? Probability—How likely is this risk to materialize? Speed—At what speed will this risk impact the organization? Risk Prioritization Matrix Incorporating Risk Velocity Source: Deloitte; Risk Integration Strategy Council Research.. RISK B—High Severity and Likelihood and High Speed of Onset A new competitor will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize within the next two months when the new competitor begins trading. RISK A—High Severity and Likelihood but Low Speed of Onset Increased employee attrition will have a significant impact on the organization and is very likely to happen. The risk is forecast to materialize across the course of the next 18 months.

  13. Evaluating and Setting Risk Tolerances You must start be determining: • the importance of the activity you are risk managing and its outcomes • the degree of control you have over the risk • the potential and actual losses which may arise from the risk • the benefits and opportunities presented by the risk.

  14. Accepting Risk You may decide that a risk is acceptable because: • the risk level is so low that it does not warrant spending time and money to treat it • the risk level is low and the benefits presented by the risk outweigh the cost of treating it • the opportunities presented by the risk are much greater than the threats. Make sure that your list of acceptable risks is confirmed by others. An acceptable risk is omitted from the risk treatment process but others may feel that a specific risk is unacceptable and therefore, needs to be treated.

  15. Hierarchy of Risk Control Measures

  16. How Does It Work? Risk Tolerances Filter

  17. Risk Analysis and Management ToolkitRisk Tolerances • Setting tolerances involves a mix of qualitative and quantitative measures • Not always straightforward • It takes experimentation and time • Issue of how public they are is important • Equally important is how politically sensitive they are: is there a tolerable murder rate? Wrong tolerance! Risk Tolerances TYPCIAL RISK TOLERANCE GRID

  18. Risk Analysis and Management Toolkit Risk Tolerances WHEN DO YOU ACT AND HOW? SEVERITY RISES

  19. Section 2: Building an Effective Risk Culture

  20. The Relevance of Culture in Applying Risk • The culture of a group arises from the repeated behaviour of its members. • The behaviour of the group and its constituent individuals is shaped by their underlying attitudes. • Both behaviour and attitudes are influenced by the prevailing culture of the group. You cannot understand, identify, analyze, prioritize and effectively manage risk without a culture than enables it.

  21. What Does an Effective Risk Culture Look Like? • A distinct and consistent tone from the top from the board and senior management in respect of risk taking and avoidance (and also consideration of tone at all levels). • A commitment to ethical principles, reflected in a concern with the ethical profile of individuals and the application of ethics and the consideration of wider stakeholder positions in decision making.

  22. What Does an Effective Risk Culture Look Like? • A common acceptance through the organisation of the importance of continuous management of risk, including clear accountability for and ownership of specific risks and risk areas. • Transparent and timely risk information flowing up and down the organisation with bad news rapidly communicated without fear of blame. • Encouragement of risk event reporting and whistle blowing, actively seeking to learn from mistakes and near misses.

  23. What Does an Effective Risk Culture Look Like? • No process or activity too large or too complex or too obscure for the risks to be readily understood. • Appropriate risk taking behaviours rewarded and encouraged and inappropriate behaviours challenged and sanctioned. • Risk management skills and knowledge valued, encouraged and developed, with a properly resourced risk management function and widespread membership of and support for professional bodies.

  24. What Does an Effective Risk Culture Look Like? • Professional qualifications supported as well as technical training. • Sufficient diversity of perspectives, values and beliefs to ensure that the status quo is consistently and rigorously challenged. • Alignment of culture management with employee engagement and people strategy to ensure that people are supportive socially but also strongly focused on the task in hand.

  25. Section 3: Eleven Tough Questions on Risk Control and Management

  26. Risk tolerance and zero tolerance

  27. Risk Assessment and Vulnerability AnalysisOpen Issues and Questions How accurately can experts estimate the likelihood and consequences of disasters of hurricanes of different magnitudes and intensities? Can one characterize the types of uncertainties that currently exist in assessing risk, and suggest ways to improve these estimates in the future? What are the expected costs and benefits of undertaking specific risk-reducing measures in hurricane-prone areas, and can one rank them on the basis of cost effectiveness? What are the interdependencies in the system (e.g. infrastructure damage affecting supply of electricity, water, telephone/telecommunications, and other services to residences and businesses)? How do these interdependencies affect the direct and indirect losses that would result from a future natural disaster?

More Related