OPERATIONAL RISK MANAGEMENT IMPLEMENTATION – Best practices and experience
Risk • The chance of something happening that will have an impact on objectives. • A risk is often specified in terms of an event or circumstance and the consequences that may flow from it. • Risk is measured in terms of a combination of the consequences of an event and their likelihood. • Risk may have a positive or negative impact.
Why implement risk management? • Success = Vision Achievement + Associated Strategic Objectives. • Ultimately, the organisation must know the risks it faces in achieving these goals, manage the risks effectively and ensure that effective risk treatments are, and continue to be, in place as the environment changes over time. • Risk management is important for EPF. The alternative is risky management, which will not ensure desired outcomes.
Benefits of risk management • Increase risk awareness at all levels of staff in order for them to effectively manage their risks. • No unexpected surprises! • Staff personal wellbeing. • Accountability, assurance and governance: maintain integrity and confidence amongst stakeholders and the public in general. • Strengthening competitive strategic and operational efficiency to increase long-term stakeholder value. • Safeguarding assets and resources. • Exploitation of opportunities. • Improved planning, performance and effectiveness. • Improved information for decision making. • Minimise unexpected impact to earnings and returns to members.
Enterprise Risk Framework • Strategic Risk • Market Risk • Investment Risk • Credit Risk • Liquidity Risk • Operational Risk • Regulatory Risk • Project Risk • Reputational Risk
Risk Management • Risk management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the organisation's environment. • It is an enterprise-wide process, multifaceted in dimension. • It is best achieved by a multidisciplinary team. • Risks must be appropriately communicated and shared.
Risk Management Process • Establish the Context: for strategic, organisational and risk management and the criteria against which business risks will be evaluated. • Identify Risk: that could ‘prevent, degrade, delay or enhance’ the achievement of an organisation’s business and strategic objectives. • Analyse Risk: consider the range of potential consequences and the likelihood that those consequences could occur. • Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes. • Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’. • Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies. • Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process. Note that Identify, Analyse and Evaluate Risks are collectively grouped as ‘Risk Assessment’.
Sample Risk Scorecard • Gross risk • Nett risk • Target risk
For every risk • Identify Causes and Consequences. • Rate gross risk in terms of possibility and impact (without controls or with controls totally ineffective). • Identify Primary Controls (preventive, detective and corrective) and Secondary Controls. • Rate control effectiveness (to reduce possibility and impact). • Risk software calculates: Nett Risk Rating = Gross Risk – Control Effectiveness. • Set Risk Targets. • Identify management actions to mitigate the risks.
Assurance Framework Ministry of Finance Investment Panel Board of Directors Investment Panel Risk Committee Board Risk Management Committee Board Audit Committee Management Risk Committee Risk Management Department Management Operations Risk Committee Internal Audit External Audit Investment Risk Management Section Operational Risk Management Section
Key Success Factors • Full support from the Board, Investment Panel, CEO and Management. • Committed Risk Champions. • Competent and committed consultant. • Effective Project Management. • Risk Awareness Training and Facilitation Workshops. • Computerised System. • Organisational culture.