Local government FM network: Risk Management. Ian Falconer and David McIntyre, 12 December 2006
Agenda • Context • Being risk intelligent • What is the role of management? • Setting the culture • Reporting • Appetite • Assurance
Context: What is risk management? Taking actions to reduce the uncertainty, prepare for the consequences and to make sure that the organisation can leverage risk to its best advantage
Context: Maintaining a sound system of internal control • In determining its policies with regard to internal control, and thereby what constitutes a sound system of control, a well managed organisation should consider: • nature and extent of the risks facing the organisation • extent of risk which it regards as acceptable for the organisation to bear (risk appetite) • the ability of the organisation to reduce the likelihood and impact of risks that do occur (mitigation) • cost/benefit of the control framework (Source: Financial Reporting Council, Internal Control: Revised Guidance for Directors on the Combined Code, aka Turnbull)
Context: Increasing focus on risk management • Greater focus by Audit Commission on corporate governance and risk management • Risk management a specific KLoE within use of resources reviews (within theme 4 ‘internal control’) • low scoring KLoE in 2005
Being risk intelligent
What you should do: • Deal with risk systemically • Throughout area of responsibility • With internal/external partners • Be nimble with new issues • Lever risks to your advantage
What this can achieve: • Taking more, better managed risks • Being hit by fewer surprises • Living by established principles • Expecting excellent performance
The prerequisites: • Top level buy-in • Links risk management to strategic and operational management • Aims for simplicity and action, not bureaucracy • Constantly conscious of risk management performance
The risk management process [Diagram labels: Risk identification; Risk assessment; Risk mitigation; Risk monitoring; Risk management]
Managing the business • Strategic Objectives: “What do we want to achieve?” • Risk management: “What risks could affect the outcome and what can we do to affect the outcome?” • Performance measurement: “What assurance is there that we are on track?”
Some questions for management • What is the risk culture of your department? • Does your risk reporting focus on change? • What is your risk appetite? • Are you being assured?
Question 1: What is the risk culture of your department? Achieving objectives depends on 4 risk attributes: • Managed risk taking: risk of taking on too much risk which becomes unmanageable • Avoiding unnecessary pitfalls: risk of avoiding everything, resulting in total inaction • Setting demanding performance culture: risk of over-stretching targets resulting in burn-out • Setting appropriate values and behaviours: risk of sclerosis as every potential stakeholder of every decision is consulted
The impact of risk on performance [Figure: long term performance (Low to High) against attributes of risk (Low to High), with a performance zone and two dead zones]
Managing performance through the risk culture [Figure: axes Performance Culture, More Managed Risk, Avoiding Pitfalls and Corporate Values, with a Performance Zone and Dead Zones]
Enron risk culture? [Figure: axes Performance Culture, More Managed Risk, Avoiding Pitfalls and Corporate Values]
UK public sector risk culture? [Figure: axes Performance Culture, More Managed Risk, Avoiding Pitfalls and Corporate Values]
What is your target risk culture? [Figure: axes Performance Culture, More Managed Risk, Avoiding Pitfalls and Corporate Values]
Question 2: Does your risk reporting focus on change? • Are impending changes highlighted? • Are management and staff widely consulted on their views on emerging risks within the department? • Is the impact of changes monitored?
Risk identification Capturing risk: moving to a more dynamic process • Assume that if OK today, it will probably be OK tomorrow • Need to consider what might change dynamically • Enhance the static register by analysing the impact of change
Capturing risk: what is changing? Examine changes in detail: • Inside the organisation: Projects, Products, Processes & People • Outside the organisation: Legal changes; Reported events and incidents; Results of investigations; Market; Competitors; Economy • And at the interface. Looking for: • new risks • changes to current risks (up, down)
Question 3: What is your risk appetite? “The aim of the Risk Strategy is not to remove all risk but to recognise that some level of risk will always exist. Indeed it is recognised that taking risks is fundamental to innovation and the building of a “can do” culture. Risk appetite is the amount of risk that you are prepared to accept, tolerate, or be exposed to at any point of time.”
What are we trying to achieve? [Figure: Likelihood (1 to 5) against Impact (1 to 5), showing Gross risk, Controls to reduce likelihood, Controls to reduce impact, Net risk and Risk appetite]
Question 4: Are you being assured? • Not just a cosy feeling • A real understanding of the strengths and weaknesses which exist regarding risk Understanding what the concept of overall assurance means:
Principles of assurance • Planning to gain assurance • Making explicit the scope of assurance boundaries • Evidence • Evaluation • Reviewing and reporting HM Treasury – The Orange Book
Why seek assurance? • Assurance tells you: • When risk is being appropriately managed • When risk is being over controlled • When risk is under controlled • Where you have a knowledge gap and lack evidence to assess control over risk
What are the responsibilities for management? [Figure: Dependence on controls against Amount of residual risk, with regions labelled: Management needs assurance on operation of controls & further controls improvement; Management needs assurance on operation of controls; Management needs further controls improvement]
Summary To become risk intelligent, you must: • Create a risk culture • Monitor and report upon risks effectively • Understand your risk appetite • Receive adequate assurances