
BFF5902 Introduction to Risk Principles
Lecture 4 – Risk Context and Identification
MONASH BUSINESS SCHOOL

Learning objectives
§ Discuss the purpose of risk management standards and identify commonly used global risk management standards
§ Identify the key characteristics of the ISO 31000:2009 Standard
§ Identify the elements of the risk process and explain their relationship to each other
§ Discuss methods for performing risk identification
§ Explain the elements of a risk context statement
§ Identify and discuss key elements of a risk register and explain its role in the risk management process
§ Explain a risk taxonomy, its design and purpose

Risk Management Standards

Risk Management is a Structured Process
• Managing risk in a structured manner:
  – encourages an organisation to manage proactively rather than reactively
  – requires responsible thinking
  – requires balancing the costs of managing the risk with the benefits to be gained, recognising that a risk-free environment is implausible, uneconomic and unsustainable
  – encourages identifying and taking opportunities to improve performance
  – means taking action to avoid or reduce the chances of something going wrong
  – improves the accountability in decision making
  – requires everyone in a business to act in accordance with relevant statutory requirements and corporate policies

Benefits of a Risk Management Standard
§ Standards provide a number of benefits.
  – They generally have been vetted and benchmarked as best practices for decision-making.
  – They help establish reasonable and measurable goals that can be tied to articulated organizational objectives.
§ To bring some consistency to the risk management process, voluntary industry standards or regulatory guidance, based on a collection of best practices, began to appear.

Risk Management Standards
§ A number of standards have been developed worldwide to help organisations implement risk management systematically and effectively.
§ These global standards seek to establish a common view on frameworks, processes and practice, and are generally set by recognised international standards bodies or by industry groups.
§ The different standards reflect the different motivations and technical focus of their developers, and are appropriate for different organisations and situations.
§ Standards are normally voluntary, although adherence to a standard may be required by regulators or by contract.

Commonly used Global Risk Management Standards
– ISO 31000:2009 – Risk Management Principles and Guidelines
– COSO 2004 - Enterprise Risk Management - Integrated Framework
– A Risk Management Standard – IRM/Alarm/AIRMIC 2002 – developed in 2002 by the UK’s 3 main risk organisations.
– ISO/IEC 31010:2009 - Risk Management - Risk Assessment Techniques
– OCEG “Red Book” 2.0: 2009 - a Governance, Risk and Compliance Capability Model

Key characteristics of the ISO 31000:2009 Standard
§ The Standard effectively integrates principles and practices considered most effective by many experts and researchers.
§ Its strengths are:
  – Introduces a consensual definition of risk, i.e. the effect of uncertainty on objectives
  – Applicable across all industries
  – Includes a role for internal and external consultation in the process of identifying risks and their management
  – Includes the requirement that risk practices be subject to regular review and improvement (i.e. it is a process and not a single state of
  – It strongly encourages a systematic approach to listening to and dialogue with key stakeholders
  – It emphasises the need for integration into the regular management of the organisation supported by governance, reporting and senior management commitment.
§ If management treats the standard as a one-off exercise or as a set of rules to be complied with, then the effectiveness of the standard is diminished.

ISO 31000:2009 Links Risk to Objectives
"Without risk, there is no reward or progress. Unless risk is managed effectively, organizations cannot maximize opportunities and minimize threats. Risk is all about uncertainty, or more importantly, the effect of uncertainty on the achievement of objectives. This is where ISO 31000 is clearly different from existing guidelines in that the emphasis is shifted from something happening – the event – to the effect on objectives."
Kevin W. Knight, AM, Chair of the ISO 31000 working group & Chair of ISO 31004 project committee, ISO Focus, June 2009

AU/NZ ISO 31000:2009 Risk Management Process

Where we are
§ Up to this lecture you have learnt:
  – Risk is defined as uncertainty on business objectives
  – Risk is unavoidable and should therefore be managed within a defined risk appetite
  – A systematic approach is needed to identify risks as described within a Risk Architecture
  – A Risk Architecture comprises the Principles, Framework and Processes suitable for the nature and complexity of the business
§ In weeks 4, 5, 6 and 7 you will learn about the process of identifying, analyzing, assessing and treating risks.

Objectives of the Risk Management Process
In order to manage risk effectively, the organization must achieve the following outcomes:
(a) Have a current, comprehensive and correct understanding of its risks.
(b) Ensure that those risks are within its risk criteria.
§ To achieve this consistently, a systematic process is needed to reveal and understand risks, and to modify them where necessary.
  This is the purpose of the Risk Management Process within the organization's Risk Architecture.

AU/NZ ISO 31000 Risk Management Process
The risk management process is defined as: The systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk.

Background – AU/NZ ISO 31000 Architecture

AU/NZ ISO 31000 Risk Management Process
Communicate and consult - at all steps

Step 1: Establish Your Context
• scope
• organisational
• environmental
• outputs and business objectives
• risk criteria (i.e. threshold levels)
• linkage to other plans

Step 2: Identify Your Risks
• identify key processes, tasks, activities
• recognise risk areas
• define risks
• categorise risk

Step 3: Analyse Your Risks
• identify controls
• determine likelihood
• determine consequence/impact
• rate risks

Step 4: Evaluate and Prioritise Your Risks
• identify acceptable/unacceptable risks (referring risk rating against risk criteria)
• prioritise risks for treatment

Step 5: Treat Your Risks
  Accept/Retain
  • based on judgement or documented procedures/policy
  Avoid
  • consider discontinuing or avoiding activity
  • consult
  • risk treatment preferable to risk aversion
  Reduce consequence
  • contingency planning
  • contractual arrangements
  • public relations
  Transfer
  • insurance
  • outsourcing
  Reduce likelihood
  • controls
  • process improvement
  • training
  • policies and communication
  • audit and compliance

Step 6: Monitor and Review Your Risks
• process
• environment
• organisation
• strategy
• stakeholders

Establishing the Context

The Aim of Setting the Risk Context
§ The aim of the ‘establish the context’ step in the risk management process is to identify the organization’s objectives, and those external and internal factors that could be a source of uncertainty, so that risks can be identified.
§ Because risk arises from an organization pursuing its objectives against the uncertainties created by its internal and external environment, a very clear understanding is needed from the outset of both the organization's objectives and these environments.
§ It is therefore a necessary first step prior to risk identification. Subsequent analyses may prompt revision.
§ If not executed properly, we may miss a significant source of risk or develop risk management strategies that are inconsistent with the organization's goals, culture or operating environment (including regulation and laws).
§ It should be regularly reviewed due to the potential for organizational goals and internal and external environments to change.

AU/NZ ISO 31000 Process for Establishing the Context
By establishing the context, the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.

Articulating the Organization’s Objectives
§ The highest expression of organization’s intent and purpose
§ Objectives typically reflect the organization’s explicit and implicit goals, values and imperatives
§ Individual to every organization and will vary in more detail by function within an organization (sales, financing, human resources)
§ Available from published information (including corporate responsibility reporting, annual reports, exchange listing reporting and detailed shareholder reporting) and through communication with key stakeholders
§ Often more than one objective to be considered.
  Not all are public due to confidentiality/competitive concerns.
§ Usually includes regulatory compliance and any other statutory obligation
§ In order to assess risks, objectives need to be expressed clearly and unambiguously

Example – Qantas Strategic Objectives

Example – External Context Identified and Influencing Strategy

Example – The External Context Facing Qantas
Factor / How
– Geopolitical changes: For airlines today, the dominant geopolitical trend shaping the future is the rise of Asia. Asia-Pacific is already the world's biggest aviation market. By 2035, it will be bigger than Europe and North America combined. To convert that potential into profitable growth, airlines need to build the right network links, attract the best people, and begin to forge strong partnerships across the region.
– Digital: The rise of digital connectivity and big data has been called a new industrial revolution. For airlines, it's already reshaping everything from flight planning systems to customer service and distribution channels - with the most profound changes still to come.
– Consumer needs: As Generations Y and Z become a majority of the global workforce, their spending power and influence will grow, and the choices they make will increasingly be determined by a company's values and social impact as much as its products and services.
– Corporate Responsibility: Human-induced climate change and resource scarcity is impacting natural environments and communities around the world, influencing consumer behaviour, and reshaping government policies and regulation at a global and local level.

Question: How Do Organizational Objectives vary by Size of Firm?
Small Business (Family Owned)
– To provide income and wealth for the owner and family (security of lifestyle)
– Meet tax and other legal commitments
Global Company
– Shareholder value growth
– Dividend payments
– Debt payments
– Meet tax and other legal commitments
– Provide a safe work environment for many staff
– Corporate responsibility and sustainability targets
– Reputational integrity (public disclosure)
– Compliance with regional laws and stakeholder expectations
– Community/industry leadership
Increasing number of stakeholders and complexity of business model

Identifying Stakeholders and their Objectives
§ Establishing the context involves identifying key stakeholders who might be affected by a decision, both external and internal to the organization, and developing an understanding of their objectives, perceptions, values and relationship to the organization.
§ Stakeholders are normally identified using a systematic method, within a communications plan, that employs the experience and knowledge of a small group of people (ie. discussion with experts internal and external).
§ Stakeholders help clarify objectives and risk criteria, and their support may be needed for successful implementation (sponsorship).

INTERNAL
• Board and Senior Committees
• Divisional Heads
• Operation Owners
Who has accountability? Who approves/oversees? Who operates/implements?

EXTERNAL
• Shareholders/Debtholders
• Analysts/Rating Agencies
• Creditors
• Suppliers
• Government
• Community Groups
• Unions
• Customers
• Media
Who is affected? Who mandates? Who has interest?

Identifying Internal and External Factors
§ The internal and external environments are described by the factors within and outside the organization that might influence the organization achieving its objectives.
§ The process for identifying is similar to identifying objectives. Systematic approaches that draw on the experience and knowledge of a group of internal (and sometimes external) stakeholders. Therefore, this step follows the identification and discussion with key stakeholders.
§ To help guide identification the following simple questions can be asked:
  • What will constrain us?
  • What will enable us?
  • What will we be relying on?
  • What will we encounter?
  • What might change?

Understanding the Internal Environment and Context
§ The internal environment is the way the organization is structured and operates, including the resources it has available and the people in it. It is a source of risk despite being within control of the organization.
§ The internal context is the internal environment in which the organization seeks to achieve its objectives.
  – It is anything within the organization that can influence the way in which an organization will manage risk.
§ Internal context should be established because
  – risk management takes place in the context of the objectives of the organization
  – objectives and criteria of a particular project, process or activity should be considered in the light of objectives of the organization as a whole
  – some organizations fail to recognize opportunities to achieve their strategic, project or business objectives, and this affects ongoing organizational commitment, credibility, trust and value.

Understanding the External Environment and Context
§ Unlike many features of the internal environment, those in the external environment can often not be controlled by the organization
§ The external context is the external environment in which the organization seeks to achieve its objectives
§ Understanding the external context is important in order to ensure that the objectives and concerns of external stakeholders are considered when developing risk criteria

Internal and External Context
External
• Key drivers and trends that will have an impact on your organization
• Relationships with and perceptions & values of external stakeholders
• Social, cultural, political, legal, regulatory, financial, technological, economic, natural and competitive environment
Internal
• Governance, organizational structure, roles & accountabilities
• Policies, objectives & strategy
• Capabilities & resources
• Information systems
• Organizational culture
• Contractual relationships
• Relationships with, perceptions & values of internal stakeholders

Choosing a Risk Taxonomy
§ An essential part of the communication strategy supporting the risk identification step is to adopt, at the outset, a common language of risk that is tailored to the business practice of the organization and that can be applied across all activities. This is necessary to avoid confusion when it comes to identifying risks.
§ The taxonomy describes what risks and how they are defined.
§ In general, there are two methods:

Root Cause Method
– Risks are classified by root cause
– Pro: Assists management identify and treat the risk
– Con: Competing root causes
Impact Method
– Risks are classified by impact on the business / financial statements
– Pro: May be required for regulatory reporting and capital measurement (eg. Basel II)
– Con: Does not assist root cause identification

The Risk Universe – A General Taxonomy of Risks

Class Question:
§ Consider the following:
  – A bank incurs a lending loss on a housing loan due to failure to execute guarantee documentation correctly
  – A bank fails to comply with anti-money laundering statutory reporting due to implementing a new cash deposit ATM
  – A bank changes strategy as a result of poor profits and divests a subsidiary at a loss to a competitor
§ How would you classify by root cause?
§ How would you classify by impact?

Structuring the Risk Management Activities
§ As we have seen, risk evaluation and treatment can be very broad across the organization and vertically deep at all levels of an organization
§ It is less likely that risks will be overlooked and the process will prove more practicable if whatever is being examined is considered logically in smaller parts
§ Chunk the risk process into manageable elements, eg.
  – Risk type
  – Organizational Division or Activity (ie. Responsibility)
  – Geography
  – Logical steps in a process defined by flow chart
§ An advantage of structuring the risk process is that it permits tailored analysis and decisions and specialized knowledge of the risk

Scoping the Context of the Risk Management Process
There are three elements to this part of establishing the context; these determine the following:
(a) The purpose, scope and circumstances of the risk management activity.
(b) A structure and approach for the risk management activity.
(c) The resources, techniques and tools needed for the risk management activity.
• The risk management process might be applied to decisions of the organization as a whole, to those of particular sections or in relation to particular projects or activities. It can also apply to all processes affecting the organization’s objectives or to just those of particular interest at the time.
• It is important to define the scope of the risk process activity before seeking resources and funding

The Taxonomy of Risks Must be Structured to the Organization
Creating a hierarchy of risks should reflect the nature of the business and be meaningful for management:
§ A diversified business may choose initial business line segmentation
§ A single industry business may elect an initial risk-type segmentation. In some cases the risk type taxonomy is regulated (Basel II).
COSO, Thought Leadership in ERM, Risk Assessment in Practice, 2012

What do you Consider in the Context of the Risk Management Process?
The context of the risk management process will vary according to the needs of an organization. It can involve, but is not limited to:
§ defining the goals and objectives of the risk management activities;
§ defining responsibilities for and within the risk management process;
§ defining the scope, as well as the depth and breadth of the risk management activities to be carried out, including specific inclusions and exclusions;
§ defining the activity, process, function, project, product, service or asset in terms of time and location;
§ defining the relationships between a particular project, process or activity and other projects, processes or activities of the organization;
§ defining the risk assessment methodologies;
§ defining the way performance and effectiveness is evaluated in the management of risk;
§ identifying and specifying the decisions that have to be made; and
§ identifying, scoping or framing studies needed, their extent and objectives, and the resources required for such studies.

Contextualizing Risk...