Date: 2024-06-27
ACCT5919 - Business Risk Management
Lecture 2 – Risk Management Process
Agenda
COURSE ADMINISTRATION
• Group allocations – finalise by Week 5 for Group Video Presentation
• Individual assignment
  • Overview of requirements
  • Tips
• Weekly quiz (starts Week 3) – overview
LECTURE
• Elements for effective risk management
• Risk Management Framework (RMF) overview
• RMF activities
BREAK
CLASS DISCUSSION
• Corporate Governance and Sustainability
What is Risk?
“The effect of uncertainty on objectives – effect is a deviation from the expected – may be positive and/or negative – can address, create or result in opportunities and threats; objectives can have different aspects and categories and can be applied at different levels, usually expressed in terms of risk sources, potential events, their consequences and their likelihood”
Source: AS/NZS ISO 31000:2018
Why Manage Risk?
Purpose of Risk Management
Every organisation faces developments in its internal and external context which present risk and uncertainty to the achievement of its objectives. Risk management is aimed at helping the organisation achieve its objectives in an efficient and sustainable way.
All organisations manage risk to some degree, as a minimum by reacting to events and remedying the consequences.
A more effective risk management approach aims to be proactive, preventing negative events from occurring in a consistent, efficient and coherent way. However, elimination of all risk is not possible – risk management aims to implement treatments which reduce the level of inherent risk to an acceptable residual level (the risk appetite).
What activities can an organisation use to manage risk?
Guidance is provided through standards and other definitional documents published by educational, professional, regulatory and standards organisations. ISO 31000:2018 Risk Management, published by the International Organization for Standardization (ISO), is often the standard used.
Characteristics of an Effective Risk Management Framework
[Diagram: the Risk Management Framework surrounded by its characteristics]
• Integrated
• Customised
• Inclusive
• Human and cultural factors
• Dynamic
• Structured and comprehensive
• Best available information
• Continual improvement
Risk Management Framework (RMF) / Process
Source: AS/NZS ISO 31000:2018
Often the activities are performed in sequence once a year across the whole organisation as a holistic exercise to provide annual reporting to governance bodies like the Board Risk Committee. However, the activities are inter-related and subsequent activities can cause previous activity results to be reconsidered. Some or all of the activities can be performed at any time in response to internal and external developments.
Communication and Consultation
Communication and consultation with external and internal stakeholders should occur regularly during all stages of the risk management process. It is important to plan who is involved, in what capacity (role) and when, as this will define the communication and consultation activities.
Some stakeholders will provide input to the process (consulted), others will be primary participants in performing the process, and others will be informed of the results of the process and may be required to carry out actions.
Communications should ensure everyone is informed as necessary to perform their role effectively:
• The form and content of the communications need to be tailored so that all relevant information is provided at the right time, at the appropriate level of detail, and in a form that allows it to be understood and used effectively for their role.
• A consistent understanding of information across the organisation is needed – the language, definitions and rules must be specified to achieve this.
The consultation process should ensure the relevant input and advice is received and used in the process at the right time and in a form that is understandable and useful for risk management process participants.
Communication and Consultation (Cont.)
The aims of the communication and consultation process are:
• Participants have a clear understanding of the context and other information necessary to make informed decisions
• The reasoning behind decisions and actions can be explained in a consistent and understandable manner to recipients
• Required areas of expertise are brought to each relevant activity of the risk management process
• There is appropriate consideration of alternative views when identifying and evaluating risks and deciding risk treatments
• Sufficient information is provided to facilitate risk oversight, monitoring and assurance
• Inclusiveness and agreement are built among those managing and affected by the risk (risk owners)
Scope, Criteria and Context
Establishing the Context
[Diagram: Internal Context, External Context and Risk Mgmt Context feed into Develop Criteria and Define the Structure]
Establishing the scope, context, and criteria is a critical first step before undertaking a risk assessment. It is the critical information that participants need to understand consistently to perform their role in the RMF.
The scope will define what the process needs to cover, and the criteria will define the concepts upon which the process is based. That will provide a common language and consistent set of rules for decision-making.
This should assist in providing a structured, comprehensive and consistent process and output.
Scope, Criteria and Context (Cont.)
Scope
Defining the scope provides an understanding of:
▪ What risks are to be covered
▪ Which business unit(s) / activities are to be covered by the risk management process
▪ Why the risk management process is being undertaken and which activities in the process are to be performed
▪ What information is to be provided to participants
▪ What objectives and outcomes the business unit(s) / business activities support
▪ Who (groups or individuals) are to be involved in the process (including external stakeholders)
▪ What is not covered by the risk management process
▪ What resources might be required
▪ Who is accountable and responsible for the output (actions) from the risk management process
Scope, Criteria and Context (Cont.)
Criteria
Defining the criteria provides an understanding of the mechanics of the process and how to report the output from the process, including:
▪ Terms and definitions providing a common risk language
▪ Risk classifications and inventory
▪ Basis for identifying new risks or changes in level of risks – what context to consider
▪ Time horizon for assessment
▪ Criteria, scale and rules for risk measurement and assessment – consequence and likelihood
▪ Defined risk appetite – concepts and current appetite
▪ Types of risk treatments to be used
▪ Reporting requirements – organisation structure, levels of detail of reporting, presentation formats and content
▪ Risk ownership rules
▪ Methods for aggregation of risk measurements
Scope, Criteria and Context (Cont.)
Understanding the internal and external environment (context) within which the organisation operates is aimed at ensuring all relevant developments and changes that may affect risk levels or create new risks relevant to the achievement of its objectives can be identified and assessed.
Strategic Context (external influences – general and industry specific)
• The general (jurisdiction level) environment in which the organisation operates – political, economic, society, technology, physical environment, legal
• Industry specific developments – competitor developments, industry legal and regulatory developments, industry technology, supply chain, customer preferences
• Involves a determination of changes in what the external stakeholders expect from the organisation
• Will influence and be influenced by the organisation’s market positioning, strategy and reputation
These help to shape decisions on what risks are desirable
Scope, Criteria and Context (Cont.)
Organisational Context (internal influences)
• The organisation’s capabilities
• Objectives and strategies in response to stakeholder expectations
• Policies
• The culture of the organisation
• The extent of senior management commitment to the risk management process
These help to shape decisions on what risks are acceptable
The Risk Management Process Context
• The risk culture
• The role of risk management in achieving organisational goals
• The dynamics of the risk-return trade-off – appetite
• The extent to which risk management practices promote value creation
• The extent of the integration of risk management into organisational activities and staff KPIs
These help to shape decisions on what risks are manageable
Identify Risks
The purpose of the risk identification activity is to highlight threats to objectives and the nature of the impact of those threats if no action is taken to mitigate them. Critical to this activity is:
• an understanding of the objective
• what the sources of threats can be – there may be more than one
• how the threat affects the achievement of the objective – the type of impact.
Success depends on developing a well-understood risk description that explains the above factors, assigning it to the locations (units, departments) in the business where this risk is relevant, and assigning a single risk owner at the appropriate level of the organisation based on the location of the risk.
Effective risk identification and clear risk descriptions will support subsequent activities in the process – informed decisions on the level of risk (assessment) and effective risk treatments.
There are three key steps involved in risk identification:
Identify Risks (Cont.)
[Diagram: Causes → Risk Event → Potential Consequences, with controls acting on each side]
• Causes – types of sources (multiple)
• Risk Event
• Potential Consequences – stakeholders / types of impact
• Directive and Preventive Controls – what can we do to prevent the risk from occurring – mostly likelihood
• Detective and Corrective Controls – if a risk event occurs, what can be done to address the impact – consequence
Drivers / Sources: Behaviours, Customers, Schedule/Time, Social, Outcomes, Suppliers, Political, Financial, Reputation, Compliance
Identify Risks (Cont.)
Risk Identification Tools
• Surveys, checklists
• Results of audits
• SWOT analysis
• Brainstorming
• Loss and incident analysis
• Business process maps
• Others’ experience – case studies / databases
• Generating scenarios
• Focus groups, workshops
• Judgements of experts
Identifying all risks is challenging in a VUCA (volatile, uncertain, complex, ambiguous) environment, such as a highly volatile market or a new business, market or product. The worst outcome is to miss a material threat or risk event.
Use internal and external sources:
• Past / known information – events
• Experts – past experience and future views
• Open sessions – internal and external participants – brainstorm – what-if scenarios
• Focused sessions – detailed business internal analysis
• Checklists of risks
Analyse Risks
[Diagram: Inherent Risk, reduced by Existing Effective Controls, gives Residual Risk (the actual residual risk ranking, i.e. risk exposure); a Treatment Plan then reduces it to the Tolerable Residual Risk (the desired residual risk ranking, i.e. exposure management)]
Analysis of the likelihood and consequences is performed on an inherent and a residual basis.
• Inherent risk is the level of risk without any controls
• Residual risk is the level of risk after existing controls
The level of residual risk then needs to be compared to the risk appetite and further treatments identified if residual risk exceeds appetite.
Analyse Risks – Likelihood and Consequence
The overall assessment of risk is a combination of likelihood and consequence. The criteria and scales are defined by each organisation and need to align with the nature of the organisation’s activities, its strategy, and its appetite (ability to absorb losses).
Likelihood Rating
• Need to define frequency against time periods
Consequence Rating
• Need to define criteria – financial and non-financial
• Need to define scales of impact
Overall Rating
• Use a matrix to plot the residual risk level against the two dimensions
• Compare to the desired residual risk level (appetite)
Analyse Risks – Likelihood Rating
Each descriptor has a short description and a description of timing:

Almost certain – The event is expected to occur.
Timing: The event is almost certain to occur in most circumstances, say many times a month:
• There is a high level of recorded incidents and strong anecdotal evidence to support it
• There is a strong likelihood the event will reoccur

Likely – The event will probably occur.
Timing: The event is likely to occur in most circumstances, say once a year:
• There are regular recorded incidents and strong anecdotal evidence to support it

Moderate – The event might occur at some time.
Timing: The event may occur at some time, say once in five years:
• In the past five (5) years there are few, infrequent, random recorded incidents or little anecdotal evidence identified to support the likelihood
• There are some incidents in other States, associated or comparable organisations, facilities or communities

Unlikely – The event could occur.
Timing: The event could occur in some circumstances over a ten-year timeframe:
• In the past 10 years there have been a couple of recorded incidents or anecdotal evidence to support the likelihood
• There are very few incidents in other States, associated or comparable organisations, facilities or communities

Rare – The event may occur in some exceptional circumstances.
Timing: The event could occur in rare circumstances, maybe once every 10 years:
• In the past 10 years there have been no recorded incidents or anecdotal evidence to support the likelihood
• There are no recent incidents in other States, associated organisations, facilities or communities
Analyse Risks – Consequence Rating
Criteria: Financial; Regulatory/Legal; Reputation & image; Health & safety; Environment & stakeholders; Human Resources. Each rating is described against every criterion:

Extreme (5)
• Financial: Budget blow-out in excess of 15% of net cashflow in the next two years
• Regulatory/Legal: Significant legal, regulatory or internal policy failure
• Reputation & image: Ongoing national/regional media exposure. Extensive ongoing publicised attention from numerous or significant key stakeholders.
• Health & safety: Loss of life or permanent incapacitation of staff, agents or public.
• Environment & stakeholders: Extreme environmental harm likely to be irreversible. Stakeholder and/or community outrage.
• Human Resources: Unplanned loss (or extended absence) of senior team member/s in combination.

Major (4)
• Financial: Budget blow-out between 11 - 15% of net cashflow in the next two years
• Regulatory/Legal: Major legal, regulatory or internal policy failure
• Reputation & image: Extensive ongoing local media exposure. Repeated ongoing publicised attention from numerous or significant key stakeholders.
• Health & safety: Serious injury or incident which requires hospitalisation; incomplete rehabilitation achieved.
• Environment & stakeholders: Major environmental damage that can be rectified. High profile stakeholder concerns raised.
• Human Resources: Unexpected loss (or extended absence) of a number of key members with specialist knowledge.

Moderate (3)
• Financial: Budget blow-out between 7 - 10% of net cashflow in the next two years.
• Regulatory/Legal: Limited legal, regulatory and internal policy failure
• Reputation & image: Isolated local media exposure. Attention from a limited number of key stakeholders with restricted publicity.
• Health & safety: Injury or incident requiring medical attention with full rehabilitation achieved
• Environment & stakeholders: Moderate environmental harm that can be easily rectified.
• Human Resources: Unexpected loss (or extended absence) of a key member with specialist knowledge.

Minor (2)
• Financial: Budget blow-out between 5 - 6% of net cashflow in the next two years.
• Regulatory/Legal: Minor legal, regulatory and internal policy failure
• Reputation & image: Local media exposure. Isolated attention from one key stakeholder or a number of minor stakeholders with little or no publicity.
• Health & safety: Minor injury or incident which requires medical treatment and lost time >1 week.
• Environment & stakeholders: Immaterial environmental/community issue requiring some action.
• Human Resources: Unexpected loss (or extended absence) of a single staff member.

Notable (1)
• Financial: Negligible impact to cashflow.
• Regulatory/Legal: Insignificant legal, regulatory or internal policy failure.
• Reputation & image: No media exposure. Isolated attention from a minor stakeholder with no publicity.
• Health & safety: Minor incident requiring medical attention.
• Environment & stakeholders: Incident that is notified to management but does not require action.
• Human Resources: Short-term loss of resources to the project
Identify Controls
A control is any internal action taken to reduce the consequence and/or likelihood of a risk in pursuit of achieving the objectives. It is intended to manage risk by preventing or reducing the likelihood of the risk occurring, or by reducing the level of impact if the risk does occur.
To determine the residual risk level, we need to determine the relevant and effective controls currently operating. A common classification of control types is used to help identify a sufficient level of controls:
• Directive – to cause or encourage a desirable event to occur. For example, policies and procedures that set out what tasks need to be performed, safety signs.
• Preventive – to deter undesirable events from occurring. For example, an automated check in the leave system that prevents employees from applying for more leave than is available, passwords to prevent unauthorised access to technology systems, and a barrier at a lookout.
• Detective – to detect undesirable events that have happened. For example, follow-up of exceptions identified in systems-based reports.
• Corrective (recovery) controls – to minimise and fix the financial impact, disruption and recovery times when undesirable events happen. For example, insurance, Business Continuity Plans.
Evaluate Risks - Risk Matrix
Consequences run across the top (1 Notable to 5 Extreme) and likelihood down the side (A almost certain to E rare):

                     Notable  Minor  Moderate  Major  Extreme
Likelihood              1       2       3        4       5
A (almost certain)      M       H       H        E       E
B (likely)              M       M       H        H       E
C (moderate)            L       M       M        H       H
D (unlikely)            L       L       M        M       H
E (rare)                L       L       L        M       M

Plot the residual risk level of each risk in the matrix – this will allow a comparison against appetite and prioritisation of further actions to bring risks within appetite. Colour coding can be used to indicate appetite and the increasing level of urgency to address risks – e.g. red = most urgent.
Treat Risks
The evaluation process determines whether the current residual risk level should be accepted or whether additional actions are required to treat the risk and lower the residual risk rating. Three approaches are possible:
• Accept – a conscious decision to accept the current residual risk level and not put further treatments in place, other than ongoing monitoring. This decision is usually reached for risks that are within appetite, or may be used as a temporary decision for a risk that is out of appetite but expected to return to appetite within a defined period.
• Treat – reduce the likelihood or consequences of the risk to meet appetite by implementing additional processes and controls to prevent or detect errors, or other treatments such as insurance, business continuity plans, and disaster recovery plans.
• Avoid – do not proceed with the activity likely to create the risk. This is a strategic-level decision as it may require a business or product to cease operation, or a change to the business operating model.
The purpose of risk treatment is to take action to reduce the likelihood of a risk event arising and/or reduce the consequences of the risk should it occur to an acceptable level.
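The matrix lookup and the accept-or-treat decision above, as an added Python example that is not part of the lecture: it rates each register entry on an inherent and a residual basis, compares the residual rating with that risk's appetite, and lists the out-of-appetite risks most urgent first for reporting. The register fields, the sample entries and their appetites are constructed assumptions; Avoid is left to the risk owner because the slides describe it as a strategic decision.

```python
from dataclasses import dataclass

# The 5 x 5 matrix from the slide: rows are likelihood A (almost certain)
# to E (rare), columns are consequence 1 (notable) to 5 (extreme).
LIKELIHOOD_ROW = {"almost certain": 0, "likely": 1, "moderate": 2,
                  "unlikely": 3, "rare": 4}
CONSEQUENCE_COL = {"notable": 0, "minor": 1, "moderate": 2,
                   "major": 3, "extreme": 4}
MATRIX = ["MHHEE",   # A almost certain
          "MMHHE",   # B likely
          "LMMHH",   # C moderate
          "LLMMH",   # D unlikely
          "LLLMM"]   # E rare
URGENCY = {"L": 0, "M": 1, "H": 2, "E": 3}   # E (red) is the most urgent


def rate(likelihood: str, consequence: str) -> str:
    """Return the L/M/H/E cell for a likelihood and consequence pair."""
    return MATRIX[LIKELIHOOD_ROW[likelihood]][CONSEQUENCE_COL[consequence]]


@dataclass
class RegisterEntry:
    """One risk register row (this field set is an assumption of the example)."""
    risk_id: str
    description: str
    owner: str        # the single accountable risk owner
    inherent: tuple   # (likelihood, consequence) with no controls in place
    residual: tuple   # (likelihood, consequence) after existing effective controls
    appetite: str     # tolerable residual level for this risk: "L", "M", "H" or "E"


def evaluate(entry: RegisterEntry) -> dict:
    """Rate the entry on both bases and decide Accept (within appetite) or Treat."""
    inherent = rate(*entry.inherent)
    residual = rate(*entry.residual)
    if URGENCY[residual] > URGENCY[inherent]:
        # Controls can only lower the rating; a higher residual is a register error.
        raise ValueError(f"{entry.risk_id}: residual {residual} above inherent {inherent}")
    out_of_appetite = URGENCY[residual] > URGENCY[entry.appetite]
    # Avoid is a strategic call for the owner, so the register only records
    # Accept versus Treat and leaves the choice of treatment to the owner.
    return {"risk_id": entry.risk_id, "owner": entry.owner,
            "inherent": inherent, "residual": residual,
            "appetite": entry.appetite, "out_of_appetite": out_of_appetite,
            "decision": "Treat" if out_of_appetite else "Accept"}


def report(register: list) -> list:
    """Out-of-appetite risks only, most urgent first, as the reporting guidance asks."""
    flagged = [r for r in map(evaluate, register) if r["out_of_appetite"]]
    return sorted(flagged, key=lambda r: -URGENCY[r["residual"]])


# Constructed sample register; the risks, ratings and appetites are illustrative.
SAMPLE_REGISTER = [
    RegisterEntry("R1", "Unauthorised access to customer records", "CIO",
                  ("likely", "major"), ("unlikely", "major"), "M"),
    RegisterEntry("R2", "Failure of a sole-source supplier", "COO",
                  ("moderate", "extreme"), ("moderate", "major"), "M"),
    RegisterEntry("R3", "Project budget overrun", "CFO",
                  ("likely", "minor"), ("moderate", "minor"), "L"),
]
```

Calling report(SAMPLE_REGISTER) returns R2 (residual H against an appetite of M) ahead of R3 (M against L), while R1 sits within appetite and is accepted.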
Monitoring and Review
Monitoring and review needs to be performed in a number of respects:
• Review the appropriateness of the design of the risk management framework and the effectiveness of its performance
• Monitor the organisation’s context for developments that require re-assessment of the level of risk or new risks to be managed
• Monitor the effectiveness of the design and performance of controls and treatments – to be confident residual risk levels are being achieved
Recording and Reporting Risks
Recording
A Risk Register is a common tool to capture information on all the risks:
• risk description
• causes/sources and types of impact
• treatments and controls
• assessment of likelihood and consequence – inherent and residual
• additional required treatments.
The register is not a static document and needs to be updated as changes occur: the risk management activities are performed partly on a continuous basis and holistically, often annually.
The register may record hundreds of risk events – the level of specificity of identification and analysis of risk events is a judgement that needs to be made by the organisation based on its own circumstances.
Recording and Reporting Risks (Cont.)
Reporting
Organisations need to report the outcomes of the RMF internally and externally. Reports should focus on out-of-appetite risks and the actions needed to bring risks into appetite. In addition, the overall risk profile of the organisation may be reported – there is a need to provide summary information to achieve this – often the organisation will define risk categories to achieve this – the number and type of categories is for the organisation to decide based on its nature and structure – an example of a simple set of categories is set out below:

Risk Category – Description
• Strategic Risks – Strategic risks are defined by business structure and design choices and how these interact with external environmental factors
• Financial Risks – Financial risks involve the management of capital and cash, including external factors that affect the variability and predictability of revenue and cash flows
• Operational Risks – Operational risks arise from the tactical aspects of running the operations of a business
• Legal/Regulatory Risks – Legal/Regulatory risks arise from potential non-compliance with applicable legal and regulatory requirements and the risk of a change in regulations and/or laws that might affect the industry in which the business operates or the business specifically