ACCT5919 Business Risk Management
Lecture 2 – Risk Management Process
What is Risk?
“ The effect of uncertainty on objectives - effect is a deviation from
the expected - may be positive and/or negative – can address,
create or result in opportunities and threats; objectives can have
different aspects and categories and can be applied at different
levels, usually expressed in terms of risk sources, potential events,
their consequences and their likelihood”
Source: AS/NZS ISO 31000:2018
Key Elements for Effective Risk Management
To achieve effective Risk Management a robust Risk Management Framework is required.
Key elements of the framework:
• Integrated
• Structured and Comprehensive
• Customised
• Inclusive
• Dynamic
• Best Available Information
• Human and Cultural Factors
• Continual Improvement
The Risk Management Process
Communication and Consultation
Communication and consultation with external and internal stakeholders should
occur regularly during all stages of the risk management process. This ensures
those involved in the management of risks have a clear understanding of the
business context and the reasoning behind decisions and actions. It also serves as
an effective communication platform to inform stakeholders.
Communication and consultation is important to:
• Bring together different areas of expertise for each part of the risk management
process
• Ensure appropriate consideration of alternate views when identifying and
evaluating risks
• Provide sufficient information to facilitate risk oversight and decision-making, and
• Build inclusiveness and ownership among those managing and affected by the
risk.
When assessing a new risk or managing an existing risk, it is important to involve
relevant stakeholders whose operations may be impacted by the particular risk.
The Risk Management Context
Establishing the Context (figure): Internal Context, External Context, Risk Management Context, Develop Criteria, Define the Structure.
Establishing the scope, context, and criteria is a critical first step before undertaking a risk assessment. It involves identifying and articulating what the business wants to achieve and looking at the external and internal factors that may impact operations and objectives.
Developing a shared understanding of the key objectives and operating environment with key stakeholders is a good starting point to determine what could go wrong and prevent the business from achieving its objectives. This understanding could also identify opportunities for the business.
The Risk Management Context (Cont.)
Establish the scope
An essential part of the process is to determine the scope. This requires an understanding of:
• Why the function, activity, or project is being undertaken
• What objectives or outcomes the business unit supports, and which of those objectives the proposed risk would hinder
• Who (groups or individuals) is involved or affected, including external stakeholders
• What is (and is not) covered by the risk assessment, and what the time horizon is
• How the risks might be managed and/or mitigated
• What resources might be required, and who is accountable and responsible for risk management activities
The Risk Management Context (Cont.)
In risk management, it is important to consider the internal and external environment
within which the business or program operates and how objectives could potentially be
impacted.
Strategic Context (external influences)
• The environment in which the organisation operates
• Involves a determination of what the stakeholders demand from the organisation
• Affected by legal, cultural, political and social factors
• Will influence and be influenced by the organisation’s reputation
These help to shape decisions on what risks are desirable
The Risk Management Context (Cont.)
Organisational Context (internal influences)
• The organisation’s capabilities
• Objectives and strategies in response to stakeholder demands
• Policies and goals
• The risk culture of the organisation
• The extent of senior management commitment to the risk management process
These help to shape decisions on what risks are acceptable
The Risk Management Process Context
• The role of risk management in achieving organisational goals
• The dynamics of the risk-return trade-off
• The extent to which risk management practices promote value creation
• The extent of the integration of risk management into organisational and staff KPIs
These help to shape decisions on what risks are manageable
Common Risk Categories
Risk Category: Description
• Strategic Risks: Strategic risks are defined by business structure and design choices and how these interact with external environmental factors.
• Financial Risks: Financial risks involve the management of capital and cash, including external factors that affect the variability and predictability of revenue and cash flows.
• Operational Risks: Operational risks arise from the tactical aspects of running the operations of a business.
• Legal/Regulatory Risks: Legal/Regulatory risks arise from potential non-compliance with applicable legal and regulatory requirements, and from the risk of a change in regulations and/or laws that might affect the industry in which the business operates or the business specifically.
Identifying Risks
The purpose of risk identification is to highlight threats to objectives and the impact of those threats if no action is taken to mitigate them. Risk identification is a critical and continual process. Success depends on developing a well-understood risk description and assigning it to a location in the business and a single risk owner.
Effective risk identification and clear risk descriptions will support good decision-making and effective risk treatment.
There are three key steps involved in risk identification:
Identifying Risks (Cont.)
Risk bow-tie (figure):
What is causing the risk (Drivers, Sources, Behaviours) → Risk Event → Potential Consequences (Safety, Schedule/Time, Social Outcomes, Performance, Political, Cost, Reputation, Compliance)
• Prevention Controls – what can we do to prevent the risk from occurring (act on the causes, before the event)
• Recovery Controls – if a risk does occur, what can be done to address the risk event (act on the consequences, after the event)
Analyse Risks – Inherent and Residual Risk
In determining the importance of a risk, both its likelihood and its consequence must be considered. Inherent risk is the level of risk before any controls are taken into account; residual risk is the level that remains after existing effective controls are applied.
Analyse Risks – Inherent and Residual Risk (Cont.)
Risk exposure and exposure management (figure): Inherent Risk → Existing Effective Controls → Actual Residual Risk Ranking → Treatment Plan → Desired Residual Risk Ranking (Tolerable Residual Risk). The left half of the figure is labelled Risk Exposure, the right half Exposure Management.
Identify Controls
A control is any management action taken to reduce the consequence and/or
likelihood of a risk in pursuit of achieving the objectives. A control is actually in place
and operating. It is intended to manage risk by preventing the risk from occurring,
reducing the likelihood of the risk occurring, or reducing the impact if the risk does
occur. Controls can be classified in many ways. These include:
Preventive - to deter undesirable events from occurring.
For example: a leave system that prevents employees from applying for more leave than is available in their leave balance; passwords; a barrier or gate at a lookout.
Detective - to detect and correct undesirable events that have happened.
For example: Systems-based exception reports.
Identify Controls (Cont.)
Directive - to cause or encourage a desirable event to occur.
For example: Policies, procedures, or signs.
Recovery controls - to minimise disruption and recovery times when undesirable
events happen.
For example: Insurance; Business Continuity Plans.
Analyse Risks – Consequence Rating
Criteria for each consequence rating, by category:

Extreme (5)
• Financial: Budget blow-out in excess of 15% of net cashflow in the next two years.
• Regulatory/Legal: Significant legal, regulatory or internal policy failure.
• Reputation & image: Ongoing national/regional media exposure. Extensive ongoing publicised attention from numerous or significant key stakeholders.
• Health & safety: Loss of life or permanent incapacitation of staff, agents or public.
• Environment & stakeholders: Extreme environmental harm likely to be irreversible. Stakeholder and/or community outrage.
• Human Resources: Unplanned loss (or extended absence) of senior team members in combination.

Major (4)
• Financial: Budget blow-out between 11 - 15% of net cashflow in the next two years.
• Regulatory/Legal: Major legal, regulatory or internal policy failure.
• Reputation & image: Extensive ongoing local media exposure. Repeated ongoing publicised attention from numerous or significant key stakeholders.
• Health & safety: Serious injury or incident which requires hospitalisation; incomplete rehabilitation achieved.
• Environment & stakeholders: Major environmental damage that can be rectified. High profile stakeholder concerns raised.
• Human Resources: Unexpected loss (or extended absence) of a number of key members with specialist knowledge.

Moderate (3)
• Financial: Budget blow-out between 7 - 10% of net cashflow in the next two years.
• Regulatory/Legal: Limited legal, regulatory and internal policy failure.
• Reputation & image: Isolated local media exposure. Attention from a limited number of key stakeholders with restricted publicity.
• Health & safety: Injury or incident requiring medical attention with full rehabilitation achieved.
• Environment & stakeholders: Moderate environmental harm that can be easily rectified.
• Human Resources: Unexpected loss (or extended absence) of a key member with specialist knowledge.

Minor (2)
• Financial: Budget blow-out between 5 - 6% of net cashflow in the next two years.
• Regulatory/Legal: Minor legal, regulatory and internal policy failure.
• Reputation & image: Local media exposure. Isolated attention from one key stakeholder or a number of minor stakeholders with little or no publicity.
• Health & safety: Minor injury or incident which requires medical treatment and lost time of more than one week.
• Environment & stakeholders: Immaterial environmental/community issue requiring some action.
• Human Resources: Unexpected loss (or extended absence) of a single staff member.

Notable (1)
• Financial: Negligible impact on cashflow.
• Regulatory/Legal: Insignificant legal, regulatory or internal policy failure.
• Reputation & image: No media exposure. Isolated attention from a minor stakeholder with no publicity.
• Health & safety: Minor incident requiring medical attention.
• Environment & stakeholders: Incident that is notified to management but does not require action.
• Human Resources: Short-term loss of resources to the project.
Analyse Risks – Likelihood Rating
Each descriptor with its description and description of timing:

Almost certain – The event is expected to occur.
Timing: The event is almost certain to occur in most circumstances, say many times a month.
• There is a high level of recorded incidents and strong anecdotal evidence to support it
• There is a strong likelihood the event will reoccur

Likely – The event will probably occur.
Timing: The event is likely to occur in most circumstances, say once a year.
• There are regular recorded incidents and strong anecdotal evidence to support it

Moderate – The event might occur at some time.
Timing: The event may occur at some time, say once in five years.
• In the past five (5) years there are few, infrequent, random recorded incidents or little anecdotal evidence identified to support the likelihood
• There are some incidents in other States, associated or comparable organisations, facilities or communities

Unlikely – The event could occur.
Timing: The event could occur in some circumstances over a ten year timeframe.
• In the past 10 years there have been a couple of recorded incidents or anecdotal evidence to support the likelihood
• There are very few incidents in other States, associated or comparable organisations, facilities or communities

Rare – The event may occur in some exceptional circumstances.
Timing: The event could occur in rare circumstances, maybe once every 10 years.
• In the past 10 years there have been no recorded incidents or anecdotal evidence to support the likelihood
• There are no recent incidents in other States, associated organisations, facilities or communities
Risk Matrix
Likelihood (rows) against consequence (columns); each cell gives the risk rating (L = low, M = medium, H = high, E = extreme).

                        Consequence
                        Notable  Minor  Moderate  Major  Extreme
Likelihood                 1       2       3        4       5
A (almost certain)         M       H       H        E       E
B (likely)                 M       M       H        H       E
C (moderate)               L       M       M        H       H
D (unlikely)               L       L       M        M       H
E (rare)                   L       L       L        M       M
Evaluate the Risk – Risk Treatment
The evaluation process helps determine whether the risk should be accepted or
whether additional actions are required to treat the risk and lower the residual risk
rating. Evaluating a risk includes a decision by the risk manager to:
• Treat - changing the likelihood of the risk to reduce the likelihood of negative
outcomes or changing the consequences to reduce the losses. This may include
insurance, business continuity plans, and disaster recovery plans.
• Accept - a conscious decision to accept the risk and not put treatments in place
other than ongoing monitoring.
• Avoid - not to proceed with the activity likely to create risk (e.g., a risk with a
detrimental consequence).
The purpose of risk treatment is to take action to minimise the likelihood of a risk
event arising and/or reduce the consequences of the risk should it occur.
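The analysis and evaluation steps above (inherent risk, existing effective controls, residual risk, the 5x5 risk matrix and the accept-or-treat decision) as a small risk-register calculator, added here as an example and not part of the lecture material. The matrix, the likelihood descriptors and the financial consequence bands are the lecture's; the rule that a risk's overall consequence is its highest category rating, the modelling of each control as removing a fixed number of likelihood or consequence bands, the handling of the gaps in the financial bands, and the sample register are assumptions made for illustration.

```python
"""Risk-register evaluator using the lecture's likelihood descriptors,
consequence ratings and 5x5 risk matrix.

Added example, not course material. Assumptions: a risk's overall
consequence is the highest rating across its consequence categories;
each existing effective control removes a fixed number of likelihood or
consequence bands; the sample register below is constructed.
"""
from dataclasses import dataclass, field

# Likelihood descriptors, least to most likely (matrix rows E..A).
LIKELIHOOD_ORDER = ["rare", "unlikely", "moderate", "likely", "almost certain"]

# Risk matrix: for each likelihood, the rating for consequence 1..5
# (Notable, Minor, Moderate, Major, Extreme). L/M/H/E = low/medium/high/extreme.
MATRIX = {
    "almost certain": "MHHEE",  # A
    "likely":         "MMHHE",  # B
    "moderate":       "LMMHH",  # C
    "unlikely":       "LLMMH",  # D
    "rare":           "LLLMM",  # E
}
RANK = {"L": 0, "M": 1, "H": 2, "E": 3}


def rate(likelihood: str, consequence: int) -> str:
    """Risk rating for one likelihood descriptor and consequence level 1..5."""
    if not 1 <= consequence <= 5:
        raise ValueError(f"consequence must be 1..5, got {consequence}")
    return MATRIX[likelihood][consequence - 1]


def financial_rating(blowout_pct: float) -> int:
    """Map a budget blow-out (% of net cashflow over the next two years) onto
    the Financial column of the consequence table. Bands are the lecture's;
    the table leaves gaps (6-7%, 10-11%), assigned here to the higher band
    (an assumption)."""
    if blowout_pct > 15:
        return 5   # Extreme
    if blowout_pct > 10:
        return 4   # Major
    if blowout_pct > 6:
        return 3   # Moderate
    if blowout_pct >= 5:
        return 2   # Minor
    return 1       # Notable: negligible impact on cashflow


def apply_controls(likelihood: str, consequence: int, controls) -> tuple:
    """Step likelihood/consequence down for each existing effective control.
    A control is (name, target, bands): target 'likelihood' for a preventive
    control, 'consequence' for a recovery control (assumed modelling)."""
    li = LIKELIHOOD_ORDER.index(likelihood)
    for _name, target, bands in controls:
        if target == "likelihood":
            li = max(0, li - bands)
        elif target == "consequence":
            consequence = max(1, consequence - bands)
        else:
            raise ValueError(f"unknown control target: {target}")
    return LIKELIHOOD_ORDER[li], consequence


@dataclass
class Risk:
    name: str
    owner: str                       # single risk owner
    likelihood: str                  # inherent likelihood descriptor
    consequences: dict               # category -> inherent rating 1..5
    controls: list = field(default_factory=list)
    tolerance: str = "M"             # highest residual rating accepted


def assess(risk: Risk) -> dict:
    """Inherent rating (before controls), residual rating (after existing
    effective controls) and the evaluation decision against tolerance."""
    inh_l, inh_c = risk.likelihood, max(risk.consequences.values())
    res_l, res_c = apply_controls(inh_l, inh_c, risk.controls)
    inherent, residual = rate(inh_l, inh_c), rate(res_l, res_c)
    decision = "accept (monitor)" if RANK[residual] <= RANK[risk.tolerance] else "treat"
    return {"risk": risk.name, "owner": risk.owner, "inherent": inherent,
            "residual": residual, "decision": decision}


# Constructed sample register.
REGISTER = [
    Risk("Payroll budget overrun", "CFO", "likely",
         {"financial": financial_rating(12.0), "regulatory/legal": 2},
         controls=[("monthly budget variance report", "likelihood", 1)]),
    Risk("Visitor injury at lookout", "Operations manager", "moderate",
         {"health & safety": 4, "reputation & image": 3},
         controls=[("barrier at lookout", "likelihood", 2),
                   ("public liability insurance", "consequence", 1)]),
    Risk("Loss of key specialist", "HR director", "unlikely",
         {"human resources": 3}),
]

if __name__ == "__main__":
    for row in map(assess, REGISTER):
        print(f"{row['risk']:<28} {row['owner']:<20} inherent={row['inherent']} "
              f"residual={row['residual']} -> {row['decision']}")
```

Running the file prints one line per register entry. A residual rating above the risk's tolerance is flagged "treat": the payroll risk stays High after its single preventive control and needs a treatment plan, while the lookout risk drops from High to Low once the barrier and insurance are counted. The avoid option remains a management decision the calculator does not make.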