The Business Case of Integrated Risk Management

Download Report

Transcript The Business Case of Integrated Risk Management

Presentation 2: Managing Risk at the
Enterprise Level: The Business Case
Andrew Graham
Workshop on Risk and
Enterprise Risk Management
School of Policy Studies Southern
Africa Development
Queen’s University
Community
April, 2014
Kingston, Canada
Gaborone, Botswana
Some Questions…to which we will return
• What does risk have to do with strategy?
• How does risk-resiliency go beyond conventional risk
management?
• What are the best way to manage risk in an increasingly
interconnected world?
Risk about playing to win not just
playing not to lose.
Factors that are changing the risk conversation
• Greater economic and environmental uncertainty,
• Interconnectedness of things
• Proliferation of information, Internet and communication
tools
• Global economy and complex instabilities
• Growing concern for sustainability
• Growing concern for ability to survive increasing number
of shocks – resilience
• Increased velocity of risk
Resilience is Key
• A risk resilient organization can:
– Assess, mitigate and continuously monitor its risk
environment,
– Recognize and take risks to meet its objectives,
– Rapidly adapt to changes, and
– Ensure the sustainability of the organization as it
adapts and changes.
Resilience is Key
• A non risk resilient organization will:
– Operate in a culture of surprise and accidents happen,
– See risks as threats requiring full defensive posture,
– Ignore warning signs and not read the environment,
– Place the organization itself in danger as railed
response lead to profound and existential questions
about the organization itself.
Those organisations that
are risk-resilient will prosper and thrive.
The cautious ones will die over time. The
careless ones will die quickly.
So, Why Risk Management
“Failing to prepare is
preparing to fail.”
Attributed to Benjamin Franklin,
but so are a lot of other aphorisms
as well.
IRM/ERM Mature Idea, New Relevance
• Has gained renewed focus and relevance
• Unprecedented levels of risk
• Pace of change and speed of information flow have
challenged older, slower methodologies, but not the
objective
• Pressure from stakeholders for organizations to identify
their risks sooner, link them as never before and manage
them
• Pressure on as well for organizations to be much more
brutally honest with themselves and their stakeholders
about their risks
What are the Harms that Come from Not
Managing Risks
•
•
•
•
•
Decline in credibility
Inability to influence other
Reputational loss
Missed opportunity
Failure to meet objectives
The only alternative to risk management is crisis
management --- and crisis management is much
more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
IRM/ERM is….
A Risk
Management
Culture
A Risk
Management
Process
A Corporate
Governance
Process
ERM/IRM
What Effective IRM gives you
The Ability to……….
Anticipate and
adapt to change
Seize
opportunities
Absorb and
recover from
risk events
Five Questions about whether you are
managing your risks in a resilient way.
• Who Owns Risk?
– If not those driving the strategy of the organization,
you are in trouble.
– If senior managers do not then ensure that risks are
managed throughout the organization, more trouble.
Five Questions about whether you are
managing your risks in a resilient way.
• How Effective is the Executive or Board in Overseeing
Risk Management?
– Is there timely, reliable and meaningful information?
– Does it ensure that alternative views are heard?
– Is what it uses useful, not excessive and focused?
– Does senior management develop guidance – formal or
informal – on risk acceptance or rejection?
Five Questions about whether you are
managing your risks in a resilient way.
• How Actively is Risk Managed?
– If risks are only assessed after a problem, then there is a
problem.
– Are risk updates built into the planning and control
process?
– Is awareness of knowable risks supplemented with
analysis about possible future scenarios relevant to the
objectives of the organization?
– Are resilience and sustainability part of the risk
analysis?
Five Questions about whether you are
managing your risks in a resilient way.
• Can the Organization Rise to Rare and Major Events?
– What is the level of resilient capacity to respond to the
atypical event or shift?
– Does the organization have redundancies in its key
systems and dependencies?
– Can the organization re-adapt and respond quickly?
Five Questions about whether you are
managing your risks in a resilient way.
• Is the Organization Getting a Return on its Investment
in Risk Management?
– Do efforts to integrate risk in planning and operations
pay off in terms of greater assurance, capacity to
respond and stakeholder confidence?
– Is there a sense that forms are just being filled out but
not very useful in doing business?
– Is there a healthy use of risk language and calibration
within the culture?
What is Integrated Risk Management?
• A continuous and systematic process to understand,
manage and communicate risk from an organizationwide perspective.
• It is about making strategic decisions that contribute to
the achievement of an organization’s overall corporate
objectives.
• It integrates the risk management process into the
planning and decision-making of business processes
and aggregates all types of risk across the organization,
and monitors and manages risk on a comprehensive
basis.
• An inherent part of sound corporate management.
CAS Definition of ERM
“ERM is the discipline by which an organization in any
industry assesses, controls, exploits, finances and
monitors risks from all sources for the purpose of
increasing the organization’s short- and long-term
value to its stakeholders”
Casualty Actuarial Society: “Overview of Enterprise Risk Management” – May 2003
The Four Dimensions of an integrated Risk
Management Approach
1.Managing all types of risk and understanding
interrelationships
2.Uniform process
3.Coherent and integrated vision involving
the whole financial group
4.Integration into management practices and
decision systems
Evolution of Risk Management in an Organization
Benefits of An Integrated Approach
to Risk Management
 Alignment of all levels with objectives, priorities and
tolerances for risks
 Reassures stakeholders that the organization is well
managed
 Enables stakeholders and funders/policy setters to better
understand needs of the organization
 Helps meet emerging national and international risk
management standards, such as ISO 3100
 Allocates resources based on risk priorities
 Avoids surprises and helps ensure operating stability
The New Global Standard for
Integrated
Management:
The New ISORisk
ERM Standard
- 31000
ISO 31000 - Risk management —
Guidelines on principles and
implementation of risk management
23
ISO: IRM in the Global Context
• ISO standard (‘Guideline’) for all size organizations for all risks: Intended as
management guidance in designing and implementing an organization-wide risk
management approach
• Not a certifiable ISO Standard
• Publication expected Summer 2009
• Most countries/industries represented: 75 or so (multi-disciplinary, multi-sectoral)
• Currently 15 pages in total
• Effectively a check list for best practise for both risk management framework for an
organization and a risk management process for individual decision makers
• Incorporates best practise for ERM framework
• Stresses integration of risk management in organizational structure for management
and decision making
• For the first time states principles and guidelines for excellence
24
ISO 31000 At A Glance: Overview
25
ISO 31000 At A Glance: Closer View
Clause 6.0
26
26
ISO 31000 At A Glance: Common Risk Process
27
Noteworthy Differences in the new ISO 31000
• Risk has been defined in a neutral way, centred on
organizational objectives
• Risk is the effect of uncertainty on objectives. Managing it leads
to realising opportunities as well as limiting losses.
• Clarified relationship between process and framework
• a common risk process is now situated in the risk management
context of an organization
• Guidance
• to help an organization make sense of all of its various risk
activities and terms
• Continuous Improvement
• The new Standard follows the ‘Plan-Do-Check-Act’ management
approach focused on iterative improvement in the way an
organization manages risk
28
ISO - Guidance on Excellence in Managing Risk
•
•
•
•
•
•
Continuous Improvement in RM
Accountability for risks, controls and treatment tasks
Risk Management processes are ‘embedded’
Risk in decision making
Communication and Reporting
Risk Management is a Core organisational process
Guidance on Principles are minimum ISO expectations
Guidance on Excellence is the ideal ISO expectation
29
ERM can go really wrong when….
•
•
•
•
It is not integrated and silos are reinforced
The organization takes a simplified view of reality
People deceive themselves and others
Key indicators deliberately or (even worse) ignorantly
ignored
• Poor analytics
• Different meanings to words, processes and definitions
• In consistent application: do not start unless you are
going to finish