Managerial Economics - e


Introduction to Risk Management

Slide 2

The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003

Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of Canada
Slide 3

• Increase risk awareness – What could affect the achievement of objectives? What could change? What could go wrong? What could go right?
• Increase understanding of risk – sensitivities. What makes my risks increase/decrease/disappear?
• Promote a “healthy” risk culture – It’s safe to talk about risk. Open and transparent.
• Develop a common and consistent approach to risk across the organization. Not intuition-based.
Slide 4

• Allows intelligent “informed” risk-taking.
• Focuses efforts – helps prioritize. Top 10 list. Or top 3. Or…
• Is proactive, not reactive – Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies.
• Improves outcomes – achievement of objectives (corporate, clinical, etc.)
• Really comes down to simple good management
• Enables accountability, transparency and responsibility
• And may even mean survival
Slide 5

• A risk is ANYTHING that may affect the achievement of an organization’s objectives.
• It is the UNCERTAINTY that surrounds future events and outcomes.
• It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization’s objectives.
Slide 6

Threat – a risk that may HINDER the achievement of objectives
Opportunity – a risk that may HELP in the achievement of objectives

• Interest rates
• Foreign exchange rates
• Supply of service/product/resources
• Demand/uptake for service/product/resources
• The economy
• The weather
• The stock market
Slide 7

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Slide 8

Enterprise Risk Management

[Figure: the risk management cycle – Establish, Identify, Assess, Evaluate, Monitor – with Communication & Learning at its centre, repeated at the Division Level, the Branch Level and the Unit or Project Level, with a Periodic Summary Analysis & Report connecting the levels.]
Slide 9

• Risk (uncertainty) may affect the achievement of objectives.
• Effective mitigation strategies/controls can reduce negative risks or increase opportunities.
• Residual risk is the level of risk after evaluating the effectiveness of controls.
• Acceptance and action should be based on residual risk levels.

[Figure: INHERENT risk, reduced by controls, leaving residual risk.]

Slide 10
Step 1: Establish Objectives
Step 2: Identify Risks & Controls
Step 3: Assess Risks & Controls
Step 4: Evaluate & Take Action
Step 5: Monitor & Report
Communicate, learn, improve
Slide 11

[Figure: decision types arranged under UNCERTAINTY – Strategic decisions; Programme decisions (decisions transferring strategy into action); Project & Operational decisions (decisions required for implementation).]
Source: HM Treasury’s The Orange Book

Decisions can be categorized into three types. The amount of risk (uncertainty) varies with the type of decision. Most decisions are concerned with implementation.
Slide 12

1. Political or Reputational Risk
2. Financial Risk
3. Service Delivery or Operational Risk
4. People / HR Risk
5. Information/Knowledge Risk
6. Strategic / Policy Risk
7. Stakeholder Satisfaction / Public Perception Risk
8. Legal / Compliance Risk
9. Technology Risk
10. Governance / Organizational Risk
11. Privacy Risk
12. Security Risk
13. Equity Risk
14. Patient Safety
Slide 13

Likelihood of a risk event occurring
• Very High: Is almost certain to occur
• High: Is likely to occur
• Medium: Is as likely as not to occur
• Low: May occur occasionally
• Very Low: Unlikely to occur

Risk Impact: Level of damage that can occur when a risk event occurs
• Very High: Threatens the success of the project
• High: Substantial impact on time, cost or quality
• Medium: Notable impact on time, cost or quality
• Low: Minor impact on time, cost or quality
• Very Low: Negligible impact
Slide 14

• Immediate – now
• Less than 6 months
• Between 6 – 12 months
• Between 12 – 24 months
• Between 24 – 36 months
• More than 36 months
Slide 15

RISK PRIORITIZATION MATRIX
[Figure: a 5 x 5 grid with IMPACT (1 to 5) on the vertical axis and LIKELIHOOD (1 to 5) on the horizontal axis; each cell holds the RISK score I x L.]

Slide 16
Risk Level – Action and Level of Involvement Required

Critical Risk:
• Inform Chief Executive Officer and Board of Directors
• Immediate action required

High Risk:
• Inform Chief Executive Officer
• Strategy Team involvement/attention is essential to manage risks – provide report to Board as appropriate

Moderate Risk:
• Management mitigation and ongoing monitoring required
• Inform relevant Strategy Team members

Low Risk:
• Accept, but monitor risks
• Manage by routine procedures within the program and site
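The scales, matrix and action table above, worked as code. This is an added example and not part of the original deck: it encodes the five-point Likelihood and Impact wording (slide 13), the RISK = I x L product of the prioritization matrix (slide 15), and the inherent-versus-residual distinction (slide 9), so that a register is ranked on residual score as the deck says acceptance should be. The numeric bands that map a 1..25 product to the four action levels of slide 16 are an assumption (the deck gives no thresholds), as are the risk IDs, descriptions and control credits in the sample register, which are constructed for illustration.

```python
"""Risk register scoring: I x L with inherent and residual scores.

Added example, not from the original slide deck. Score bands and the
sample register are ASSUMPTIONS made for illustration only.
"""
from dataclasses import dataclass, field

# Slide 13 wording, mapped onto the 1..5 ranks of the slide 15 matrix axes.
LIKELIHOOD = {
    1: "Very Low: Unlikely to occur",
    2: "Low: May occur occasionally",
    3: "Medium: Is as likely as not to occur",
    4: "High: Is likely to occur",
    5: "Very High: Is almost certain to occur",
}
IMPACT = {
    1: "Very Low: Negligible impact",
    2: "Low: Minor impact on time, cost or quality",
    3: "Medium: Notable impact on time, cost or quality",
    4: "High: Substantial impact on time, cost or quality",
    5: "Very High: Threatens the success of the project",
}

# ASSUMED bands over the 1..25 product (lower bound, level, action from slide 16).
ACTION_BANDS = [
    (20, "Critical Risk", "Inform CEO and Board of Directors; immediate action required"),
    (12, "High Risk", "Inform CEO; Strategy Team involvement essential; report to Board"),
    (6, "Moderate Risk", "Management mitigation and ongoing monitoring; inform Strategy Team"),
    (1, "Low Risk", "Accept, but monitor; manage by routine procedures"),
]


@dataclass
class Control:
    """A mitigating control, credited as ranks removed from L and/or I."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int  # 1..5, slide 13 scale
    impact: int      # 1..5, slide 13 scale
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in LIKELIHOOD or self.impact not in IMPACT:
            raise ValueError("likelihood and impact must be integers 1..5")


def score(impact: int, likelihood: int) -> int:
    """RISK = I x L, the value of one cell of the prioritization matrix."""
    return impact * likelihood


def clamp(rank: int) -> int:
    """Controls can lower a rank, but never below 1 or above 5."""
    return max(1, min(5, rank))


def inherent_score(risk: Risk) -> int:
    """Score before any control is credited."""
    return score(risk.impact, risk.likelihood)


def residual_score(risk: Risk) -> int:
    """Score after crediting the effectiveness of the listed controls."""
    lik = clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = clamp(risk.impact - sum(c.impact_reduction for c in risk.controls))
    return score(imp, lik)


def action_level(value: int) -> tuple:
    """Map a 1..25 score to (level, action) using the ASSUMED bands."""
    for floor, level, action in ACTION_BANDS:
        if value >= floor:
            return level, action
    raise ValueError("score must be at least 1")


def prioritize(risks) -> list:
    """Rank the register by residual score, highest first (slide 9: act on residual risk)."""
    rows = []
    for r in risks:
        res = residual_score(r)
        level, action = action_level(res)
        rows.append((r.risk_id, inherent_score(r), res, level, action))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed sample register; IDs, wording and control credits are made up.
SAMPLE = [
    Risk("R-1", "Loss of key staff", likelihood=4, impact=4,
         controls=[Control("Succession plan", likelihood_reduction=1)]),
    Risk("R-2", "Data-centre outage", likelihood=2, impact=5,
         controls=[Control("Failover site", impact_reduction=2),
                   Control("Maintenance contract", likelihood_reduction=1)]),
    Risk("R-3", "Minor reporting delay", likelihood=3, impact=1),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE):
        print(row)
```

Run as a script it prints one tuple per risk: id, inherent score, residual score, level and action. In the sample, R-2 looks serious on inherent score (10) but its failover and maintenance controls bring it down to 3, while R-1 stays at 12 after its single control and so sits at the top of the list; that reversal is the point of scoring on residual rather than inherent risk.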
Slide 18

[Figure: KRI linkage diagram connecting Strategy & objectives, Risk, Cause, Consequence, KRI and Performance.]
KRIs need to be linked to strategy, objectives and target performance levels, with a good understanding of the drivers to risk.
Slide 19

Human resources
• Average time to fill vacant positions
• Staff absenteeism/sickness rates
• Percentage of staff appraisals below “satisfactory”
• Age demographics of key managers

Information Technology
• Systems usage versus capacity
• Number of system upgrades/version releases
• Number of help desk calls

Finance
• Daily P&L
• Reporting deadlines missed
• Incomplete P&L sign-offs

Legal/compliance
• Outstanding litigation cases
• Compliance investigations
• Customer complaints

Audit
• Outstanding high risk issues
• Audit findings
• Revised management action target dates

Risk management
• Management overrides
• Limit breaches
Slide 20

Excellent
• Advanced capabilities to identify, measure, manage all risk exposures within tolerances
• Advanced implementation, development and execution of ERM parameters
• Consistently optimizes risk adjusted returns throughout the organization

Strong
• Clear vision of risk tolerance and overall risk profile
• Risk control exceeds adequate for most major risks
• Has robust processes to identify and prepare for emerging risks
• Incorporates risk management and decision making to optimize risk adjusted returns

Adequate
• Has fully functioning control systems in place for all of their major risks
• May lack a robust process for identifying and preparing for emerging risks
• Performing good classical “silo” based risk management
• Not fully developed process to optimize risk adjusted returns

Weak
• Incomplete control process for one or more major risks
• Inconsistent or limited capabilities to identify, measure or manage major risk exposures

Source: Standard & Poor’s

Slide 21

• Establish centralized support
• Develop a standardized framework
• Provide education and coaching
• Ensure company-wide implementation
• Embed RM into all major processes including strategic planning and resource allocation decisions
Slide 22

• Incorporates risk information into the strategic direction-setting, making decisions that consider established risk tolerance levels.
• Takes a systems approach to managing risk at the strategic, operational and project levels which is continuous, proactive and systematic.
• Fosters a working culture that values learning, innovation, responsible risk-taking and continuous improvement.
Slide 23

IRM RISKS AND CONTROLS

The following table describes the risks and mitigating controls and related information. As controls are implemented or changed, their status will be updated.
Risk Rating: Impact = significant, moderate or minor (S, M, m) and Likelihood = high, medium or low (H, M, or L)

Columns: ID Number | Responsible Org & Name (Implement / Operate) | Risk | Control | Risk Rating (Impact) | Risk Rating (Likelihood) | Date Required | Status

Category: Financial
None in this category

Category: Equity
None in this category

Category: Service Delivery or Operational

ID Number: 064
Responsible: Person A
Risk: 055 – Insufficient knowledge transfer; 102 – Conflicting management instructions
Control: Update impacted policies and procedures for integration into knowledge support tools. Harmonizing policies and procedures (e.g., access procedures – X has one and Y has one – there needs to be one process/policy/procedure).
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: Refer to Privacy Action Plan Work on Ongoing Operations Commitments Report

ID Number: 065
Responsible: Person B
Risk: 056 – Lack of communication (Serious service delivery issues); 352 – Different business and IT processes (incident management)
Control: (a) IT incident and Triage (harmonization between IT and Business). (b) X and Y need to develop an incident management process/service to deal with issues that arise during service delivery. Roles and responsibilities need to be defined in both organizations: from a stewardship perspective on the ministry side, and from a service delivery/reporting perspective on the agency side. The process/service ensures that incidents/issues are communicated as per agreement requirements; well tracked and reported.
Risk Rating (Impact): M
Risk Rating (Likelihood): M
Date Required: 31-Mar-09
Status: (a, b) Refer to ongoing Operations IRM document
Slide 29

Threats:
• Death
• Head Injury
• Injury
• Reputation
• Financial
• Damage to the bike
• Sunburn/frost bite

Opportunities:
• Exercise
• Sunlight
• Reputation
• Financial
• Role model
• Environment
Slide 30

• Death, head injury, other injury – helmet, bright clothes, lights, bell, CANbike course, obeying traffic laws, positive attitude, anger management course
• Reputation – great outfit, change of wrinkle-free clothes, shower, time management
• Financial – high quality locks, “beater”, stopping at stop signs
• Damage to the bike – regular maintenance, avoiding pot holes
• Sunburn/frost bite – sunscreen, mittens, hats, token/change
• Dehydration – filled water bottle
Slide 33

• Why is the organization interested in RM? What are they hoping will be achieved with its implementation?
• Who is doing what? Roles & responsibilities must be clearly defined. Make sure Leadership supports RM and uses RM results to make decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned.
• How will it be implemented? What is your framework? What is the common language? How will risks be measured and reported?
• Where will you start? Choices could be where you can most easily succeed, where it is needed the most, or where interest is high.
• When will it be implemented? It is a journey, not a destination; 3-5 years for complete roll-out; how often will risks be assessed; when will mitigation plans be implemented and monitored; when will risks be reported.
Slide 34

• Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same?
• Have we assessed the likelihood and impact of our risks?
• Have we identified the sources and causes of our risks?
• How well are we managing our risks?
• Are we trying to prevent the downside risks from happening? Or are we trying to simply recover from them?
• Who is accountable for these risks?
• How do we talk about risk? Do we have a common language across branches, across divisions, across the ministry, across the OPS, across the health care system?
• Are we taking too much risk? Or not enough risk?
• Are the right people taking the right risks at the right time?
• What’s our culture? Are we risk averse or are we risk-takers? Or are we somewhere in between?