Transcript Slide 1

Technical Assistance for Building Institutional Capacity for the
Implementation of the Regional Competitiveness Operational Programme
This project is co-financed by the European
Union and the Republic of Turkey
Technical Assistance on Institutional Building for the
Implementation of RCOP in Turkey
Risk management stages –
Risk assessment, Risk response, Reporting and Monitoring
Todor Yankulov,
Risk assessment
• Risk - The possibility of an event occurring that will
have an impact on the achievement of objectives.
Risk is measured in terms of impact and likelihood.
• Risks are assessed on an inherent and a residual
basis.
• Purpose - to determine the significant risks and to
choose the correct response (prioritization)
Risk assessment
• Impact – Result or effect of an event. There may be a
range of possible impacts associated with an event.
The impact of an event can be positive or negative
relative to the entity’s related objectives.
• Likelihood – The possibility that a given event will
occur
• Purpose - to determine the significant risks and to
choose the correct response (prioritization)
Risk assessment
• The assessment has an inherent limitation – it is
subjective
• The assessment differs between a positive and a
negative perspective
Risk assessment
• A sure gain of $5,000,
or
• a 25% chance to gain $20,000 and a 75%
chance to gain nothing.
Risk assessment
• A sure loss of $15,000,
or
• a 75% chance to lose $20,000 and a 25%
chance to lose nothing.
Risk assessment
• Different techniques to reduce the subjective
estimation
• Past experience (in personal and institutional
aspect)
• Use of historical data
• Benchmarking (preceded by historical data)
• Use of indicators (units and measures) – it is
easier when the objectives are S.M.A.R.T
• If more than one indicator is applicable – the
higher is selected
Risk assessment
• Different techniques to reduce the subjective
estimation
• Use of standards and guidelines (EC guidelines
for financial corrections)
• About likelihood – it could be defined in a specific
time frame – daily, monthly, in a project life etc.
• About impact – financial thresholds, percentage of
financial or physical indicators, level of
dissemination of the impact (at project, measure
or priority axes level)
Risk assessment
• Assessment techniques
• Qualitative assessment techniques
• risks do not lend themselves to quantification
• insufficient credible data
• Quantitative assessment techniques
• require a higher degree of knowledge and effort
• mathematical and statistical methods - value at
risk, cash flow at risk, stress tests, and scenario
analyses
Risk assessment
• Likelihood - loss of financial resources causes delay in
project implementation / internal staff use IT
resources for personal messaging (ineffectiveness)
• High – the risk could arise on a daily basis/ the risk
is more likely to appear during the project lifecycle
• Medium – the risk could arise monthly/ there is a
possibility of risk occurrence
• Low – the risk could appear yearly / risk is not
possible to occur within the life cycle
Risk assessment
• Impact - irregularity with selection criteria in tendering /
loss of data causes delays in recovery of funds
• High – 100% financial correction / delay at
programme level
• Medium – 25% financial correction / delay at
measure level
• Low – 5% financial correction / delay at project
level
Risk assessment
• Techniques for organizing the risk assessment
• Brainstorming
• Nominal group technique
• Delphi method
Risk assessment
• Nominal group technique
• Participants gather in a group, but do not talk to each other
• The participants file their proposals in predefined forms
• The final results could be taken as an average or decided by
brainstorming
Risk assessment
• Nominal group technique
• Independence of each member of the Working Group
• Each member of the Working Group has the
opportunity to participate
• No one can dominate the discussion
• Control over time spent
Risk assessment
• Delphi method
• The procedure has three stages
• Two kinds of participants – working group (WG) and mentor/s
• First stage – the WG members fill in predefined
forms
• Second stage – the mentors aggregate the information
and return it to the Working Group
• Third stage – the WG members maintain or change
their position and justify their choice
• Benefit - objectivity
Risk assessment
IMPACT OF THE RISK: Delayed transactions, errors and difficulty in adoption
IMPACT: 4
LIKELIHOOD: 3
CONTROLS: 2
PRIORITY: 6
Risk assessment
• Next - risks have to be assessed on a residual basis.
• Controls / mitigation measures could be in place
• Residual Risk – The remaining risk after
management has taken action to alter the risk’s
likelihood or impact.
Risk assessment
• The existing controls/mitigation measures have to be
described/listed
• For each risk – description of controls
• When a mitigation measure covers more than one
risk – it should be described for each risk separately
Risk assessment
• Different techniques for assessment at residual basis
• Assessment of controls effectiveness and adequacy
• Combination with the risk ranking
(medium risk and high control = low residual risk)
• Calculation (risk 6 / control 3 = residual risk 3)
Risk assessment
• Different techniques for assessment at residual basis
• Evaluating the effect of controls on the likelihood and
the impact and then…
• …assessment of the likelihood and the impact of the
residual risk (the methods are as described above)
Risk prioritization
• Based on the scores the residual risks are distributed
in categories
• The stage is a link between the risk assessment and
the mitigation planning
• The result – a list (register) of the prioritized risks
Risk prioritization
Risk response
• Risk appetite - the amount of risk, on a broad level,
an organization is willing to accept in pursuit of value.
• It reflects the organization’s risk management
philosophy, and in turn influences the entity’s culture
and operating style
• Risk appetite is directly related to the organization’s
strategy.
Risk response
• A specific risk limit should be set for each objective
• The materiality level is an appropriate tool
• The Board/ the Top management set the risk appetite
and cascade / communicate it down
• The risk could be reassessed in relation with the risk
strategy
Risk response
Risk response
• Before implementing mitigation measures the existing
controls and the risk appetite were considered
• There are four main categories of risk response –
avoidance, reduction, sharing, acceptance
Risk response
• Avoidance – exiting the activities giving rise to risk.
Risk avoidance may involve exiting a project, a
measure, a geographical location
• The avoidance response suggests that no response
option was identified that would reduce the impact
and likelihood to an acceptable level.
Risk response
• Reduction – action is taken to reduce risk likelihood
or impact or both. This is the most common
approach.
• Reduction reduces residual risk to a level aligned with
desired risk tolerances.
Risk response
• Sharing – Reducing risk likelihood or impact by
transferring or otherwise sharing a portion of the risk.
Common techniques include insurance products, hedging
transactions, outsourcing of an activity.
• Sharing reduces residual risk to a level aligned with
desired risk tolerances.
Risk response
• Acceptance – No action is taken to affect risk
likelihood or impact.
• An acceptance response suggests that inherent risk
is already within risk tolerances – such risks have to be
monitored for changes
Risk response
• A combination of measures could be used for one risk
• The measures have to be considered in relation to
the likelihood and the impact
• A business continuity plan reduces the impact of
natural disasters
• Security checks reduce the likelihood of
unauthorized access
Risk response
• Cost of controls versus benefits should be assessed
• Initial costs and the costs of maintaining the
response
• Direct costs and if possible the indirect costs (the
cost of slowing down a process because of new
control)
• The benefits should be considered not only in
financial aspect (measures and indicators for
objectives and risks could be used)
Risk response
• The selected risk mitigation measures are described in
a Risk mitigation plan
• The mitigation plan should include - the risk, the
category of the risk response, the measure description,
responsible persons, deadlines, prognostic budget.
• The measures could be preventive, detective, manual,
computer, and management controls
Risk management reporting
• Reporting means communication and information -
reporting keeps risk management (RM) alive
• All personnel receive a clear message from top
management that risk management must be taken
seriously
• Management provides a clear statement of the
organization’s risk management philosophy and approach
and clear delegation of authority
Risk management reporting
• There are open channels of communication and a
willingness to listen
• Communications channels outside normal reporting lines
exist, and personnel understand there will be no reprisals
for reporting relevant information
• Open external communications channels exist –
communication and coordination with third parties
Risk management reporting
• Source data and information are reliable, and provided on
time at the right place to enable effective decision making
• Historical and present data are captured and used
• Precise procedures are in place, organizing a formal
approach to risk reporting
Monitoring
• Risk management is a dynamic, ongoing process and its
effectiveness, results and directions have to be monitored
• Monitoring could be:
• Ongoing
• Separate evaluation
• Combination
Monitoring
• Ongoing Monitoring Activities
• Built into the organization’s normal, recurring
operations (indicators, deadlines)
• Performed in the ordinary course of running the
activities
• They are performed on a real-time basis and react
dynamically to changing conditions
Monitoring
• Separate evaluation
• Conducted periodically or because of a change
• Performed by the management, internal auditors,
external specialists or combination
• It helps also to consider the effectiveness of the
ongoing monitoring activities
Monitoring
• Monitoring tools
• Process flowcharting
• Risk and control matrices
• Benchmarking using internal, external, or peer
information
• Computer assisted audit techniques
• Risk and control self-assessment workshops
• Questionnaires
Monitoring
• Monitoring could result in:
• Organization's objective update
• New risks identified
• Risk reassessment
• Risk appetite changes
• Controls and mitigation measures reassessment
• Controls and mitigation measures re-design / new
measures implementation
Questions/Discussions
Thank you for your attention!