Sei sulla pagina 1di 40

Essentials Companion KHS Pickett 2011 Training Slides

Narrative

You will need a copy Essential Guide to Internal Auditing 2nd Edition
of the book as future
reference material
for this presentation. Chapter Three

Managing Risk
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Training Aim


This presentation is To present a brief introduction to risk management that
aimed at increasing will give you an initial understanding of:
your level of
understanding of the 1.The meaning of risk.
following topics.
2.The risk management process.

3.Enterprise risk management.

4.The internal audit role.


Essentials Companion KHS Pickett 2011 Training Slides

Narrative
YOUR CHOICE
Would you chose
one, two or three as
the most appropriate The word risk is taken from the early Italian
response? risicare which means:

1. To dare.

2. To take care.

3. To beware.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
YOUR CHOICE ANSWERED
The best response is
number 1 to dare,
being related to The word risk is taken from the early Italian
choice rather than risicare which means:
fate.
1. To dare.

2. To take care.

3. To beware.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
The Turnbull report
The UKs Turnbull The reports from management to the board should, in
report on corporate relation to the areas covered by them, provide a
governance balanced assessment of the significant risks and the
addressed this idea effectiveness of the system of internal control in
of risk management. managing those risks. Any significant control failings or
weaknesses identified should be discussed in the
reports, including the impact that they have had, could
have had, or may have, on the company and the
actions being taken to rectify them. It is essential that
there be openness of communication by management
with the board on matters relating to risk and control.
Essentials Companion KHS Pickett 2011

Narrative
RISKS

We have developed a simple


model to help explain the risk
management process.
Here we start with the idea
that risks create impacts.

The IIA defines risk as: the


uncertainty of an event
occurring that could have an
impact on the achievement of
objectives. Risk is measured
in terms of consequences and
likelihood.
IMPACT
See Figure 3.2.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Bernstein on Risk


Peter L Bernstein has
made clear the fact
that risk can be dealt
with and addressed as
we constantly seek to
deal with the concept But if men and women were not at the mercy of
of uncertainty. If we impersonal deities and random chance, they could no
can anticipate and longer remain passive in the face of an unknown future.
manage risk we can They had no choice but to begin making decisions over a
affect its impact on far wider range of circumstances and over far longer
our business. See Page periods of time than ever before.
62.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
RISKS

Our new model


considers risk, in the
context of achieving
objectives. It has Opportunities
Threats OBJECTIVES
both an upside and
an downside that
presents both
threats and
opportunities. This is
explained in the IMPACT
notes to Figure 3.2 of
the book.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
An Exercise
We are simply asking
for ways that risks be
used to generate
opportunities?

Think of a few examples of risks that have an


upside and create opportunities for a
growing business.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
USING OPPORTUNITIES
How did you get on
with this exercise? In forming your response you should recall the
words we used earlier in this presentation where
risk means To dare, while the competition stands
back.
Essentials Companion KHS Pickett 2011

Narrative
RISKS

We refer back to the


IIA definition and
add the idea of
likelihood to our Opportunities
Threats OBJECTIVES
model. So risk is
measured in terms of
its impact on a
business and the high
likelihood that it will med
arise as explained in IMPACT low
Figure 3.2 of the low med high
book. LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Structuring Risk
There are many way of
categorizing risks across strategic risk
an organization and each
executive team will have
their own way of programme risk
defining different types
of risk. The British risk
standard provides the project risk
following categories that
are in general usage. financial risk; and

operational risk.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Your Choice


Chose the statement
that you feel is least Which is the least appropriate
appropriate.
attributes of effective risk
management?
1.Promotes an assessment of risks to achieving
objectives.
2.Ensures controls will be reviewed in response
to identified risks
3.Allows management to be certain that they
will achieve all their goals.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Your Choice the answer


Item three is least
appropriate because Which is the least appropriate
it is not always
possible to be certain
attributes of effective risk
that objectives will management?
be achieved. Risks by 1.Promotes an assessment of risks to achieving
definition entail objectives.
some degree of 2.Ensures controls will be reviewed in response
uncertainty.
to identified risks.
3.Allows management to be certain that they
will achieve all their goals.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Benefits of systematic risk management:
More realistic business and project planning.
Before we go further
Actions implemented in time to be effective.
into our model lets
Greater certainty of achieving business goals and project
look at the benefits
objectives.
related to effective
Appreciation of, and readiness to exploit, all beneficial
risk management. In
opportunities.
this case the benefits
Improved loss control.
relate to business
Improved control of project and business costs.
projects which is
Increased flexibility as a result of understanding all
explained on pages
options and associated risks.
62 to 63.
Fewer costly surprises through effective and transparent
contingency planning.
Essentials Companion KHS Pickett 2011 Board Sponsor

Narrative
RISKS

The new bits to the


model in Figure 3.3 are Identification
very important. That is Review
a systematic process of
identification, OBJECTIVES Strategy &
Threats KPIs
assessment,
management and review Assessment
is fundamental to
effective risk Management
management. We will high
look at each one in turn. med
IMPACT low
low med high
LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative

First find out what is out Identification


there that can impact
your objectives.
The risk management process starts with a
method for identifying all risks that face an
organization. This should involve all parties
who have expertise, responsibility and
influence over the area affected by the risks in
question. All imaginable risks should be
identified and recorded and scenario planning
may be used here.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Assessment
Then work out how big
the risk is and hoe likely
it is to materialise.
The next stage is to assess the
Management need to be significance of the risks that have been
careful in the way they
assess risk and there has
identified. This should revolve around
been some criticism of the two-dimensional Impact, Likelihood
overly optimistic
positions that has been
considerations that we have already
criticized by some. described earlier.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Management Armed with the knowledge of what risks
are significant and which are less so, the process requires
The next two stages are
the development of strategies for managing significant
to manage the big risks
and review your efforts. risks. This ensures that all key risks are tackled and that
resources are channeled into areas of most concern,
which have been identified through a structured
methodology.

Review The entire risk management process and outputs


should be reviewed and revisited on a continual basis. This
should involve updating the risk management strategy and
reviewing the validity of the process that is being applied
across the organization.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
An Exercise
Have a go at listing
as many measures as
you can think of.

In terms of managing risk. What sort of


measures could you take to mitigate large
levels of unacceptable risk?
Essentials Companion KHS Pickett 2011

Narrative
RISKS

Figure 3,4 of the


Essential Guide contains Identification
the term Risk Strategy Review
and these are the
measures you can use to OBJECTIVES Strategy &
Threats Opportunities
KPIs
take care of risk on the
left - which are TAKING CARE OF RISK: Assessment
explained in the book. 1Terminate 2 Controls
Management
3Transfer 4 Contingency
high
5Take more 6 Communicate
med
7Tolerate 8 Commission
research IMPACT low
low med high
9 Tell 10 Check
someone compliance LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative TAKING CARE OF RISK:

Page 66 to 69 deal with


each of these measures.

1 Terminate 2 Controls
3 Transfer 4 Contingency
5 Take more 6 Communicate
7 Tolerate 8 Commission research
9 Tell someone 10 Check compliance
Essentials Companion KHS Pickett 2011

RISK REGISTER (summary)


Narrative
Objectives... RISKS
risk impact % existing risk man owner
Figure 3.5 explains controls strategy

that way risks can be Identification


Review
captured in a Risk RISK BASED
Register which can OBJECTIVES Strategy &
Opportunities
Threats KPIs
then be used to drive
Risk Based Decision TAKING CARE OF RISK: DECISION MAKING
Assessment
Making. 1Terminate 2 Controls
Management
3Transfer 4 Contingency
high
5Take more 6 Communicate
med
7Tolerate 8 Commission
research IMPACT low
low med high
9 Tell 10 Check
someone compliance LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Risk Appetite


The key to effective
risk management is
defining what is and
what is not
acceptable and that
depends on the risk What is acceptable risk?
appetite. What is
your understanding
on this concept? I.e. what is your understanding of
the concept of risk appetite?
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Lets go for the simple INHERENT RISK
answer in Figure 3.5. The
risk appetite defines how
inherent risk is perceived RISK MANAGEMENT STRATEGY AND
and whether there is an CONTROLS
aggressive or more passive
growth strategy in place.
RESIDUAL RISK
Risk tolerance is what is
acceptable after
appropriate controls have
been put in place to MORE RISK ACCEPT RISK MORE CONTROLS
mitigate risk, through an
appropriate risk
management strategy.
Essentials Companion KHS Pickett 2011 Board Sponsor

RISK REGISTER (summary)


Narrative Risk
Objectives... RISKS
risk impact % existing risk man owner Policy
Lets get back to out controls strategy CRO
People
risk management Identification Buy-In
Review
model, this time with RISK BASED
the risk policy added OBJECTIVES Strategy &
Opportunities
Threats KPIs
into Figure 3.7.
TAKING CARE OF RISK: DECISION MAKING
Assessment
The board sponsor, 1Terminate 2 Controls
Management
CRO and people buy- 3Transfer 4 Contingency
high
in are explained in 5Take more 6 Communicate
med
pages 75 to 77. 7Tolerate 8 Commission
IMPACT
research low
low med high
9 Tell 10 Check
someone compliance LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
An Exercise
Make a list and
explain why you
have included the
item in your risk
policy.
What would you include in your Risk Policy?
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
The organizations risk management policy may include:
governance, outlining how risk management is governed;
Each risk policy will policy scope, describing the purpose of the policy and who it is aimed at;
describing the high level principles and the benefits of implementing risk
be different and one management; setting out the objectives, including legal and regulatory
version appears requirements, and what it intends to achieve; and providing an explanation of the
here. Pages 74 to 79 relationship with other policies;
Policy applicability, setting out to whom and to what the policy applies;
cover this topic. Risk management process, providing a high level overview and description of the
risk management process adopted by the organization;
Risk appetite, outlining the organizations risk appetite, thresholds and escalation
procedure;
Reporting, describing the purpose, frequency and scope of reporting;
Roles, accountabilities and responsibilities, describing the high level roles,
accountabilities and responsibilities in respect of risk management; and
Variations and dispensations, stating whether variations or dispensations from the
policy are allowed and, if they are allowed, describing the process for requests for
this.
Essentials Companion KHS Pickett 2011 Board Sponsor
S.I.C. ERM Process

RISK REGISTER (summary)


Narrative Risk
Objectives... RISKS
risk impact % existing risk man owner Policy
We can complete our controls strategy CRO
People
risk management Identification Buy-In
Review
model by adding in RISK BASED
The ERM (enterprise OBJECTIVES Strategy &
Opportunities
Threats KPIs
risk management)
Process and S.I.C. TAKING CARE OF RISK: DECISION MAKING
Assessment
(statement on 1Terminate 2 Controls
Management
internal control. This 3Transfer 4 Contingency
high
appears as Figure 3.8 5Take more 6 Communicate
med
in the book. We will 7Tolerate 8 Commission
IMPACT
research low
deal with ERM next. 9 Tell 10 Check
low med high
someone compliance LIKELIHOOD
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
COSO ERM
ERM is fully defined
by the Committee of A process, effected by an entitys board of
Sponsoring
directors, management and other personnel,
Organzations (COSO)
in their ERM applied in strategy setting and across the
framework that was enterprise, designed to identify potential events
published in that may affect the entity, and manage risk to
September 2004, be within its risk appetite, to provide reasonable
which can be viewed assurance regarding the achievement of entity
in full at objectives.
www.coso.org.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative What is ERM?


We are saying here
that ERM fits into the The idea is that the risk management process is
business and is not spread across the entire organization and
added on a a stand follows a structured approach that is integrated
alone process. within the way the business operates.
Essentials Companion KHS Pickett 2011

Narrative
We need to outline the
Linking risk management,
link between
corporate governance
governance and control
codes, risk
management and
internal control. Have
a look at the next slide Risk Internal
for our approach to Management
this task.
Controls
Essentials Companion KHS Pickett 2011

Narrative
Corporate Governance Codes
Corporate governance codes,
corporate structures and disclosure
arrangements will help promote
good accountability. Within the
Internal Corporate Structures
context of the control framework,
the organization should employ a
Control
process for identifying, assessing
and managing risk. After having Framework Disclosure Arrangements
assessed key risk, they will need to
be managed in line with a defined
risk management strategy. Internal
controls will seek to mitigate
unacceptable levels of risk. The
Risk Internal
strategy for managing risk and
ensuring controls do the job in hand Management Controls
should then be incorporated into an
overall strategy that drives the Corporate
organization towards the Strategies & Review
achievement of its objectives.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Where does Internal Auditing fit into
To answer this the risk management equation?
question we need to
return to the
definition of internal Internal auditing is an independent, objective
auditing. The final assurance and consulting activity designed to add
part makes clear we value and improve an organizations operations. It
are concerned with helps an organization accomplish its objectives by
risk management, bringing a systematic, disciplined approach to
control and evaluate and improve the effectiveness of risk
governance management, control and governance processes.
processes.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Where does Internal Auditing fit into the risk
Before we go further management equation?
lets issue a warning
about some of the Internal auditors must be alert to the significant risks that
limitations of the might affect objectives, operations, or resources. However,
internal audit review assurance procedures alone, even when performed with
process per IIA due professional care, do not guarantee that all significant
Attribute standard risks will be identified.
1220.A3. Note that
pages 82 to 85 deal
with the audit role.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Where does Internal Auditing fit into the risk
IIA Performance management equation?
Standard 2120
makes clear the
audit role in risk The internal audit activity must evaluate the effectiveness
management. and contribute to the improvement of risk management
processes.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Where does Internal Auditing fit into
IIA Practice Advisory the risk management equation?
2120-1 on Assessing
the Adequacy of Risk Determining whether risk management processes are effective is a
judgment resulting from internal auditors assessment that:
Management Organizational objectives support and align with the organizations
Processes gives an mission.
interpretation of Significant risks are identified and assessed.
Appropriate risk responses are selected that align risks with the
standard 2120. organizations risk appetite.
Relevant risk information is captured and communicated in a timely
manner across the organization,
Enabling staff, management, and the board to carry out their
responsibilities.
Risk management processes are monitored through ongoing
management activities, separate evaluations, or both.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative
Risk Management Practices
To close note that the
2009 Walker review of
The report should provide a brief description of how risk is
corporate governance in managed in the business, ideally using examples of material
the UK made clear that risks that arose in the previous reporting period. In
risk management should particular this should focus on the role of the Committee in
assume a higher profile the management of that risk. In addition the report should
in the wake of the 2008 provide a brief statement on the number of meetings in the
reporting period, an attendance record and whether any
Credit Crunch. And
votes were taken. The report should cover the key
internal audits role will responsibilities of the board risk committee and whether
be crucial to this move. these have changed in the reporting period. Finally the
report should briefly record the key areas that the
committee has considered in the reporting period.
Essentials Companion KHS Pickett 2011 Training Slides

Narrative Training Aim


We hope that this To present a brief introduction to risk management that
presentation has will give you an initial understanding of:
increased your level
of understanding of 1.The meaning of risk.
the following topics.
2.The risk management process.

3.Enterprise risk management.

4.The internal audit role.


Essentials Companion KHS Pickett 2011 Training Slides

Narrative

You will need a copy Essential Guide to Internal Auditing 2nd Edition
of the book as future
reference material
for this presentation. Chapter Three

Managing Risk