2013 ipsc qld - presenter greg saunders - developing excellence in risk management frameworks
TRANSCRIPT
Developing excellence in risk management frameworks
Greg Saunders
today’s presentation
• a catalyst on the horizon in the federal arena
• what is enterprise risk management (erm)
• fundamental concepts of erm
• why implement an erm framework
• erm vision
• risk ownership
• building a framework – the erm roadmap
• drivers of change
• early warnings
• key lessons
• a parting thought
“there are risks and costs to a programme of action but they are far less
than the long range risks and costs of comfortable inaction”
John F. Kennedy
cfar position paper november 2012
• engaging with risk is a necessary step in improving performance
• an overarching framework for handling risk across the commonwealth
would underpin the earned autonomy model
• ceos and directors, as well as decision makers at different levels,
should be made explicitly accountable in legislation for oversight and
management of risk
• legislative change would send an important signal that risk
management is a key responsibility and requires a commitment of
resources
a catalyst on the horizon
what is enterprise risk management?
“a process effected by an entity’s board of directors, management and
other personnel, applied in strategy setting across the enterprise,
designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives”
coso definition
fundamental concepts of effective erm
• a process, ongoing and flowing through an entity
• effected by people at every level of an organisation
• applied in strategy setting
• applied across an enterprise, at every level and unit, and includes
taking an entity-level portfolio view of risk
• designed to identify potential events affecting the entity and manage
risk within its risk appetite
• able to provide reasonable assurance to an entity’s management and
board
• geared to the achievement of objectives – it is a means to an end, not
the end in itself
why implement erm in your organisation?
• reduce unacceptable performance variability
• align and integrate varying views of risk management
• enhance governance arrangements
• successfully respond to a changing business environment
• align strategy and corporate culture
erm vision
• management defines the capabilities needed to implement the erm
infrastructure
• organisations have different strategies, structures, cultures and
appetites for risk, so no two approaches to managing risk are alike
• therefore the various capabilities supporting the erm infrastructure may
differ
building an erm framework
• set the foundation
    adopt common risk language
    establish oversight and governance
• build capabilities
    assess risk and develop responses
    design / implement capabilities
    continuously improve capabilities
• enhance capabilities
    quantify risk enterprise wide
    improve enterprise performance
    establish sustainable erm approach
erm framework components
• internal environment
• objective setting
• risk identification
• risk assessment
• risk response
• control activities
• information and communication
• monitoring
how it all fits together
matrix: components of the erm framework (rows) mapped against the roadmap activities (columns)

columns – roadmap activities, grouped by phase:
    Set Foundation: Adopt Common Language | Establish Oversight and Governance
    Build Capabilities: Assess risk and develop responses | Design/Implement capabilities | Continuously improve capabilities
    Enhance Capabilities: Quantify risk enterprise wide | Improve enterprise performance | Establish sustainable ERM approach

rows – components of the erm framework (an x marks each roadmap activity the component applies to):
    Internal environment             x x x x x x x x
    Objective-setting                x x x x x x
    Risk Identification              x x x x x x x
    Risk Assessment                  x x x x
    Risk Response                    x x x x x x x
    Control Activities               x x x x x x
    Information and Communication    x x x x x x x x
    Monitoring                       x x x x x x
The ERM Roadmap
drivers of change
Change Enablement Priority                               Consequence if Unaddressed
Top management commitment and support                    No leadership or role models
Compelling business case for change                      No action
Clear shared vision                                      No direction or focus
Realistic goals                                          No credibility or impact
Well defined action plan for change                      No roadmap
Stakeholder engagement and support                       No commitment or momentum
Accountability for results                               No ownership
Manage the “human side” and effective communications     No endorsement of change or consistency in execution
Process view of implementing change                      No systematic approach
Align performance measures                               No achievement of objectives or realisation of benefits
Align process with culture                               No success
Permanent change                                         Nothing happens
risk ownership
• implementation of effective erm requires the identification of individual
risk owners
• assigning ownership of the processes for critical risks is one of the most
important tasks in implementing erm
• executive management ensures responsibility, authority and
accountability are defined and clearly articulated
• the risk owner has the responsibility, authority and accountability to
manage the risk
• risk owners may elect to outsource the responsibility; doing so does not
compromise their ownership of the risk
early warnings
• visibility is the key
• well aggregated risk information across an organisation
• low and medium risk across a large part of an organisation is
something to worry about
• emerging risk – how do you know what might be coming?
• are organisational reporting lines a barrier or an advantage?
• denial is a potential indicator of something being broken
key lessons
• effective erm processes can assist with key decisions
• you can choose where to invest and what the implications are
• justifying a business case based on risk will improve decision making
• effective erm will crystallise decision making
• erm must exist at all levels to know where to invest, how much to
invest and what will happen if you don’t
a parting thought
“Risk is good. The point of risk management is not to eliminate it; that
would eliminate reward. The point is to manage it, that is, to choose
where to place bets and where to avoid betting altogether”
Th. A. Stewart – Managing Risk in the 21st Century
questions