Audit Committee Risk Management Training September 2010 John Allsop Marcus Richards.

Page 1

Audit Committee Risk Management Training

September 2010

John Allsop

Marcus Richards

Page 2

Introduction

• Definition of Risk Management

• Risk Management Principles & Practice

• Benefits of Risk Management

• Current Developments

• Anecdote

Page 3

What do we mean by Risk?

• Contemporary Definition – Risk is the “effect of uncertainty on objectives” (ISO 31000 - Risk Management Principles and Guidelines (2009))

• Uncertainty can be positive or negative.

Page 4

Towards a balanced view of risk

Traditional view:

• All about threats

• Risk averse

• ‘Can’t Do’

Contemporary view:

• About opportunities

• Risk enabling/managing

• ‘Can Do’

Page 5

What is Risk Management?

• The culture, processes and structures directed towards realising opportunities whilst managing adverse effects.

• Its purpose is not to eliminate risk, but to understand it so as to take advantage of the upside and minimise the downside.

Page 6

Risk Management is not

• A new responsibility

• About eliminating risk

• An add-on

• A one-off exercise

• The universal answer

Page 7

Why is risk management important?

• Good management practice

• Achievement of objectives

• Opportunities

• Assurance to stakeholders

Page 8

What if we don’t manage our risks?

• Corporate failures (private sector)

• Step-in (local government)

• Project failures

• Missed opportunities

Page 9

The Risk Model

• Strategic Risks
  – High level
  – Owned at board level
  – Cross cutting

• Operational Risks
  – Departmental/business unit level
  – Any risk which is not strategic

Page 10

Risk Management Process

Risk Identification: What could happen? How could it happen?

Risk Assessment: Likelihood? Impact?

Risk Mitigation & Management: Accept? Avoid? Reduce? Transfer?

Risk Profiling: Prioritisation

Risk Monitoring & Review: Ongoing process

Reporting

Page 11

Step 1 - Risk Identification

Tools available to identify risk:

• PESTLE/SWOT Analysis

• Brainstorming/Challenge sessions

• Scenario Planning

• Audit reports

Page 12

Step 2 - Risk Assessment

Assess each risk in terms of:

• Likelihood (frequency/probability)

• Impact (Severity)

Page 13

Level of Risk

Risk Score (L x I)    Risk Rating
11 – 16               High
5 – 10                Medium
1 – 4                 Low

Page 14

Step 3 - Risk Profiling

Likelihood \ Impact    1 Minor    2 Significant    3 Serious    4 Major
4 - Very Likely        L          M                H            H
3 - Likely             L          M                M            H
2 - Unlikely           L          L                M            M
1 - Remote             L          L                L            L

Page 15

Step 4 - Risk Mitigation & Management

• Tolerate the risk
  – Within Ealing’s risk appetite (need to monitor)

• Terminate the risk
  – Quit the operation (often not a real option)

• Treat the risk
  – Reduce likelihood (put in extra controls)
  – Reduce impact (PR, recovery/continuity plans etc.)

• Transfer the risk
  – Transfer exposure through insurance or to partner organisation

Page 16

Step 5 – Risk Monitoring & Reporting

• Quarterly reporting to Corporate Board and Audit Committee.

• Quarterly Corporate Risk Management Forum.

• Committee Report template

Page 17

Risk Registers

• Used to document the risk management process

• Strategic Risk Register

• Operational Risk Register

• Project Risk Logs

Page 18

Benefits of Risk Management

• Increased ownership and understanding of risk

• Consistent, shared view

• Fewer surprises – issues highlighted earlier

• Improved and informed decision-making

• Visibility and evidence

Page 19

Current Developments

• ISO 31000 - Risk Management Principles and Guidelines (2009)

• Enterprise Risk Management

• UK Corporate Governance Code (2010)

Page 20

And Finally

Black Swan Theory – The disproportionate role of high-impact, hard-to-predict and rare events that are beyond the realm of normal expectations (Taleb 2007)

Page 21

Any Questions?