Kevin W Knight CHAIRMAN ISO WORKING GROUP - RISK MANAGEMENT TERMINOLOGY MEMBER STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT & RISK MANAGEMENT COORDINATOR EDUCATION QUEENSLAND PO BOX 226, NUNDAH QLD 4012 Tel: + 617 3235 4447 Fax: + 617 3235 4491 E-mail: [email protected] 0801 AN INTRODUCTION TO THE AUSTRALIAN & NEW ZEALAND RISK MANAGEMENT STANDARD - AS/NZS 4360:1999


Post on 18-Jan-2016


Page 1

Kevin W Knight

CHAIRMAN

ISO WORKING GROUP - RISK MANAGEMENT TERMINOLOGY

MEMBER

STANDARDS AUSTRALIA / STANDARDS NEW ZEALAND

JOINT TECHNICAL COMMITTEE OB/7 - RISK MANAGEMENT

&

RISK MANAGEMENT COORDINATOR

EDUCATION QUEENSLAND

PO BOX 226, NUNDAH QLD 4012

Tel: + 617 3235 4447 Fax: + 617 3235 4491

E-mail: [email protected]

0801

AN INTRODUCTION TO THE AUSTRALIAN & NEW ZEALAND RISK MANAGEMENT STANDARD - AS/NZS 4360:1999

Page 2

WHAT IS RISK?

Risk is the chance of something happening that will have an impact upon objectives.

It is measured in terms of consequences and likelihood.

Page 3

WHAT IS RISK?

Uncertainty as to the amount of benefits.

The term includes both

• potential for gain and

• exposure to loss

Page 4

Taking a risk: it isn’t all bad

• Taking risks is a normal unavoidable everyday necessity

• Taking controlled, informed risks is a sensible and everyday essential part of life

• Taking uninformed, uncontrolled risks is patently dumb

• We take risks not to avoid harm, but to achieve benefits and gains

• Risk taking is positive, not implicitly negative.

Page 5

Risk = Reality

• PRACTICAL STANDARDS

• INFORMATION & EDUCATION

• FINANCIAL INCENTIVES & DISINCENTIVES

• ENFORCEMENT & PROSECUTION

• COMMUNICATION & CONSULTATION.

Page 6

COMMUNICATE & CONSULT

• ANY TWO-WAY DIALOGUE BETWEEN STAKEHOLDERS

• DEVELOP COMMUNICATION STRATEGY AT THE CONTEXT STAGE

• ENSURE STAKEHOLDERS' PERCEPTION OF RISK IS ADDRESSED

Page 7

COMMUNICATE & CONSULT

Communicating risk successfully is neither a public relations nor a crisis communications exercise.

Its aim is not to avoid all conflict or to diffuse all concerns.

Risk communication seeks to improve performance based on informed, mutual decisions with respect to … risk.

Jean Mulligan, Elaine McCoy and Angela Griffiths, Principles of Communicating Risks, The Macleod Institute for Environmental Analysis, University of Calgary, Calgary, Alberta, 1998

Page 8

RM is everybody’s business

• RM is not just the responsibility of management

• For RM to be effective it must be implemented by every person in the organisation

• RM must become an integral part of the organisational culture

• The risk makers and risk takers must be the risk managers.

Page 9

MANAGING RISK

• We all manage risk consciously or unconsciously - but rarely systematically

• Managing risk means forward thinking

• Managing risk means responsible thinking

• Managing risk means balanced thinking

• RM provides a framework to facilitate more effective decision making

• RM is all about maximising opportunity by managing risk.

Page 10

Risk Management is not

• just accounting controls

• another name for insurance

• about creating risk averse management

• a label to hide inadequate analysis when something goes wrong

• a green light to careless enthusiasts

• opening the door to “risky management.”

Page 11

THE CHANGING APPROACH TO MANAGEMENT

• Increased pressure on CEO accountability

• Board pressures on Corporate Governance

• Board interest in Risk Management

• Risk Management emergence as a discipline

Page 12

Corporate Governance

The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within an acceptable degree of risk.

It is the glue which holds the organisation together in pursuit of its objectives while risk management provides the resilience.

Page 13

Risk: Chance, unpredictability, opportunity.

Managed by: Predicting, analysing, caring, preparing, preventing

Understood through: Communicating

Leading to: Confidence, Performance, Value

CHANGING TO A CULTURE OF MANAGING STRATEGIC AS WELL AS OPERATIONAL RISKS

Page 14

“STRATEGIC MANAGEMENT OF RISK”

“Managing risk is a way of confidently taking the right risks and then managing the outcomes for success”

[Diagram labels: Risks; Opportunities]

Page 15

Strategic Planning Processes

• Planning: Future State/End Vision; SWOT, Opportunities and Risks; Strategy & Tactics

• Execution/Integration: Manage Tactics; Manage Tasks; Manage Risks

• Monitor Performance: Performance; Capability; External Environment

• Review & Change: Strategic Learning; Strategic Alignment; Strategic Intelligence

Page 16

An integrated management system to ensure progress in strategy implementation

• Review Effectiveness: Board Review; Management Review; Individual Team performance (review & reward); External audit; Risk management

• Measurement: Audit; Client feedback; Benchmarking; Management information; Risk management

• Implementation: People; Information Technology; Process & Infrastructure; Policies & Procedures; Change & Project management; Risk management

• Action: Change management; Continuous improvement; Service development; Systems development; Risk management

• Business Strategies/Plans

Underpinned by:

• AS/NZS ISO 14000: Environmental management

• AS/NZS ISO 9000: Quality management

• AS/NZS 4360: Risk management

• AS 4390: Records management

• AS 3806: Compliance program

• AS 4269: Complaint handling

Page 17

• Responsibility and Leadership: Policy; Management Commitment; Stakeholder Analysis and Communication

• Plan: Risk Management; Identify Needs; Objectives and Targets; Define resources; Define strategies; Communication

• Implementation: Risk Management; Systems development; Define and implement procedures; Define performance measures; Documentation; Communication

• Measure: Monitoring; Audit; Client Feedback; Benchmarking; Performance Measurement; Risk Management; Communication

• Review and Improve: External Audit; Board Review; Risk Management; Communication

[Diagram labels: Quality; Safety; Environment & Other Risks]

Page 18

[Flowchart, text labels only: Strategic Context; Strategic Analysis; Issues; Risks; Outsource? (YES / NO); Transition/Planning; Policies; Risks; Specific Hazards; Implementation; Specific Risks; Specific Hazards; Continue Outsourcing? (YES / NO); Risk Treatment Options; Apply THE STANDARD; MONITOR & REVIEW]

Source: HB240:2000

Page 19

RISK MANAGEMENT BENEFITS

• More effective strategic planning

• Better cost control

• Increased knowledge & understanding of your exposure to risk

• More systematic & thorough method of decision making

• Greater transparency in decision making

• Prevention rather than reaction to risk

• Better preparedness for external review.

Page 20

The sequence of steps involved in the decision-making process:

• Classifying the problem – generic vs exceptional/unique or totally new

• Defining the problem

• Specifying the answer to the problem

• Deciding what is right before any compromises are made

• Building into the decision the action to carry it out

• Testing the validity & effectiveness of the decision against the actual course of events

The risk management process:

CONTEXT

IDENTIFY RISKS & CONSEQUENCES/IMPLICATIONS

IDENTIFY CURRENT POSITION & DECISION OPTIONS

SELECT OPTIMAL SOLUTION

ACTION

MONITOR & REVIEW

Peter Drucker

Page 21

Risk Management as Defined in AS/NZS 4360:1999

“THE CULTURE, PROCESSES AND STRUCTURES THAT ARE DIRECTED TOWARDS THE EFFECTIVE MANAGEMENT OF POTENTIAL OPPORTUNITIES AND ADVERSE EFFECTS.”

[Diagram labels: Structure; Direction; Processes; Culture; Communication; Risks; Opportunities; MONITOR & REVIEW; COMMUNICATE; CONSULT; ASSESS; 1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk]

Page 22

Risk Management Culture

This means that all our business behaviours relating to our individual performance encompass informed decisions to do or not to do things based on a reasonable analysis of foreseeable risks, opportunities and their associated impacts on the corporate objectives.

[Diagram labels: Risk Culture; Risks; Opportunities]

Page 23

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ASSESS RISKS; and the stages below]

• ESTABLISH THE CONTEXT: The Strategic Context; The Organisational Context; The Risk Management Context; Develop Criteria; Decide the Structure

• IDENTIFY RISKS: What can happen? How can it happen?

• ANALYSE RISKS: Determine existing controls; Determine Likelihood; Determine Consequences; Estimate Level of Risk

• EVALUATE RISKS: Compare against criteria; Set risk priorities

• Accept Risks? Yes / No

• TREAT RISKS: Identify treatment options; Evaluate treatment options; Select treatment options; Prepare treatment plans; Implement plan

Page 24

The Risk Management Standard

Overview

• World First

• Designed to complement ISO 9000 activities

• Team approach often best

• Iterative

• Integral part of management

• Adequate records should be kept to satisfy independent audit.

Page 25

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

ESTABLISH THE CONTEXT:

• The Strategic Context

• The Organisational Context

• The Risk Management Context

• Develop Criteria

• Decide the Structure

Page 26

THE CONTEXT

• Relevant Legislation

• Government Policy

• Corporate Policy

• Management Structures

• Community Expectations

• Level of support from Chief Executive

• Existence of senior executive “Champion”

• Level of managerial commitment.

Page 27

[Figure: An Organisation’s Paradigm. Elements: Symbols; Power Structures; Organisational Structures; Control Systems; Rituals & Routines; Stories (business experiences)]

Adapted from Johnson & Scholes, 1993, p.61

Page 28

HOLISTIC RISK MANAGEMENT

[Figure labels: Business Risks; Hazard Risks; Outsourcing; Controls; Financing; Debt management; Interest rates; Services; Treasury; Securities; Data; Physical damage; Consequential; Personnel; Criminal; War; Terrorism; State & Federal Legislation; Regulations; Contracts; Duty of care; Product liability; Statutory liability]

Page 29

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

IDENTIFY RISKS:

• What can happen?

• How can it happen?

Page 30

Identification

• The risk management context

• Identify studies needed,

• scope, objectives, resources

• generic sources of risk and areas of impact as guide

• Identify Risks

– What can happen

– How it can happen

A well structured systematic process is critical

Page 31

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

ANALYSE RISKS:

• Determine existing controls

• Determine Likelihood

• Determine Consequences

• Estimate Level of Risk

Page 32

Analysis

• Purpose

– Separate minor risks from major

– Provide data to assist in evaluation and treatment

• Preliminary Analysis

– Excluded Risks where possible should be listed

Where possible confidence limits placed on estimates

Best available information sources used

Page 33

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

EVALUATE RISKS:

• Compare against criteria

• Set risk priorities

• Accept?

Page 34

Evaluation

• Comparing levels of risk found in analysis with previously established criteria

• Deciding whether risk can be accepted

• Producing prioritised list for action

Consider

• Objectives of project and opportunities

• Tolerability of risks to others

Accepted risks should be monitored

Page 35

Evaluate & Prioritise Risks

[Figure: risk matrix. Axes: FREQUENCY/LIKELIHOOD and SEVERITY/IMPACT/CONSEQUENCES. Scale labels: Rare, Unlikely, Moderate, Likely, Almost Certain; Insignificant, Minor, Major, Critical, Extreme. Regions: Acceptable or Tolerable Level of Risk; Reduce Likelihood; Reduce Consequences; Reduce; Avoid Risks]

Page 36

ACCEPT

• Acceptable level of risk established

• Risk Financing programme developed.

Page 37

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

TREAT RISKS:

• Identify treatment options

• Evaluate treatment options

• Select treatment options

• Prepare treatment plans

• Implement plan

Page 38

LEVEL OF RISK

[Figure: regions of risk magnitude, with labels "As Low As Reasonably Achievable" and "As Low As Reasonably Practicable"]

• Intolerable Region: Risk cannot be justified except in extraordinary circumstances

• Tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained

• Tolerable if cost of reduction would exceed the improvements gained

• Broadly acceptable region (“de minimis” risk): Necessary to maintain assurance that the risk remains at this level

Page 39

[Figure: THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK, B.F. Hough 1985. Axes: LEVEL OF RISK (RISK VALUE) and COST OF REDUCING RISK ($). Bands: SATISFACTORY; MOST COST EFFECTIVE; ACCEPTED PRACTICE; ABSOLUTE MINIMUM; BEST ACHIEVABLE]

Page 40

Treatment

• reduce

– likelihood

– consequences

• transfer in full or in part (this creates a new risk)

• avoid (but not because of aversion)

• retain residual (but not by default)

Page 41

Treatment Options

Consider

• Cost of implementation vs benefits

• Extent of risk reduction vs benefits

• Criteria of acceptability

• Rare but severe risks

• Opportunities created by risk

• Risk perception and communication.

In general

Costs of managing risk commensurate with benefits

Adverse impacts As Low As Reasonably Achievable

Page 42

Treatment Plans

Document how options implemented

Responsibilities

Schedules

Expected outcomes

Budgeting

Performance measures

Review processes

Page 43

THE RISK MANAGEMENT PROCESS

[Process diagram: COMMUNICATE & CONSULT; MONITOR & REVIEW; ESTABLISH THE CONTEXT; IDENTIFY RISKS; ANALYSE RISKS; EVALUATE RISKS; ASSESS RISKS; TREAT RISKS]

Page 44

MONITOR & REVIEW

• RM is a journey not a destination

• What may be of minor significance today may be the disaster of tomorrow

• Review is an integral part of the risk management process

Page 45

DOCUMENTATION

• demonstrates process conducted properly

• provides a record of risks

• provides decision makers with plan for approval and implementation

• provides accountability tool

• facilitates monitoring and review

• provides an audit trail

• enables sharing and communication of information.

Page 46

RISK MANAGEMENT OUTCOMES

RM leads to

• more informed decision making

• business continuity planning

• minimising disruptions

• better utilisation of resources

• strengthening of the culture of continuous improvement

• best practice

• a quality organisation

Page 47

WHERE TO FROM HERE?

Page 48

WE DO NOT HAVE TO DO IT!!

SURVIVAL IS NOT COMPULSORY

Page 49

Rather than have the carpet pulled out from under you

Visit www.riskmanagement.com.au to learn how to dance on a moving surface.

Page 50

The greatest risk of all is to take no risk at all!

Page 51

The Journey Continues

[Diagram labels: Structure; Direction; Processes; Culture; Communication; Risks; Opportunities; MONITOR & REVIEW; COMMUNICATE; CONSULT; ASSESS; 1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk]

In pursuit of performance

A race

A journey ………. Building Value