risk management - a journey
TRANSCRIPT
Contents
• Risk Management Concepts
• Risk Organization, Process and Terminology
• Function Wise Risk Summary
• MHC Risk Library
• Review frequency
• Way Forward
Ask most people why cars have brakes and they’ll say, “So you can slow down.” But the real reason is so you can go faster and still be in control.
Organizations that are most effective and efficient in managing risks to both existing assets and to future growth will, in the long run, outperform those that are less so.
Why do we need risk management?
“Risk is the effect of uncertainty on objectives.” (ISO 31000:2009)
What is Risk?
The threat of bad things (risk as hazard)
The possibility of good things not happening (risk as opportunity)
The potential that actual events will not equal anticipated outcomes (risk as uncertainty)
e.g. Flood or Fire, Major Accidents, Natural Disasters
e.g. Changes in laws and regulations, Government Interventions
e.g. New Technologies, New markets, New products
• Company in Eastern India: Fire incident – Regulatory and operational risk can have a significant financial, strategic (and reputational) impact
Case Studies: Snowball effect of risk not assessed and managed effectively
Lack of Internal Controls
• The Fire System was not operational
Company received Memo from Fire Department
• Fire system was still not operational
Fire Broke Out
• 88 Lives Lost
• Company sealed
• Directors Arrested
Financial/Operational: Revenue loss due to closure of operations
Strategic: Expansion plans? Reputation?
• Hospital in Noida – Kidney scam happened, after which hospital lost its reputation and has still not been able to compete with current players in market.
• Hospital in Bangalore – Lost licenses to carry out transplants due to non-transfer of license to operator’s name.
What is management asking?
· What are our principal business risks?
· Are we taking the right amount of risk?
· How effective are our processes for identifying, assessing and managing business risks?
· How is risk management coordinated across the organisation?
· How do we integrate risk management with the organization’s strategic direction and plan?
· How do we ensure that the organisation is performing according to the business plan and within appropriate risk criteria?
· What information about the risks facing the organisation does the Management & Board get to help it fulfil its stewardship and governance responsibilities?
· How do we help establish the "tone at the top" that reinforces the organisation’s values and promotes a "risk aware culture"?
What is Enterprise Risk Management (ERM)?
• Prevent – Risk Analysis
• Prepare – Practice
• Respond – Organize
• Recuperate – Settle
“COSO* recognizes that many organizations are engaged in some aspects of ERM”
* Committee of Sponsoring Organizations (COSO) of the Treadway Commission, US
Benefits from ERM
· Avoid surprises: Strengthened framework to identify and manage potential issues before they become serious business problems
· Better governance due to clarity in the following:
  · Risk Roles and Responsibilities
  · Risk Communication
  · Risk Reporting
· Timely achievement of business objectives without any setback due to lack of effective risk management.
· Enhanced confidence in internal controls for management declaration/assurance.
· Helps prevent potential revenue leakage and supports effective cost management.
ERM Standards & Frameworks
• UK – The Institute of Risk Management - A Risk Management Standard
• ISO 31000:2009
• Committee of Sponsoring Organizations (COSO) of the Treadway Commission – ‘Enterprise Risk Management – Integrated Framework’
The frameworks provide broadly similar guidance on risk management principles and processes. The COSO framework is used across the globe as a common framework.
COSO Framework – Approach and Methodology
People & Technology Risk may have to be separately managed
The journey to implement an ERM framework
· ERM Champion designated and Functional Risk Owners identified
· Risk identification exercise to identify risks across all the functions and at an enterprise level. Draft Risk registers created.
· Risks identified to be assessed/rated by the functional heads on the basis of their impact, likelihood of occurrence and mitigation plan effectiveness, prioritised and mitigation/action plans implemented.
· Key enterprise level risks to be reviewed by the senior leadership team on a periodic basis.
· Risk Organisation Structure at implementation and governance levels set up.
· On-going monitoring and inculcating ERM culture in day to day operations.
A sample Risk Organization Structure
To include EC members and Head – Legal and Head – Internal Audit
• Audit Committee
• Risk and Controls Steering Committee
• Chief Risk Officer : Non-Medical (CFO will be CRO Non-Medical)
• Chief Risk Officer : Medical (Clinical Director will be CRO Medical)
• Risk Champions / Risk Owners (under each CRO)
• Medical Excellence Committee
• Service Excellence Committee
Sample Risk Ranking Mechanism
• Risk Rating = I * P * E
• Impact, Probability & Effectiveness are measured on a scale of 1-4
Risk ranking sheet columns:
Risk Rating | Effect | Cause | Control | Function/Business Process/Event | Impact | Probability | Mitigation Plan Effectiveness | Risk Priority | Action Plan
Risk Terminology
Term – Explanation
Risk owner – Person with the accountability and authority to manage a risk
Risk Category – Strategic, People, Technology, Compliance, Operations, Financial & Reporting
Probability –
  Likely: Risks which are almost certain to occur
  Possible: Risks whose likelihood of occurrence is high
  Unlikely: Risks with a moderate likelihood of occurrence
  Remote: Risks with an extremely low probability of occurrence
Impact Category – Occurrence of the risk could have an impact in the following areas: Financial, Brand, Legal & Regulatory and People
Severity of Impact –
  Extreme: Loss of ability to sustain ongoing operations
  Major: Significant impact on the achievement of objectives
  Material: Limited effect on achievement of objectives
  Minor: Minimal impact on achievement of objectives
Risk Rating – Very High, High, Medium & Low
Risk Register Template
Function | Risk Owner | Risk Category | Probability | Impact Category | Severity of Impact | Risk Rating
Risk Description :
Mitigation Plan
S.No. | Activity | Closure Date
1
2
Risk Responses
Once risks have been identified & assessed, the next step is to manage the risk based on the risk criteria of the organization.
Plotted on an Impact / Probability grid, the four responses are: Treat, Terminate, Transfer, Take.
Frequency of review
Impact / Probability grid:
Grid I | Grid II | Grid III
Grid IV | Grid V | Grid VI
Grid IX | Grid VIII | Grid VII
Grid cells (Impact, Probability & Mitigation Plan Effectiveness):
• High impact, Low probability & Medium effectiveness
• Low impact, Low probability & High effectiveness
• Medium impact, Low probability & Medium effectiveness
• High impact, High probability & Low effectiveness
• High impact, Medium probability & Low effectiveness
• Medium impact, Medium probability & Medium effectiveness
• Medium impact, High probability & Medium effectiveness
• Low impact, Medium probability & High effectiveness
• Low impact, High probability & Medium effectiveness
Review frequencies assigned to the grid cells:
• May be reviewed every quarter
• May be reviewed every six months
• May be reviewed annually
• Needs quarterly review with real-time monitoring
• May be reviewed every six months
• May be reviewed every quarter
• May be reviewed annually
• May be reviewed every six months
• Needs quarterly review with online monitoring
Possible Roadblocks
· Sub-committee oversight of specific risk areas such as credit risk, market risk, operational risk, and compliance risk.
· Clear expression of risk criteria.
· Loose linkage between business strategy and risk criteria.
· Lack of documentation on Policies and Procedures, and Roles and Responsibilities.
· Lack of consistent approach followed for identifying and managing risks across the organization.
· Inadequate communication between Risk Takers and Risk Managers/facilitators.
· Inefficient support to the needs of robust Risk Management.
Way forward
• Final risk registers to be validated by the leadership team for probability of occurrence of risks, their impact, adequacy of mitigation plans & timelines, and residual risk ratings
• 15 key risks to be identified by the leadership team, to be taken up for rigorous risk management. The owners of these risks to co-opt people from other departments and develop an elaborate Risk Mitigation Strategy and Plans
• Mitigation progress of the 15 key risks to be reviewed in monthly leadership team meetings. CEO to chair these meetings
• Risk Polarization Survey to be conducted on a half-yearly basis