Rachel Bowden - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Rachel Bowden

Description:

The scale is based on the risk maturity matrix set out in ... Risks and controls that are ambiguously worded or vague, which could lead to ... – PowerPoint PPT presentation

Number of Views:207
Avg rating:3.0/5.0
Slides: 24
Provided by: m136
Category:
Tags: bowden | rachel | worded

less

Transcript and Presenter's Notes

Title: Rachel Bowden


1
Risk MaturityCIPFA in the Midlands20 November
2009
  • Rachel Bowden Matt Humphrey

2
What we will cover
  • What is risk maturity?
  • Why audit risk maturity?
  • How we reviewed risk maturity?
  • What were our findings?
  • What does a risk mature organisation look like?
  • Whats hot in risk management?
  • A risk management structure aligned with best
    objectives / outcomes
  • Use of risk appetite getting the Board focussed

3
What we will cover
NAÏVE
AWARE
DEFINED
MANAGED
ENABLED
PUTTING A FRAMEWORK IN PLACE
APPLICATION CHALLENGE
The scale is based on the risk maturity matrix
set out in An Approach to Implementing Risk
Based Internal Auditing Institute of Internal
Auditors UK Ireland
4
Naïve
Enabled
Managed
Defined
Aware
Has not yet developed an approach for risk
management.
Risks taken on an informed basis. Risk
management is used to help manage the
organisation.
Risk management strategy and policies in place
and communicated across the organisation.
Scattered silo based approach to risk management.
Enterprise wide risk management approach
considering risk at highest level but could be
further embedded in decision making
5
Risk Maturity Reviews
  • What is in place?
  • Do people understand it?
  • Who is involved?
  • Do people use it?
  • Does it stack up?
  • Communication?
  • Challenge?
  • Define and use risk appetite?
  • Ticking the box or using risk management as part
    of the organisations performance management?
  • Linked to improvement plans?
  • Use to drive IA plans?

6
Risk Maturity Reviews
  • Outputs
  • Report for each organisation that participated
    with feedback
  • Thematic reports across each sector
  • Each organisation is benchmarked against its
    sector
  • Presentations to Audit Committee
  • Benefits
  • Raising the profile of risk management makes the
    Execs think
  • Helping non-executives understand the link
    between assurance and risk
  • A recognised measurement a platform for driving
    improvement

7
Some of Our Findings
8
Difference in Opinion?
9
Risk Managed
  • Of 139 orgs that self assess as risk managed
  • 1 enabled
  • 78 managed
  • 53 defined
  • 7 aware

10
Risk Enabled
  • Of 23 orgs that self assess as risk enabled
  • 7 enabled
  • 14 managed
  • 2 defined

11
Some Statistics
12
Building the Framework
13
Building the Framework
14
Application and Challenge
15
Application and Challenge
16
Application and Challenge
15 of organisations do not routinely take the
risk register / profile to the Audit Committee
(or equivalent)
17
Common Barriers to Risk Maturity
  • Instances where members of senior management were
    aware of major issues or significant risks but
    these had not been formally captured to make sure
    that they are on the organisations risk radar.
  • Lack of challenge by the Audit Committee or Board
    regarding the organisations risk profile,
    assurance framework or corporate risk registers,
    including little challenge regarding how risks
    are being managed or how the organisation knows
    that risks are being managed as well as they
    could be.
  • Inconsistent approaches to recording and
    assessing risks, therefore having a patchy
    framework in place.
  • Risk appetite seen as a statement in a policy
    instead of asking for challenge regarding
    acceptable risk levels.
  • Risks and controls that are ambiguously worded or
    vague, which could lead to different people
    having a different understanding of what that
    risk is.
  • Limited levels of follow up to ensure that
    actions are implemented, often linked to
    organisations that need to strengthen their
    performance management arrangements.

18
Improving Risk Maturity
  • The following were visible in those organisations
    that are most risk mature
  • The profile of risk management
  • A risk management strategy that delivers value
  • Risk management directly informing and being
    linked to business planning
  • Use of risk management information systems linked
    to Performance
  • Non-performance is treated as a serious
    management failing
  • Internal audit and other assurance work is driven
    by the risk profile of the organisation
  • See www.rsmbentleyjennison.com for the full
    report Why Manage Risk? Because Stuff Happens

19
Risk management structure aligned with objectives
/ outcomes
Risk Management
Board Assurance


Those business risks that, if realised, could
fundamentally affect the way in which the
organisation exists or conducts its business.
These risks will have a detrimental effect on the
organisations achievement of its key business
objectives. The risk realisation will lead to
material failure, loss or lost opportunity
  • BAF is a direct output from the risk management
    process
  • Assurance provided that controls are effective
    in the case where inherently high / extreme risks
    are mitigated to a lower residual classification.
  • Assurance provided that actions are progressing
    where risk is both inherently and residually high
    / extreme.
  • our risk appetite I.e. risks associated with key
    business drivers or values where our appetite is
    low assurance that these risks are being
    mitigated.

Strategic Aims
Strategic Risk
The main operational risks associated with the
key business processes that if realised would
increase the likelihood of a strategic risk
realising.
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Operational Risks
Key business processes that flow through the
organisation reliant on the involvement of both
delivery and support staff.
Key Business Processes that deliver Strategic Aims
20
Strategic and operational risk linkage
Macro mitigation
Micro controls
Key Business Process
Risk associated with the key business processes
of the organisation
Strategic Risk 1
Mitigation
Key internal controls
Mitigation
Manage Causes that are not operational risks
Control
Operational Risk 1.1
Control
Risks aligned with the organisations key business
objectives.
Control
Operational risks that are a Causes of the
strategic risk
Operational Risk 1.2
Control
Control
Operational Risk 1.3
Control
Mitigation assurance from specialist reviews
Assurance from Internal Audit risk based reviews.
21
Risk Appetite
Risk Appetite The amount of risk that the
organisation deems to be acceptable.
  • BS 311002008 Risk Appetite
  • Statement approved by the Board
  • Boundaries on the risk that can be accepted
  • consider the value and understanding of
    controls
  • recognises the balance of risk across the
    organisation
  • risk escalation process
  • specific risks that are not acceptable
  • aggregation and monitoring mechanisms

22
Strategic Risk Appetite an example
23
Thank You
matthew.humphrey_at_rsmbentleyjennison.com 0776
4688248rachel.bowden_at_rsmbentleyjennison.com
0796 6090171
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2025 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Rachel Bowden" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!