Determining Where Resources Are Most Needed

1
Determining Where Resources Are Most Needed

• The Concept of Risk

2
Achieving Impact in Auditing
3
(No Transcript)
4
The Concept of Risk

• My early audits
• Park chair audit.
• Book of remembrance entries.
• Car park income.

5
What Is Risk?

• Does It Really Matter?

6
WHY DOES IT MATTER?
When anyone asks me how I can describe my
experience of nearly forty years at sea, I
merely say uneventful. Of course there have
been winter gales and storms and fog and the
like, but in all my experience, I have never
been in an accident in any sort worth speaking
about. I have seen but one vessel in distress
in all my years at sea... I never saw a
wreck and have never been wrecked, nor was I
ever in any predicament that threatened to
end in disaster of any sort
from a paper presented by EJ
Smith, 1907
7
On 14 April 1912, HMS Titanic sank with the loss
of 1500 lives..... One of which was its
captain E J SMITH
8
But does any of this really matter NOW?
9
Risk Management Casualties.

• Barings
• BCCI
• Hoover
• Sumitomo Bank
• Enron
• World Com.
• Parmalat

Andersons
10
Pressures

• Greater transparency
• Better governance
• Better ethical standards
• Need for early warning systems
• Demands for higher quality services
• New legislation
• Systems reform/project management

11
What Is Risk?

• Definition of Risk.
•  

• The threat that an event or action will adversely
  affect an organisations ability to achieve its
  business objectives and execute its strategies
  successfully
• Source - The Economist
• Intelligence Unit

12
Business Risk Definition 2

• The chance of something happening that will have
  an impact on business objectives
• Source -Aus/NZ
• Risk Mgt Standard

13
Surprises

• Any organization that has encountered unwelcome
  surprises or unexpected losses will realize that
  most were preventable.
• Such events will almost certainly have been
  caused by risks that were not fully understood,
  or the processes to mitigate those events being
  inadequate.

14
Wrong assumptions about risk

• Risk is just something for finance and insurance
  to worry about
• Risk comes up on the agenda once a year
• Risk management is just another layer of
  unnecessary bureaucracy
• Risk management is about downside not creation of
  value
• Risk is a compliance issue

15
Risk Management
International expectations are now that all
organisations should

• Identify, evaluate and manage their key risks and
  assess how they are controlled
• Ensure that all aspects of internal control and
  risk management are regularly reviewed on an
  appropriate cyclical basis
• Have regular board level reviews of reports on
  risk management and internal control

16
Risk Management
And that Risk management and internal control
should be

• Embedded in the operations of an organisation
• Capable of responding to the changing risks it
  faces
• Include procedures for reporting major weaknesses
  immediately to appropriate levels of management

17
Risk Management
In the UK all public bodies have been told

• it is important that authorities have
  arrangements in place for reviewing both the
  nature and severity of riskssuch a review should
  not just be to obvious tangible risks such as
  arson,vandalism and other damage to
  property..risk management should be an integral
  part of an authoritys overall management
  arrangements.

18
Risk Management
It went on to add In order to be successful it
is likely that the approach will be
cross-departmental and inter-disciplinary and
that senior management will demonstrate
commitment.
19
The AUS/NZ Risk Management Process

• Establish the context
• Identify risks
• Analyse
• Evaluate
• Treat
• Communicate
• Monitor and Review

20
Risk Identification and evaluation
21
Types of Risk

• Strategic
• Operational
• Reputation
• Information
• Financial
• People
• Regulatory

22
Strategic Risks

• Risks that relate to doing the wrong things

23
Operational Risks

• Risks that relate to doing the right things in
  the wrong way

24
Information Risks

• Risks that relate to loss or inaccuracy of data
  ,systems or reported information

25
Financial Risks

• Risks that relate to losing monetary resources or
  incurring unacceptable liabilities

26
People Risks

• The risks associated with Employees and
  Management

27
Regulatory Risk

• The Risks related to the regulatory environment

28
Reputation Risk

• Risks that relate to the organizations brand or
  image

29
Inherent and Residual Risk

• Inherent risk Gross risk before controls/
  mitigation
• Residual risk Risk remaining after applying
  controls

30
Evaluation and Measurement of Risk

• Risk is measured in terms of consequences (or
  impact) and likelihood (or probability)

31
Consequences Likelihood

• Monetary ( of income or budget)
• Reputation
• Ability to recover
• Effect on Organisation
• Insignificant,Minor,
• Moderate,Major
• Catastrophic

• Rare (less than once in 20 years)
• Unlikely (once in 10-20 years)
• Possible (once in 10 years)
• Likely (once in 3 years)
• Almost Certain (once a year)

32
Questions you need to answer

• What are the worst things that could happen to
  us?
• How likely are they to happen?
• Are we taking sufficient steps to prevent them?

33
Risk Matrix
Likelihood
Most Severe
Major
Moderate
Minor
Insignificant
Rare Unlikely Possible Likely Almost Certain
Impac t
34
Measurement of Risk-Risk Matrix
6 8 9
3 5 7
1 2 4
HIGH
Impact Of Risk
LOW
Unlikely
Likely
Likelihood of Occurrence
35
RISK MATRIX



High
15
16
1
2
19
18
4
3
17
21
20
5
6
7
8
23
22
11
9
10
25
IMPACT
14
12
13
28
26
27
24
Low
HIGH
LOW
LIKELIHOOD
36
Risk Matrix
Important risks might potentially affect provision of key services or duties Key risk- may potentially affect provision of key services or duties Immediate action needed - serious threat to provision and/or achievement of key services or duties
Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties Key risks - may potentially affect provision of key services or duties
No action necessary Monitor as necessary - ensure being properly managed Monitor as necessary - less important but still could have a serious effect on the provision of key services or duties
Over 5 million OR Questions raised in Parliament
2million-5 million OR Reported in National
Press
500,000 - 2 Million OR Reported in Local Paper
100,000 - 500,000 OR Unacceptable levels of
Complaints
Under 100,000 OR Some complaints from
individuals.
Unlikely-Once in 10-20 years
Possible- Once in 10 years
Likely-Once in 3years
Certain- Once a year
Rare- once in 20 years
37
Treatment of Risks

• How are we going to manage the risks that we have
  identified down to a level that we can live with.

38
Risk Treatment
Risk
Transfer
Exposure
Insure
Outsource
Determine
Evaluate
Recover
Cost
Reduce
Control
Loss reduction
Contingency Plans
BCP
Measure, Manage, Monitor, Report
Action Plans
39
RISK MAP



High
15
16
1
2
19
18
4
3
17
21
20
5
6
7
8
23
22
11
9
10
25
IMPACT
14
12
13
28
26
27
24
Low
HIGH
LOW
LIKELIHOOD
40
The Risk Management Process
41
Risk Management Framework

• Embrace the issue of risk
• Manage not tolerate
• Make it a top down process
• Ensure a positive slant
• Make it the pulse of your organisation

42
The Risk Management Cycle
Risk Identification
Monitoring Review
Risk Analysis
Risk Control
43
Risk Identification Process

• Clarification of Strategic Business Objectives
• Consideration of threats to achievement
• Identification of key risks and opportunities
• Sifting and clustering of output
• Evaluation of risks (by impact and likelihood of
  occurrence)
• Use of Workshops

44
Use of Workshops
45
Workshop Ingredients
FACILITATOR
CHALLENGER
RISK And CONTROL EXPERTISE
FRAMEWORK And CONTROL
PARTICIPANTS
BUSINESS And PRACTICAL EXPERIENCE
46
Typical Agenda for a Workshop

• Introduction
• Discussion of objectives/processes
• Brainstorming of risks
• Categorisation
• Assessment of risks

47
Risk Mitigation Process

• Evaluation of actions in place to reduce risks
• Identification of risk exposures and latent
  opportunities
• Assessment of the effect of mitigation
• Development of focussed action plans
• Preparation of a Risk Register

48
(No Transcript)