Presentation 2: Managing Risk at the Enterprise Level: The Business Case Andrew Graham School of Policy Studies Queen’s University Kingston, Canada Workshop on Risk and Enterprise Risk Management Southern Africa Development Community April, 2014 Gaborone, Botswana
Some Questions… to which we will return
What does risk have to do with strategy?
How does risk-resiliency go beyond conventional risk management?
What are the best ways to manage risk in an increasingly interconnected world?
Risk is about playing to win, not just playing not to lose.
Factors that are changing the risk conversation
Greater economic and environmental uncertainty
Interconnectedness of things
Proliferation of information, Internet and communication tools
Global economy and complex instabilities
Growing concern for sustainability
Growing concern for the ability to survive an increasing number of shocks – resilience
Increased velocity of risk
Resilience is Key
A risk resilient organization can:
– Assess, mitigate and continuously monitor its risk environment,
– Recognize and take risks to meet its objectives,
– Rapidly adapt to changes, and
– Ensure the sustainability of the organization as it adapts and changes.
Resilience is Key
A non risk resilient organization will:
– Operate in a culture of surprise, where accidents just happen,
– See risks as threats requiring a full defensive posture,
– Ignore warning signs and fail to read the environment,
– Place the organization itself in danger, as failed responses lead to profound and existential questions about the organization itself.
Those organisations that are risk-resilient will prosper and thrive. The cautious ones will die over time. The careless ones will die quickly.
So, Why Risk Management?
“Failing to prepare is preparing to fail.”
Attributed to Benjamin Franklin, but so are a lot of other aphorisms as well.
IRM/ERM: Mature Idea, New Relevance
Has gained renewed focus and relevance
Unprecedented levels of risk
Pace of change and speed of information flow have challenged older, slower methodologies, but not the objective
Pressure from stakeholders for organizations to identify their risks sooner, link them as never before and manage them
Pressure as well for organizations to be much more brutally honest with themselves and their stakeholders about their risks
IRM/ERM is…
A Risk Management Process
A Risk Management Culture
A Corporate Governance Process
What Effective IRM gives you
The Ability to…
Anticipate and adapt to change
Absorb and recover from risk events
Seize opportunities
Five Questions about whether you are managing your risks in a resilient way
Who Owns Risk?
– If not those driving the strategy of the organization, you are in trouble.
– If senior managers do not then ensure that risks are managed throughout the organization, more trouble.
Five Questions about whether you are managing your risks in a resilient way
How Effective is the Executive or Board in Overseeing Risk Management?
– Is there timely, reliable and meaningful information?
– Does it ensure that alternative views are heard?
– Is what it uses useful, focused and not excessive?
– Does senior management develop guidance – formal or informal – on risk acceptance or rejection?
Five Questions about whether you are managing your risks in a resilient way
How Actively is Risk Managed?
– If risks are only assessed after a problem, then there is a problem.
– Are risk updates built into the planning and control process?
– Is awareness of knowable risks supplemented with analysis about possible future scenarios relevant to the objectives of the organization?
– Are resilience and sustainability part of the risk analysis?
Five Questions about whether you are managing your risks in a resilient way
Can the Organization Rise to Rare and Major Events?
– What is the level of resilient capacity to respond to the atypical event or shift?
– Does the organization have redundancies in its key systems and dependencies?
– Can the organization re-adapt and respond quickly?
Five Questions about whether you are managing your risks in a resilient way
Is the Organization Getting a Return on its Investment in Risk Management?
– Do efforts to integrate risk in planning and operations pay off in terms of greater assurance, capacity to respond and stakeholder confidence?
– Is there a sense that forms are just being filled out but are not very useful in doing business?
– Is there a healthy use of risk language and calibration within the culture?
What is Integrated Risk Management?
A continuous and systematic process to understand, manage and communicate risk from an organization-wide perspective.
It is about making strategic decisions that contribute to the achievement of an organization's overall corporate objectives.
It integrates the risk management process into the planning and decision-making of business processes, aggregates all types of risk across the organization, and monitors and manages risk on a comprehensive basis.
An inherent part of sound corporate management.
CAS Definition of ERM
“ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risks from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders.”
Casualty Actuarial Society, “Overview of Enterprise Risk Management”, May 2003
The Four Dimensions of an Integrated Risk Management Approach
1. Managing all types of risk and understanding interrelationships
2. Uniform process
3. Coherent and integrated vision involving the whole financial group
4. Integration into management practices and decision systems
Evolution of Risk Management in an Organization
Benefits of An Integrated Approach to Risk Management
Alignment of all levels with objectives, priorities and tolerances for risks
Reassures stakeholders that the organization is well managed
Enables stakeholders and funders/policy setters to better understand the needs of the organization
Helps meet emerging national and international risk management standards, such as ISO 31000
Allocates resources based on risk priorities
Avoids surprises and helps ensure operating stability
The New ISO ERM Standard - 31000
The New Global Standard for Integrated Risk Management: ISO 31000 - Risk management — Guidelines on principles and implementation of risk management
ISO: IRM in the Global Context
ISO standard (‘Guideline’) for organizations of all sizes and for all risks:
Intended as management guidance in designing and implementing an organization-wide risk management approach
Not a certifiable ISO Standard
Publication expected Summer 2009
Most countries/industries represented: 75 or so (multi-disciplinary, multi-sectoral)
Currently 15 pages in total
Effectively a checklist of best practice, both for an organization's risk management framework and for a risk management process for individual decision makers
Incorporates best practice for an ERM framework
Stresses integration of risk management into the organizational structure for management and decision making
For the first time states principles and guidelines for excellence
ISO 31000 At A Glance: Overview
ISO 31000 At A Glance: Closer View (Clause 6.0)
ISO 31000 At A Glance: Common Risk Process
Noteworthy Differences in the new ISO 31000
Risk has been defined in a neutral way, centred on organizational objectives: risk is the effect of uncertainty on objectives. Managing it leads to realising opportunities as well as limiting losses.
Clarified relationship between process and framework: a common risk process is now situated in the risk management context of an organization
Guidance to help an organization make sense of all of its various risk activities and terms
Continuous Improvement: the new Standard follows the ‘Plan-Do-Check-Act’ management approach, focused on iterative improvement in the way an organization manages risk
ISO - Guidance on Excellence in Managing Risk
Continuous Improvement in RM
Accountability for risks, controls and treatment tasks
Risk Management processes are ‘embedded’
Risk in decision making
Communication and Reporting
Risk Management is a Core organisational process
Guidance on Principles are the minimum ISO expectations; Guidance on Excellence is the ideal ISO expectation
ERM can go really wrong when…
It is not integrated and silos are reinforced
The organization takes a simplified view of reality
People deceive themselves and others
Key indicators are deliberately or (even worse) ignorantly ignored
Poor analytics
Different meanings given to words, processes and definitions
Inconsistent application: do not start unless you are going to finish