
1 RiskScorecard.net © RiskScorecard.net An Overview of Risk Breakdown Frameworks

2 Establishing your Risk Categories
- The Risk Categories will be used by you and your team as a "memory jogger" to surface risk-related situations.
- There are a number of Risk Category lists; the goal of this step is to find the framework that works best for your organization.

3 Corporate Risk vs. Regulatory Risks

Duration: The time horizon for a corporate risk profile should typically be in the range of three to five years, whereas regulatory filings usually cover a much longer term or are open-ended, for example matters over which investors could bring lawsuits in the future.

Types of Risks: Regulatory filings are usually restricted to those areas that would be of interest to investors, customers, employees and other stakeholders. By contrast, "corporate" (internal) risks also include issues that will affect the organization's performance, success and viability.

Purpose: Corporate risk profiles are prepared to help manage the company better. Regulatory filings are usually prepared with both promotional and legal-protection motives. Although these two types of risk descriptions can and should be reconciled, they have different purposes, and arguably they should be kept mutually exclusive.

Paraphrased from: Fraser, J.R.S., "How to Prepare a Risk Profile", Chapter 11, p. 171, in Enterprise Risk Management, John Wiley & Sons, 2010

4 Establishing your Risk Categories
In this session we will use the COSO* categories as used in the CMA MAG (Management Accounting Guideline) "Identifying, Measuring and Managing Organizational Risk for Improved Performance".
* Committee of Sponsoring Organizations of the Treadway Commission

5 COSO Risk Categories
Source: Identifying, Measuring, and Managing Organizational Risks for Improved Performance, Marc J. Epstein and Adriana Rejc Buhovac, published by The Society of Management Accountants of Canada, the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants; adapted from the Committee of Sponsoring Organizations of the Treadway Commission (COSO, 2004)

6 Strategic Risk

Economic Risks
  Definition: Risks related to macroeconomic policies and economic cycles.
  Example: Government monetary and fiscal policy.

Industry Risks
  Definition: Risks related to competitive positioning, industry profit margins, market structure, and competition laws.
  Example: Changes in supply and demand, industry concentration, or competitive structure; introduction of new products and services.

Strategic Transaction Risks
  Definition: Risks related to activities undertaken to initiate significant change in strategic direction.
  Example: Asset reallocation via mergers and acquisitions, spin-offs, alliances, and joint ventures.

Social Risks
  Definition: Risks related to changing demographics and social mores.
  Example: Child labor; changes in family structures and work/life priorities (human resource issues that could alter demand for products/services or change buying venues).

Technological Risks
  Definition: Risks related to technological progress and technology-driven disruptive forces.
  Example: Engineering success/failure; technological obsolescence of a product or product assembly (issues that could give a competitor an advantage).

Political Risks
  Definition: Risks related to changes in government, public policy, and federal oversight, and global risks related to political instability.
  Example: Management of government relations; terrorist activities.

Organizational Risks
  Definition: Risks related to control systems, business policies, and business culture.
  Example: Alignment between performance measurement and reward systems.

Source: Epstein and Rejc Buhovac, adapted from COSO (2004); full citation on slide 5.

7 Operational Risk

Environmental Risks
  Definition: Risks related to the natural environment that could result in damage to buildings, restricted access to raw materials, or loss of human capital.
  Example: Weather and natural events, such as earthquakes, fires, or floods; environmental pollution.

Financial Risks
  Definition: Risks related to credit, interest rates, the stock market, currency, and collateral.
  Example: Foreign exchange rates; strategic equity; asset liquidity; employee stock option program; commodity risks.

Business Continuity Risks
  Definition: Risks related to conditions that could result in work stoppage or adversely affect production, delivery, marketing, supplier and customer management, outsourcing, or compliance with industry and other standards and codes.
  Example: Reliability within the supply chain; supplier integrity; quality of goods; price of external supply.

Innovation Risks
  Definition: Risks related to the transformation of some aspect of the business in an effort to improve operating performance.
  Example: Under-performance in new product development and in Research & Development (R&D) investment.

Commercial Risks
  Definition: Risks related to the expected performance of products or services.
  Example: Quality of engineering, marketing, communication, and sales; product liability in the event of failure.

Project Risks
  Definition: Risks related to the completion of a project.
  Example: Technical difficulties; commercial obstacles.

Human Resource Risks
  Definition: Risks related to the adequacy and execution of human resource standards, policies, and practices.
  Example: Ethical/unethical conduct by management and employees; availability of assistance to employees for career planning and personal development; issues that could result in work stoppage, loss of personnel, or monetary or reputational damage.

Health and Safety Risks
  Definition: Risks related to employee health and safety in the workplace.
  Example: Unsafe equipment or environment; workplace stress; potential for injury from repetitive strain or falls from heights.

Property Risks
  Definition: Risks related to the security of both tangible and intangible assets.
  Example: Inventory protection against spoilage or theft; intellectual property rights; potential for enforcement action.

Reputational Risks
  Definition: Risks related to the perception of the organization by its stakeholders, the media, and the general public that could impact liquidity, capital, or credit rating.
  Example: Publicity regarding production methods, business practices, or internal controls.

Source: Epstein and Rejc Buhovac, adapted from COSO (2004); full citation on slide 5.

8 Reporting Risks

Information Risks
  Definition: Risks related to the quality and accessibility of information.
  Example: Data accuracy, relevance, reliability, and completeness; security of information; integration of information systems.

Reporting Risks
  Definition: Risks related to the process of capturing, analyzing, and submitting data in a meaningful format to managers and external stakeholders for decision-making purposes.
  Example: Reliability and completeness of financial information; efficiency of the process for internal decision-making and for external reporting.

Source: Epstein and Rejc Buhovac, adapted from COSO (2004); full citation on slide 5.

9 Compliance Risks

Legal and Regulatory Risks
  Definition: Risks related to meeting legal and regulatory requirements with respect to corporate governance, labor relations, industry standards, the environment, etc.
  Example: Employee compliance with the organization's code of conduct and Non-Governmental Organization standards; human rights violations (e.g., child labor).

Control Risks
  Definition: Risks related to the internal control systems and security policies that could result in system downtime, backlogs, fraud, and the inability to continue business operations.
  Example: Data integrity; data and system availability; potential for malpractice by employees or outsiders (e.g., theft, deception, forgery, false accounting); potential for operational errors (e.g., clerical and record-keeping errors, and those resulting from faulty IT systems).

Professional Risks
  Definition: Risks related to organizational liability and the personal liability of directors and managers.
  Example: Misrepresentation; defamation; corporate insolvency.

Source: Epstein and Rejc Buhovac, adapted from COSO (2004); full citation on slide 5.

10 SIMPLER, PROCESS-BASED FRAMEWORK

11 Process-Based Risk Categories: 13 categories vs. COSO's 22 categories

OPERATIONAL - INTERNALLY CONTROLLED: Human Capital; Facilities & Machine; Methods & Systems; Materials & Suppliers
CUSTOMER RELATED: Demand; Relationship; Customer's Success
ENVIRONMENTAL: Regulatory & Political; Natural
FINANCIAL RISKS: Costs; Financing; External Financial Risks


13 Process-Based Risk Categories

OPERATIONAL - INTERNALLY CONTROLLED
  Human Capital: Employee engagement, skills, retention, capacity, agility
  Facilities & Machine: Capacity, capabilities, quality
  Methods & Systems: Value chain; fraud; unauthorized, illegal, unethical, incorrect, or inappropriate actions
  Materials & Suppliers: Supply chain, material quality issues, quality of supply

CUSTOMER RELATED
  Demand: Market risk (not enough volume at the price we must charge)
  Relationship: Relationship risk (we are not able to build or maintain our target relationships)
  Customer's Success: Customer risk (customer's profitability, viability, growth)

ENVIRONMENTAL
  Regulatory & Political: Changes in our regulatory, legal and liability environment; political disasters and major macroeconomic shifts
  Natural: Weather, floods, acts of God

FINANCIAL RISKS
  Costs: Unanticipated / planned cost shifts
  Financing: Investor risk, insufficient funding, rate issues
  External Financial Risks: Valuation risk

14 The Institute of Risk Management's Risk Categories

Strategic/commercial
- Under-performance to specification
- Management under-performance against expectations
- Collapse of contractors
- Insolvency of promoter
- Failure of suppliers to meet contractual commitments (e.g. quality, quantity, timescales or own risk exposure)
- Insufficient capital revenues
- Market fluctuations
- Fraud/theft
- Partnerships failing to deliver the desired outcome
- Situation non-insurable (or cost of insurance outweighs the benefit)
- Lack of capital investment availability

Economic/financial/market
- Exchange rate fluctuation
- Interest rate instability
- Inflation
- Shortage of working capital
- Failure to meet projected revenue targets
- Market developments adversely affect plans

Legal and regulatory
- New or changed legislation invalidates assumptions upon which the activity is based
- Failure to obtain appropriate approval (e.g. planning, consent)
- Unforeseen inclusion of contingent liabilities
- Loss of intellectual property rights
- Failure to achieve satisfactory contractual arrangements
- Unexpected regulatory controls or licensing requirements
- Changes in tax or tariff structure

Environmental
- Natural disasters
- Storms, flooding, tempests
- Pollution incidents
- Transport problems, including aircraft/vehicle collisions

Organizational/management/human factors
- Management incompetence
- Inadequate corporate policies
- Inadequate adoption of management practices
- Poor leadership
- Inadequate authority of key personnel to fulfill roles
- Poor staff selection procedures
- Lack of clarity over roles and responsibilities
- Vested interests creating conflict and compromising the overall aims
- Individual or group interests given unwarranted priority
- Personality clashes
- Indecision or inappropriate decision making
- Lack of operational support
- Inadequate or inaccurate information
- Health and safety constraints

Political
- Change of government policy, national or international (e.g. approach to nationalization)
- Change of government
- War and disorder
- Adverse public opinion/media intervention

Technical/operational/infrastructure
- Inadequate design
- Professional negligence
- Human error/incompetence
- Infrastructure failure
- Operation lifetime lower than expected
- Residual value of assets lower than expected
- Increased dismantling/decommissioning costs
- Safety being compromised
- Performance failure
- Residual maintenance problems
- Scope 'creep'
- Unclear expectations
- Breaches in security/information security
- Lack or inadequacy of business continuity

Source: The Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX

15 Common Types of Risk
Source: The Institute of Risk Management, 6 Lloyd's Avenue, London EC3N 3AX

16 Common Types of Risk

EXTERNALLY DRIVEN RISKS
  FINANCIAL RISKS: interest rates; foreign exchange; credit
  STRATEGIC RISKS: competition; customer changes; industry changes; customer demand
  HAZARD RISKS: natural events; suppliers; contracts; environment
  OPERATIONAL RISKS: culture; board composition; regulations

INTERNALLY DRIVEN RISKS
  Liquidity & cash flow; accounting & controls; information systems; recruitment; supply chain; public access; employees; properties; products & services; research & development; intellectual capital; M&A integration

17 Kaplan & Mikes Framework
Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012


19 Three Types of Risk

Category I: Preventable risks. These are internal risks, arising from within the organization, that are controllable and ought to be eliminated or avoided. Examples are the risks from employees' and managers' unauthorized, illegal, unethical, incorrect, or inappropriate actions and the risks from breakdowns in routine operational processes. This risk category is best managed through active prevention: monitoring operational processes and guiding people's behaviors and decisions toward desired norms.

Category II: Strategy risks. A company voluntarily accepts some risk in order to generate superior returns from its strategy. A bank assumes credit risk, for example, when it lends money; many companies take on risks through their research and development activities. Strategy risks are quite different from preventable risks because they are not inherently undesirable. A strategy with high expected returns generally requires the company to take on significant risks, and managing those risks is a key driver in capturing the potential gains. Strategy risks cannot be managed through a rules-based control model. Instead, you need a risk-management system designed to reduce the probability that the assumed risks actually materialize and to improve the company's ability to manage or contain the risk events should they occur. Such a system would not stop companies from undertaking risky ventures; to the contrary, it would enable companies to take on higher-risk, higher-reward ventures than could competitors with less effective risk management.

Category III: External risks. Some risks arise from events outside the company and are beyond its influence or control. Sources of these risks include natural and political disasters and major macroeconomic shifts. External risks require yet another approach. Because companies cannot prevent such events from occurring, their management must focus on identification (they tend to be obvious in hindsight) and mitigation of their impact.

Source: Managing Risks: A New Framework, Robert S. Kaplan and Anette Mikes, Harvard Business Review, June 2012

20 Source (URL fragment as captured): -Risk-and-Assurance/Business-risks-fuse-with-IT-risks---The-IT-megatrends


22 To learn more, join us at RiskScorecard.net

