Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Practical Approach to Strategic Risk Management

Published byLiana Tan Modified over 6 years ago

Similar presentations

Presentation on theme: "A Practical Approach to Strategic Risk Management"— Presentation transcript:

1 A Practical Approach to Strategic Risk Management
Part One A Practical Approach to Strategic Risk Management Part One of a three-part Strategic Risk Management training program Katharine Hullinger, ARM Risk Manager California State University Channel Islands Revised 3/13/2018

2 JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003
The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing. JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003 Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs. Sheila Fraser, Auditor General of Canada

3 Keep it simple

4

5 Outline Objectives of Part One Conversation Starters
A Quick Risk Exercise Principles and Basics Why SRM? The Risk Inventory Tool/template Considerations Back at the Office Q &A

6 A Practical Approach to Strategic Risk Management (SRM)
Training Components Introduction to SRM Participant Outcomes Introduction to the risk management process and terminologies Introduction to the SRM framework Introduction to Risk Assessments Discuss best way to implementation SRM in work area Clarify roles & responsibilities for SRM Understanding of risk management process Understanding of how risk management is already incorporated in day-to-day work Understanding the reasons for SRM SRM roles and responsibilities clearly defined Awareness of SRM tools Commitment to SRM implementation in area of work Commitment to continuous risk communication & learning

7 Conversation Starters
Who is accountable for risks? How do we talk about risk? Do we have a common language in the department, across divisions, across the campus, across the CSU? Are we taking too much risk? Or not enough? Are the right people taking the right risks at the right time? What’s our risk culture? Are we risk-adverse, risk-takers, or somewhere in between?

8 A Quick Risk Exercise Identify risks (threats and opportunities) that a cyclist faces in cycling to campus for work. How would you mitigate the threats? How would you maximize the opportunity? Report back

9 Identifying the risks in cycling
Threats: Injury Death Reputation Financial expense Damage or theft Weather Issues Opportunities: Exercise and good health Fresh air Reputation Financial savings Role model Environmental impact

10 Mitigation strategies for threats associated with cycling
Injury and death – helmet, bright clothes, lights, bell, obey traffic laws, stay alert Reputation – great biking outfit, change of clothes, openly promote alternative transportation Financial – inexpensive transportation, avoid traffic citations Damage or theft – regular maintenance, know the route, avoid obstacles and things that puncture tires, high quality lock Weather issues – carry filled water bottle, warm/waterproof outerwear and gloves

11 The Risk Management Principles
Risk is the uncertainty that surrounds future events and outcomes. Risk is the expression of the likelihood and impact of any event with the potential to influence the achievement of an organization’s objectives.

12 Risk Management Basics
Risk (uncertainty) may affect the achievement of objectives. Effective mitigation strategies and controls can reduce negative risks (threats) or increase opportunities. Residual risk is the level of risk remaining after applying risk controls. Acceptance and action should be based on residual risk levels.

13 Definition of Strategic Risk Management
“… a process, effected by an entity's board of directors, management and other personnel, applied in a strategic setting and across the enterprise, designed to identify potential events that may affect the entity, and manage those events within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

14 Why are we implementing SRM?
SRM removes silo-based decision making SRM becomes embedded in key processes such as strategic, budgeting and project planning Identify and understand risks that positively or negatively impact the achievement of strategic goals Evaluate risk priorities and allocate resources strategically Improve overall risk tolerance

15 Promote a healthy risk culture, where risk is a routine and expected topic of conversation.
Develop a common and consistent approach to addressing risk across the institution Practice proactivity rather than reactivity Identify new risk and develop appropriate strategies for mitigating or profiting from it Establish accountability, transparency and responsibility Realize programmatic success, defined as implementation and practice throughout the entire organization

16 CSUCI has established its Strategic Objectives
Establish Objectives CSUCI has established its Strategic Objectives

17 CSUCI 2015-2020 STRATEGIC OBJECTIVES
Facilitate Student Success • Provide University access to students who bring diverse perspectives • Provide a mission-driven education that prepares students for individual success • Provide support for degree completion Provide High Quality Education • Hire and support quality faculty and staff who are committed to the mission of the University • Infuse integrative approaches, community engagement, multicultural learning, and international perspectives into all aspects of learning • Engage undergraduate and graduate students in research and creative activities Realize Our Future • Build infrastructure capacity • Leverage the use of technology • Seek, cultivate, and steward resources, both public and private • Implement collaborative planning and accountability processes

18 The Risk Inventory Tool

19 Risk Inventory Identification Assess and Prioritize
Take Action – Mitigate or Accept Risk Number Risk Short Name Risk Description Existing Risk Controls/Measures in Place Outcome Impact Likelihood Impact Score Likeli- hood Score Net Score Risk Mitigation Actions Responsibility Cost Estimate Resources Needed Target Date for Completion Mitigation Complete EXAMPLE Access To High Hazard Areas The risk of unauthorized access to hazardous areas outside of normal business hours *Perimeter doors have mechanical locks that are randomly spot checked by police after normal business hours. *Some buildings with high hazard areas are open to the public, increasing the chances of unauthorized or accidental access to high hazard areas *Random spot checks not adequate considering the life/safety risks in some areas. Serious Likely 4 3 12 *Installation of electronic door locks (proxy cards) will allow 24/7 security control as only authorized users will have access to the area. John Doe $3,000 3/14/2015 1 #N/A 2 5 6 7 8 9

20 Identification of Risk
Identify Risks Identification of Risk Financial Risk - unplanned losses or expenses Service Delivery/Operational Risk - lapses in continuity of operations HR Risk – Employment practices; retention Strategic Risk – untapped opportunities Reputational Risk – damage to relationship with community at large (loss of revenue) Legal/Compliance Risk – noncompliance with statutory or regulatory obligations Technology/Privacy Risk – threats to and breaches in IT security Governance Risk – wide-spread non-compliance with policies and standards Physical Security/or Hazard Risk – harm or damage to people, property or environment 1. Financial Risk - The risk of financial losses, overspending, or the inability to meet budgets and plans. 2. Service Delivery or Operational Risk - The risk that products or services will not get completed or delivered in a timely manner as expected. This also includes risks to business continuity. 3. People / HR Risk - The risk that capable & motivated staff will not be available to get the job done. This could be the result of resignations, turnovers, inability to hire, lack of skills, strikes, injury etc. 4. Information Risk- The risk that information produced, or used, is incomplete, out-of-date, inaccurate, irrelevant, or inappropriately disclosed 5. Strategic / Policy Risk -The risk that strategies and policies fail to achieve required results 6. Stakeholder Satisfaction / Public Perception Risk - The risk of failure to meet expectations of the public, other governments or other stakeholders 7. Legal / Compliance Risk- The risk that a government initiative, or action, will be in breach of a statute, regulation, contract, MOU, or that the government will face litigation 8. Technology Risks- Risk that information technology infrastructure does not align with business requirements, and does not support availability, access, integrity, relevance, and security of data. This also includes risks to business continuity 9. Governance / Organizational Risk- Risk that the organization structure, accountabilities, or responsibilities are not designed, communicated, or implemented to meet the organization’s objectives, and the risk that business culture and management commitment does not support the formal structures 10. Privacy Risk- Risk that associated with the collection, use and disclosure of personal information and personal health information. 11. Security Risk- Risk that is associated with the protection of confidentiality, integrity, availability and value of assets (tangible and intangible) and people.

21 Existing Risk Controls/Measures in Place
Identification of Risks – Creating a Risk Inventory A B C D E Risk Number Risk Short Name Risk Description Existing Risk Controls/Measures in Place Outcome 1 Access To High Hazard Areas The risk of unauthorized access to hazardous areas outside of normal business hours Perimeter doors have mechanical locks that are randomly spot checked by police after normal business hours. *Some buildings with high hazard areas are open to the public, increasing the chances of unauthorized or accidental access to high hazard areas *Random spot checks not adequate considering the life/safety risks in some areas. 2 Risk #2 3 Risk #3 4 Risk #4 5 Risk #5 6 Risk #6 7 Risk #7 8 Risk #8 9 Risk #9

22 Risk Assessment – Consider Impact and Likelihood to Prioritize Risks
Impact - level of damage sustained when a risk event occurs 5 Critical: Threatens the success of the project 4 Serious: Substantial impact on time, cost or quality 3 Moderate: Notable impact on time, cost or quality 2 Minor: Minor impact on time, cost or quality 1 Insignificant: Negligible impact Likelihood of a risk event occurring 5 Expected: Is almost certain to occur 4 Highly Likely: Is likely to occur 3 Likely: Is as likely as not to occur 2 Not Likely: May occur occasionally 1 None/Slight: Unlikely to occur Slide 22

23 Scoring risks Assessing Risks – Considering the Likelihood and Impact
F G H I J Impact Likelihood Impact Score Likeli- hood Score Net Score Serious Likely 4 3 12 #N/A Scoring risks Impact: Critical Serious Moderate Minor Insignificant - 1 Likelihood: Expected Highly Likely - 4 Likely Not Likely None/Slight

24 Mitigating or Treating Risks – Accept? Alter? Transfer? Decline?
Take Action Mitigating or Treating Risks – Accept? Alter? Transfer? Decline? K L M N O

25 Risk Inventory Identification Assessment Mitigation or Treatment
Risk Number Risk Short Name Risk Description Existing Risk Controls/Measures in Place Outcome Impact Likelihood Impact Score Likeli- hood Score Net Score Risk Mitigation Actions Responsibility Cost Estimate Resources Needed Target Date for Completion Mitigation Complete EXAMPLE Access To High Hazard Areas The risk of unauthorized access to hazardous areas outside of normal business hours *Perimeter doors have mechanical locks that are randomly spot checked by police after normal business hours. *Some buildings with high hazard areas are open to the public, increasing the chances of unauthorized or accidental access to high hazard areas *Random spot checks not adequate considering the life/safety risks in some areas. Serious Likely 4 3 12 *Installation of electronic door locks (proxy cards) will allow 24/7 security control as only authorized users will have access to the area. John Doe $3,000 3/14/2015 1 #N/A 2 5 6 7 8 9

26 Risk Heat Map

27 Risk reporting and communications

28 Monitoring and Reassessing – Examples of Key Risk Indicators
Monitor and Reassess Monitoring and Reassessing – Examples of Key Risk Indicators Personnel Resources Average time to fill vacant positions Staff absenteeism /sick time rates Percentage of staff appraisals below “satisfactory” Age demographics of key managers Finance • Reporting deadlines missed (#) • Incomplete P&L sign-offs (#, aged) Legal/Compliance • Number and cost of litigated cases • Compliance investigations (#) • Customer complaints (#) Information Technology • Systems usage versus capacity • Number of system upgrades/version releases • Number of help desk calls Audit • Outstanding high risk issues (no., aged) • Audit findings (no., severity) • Revised target dates for clearing findings (no.) Risk management • Risk Management overrides • Limit Breaches (#, amounts)

29 Monitor, Measure and Report SRM Implementation Progress
Excellent Advanced capabilities to identify, measure, manage all risk exposures within tolerances Advanced implementation, development and execution of SRM parameters Consistently optimizing risk adjusted returns throughout the organization Strong Clear vision of risk tolerance and overall risk profile Risk controls in place for most major risks Robust processes to identify and prepare for emerging risks Incorporates risk management and decision making to optimize risk Adequate Risk controls in place for some of identified major risks May lack a robust process for identifying and preparing for emerging risks Performing solid classical “silo” based risk management No fully developed process to optimize risk opportunities Weak Incomplete control process for at least major risk Inconsistent or limited capabilities to identify, measure or manage major risk exposures

30

31 Ask questions and develop your approach
Do we understand our major risks? Do we know what is causing our risks to increase, decrease or stay the same? Have we assessed the likelihood and impact of our risks? Have we identified the sources and causes of our risks? How well are we managing our risks? Are we trying to prevent the downside of risk, or are we seemingly trying to recover from them?

32 Considerations back at the office
Why is the organization interested in SRM? What are we hoping will be achieved with its implementation? Who is doing what? Roles and responsibilities must be clearly defined. Leadership must support SRM and use SRM results to when making decisions. Everyone is a risk manager. Make sure that all risks have owners and the responsibilities for mitigation are assigned. How will it be implemented? What is your framework? How will risks be measured and reported? Who is your champion? Where will you start? Where you can most easily succeed, or where it is needed the most? When will it be implemented? SRM is a journey, not a destination; risks should be continually assessed and mitigation methods re-considered. Change is inevitable; recognize new risks and opportunities.

33 Thank you for participating!
Questions? Thank you for participating!

Download ppt "A Practical Approach to Strategic Risk Management"

Similar presentations

AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.

AASHTO Internal Audit Conference 2012 – Phoenix Daniel Fodera, CMQ/OE Program Management Improvement Team Federal Highway Administration.
Risk Management at Harvard – Panel Discussion Harvard IT Summit

Risk Management at Harvard – Panel Discussion Harvard IT Summit
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.

Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.
Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.

AUDIT COMMITTEE FORUM TM ACF Roundtable IT Governance – what does it mean to you as an audit committee member July 2010 The AUDIT COMMITTEE FORUM TM is.
Risk Assessment Frameworks

Risk Assessment Frameworks
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Privileged and Confidential Strategic Approach to Asset Management Presented to October 2004 2004 Urban Water Council Regional Seminar.

Privileged and Confidential Strategic Approach to Asset Management Presented to October Urban Water Council Regional Seminar.
Amanda Bennett FairPlay Enterprises Ltd Workshop 3 Standards, Systems and Controls.

Amanda Bennett FairPlay Enterprises Ltd Workshop 3 Standards, Systems and Controls.
1 Bölgesel Rekabet Edebilirlik Operasyonel Programı’nın Uygulanması için Kurumsal Kapasitenin Oluşturulmasına Yönelik Teknik Yardım Technical Assistance.

1 Bölgesel Rekabet Edebilirlik Operasyonel Programı’nın Uygulanması için Kurumsal Kapasitenin Oluşturulmasına Yönelik Teknik Yardım Technical Assistance.
RISK ASSESSMENT 2010/2011 M.J Ramakgolo. THE PURPOSE The aim of the risk assessment session is to develop the Strategic Risk Profile for the municipality.

RISK ASSESSMENT 2010/2011 M.J Ramakgolo. THE PURPOSE The aim of the risk assessment session is to develop the Strategic Risk Profile for the municipality.
IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253

IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253
CDS Operational Risk Management - October 28, 2005 Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program ACSDA Seminar - October 26.

CDS Operational Risk Management - October 28, 2005 Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program ACSDA Seminar - October 26.
Risk Management For the Board of The Law Society 16 February 2005.

Risk Management For the Board of The Law Society 16 February 2005.
An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.

An Integrated Control Framework & Control Objectives for Information Technology – An IT Governance Framework COSO and COBIT 4.0.
Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the Preface to the Standards on Internal.

Private & Confidential1 (SIA) 13 Enterprise Risk Management The Standard should be read in the conjunction with the "Preface to the Standards on Internal.
Corporate Governance and Risk Management. Introduction Corporate Governance What does it mean? and Why does it matter? Risk Management Challenges of growth.

Corporate Governance and Risk Management. Introduction Corporate Governance What does it mean? and Why does it matter? Risk Management Challenges of growth.

Similar presentations

Ads by Google