Risk Management Reviewer PDF
Summary
This document is a review of risk management, focusing on key concepts like risk, managing risk, and risk response strategies. It provides an overview of risk identification and associated considerations within an organizational context.
RISK MANAGEMENT REVIEWER

ORIENTATION: Risk Management

Risk Management:
— coordinated activities to direct and control an organization with regard to risk.
— It is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities.
— started in the 17th/18th century.

RISK
- the probability of an outcome having a negative effect on people, systems, or assets.
- typically depicted as being a function of the combined effects of hazards, the assets or people exposed to the hazard, and the vulnerability of those exposed elements.

MANAGING RISK IS…
Iterative, and assists organizations in setting strategy, achieving objectives and making informed decisions.
Part of governance and leadership, and fundamental to how the organization is managed at all levels. It contributes to the improvement of management systems.
Part of all activities associated with an organization, and includes interaction with stakeholders.
Considers the external and internal context of the organization, including human behaviour and cultural factors.
Based on the principles, framework and process outlined in this document, as illustrated in figure 1. These components might already exist in full or in part within the organization; however, they might need to be adapted or improved so that managing risk is efficient, effective, and consistent.

PRINCIPLES, FRAMEWORK, AND PROCESS
- Leaders
- Accountability
- Responsibility

TOPIC 1: KEY CONCEPTS IN RISK MANAGEMENT

Key Terms:

Risk:
— The possibility of something negative happening.
— Uncertainty of objectives is also known as risk.
— It is something where the actual gain differs from what we expect, and it can affect us more negatively.
— the possibility that something bad or unpleasant (such as an injury or loss) will happen
— effect of uncertainty on objectives
— consequences can range from positive to negative.
— is an unplanned event with unexpected consequences.
— the probability or likelihood that harm will occur as a result of exposure to a hazard, where hazard is defined as anything that has the potential to cause harm.

Stakeholder:
— a party that has an interest in a company and can either affect or be affected by the business.
— The primary stakeholders in a typical corporation are its investors, employees, customers, and suppliers.

Risk sources:
— the usual potential reasons for and causes of risks in the organization.
— an element which, alone or in combination, can potentially give rise to risk.

Event:
— occurrence or change of a particular set of circumstances.

Consequences:
— an outcome or an effect of one action.
— the term consequence is used negatively, or used as negative reasoning.

Likelihood:
1. the probability of an event occurring, whether assessed subjectively or objectively, qualitatively or quantitatively.
2. It can be described using general terms or mathematical measures like probability or frequency within a specified timeframe.

Control:
— a measure that maintains or modifies risk.

RISK RESPONSE:
o Risk Avoidance - Avoidance of risk entails retreating from a risk scenario or choosing not to engage.
o Risk Transfer - Sharing risk reduces it or makes it more acceptable.
o Risk Mitigation - Take steps to reduce risk.
o Risk Acceptance - Choose to accept the risk.

PRINCIPLES OF RISK MANAGEMENT

The purpose of risk management is the creation and protection of value. It improves performance, encourages innovation and supports the achievement of objectives.

Below are the principles of risk management:

1. INTEGRATED
— Always part of the company
— an integral part of all organizational activities.

2. STRUCTURED & COMPREHENSIVE
— systematic process
— contributes to consistent and comparable results.

3. CUSTOMIZED
— must be customized to the company
— customized and proportionate to the organization’s external and internal context related to its objectives.

4. INCLUSIVE
— Appropriate and timely involvement of stakeholders enables their knowledge, views and perceptions to be considered.
— It results in improved awareness and informed risk management.

5. DYNAMIC
— flexibility and adaptability
— anticipates, detects, acknowledges and responds to changes and events in an appropriate and timely manner.

6. BEST AVAILABLE INFORMATION
— gather information
— based on historical and current information, as well as on future expectations
— Information should be timely, clear and available to relevant stakeholders.

7. HUMAN & CULTURAL FACTORS
— Human behavior and culture significantly influence all aspects of risk management at each level and stage.

8. CONTINUAL IMPROVEMENT
— continually improved through learning and experience.

-- May every evil eye in your life go blind.

FRAMEWORK OF RISK MANAGEMENT
o The framework is where policy, mandate, organizational commitment, and structure set the scene for the ongoing successful application of risk management.
o It should provide guidance to the company.
o To assist the organization in integrating risk management into significant activities and functions.

1. LEADERSHIP AND COMMITMENT
— center of the framework clause
— ensuring risk management is integrated into all organizational activities; top management should demonstrate leadership and commitment by customizing and implementing all components of the framework
— the organization must first define what "leadership and commitment" is
— Top management is accountable for managing risk, while oversight bodies are accountable for overseeing risk management.

2. INTEGRATION
— relies on an understanding of organizational structures and context.
— dynamic and iterative process.
— Risk management should be a part of, and not separate from, the organizational purpose, governance, leadership and commitment, strategy, objectives and operations.

3. DESIGN
— understanding the organization and its context.
— When designing the framework for managing risk, the organization should examine and understand its external and internal context.
— Articulating risk management commitment
— Assigning organizational roles, authorities, responsibilities and accountabilities
— Allocating resources
— Establishing communication and consultation.

4. IMPLEMENTATION
— create a suitable plan with allocated time and resources.
— recognize who, when, and how decisions are made throughout the organization.
— adjust processes as needed
— ensure clear understanding and implementation of risk management protocols.
— engage and inform stakeholders effectively.

5. EVALUATION
— regularly evaluate how well the risk management framework is working
— determine if it still helps achieve the organization’s goals.

6. IMPROVEMENT
— Adapting
o Continual monitoring
o Adapting to changes
o Improving value
— Continually Improving
o Assessing framework effectiveness
o Enhancing integration
o Developing improvement plans
o Contributing to enhancement

RISK MANAGEMENT PROCESS

The risk management process involves the systematic application of policies, procedures, and practices to the activities of communicating and consulting, establishing the context, and assessing, treating, monitoring, reviewing, recording, and reporting risk.

The risk management process should be an integral part of management and decision-making and integrated into the structure, operations, and processes of the organization. It can be applied at strategic, operational, programme or project levels.

There can be many applications of the risk management process within an organization, customized to achieve objectives and to suit the external and internal context in which they are applied. The dynamic and variable nature of human behavior and culture should be considered throughout the risk management process. Although the risk management process is often presented as sequential, in practice it is iterative.

1. COMMUNICATION & CONSULTATION:

This is to assist relevant stakeholders in understanding risk, the basis on which decisions are made and the reasons why particular actions are required.
— Communication seeks to promote awareness and understanding of risk.
— Consultation involves obtaining feedback and information to support decision-making.

Close coordination between the two should facilitate factual, timely, relevant, accurate and understandable exchange of information, taking into account the confidentiality and integrity of information as well as the privacy rights of individuals.

Communication and consultation with appropriate external and internal stakeholders should take place within and throughout all steps of the risk management process.

Communication and consultation aims to:
o bring different areas of expertise together for each step of the risk management process;
o ensure that different views are appropriately considered when defining risk criteria and when evaluating risks;
o provide sufficient information to facilitate risk oversight and decision-making;
o build a sense of inclusiveness and ownership among those affected by risk.

2. SCOPE, CONTEXT, & CRITERIA:

This customizes the risk management process, enabling effective risk assessment and appropriate risk treatment.

This involves defining the scope of the process, and understanding the external and internal context.

3. DEFINING SCOPE

It is important to be clear about the scope under consideration, the relevant objectives to be considered, and their alignment with organizational objectives.

When planning the approach, considerations include:
o objectives and decisions that need to be made;
o outcomes expected from the steps to be taken in the process;
o time, location, specific inclusions and exclusions;
o appropriate risk assessment tools and techniques;
o resources required, responsibilities and records to be kept;
o relationships with other projects, processes, and activities.

4. EXTERNAL & INTERNAL CONTEXT

The external and internal context is the environment in which the organization seeks to define and achieve its objectives.

The context of the risk management process should be established from an understanding of the external and internal environment in which the organization operates, and should reflect the specific environment of the activity to which the risk management process is to be applied.

Understanding the context is important because:
o risk management takes place in the context of the objectives and activities of the organization;
o organizational factors can be a source of risk;
o the purpose and scope of the risk management process may be interrelated with the objectives of the organization as a whole.

5. DEFINING RISK CRITERIA

The organization should specify the amount and type of risk that it may or may not take, relative to objectives. It should also define criteria to evaluate the significance of risk and to support decision-making processes. Risk criteria should be aligned with the risk management framework and customized to the specific purpose and scope of the activity under consideration.

Risk criteria should reflect the organization’s values, objectives, and resources and be consistent with policies and statements about risk management. The criteria should be defined taking into consideration the organization’s obligations and the views of stakeholders.

While risk criteria should be established at the beginning of the risk assessment process, they are dynamic and should be continually reviewed and amended, if necessary.

To set risk criteria, the following should be considered:
o the nature and type of uncertainties that can affect outcomes and objectives (both tangible and intangible);
o how consequences (both positive and negative) and likelihood will be defined and measured;
o time-related factors;
o consistency in the use of measurements;
o how the level of risk is to be determined;
o how combinations and sequences of multiple risks will be taken into account;
o the organization’s capacity.

RISK ASSESSMENT
— revolves around the idea of proactively identifying and addressing potential risks before they occur.
— a systematic approach to understanding and managing risks, rather than simply reacting to them when they arise.

1. RISK IDENTIFICATION

This involves identifying and documenting potential risks that could impact the organization's objectives. It includes both internal and external risks, such as operational, financial, strategic, and compliance risks.

Risk identification is the process of documenting any risks that could keep an organization or program from reaching its objective. It's the first step in the risk management process, which is designed to help companies understand and plan for potential risks.

There are several situations for which you might need to identify risks, including:
o To support an investment decision
o To assess cost uncertainty or operational costs
o To analyze multiple alternatives
o To test a program before its acquisition

2. RISK ANALYSIS

The purpose of risk analysis is to comprehend the nature of risk and its characteristics including, where appropriate, the level of risk. Risk analysis involves a detailed consideration of uncertainties, risk sources, consequences, likelihood, events, scenarios, controls and their effectiveness. An event can have multiple causes and consequences and can affect multiple objectives.

Risk analysis can be undertaken with varying degrees of detail and complexity, depending on the purpose of the analysis, the availability and reliability of information, and the resources available. Analysis techniques can be qualitative, quantitative or a combination of these, depending on the circumstances and intended use.

Risk analysis should consider factors such as:
o the likelihood of events and consequences;
o the nature and magnitude of consequences;
o complexity and connectivity;
o time-related factors and volatility;
o the effectiveness of existing controls;
o sensitivity and confidence levels.

The risk analysis may be influenced by any divergence of opinions, biases, perceptions of risk, and judgments. Additional influences are the quality of the information used, the assumptions and exclusions made, any limitations of the techniques, and how they are executed. These influences should be considered, documented, and communicated to decision makers.

Highly uncertain events can be difficult to quantify. This can be an issue when analyzing events with severe consequences. In such cases, using a combination of techniques generally provides greater insight.

Risk analysis provides input to risk evaluation, to decisions on whether risk needs to be treated and how, and on the most appropriate risk treatment strategy and methods. The results provide insight into decisions where choices are being made and the options involve different types and levels of risk.

3. RISK EVALUATION

The purpose of risk evaluation is to support decisions. Risk evaluation involves comparing the results of the risk analysis with the established risk criteria to determine where additional action is required. This can lead to a decision to:
o do nothing further;
o consider risk treatment options;
o undertake further analysis to better understand the risk;
o maintain existing controls;
o reconsider objectives.

Decisions should take account of the wider context and the actual and perceived consequences to external and internal stakeholders.

4. RISK TREATMENT

The purpose of risk treatment is to select and implement options for addressing risk.

Risk treatment involves an iterative process of:
o formulating and selecting risk treatment options;
o planning and implementing risk treatment;
o assessing the effectiveness of that treatment;
o deciding whether the remaining risk is acceptable;
o if not acceptable, taking further treatment.

Selecting the most appropriate risk treatment option(s) involves balancing the potential benefits derived in relation to the achievement of the objectives against the costs, effort or disadvantages of implementation.

Risk treatment options are not necessarily mutually exclusive or appropriate in all circumstances. Options for treating risk may involve one or more of the following:
o avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
o taking or increasing the risk in order to pursue an opportunity;
o removing the risk source;
o changing the likelihood;
o changing the consequences;
o sharing the risk (e.g. through contracts, buying insurance);
o retaining the risk by informed decision.

The selection of risk treatment options should be made in accordance with the organization’s objectives, risk criteria and available resources. The organization should also consider the values, perceptions and potential involvement of stakeholders and the most appropriate ways to communicate and consult with them. Though equally effective, some risk treatments can be more acceptable to some stakeholders than to others.

Risk treatments, even if carefully designed and implemented, might not produce the expected outcomes and could produce unintended consequences. Monitoring and review need to be an integral part of the risk treatment implementation to give assurance that the different forms of treatment become and remain effective. Risk treatment can also introduce new risks that need to be managed.

If there are no treatment options available, or if treatment options do not sufficiently modify the risk, the risk should be recorded and kept under ongoing review.

Decision makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment.

Preparing and implementing risk treatment plans

The purpose of risk treatment plans is to specify how the chosen treatment options will be implemented, so that arrangements are understood by those involved and progress against the plan can be monitored. The treatment plan should clearly identify the order in which risk treatment should be implemented.

Treatment plans should be integrated into the management plans and processes of the organization, in consultation with appropriate stakeholders.

The information provided in the treatment plan should include:
o the rationale for selection of the treatment options, including the expected benefits to be gained;
o those who are accountable and responsible for approving and implementing the plan;
o the proposed actions;
o the resources required, including contingencies;
o the performance measures;
o the constraints;
o the required reporting and monitoring;
o when actions are expected to be undertaken and completed.

5. MONITORING & REVIEW

Risk management is an ongoing process that requires continuous monitoring and review. This ensures that risks are effectively managed and new risks are identified and addressed in a timely manner.

The purpose of monitoring and review is to assure and improve the quality and effectiveness of process design, implementation and outcomes. Ongoing monitoring and periodic review of the risk management process and its outcomes should be a planned part of the risk management process, with responsibilities clearly defined.

Monitoring and review should take place in all stages of the process. Monitoring and review includes planning, gathering and analyzing information, recording results and providing feedback. The results of monitoring and review should be incorporated throughout the organization’s performance management, measurement and reporting activities.

Monitoring and review is a critical aspect of the risk management process. It ensures that everything within that process, together with the risks it is seeking to address, is working effectively and efficiently. Through monitoring and review, you are able to iterate and improve the risk management process through continual improvement and iteration on a periodic and ongoing basis, through the activities of planning, gathering, analyzing, recording results, and providing feedback on those results.

6. RECORDING & REPORTING

Recording and reporting aims to:
o communicate risk management activities and outcomes across the organization;
o provide information for decision-making;
o improve risk management activities;
o assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.

Decisions concerning the creation, retention and handling of documented information should take into account, but not be limited to: their use, information sensitivity and the external and internal context.

Reporting is an integral part of the organization’s governance and should enhance the quality of dialogue with stakeholders and support top management and oversight bodies in meeting their responsibilities.

Factors to consider for reporting include, but are not limited to:
o differing stakeholders and their specific information needs and requirements;
o cost, frequency and timeliness of reporting;
o method of reporting;
o relevance of information to organizational objectives and decision-making.

TOPIC 2: STRATEGIC PLANNING FOR ENTERPRISE RISK MANAGEMENT

SILO OR STOVE-PIPE RISK MANAGEMENT
— ‘silo’ means containers used to store grains.
— organizations commonly managed risks by delegating responsibilities to particular business unit leaders who were tasked to oversee risks based on their respective area.
— each silo leader operates within their respective area to identify and address the risks.
— They work independently within their own "silo," where they only focus on their delegated tasks without collaborating with others.

ENTERPRISE RISK MANAGEMENT (ERM)

This is a holistic approach employed across the entire organization to identify, assess, and manage the various risks that an organization may encounter in pursuit of its objectives.

ERM OBJECTIVES:
o Promoting a strong risk culture
o Aligning with organizational strategy
o Establishing risk governance
o Safeguarding reputation
o Ensuring legal compliance

This risk management helps organizations increase their resilience to potential threats while also allowing them to pursue opportunities more confidently.

The implementation of an effective ERM framework lies with the Chief Risk Officer (CRO) of the organization.

STRATEGIC PLANNING

The process of defining an organization’s long-term vision, mission, goals, and objectives, as well as the resources and actions necessary to attain them.

It is crucial to Enterprise Risk Management and is a proactive response to risks in the business. It helps organizations prioritize the most important risks first and address multiple risks simultaneously instead of addressing them one at a time. Additionally, strategic planning helps organizations better understand how different factors interact with each other so they can make more informed decisions about how best to allocate resources.

STRATEGIC ENTERPRISE RISK MANAGEMENT (SERM)

This is an integrated approach that enables organizations to align their risk management processes with strategic decision-making, thereby improving overall performance and resiliency.

IMPORTANT ASPECTS OF SERM:

1. Alignment with objectives
Organizations can ensure that ERM efforts contribute directly to achieving long-term success and sustainability.

2. Risk Awareness
By promoting a shared understanding of risks, strategic planning helps ensure that all stakeholders are equipped to contribute to ERM efforts and make informed decisions that mitigate risks and capitalize on opportunities.

3. Improve Decision-making
By systematically assessing risks and their potential impact on strategic objectives, organizations can make choices that balance risk and reward, leading to better outcomes and performance.

4. Resource allocation
By prioritizing risks based on their significance and potential impact, strategic planning ensures that resources are allocated to the most critical areas of risk, maximizing the effectiveness of ERM efforts and optimizing the use of resources.

5. Continuous improvement
Strategic planning plays a crucial role in ensuring business continuity by identifying and mitigating risks that could disrupt operations or threaten organizational resilience. By incorporating risk management strategies into strategic planning processes, organizations can develop contingency plans, implement risk mitigation measures, and establish mechanisms for responding to and recovering from potential disruptions.

6. Enhanced stakeholder confidence
By embedding risk management considerations into strategic planning processes, organizations signal to stakeholders, including investors, customers, regulators, and partners, that they are proactive in identifying and mitigating risks that could impact organizational performance and reputation. This, in turn, enhances trust, credibility, and long-term relationships with stakeholders, contributing to organizational resilience and sustainable growth.

UNDERSTANDING RISKS IN ERM

TYPE OF BUSINESS RISKS:

1. OPERATIONAL RISKS
— pertain to day-to-day challenges encountered during business operations, including internal process inefficiencies, human errors, technological breakdowns, and supply chain disruptions.
— arise from internal processes, human error, technology failures, or external factors like supply chain disruptions.

2. FINANCIAL RISKS
— risks related to the overall financial health and stability of the company.
— include factors like market volatility
— encompass factors that jeopardize a company's financial stability, such as market volatility, credit defaults, liquidity constraints, and currency fluctuations.
— Effectively managing financial risks is crucial for maintaining robust financial health and resilience against economic uncertainties.

3. STRATEGIC RISKS
— assist interaction with stakeholders, including those with responsibility and accountability for risk management activities.
— arise from uncertainties surrounding long-term objectives and plans, stemming from changes in the market landscape, competitive pressures, regulatory dynamics, and shifting consumer preferences.
— Managing strategic risks entails adaptive strategies to seize opportunities and mitigate threats in a rapidly evolving business environment.

Difference between Traditional Risk Management and Enterprise Risk Management

1. Use of Data
— Traditional risk management relies predominantly on historical data to identify and address potential risks.
— In contrast, ERM adopts a holistic approach, leveraging advanced analytics and diverse information sources to anticipate and mitigate a broader spectrum of risks, including emerging threats.

2. Leadership
— Traditional risk management often operates within siloed departments, managing risks independently.
— ERM necessitates top-level leadership and strategic alignment across the organization, fostering a culture of risk awareness and accountability to integrate risk management into strategic decision-making processes effectively.

3. Risk Appetite
— Traditional risk management tends to adopt a conservative risk mitigation approach within departmental boundaries, potentially limiting innovation and growth opportunities.
— ERM considers the organization's overall risk appetite and tolerance levels, enabling a balanced approach to risk management that facilitates strategic growth while mitigating potential threats.

4. Scope
— Traditional risk management focuses on addressing risks within specific departments, overlooking interconnections between risks across the organization.
— ERM takes a comprehensive view of organizational risks, identifying and addressing interconnected risks proactively to prevent escalation into significant threats.

5. Proactivity
— Traditional risk management predominantly involves reactive approaches to address problems as they arise.
— ERM emphasizes proactive risk identification and mitigation, enabling organizations to anticipate and preemptively manage risks before they escalate into critical issues, thereby enhancing resilience and agility.

ROLES OF STRATEGIC PLANNING IN ERM

1. Objective Setting
A company must set objectives that support the mission and goals of the company. These objectives must then be aligned with the company's risk appetite.
It involves establishing the strategic and operational goals of the organization. These objectives provide context for identifying and assessing potential risks that could hinder the achievement of these goals.

2. Event Identification
Involves identifying potential events that might impact an organization; includes identifying factors (internal and external) that influence how potential events may affect strategy implementation and achievement of objectives. Events could be positive or negative; explore the opportunities as well as the risks.

3. Risk Assessment
It is essential to determine the likelihood, severity and your ability to respond to the risk. It involves the evaluation of potential risks in terms of likelihood and potential impact. It helps prioritize risks and allocate resources effectively.

4. Risk Response
Risk response strategies involve the development and implementation of actions to mitigate or respond to identified risks. This component aims to reduce or eliminate exposures to risk and enhance the organization's ability to seize opportunities.

Ways in which a company can respond to risk include the following:
o Reduce – reduce the risk to minimize its impact.
o Accept – accept the impact if it is negligible or minimal.
o Avoid – eliminate or forego the risk.
o Transfer – assign the mitigation to a competent third party.

5. Control Activities
These are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk.
Determining appropriate internal controls to monitor and test your approach. This series of checks and balances is designed to identify any out-of-tolerance activity or results.

6. Information and Communication
Information systems should be able to capture data useful to management to better understand a company's risk profile and management of risk. Meanwhile, communication is the essence of any business. This process will ensure that no risk is overlooked.
Enterprise risk management requires a continual process of obtaining and sharing necessary information from both internal and external sources, which flows up, down, and across the organization.

7. Monitoring
This may include reviewing what is actually performed compared to what policy documents suggest.

We live in the age of market volatility, and the fast-paced, changing trends put forth a plethora of risks. These changing trends also change the nature of the risks you are about to encounter.

There are three distinct points where ERM and the strategic planning process can support one another to detect and manage different types of risk:

1. Risks that inform development of the strategic plan
At this point, the focus is on understanding the environment. These are the risks from the internal and external environment that help determine which goals and objectives to choose in the first place.

2. Risks to implementation of the strategic plan
This points out the risks in building the plan. These kinds of risk may prevent the organization from achieving the goals and objectives defined in their plan.

3. Risks generated from implementing the strategic plan
These risks are encountered during the execution of the plan. These are the new risks created by implementing the strategy itself, or the unintended consequences of successfully executing the plan.

Benefits of Integrating ERM into Strategic Planning:
- Businesses can enhance performance, reduce costs, and increase profits.
- Businesses can identify potential risks and devise strategies to mitigate them to maximize their success.
- Enables organizations to align their risk management processes with strategic decision-making, thereby improving overall performance and resiliency.

COMPONENTS INVOLVED IN STRATEGIC PLANNING FOR ERM

1. Internal Environment
The internal environment sets the tone for how risk is viewed and addressed within the organization. It includes the organization's risk culture, risk appetite, ethical values, and governance framework.

2. Objective Setting
As a company determines its purpose, it must set objectives that support the mission and goals of the company. These objectives must then be aligned with the company's risk appetite.

3. Event Identification
ERM guidance recommends that companies identify important areas of the business and associated events that may have dire outcomes.

4. Risk Assessment
One of the essential components of corporate risk management. You need to determine their likelihood, severity and your ability to respond.

5. Risk Response
Risk response strategies involve the development and implementation of actions to mitigate or respond to identified risks.

6. Control Activities
Control activities are the actions taken by a company to create policies and procedures to ensure management carries out operations while mitigating risk.

7. Information and Communication
Information systems should be able to capture data useful to management to better understand a company's risk profile and management of risk.

8. Monitoring
This may include reviewing what is actually performed compared to what policy documents suggest.

TOOLS & TECHNIQUES FOR STRATEGIC ERM

1. Key Risk Indicators
A Key Risk Indicator, or KRI, is a measurable data point that businesses use to provide an immediate indication of potential risks to accomplishing the objectives they have set. KRIs are unique to each company and are designed to track and assess factors that are directly related to the occurrence or development of risks. They assist organizations in proactively identifying, monitoring, and managing potential risks. Once they have discovered developing risks before they escalate into major difficulties, it allows them to take proactive action to reduce or manage these risks successfully.

This differs from KPIs, or key performance indicators, which are performance measurements used by organizations to assess how effectively they are reaching their objectives and goals, and which primarily focus on positive outcomes such as revenue growth, customer happiness, and operational efficiency. KRIs, by contrast, are risk-focused indicators designed to detect and monitor potential risks and vulnerabilities that may impact an organization's operations and objectives.

Key risk indicators can be positive or negative, indicating both increased risk and the effectiveness of the risk mitigation measures of the company.

Usually, the risk register is divided into multiple significant sections, which are the following:
a) Identification - A unique identification is given to every risk in order to make monitoring and reference easier during the risk management process.
Although important risk indicators can b) Description - A thorough risk description is show negative outcomes in an organization, they given, outlining the characteristics, origin, should not be interpreted as loss; rather, they and possible consequences of the risk demonstrate the transparency and efficiency of the occurrence. company's risk management performance. c) Type - The risks may be more easily analyzed and prioritized since they are Key risk indicators come in two types which grouped according to their nature or source, are the lagging and leading key risk indicators. such as financial, operational, technical, or Leading Key Risk Indicators can be used to strategic concerns. anticipate future outcomes. This is comparable to d) Impact and Probability - The assessments forecasting, except that a forecast of this kind simply of each risk's impact and probability are documents the risks associated with the company included in the risk register, which aids reaching its goal, but a Lagging Key Risk Indicator stakeholders in understanding the possibility measures the real performance or records the actual of a risk occurring as well as the possible and current risks of the organization. outcomes should it materialize. e) Risk Allocation - The risks are allocated to To determine the appropriate course of designated owners who bear the task of action to mitigate the risks, it is essential to overseeing, controlling, and minimizing understand the distinctions between these major risk them, guaranteeing accountability and well- indicators. While lagging indicators support reactive defined reporting channels. 
response to risks that have already occurred or by f) Status - The risk register gives stakeholders collecting historical data that may be used as a insight into the advancement of risk reference for possible risks, leading indicators often management initiatives by listing each risk's need proactive response and concentrate on the current state, including whether it is open, components that can foresee future occurrences. closed, mitigated, or ongoing. g) Contingency Plans - The risk register may Before a company can start building their also contain information regarding KRIs, they need to understand their company's contingency plans, continuous monitoring mission, vision and objectives and brainstorm on the and review procedures, and risk mitigation important and main risks that are common in the measures, allowing stakeholders to assess operations of the company. For the company's main the efficacy of risk responses and modify risk indicator to be useful in strategic enterprise risk their plans as necessary. management, it should possess the following qualities: The difference of a risk register to a risk Measurable: KRIs can be expressed as matrix is that a risk register is more like a percentages, figures, etc. document while a risk matrix is a visual tool to Relevant: Since KRIs are used to influence help map out the risks. The risk matrix measures decision-making, they should be significant to the likelihood of the risk occurring, from rare to the company and its objectives. almost certain, and its severity, from insignificant to Comparable: KRIs should be comparable to severe. It’s also color-coded to show the priority of trends over time and can be compared both each of the risks charted on the matrix. This is also internally and to the existing industry commonly known as a risk map. standards. The figure below is a risk matrix. 
It can vary Aside from having key risk indicators that are depending on the company but it usually contains effective, the company should also have an efficient the probability of the risk happening compared to the way of tracking KRIs. Companies usually use a impact of it once it occurs. measure similar to that of a stop sign with green, yellow and red indicators which means the following: The impact is divided into 5 different rating levels Green KRIs fall within reasonable risk which are as follows: thresholds. Insignificant – This won’t cause any serious Yellow KRIs indicate elevated risk that needs injuries or illnesses. to be monitored. Minor – This can cause injuries or illnesses, Red KRIs indicate that the company's risk only to a mild extent. tolerance has been exceeded and that quick Significant – This can cause injuries or action is required. illnesses that may require medical attention but limited treatment. 2. Risk Register and Risk Matrix Major – This can cause irreversible injuries or illnesses that require constant medical Organizations use risk registers, which are attention. documents or files, to track and manage risks related Severe – This can result in fatality. to their initiatives, operations, and projects. It acts as an overview for tracking, evaluating, prioritizing, and The probability is divided into 5 different recognizing risks at any point in a project's or rating levels which are the following: organization's history. a) Rare - It is unlikely to happen and/or have minor or negligible consequences. -- May every evil eye in your life go blind. RISK MANAGEMENT REVIEWER b) Unlikely - It is possible to happen and/or to their controls, and actions. It's also often difficult to have moderate consequences. map and interpret interdependencies and c) Moderate - It is likely to happen and/or to commonalities, and any effort to create a risk map is have serious consequences. 
entirely manual and prone to human error so using d) Likely - It is almost sure to happen and/or to a software can help companies greatly. have major consequences. e) Almost certain - It is sure to happen and/or have major consequences. Creating a risk matrix helps the top management and their teams to identify the risks that could threaten the organization and rank their possible impact and likelihood. The exercise can clarify priorities for enterprise leaders and help them get ahead of issues before they threaten the organization's operations. The risk matrix is used by assigning a numeric value from 1 being the lowest and 5 being the highest to the risk under the categories probability and impact to determine the risk level of each risk. The value of the impact multiplied to the value of the probability is the risk level for the specific risk. The meaning behind each risk level is determined below: 1-4: Acceptable - no further action may be needed and maintaining control measures is encouraged. 5-9: Adequate - may be considered for further analysis. 10-16: Tolerable - must be reviewed in a timely manner to carry out improvement strategies. 17-25: Unacceptable - must implement cease in activities and endorse for immediate action. 3. Scenario Analysis Scenario Analysis is an assessment technique that is used to identify and measure the potential occurrence of operational risk events. Scenario Analysis is designed to derive reasoned assessments of the likelihood and impact of plausible operational losses from business and risk management experts. It is often used to identify and measure events with low frequency but high severity losses. This is a tool that generates forward-looking “what- if'' simulations for specified changes in market factors. There are different scenarios that can be used in scenario analysis which are as follows: o Base case scenario – It is the average scenario, based on management assumptions. 
o Worst case scenario – Considers the most serious or severe outcome that may happen in a given situation. o Best case scenario – It is the ideal projected scenario and is almost always put into action by management to achieve their objectives. 4. Risk Management Software Companies can use risk management software like resolver, oracle or sas to make their risk management easier and standardized. Strategic risk information is often held in Excel spreadsheets making it difficult to identify, understand, and draw relationships between causes, consequences and -- May every evil eye in your life go blind. RISK MANAGEMENT REVIEWER Topic 3: KEY CONCEPT IN RISK MANAGEMENT Population or society being affected by one risk is listed under this. RISK CULTURE Cost Benefit Criteria - It is not a direct risk criteria The purpose of establishing the scope, but yet is part of the risk criteria such that it allows context, and criteria is to customize the risk the organization to determine the cost benefit in management process, enabling effective risk terms of risk reduction. This aims to show the assessment and appropriate risk treatment. acceptable cost for one risk management process to impose through cost-benefit analysis (CBA). Scope, context and criteria involve defining Qualitative Risk Criteria - shows the conditions in the scope of the process, and understanding the an accepted risk of an organization such as external and internal context. protocols, mitigations, standards and other conditions an organization shall consider. SCOPE Setting Risk Criteria - This criteria is objectively Consideration in determining the scope of Risk: decided by the people of the organization. They set Expected Outcome of the Risk Process – all the the risk on a numerical basis whether it needs possible outcomes a risk may cause. immediate action or not. 
In this criteria, the Time and Location – contains the risks which can organization is the one to select risks that are occur timely or on a specific location only. acceptable shall have proper and strategized risk Inclusions and Exclusions – the personal choices management. and decisions of an organization to include or Risk assessment exclude on the Risk Management process in - is the process of identifying what hazards exist, or response to one risk. may appear in the workplace, how they may cause Risk Assessment Tools and Techniques – refers harm and to take steps to minimize harm. to the tools and techniques which the organization - tells us the likelihood and severity of a harmful can utilize in terms of assessing the risks presented event. within the organization. The primary objectives of risk assessment are as Resources, Responsibilities, and Records - follows: Organizations must know their resources, their Identification of Risks responsibilities, and important records which will Analysis of Risks help in assessing the risk and properly select the Prioritization of Risks most reliable risk management process. Mitigation and Control Intersection with other Projects, Process, and Decision-Making Activities - In this case, each risk management Resource Allocation scope shall always consider other external things Compliance and Regulation despite it not having any effects on the new strategy. Continuous Improvement Communication CONTEXT Transparency - is the environment in which the organization seeks Loss Prevention to define and achieve its objectives. Strategic Planning Risk Management is the process of identifying, External context includes but is not limited to social, assessing, and controlling potential threats to an cultural, environmental (including natural hazards organization. 
It's a proactive approach to managing and climate change), political, legal, financial, uncertainty by anticipating and planning for future technological, security and economic factors. events. Risk analysis is the process of identifying and Internal context includes strategic objectives, analyzing potential issues that could negatively values, standards, resources available, business impact key business initiatives or projects. processes, organizational culture, relationships with Types of Risk Analysis internal stakeholders, capacities, etc. Risk-benefit analysis - Typically used for decision-making in the RISK CRITERIA healthcare and environmental sectors The amount and type of risk an organization may or - weighs the prospective benefits and risks of a may not take choice or course of action. Obligations and views of stakeholders - to make rational decisions by determining whether The nature and type of uncertainties that can affect the potential benefits of a decision outweigh the outcomes and objectives potential risks, or vice versa. How you will define positive and negative Business impact analysis (BIA) consequences and likelihood of risk occurrences Needs assessment analysis The role and influence of time in response to the risk Root cause analysis Consistency on your choice of how the risk is to be measured Criteria in determining the level of risk Combination or sequence of multiply occurring risks Capacity to respond to the risk TYPES OF RISK CRITERIA Risk Matrix Criteria – a matrix for risk to determine the frequency and effects of a risk in an organization. Individual Risk Criteria - allows the organization to know the consequences of the risk to an individual such as the severity of its effect on the overall being of an individual. Societal Risk Criteria - holistically view the risk including the internal and external effects of it. -- May every evil eye in your life go blind. 
TOPIC 4: "MANAGING, MONITORING AND REPORTING RISKS"

Type 1 - uncertainties where a lot of historical data is available, mostly work-related accidents.
Type 2 - uncertainties where little or very little historical data is available (e.g., internal domino effects).
Type 3 - uncertainties where no historical data is available (e.g., loss of lives, economic devastation, natural disasters).

Risk Appetite – refers to the level of risk
Key Aspects of Risk Appetite
1. Strategic Alignment
2. Risk Tolerance Levels
3. Decision-making framework
4. Communication and alignment
5. Monitoring and review

Relationship of Risk Culture and Risk Appetite
Risk Culture
10 most important values
1. acts as an influential value

STRATEGIES TO IMPROVE RISK CULTURE
1. Start from the top
2. Employee risk awareness training
3. Increase risk visibility
4. Align risk performance metrics with the incentive system
5. Evaluate and report progress with quantitative and qualitative metrics

RISK APPETITE AND ITS IMPORTANCE
RISK APPETITE – the amount and type of risk that the organization is willing to take to achieve its goal.
Types of risk appetite of organizations
1. High risk appetite – "risk seekers"; they believe that the higher the risk, the higher the rewards / the greater the success.
2. Low risk appetite – "risk comers(?)"; ex: utility companies
3. Risk neutral – neither actively seeking risk nor avoiding it; ex: insurance companies

FACTORS AFFECTING RISK APPETITE
1. INDUSTRY –
2. COMPANY CULTURE –
3. COMPETITORS – can provide insights to companies…
4. NATURE OF OBJECTIVES – related to no. 2.
5. FINANCIAL STRENGTH

How to write a Risk Appetite?
1. Build a diverse team
2. Start with strategy
3. Include an executive summary
4. Define metrics in easily quantifiable terms.
5. Keep it fresh.

RISK APPETITE SCALE - A tool that helps identify the level of risk that the business is going to assume it may encounter in achieving its primary targets.
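Worked example for the KRI tracking described under "Tools & Techniques for Strategic ERM" (item 1): the green/yellow/red thresholds, the leading/lagging distinction, and the "comparable over time" quality. This is an added example, not code from the reviewer or from any vendor product. The KRI names, thresholds and readings are constructed security metrics chosen for illustration, and the red threshold is treated as the point where the organization's risk tolerance (Topic 4) is exceeded.

```python
"""Added example (not from the reviewer or any vendor tool): tracking KRIs against
green/yellow/red thresholds, with a trend check so readings stay comparable over time.
All KRI names, thresholds and readings below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    kind: str                      # "leading" or "lagging"
    warn: float                    # crossing this turns the indicator yellow
    breach: float                  # crossing this turns it red (risk tolerance exceeded)
    higher_is_worse: bool = True   # False for coverage-style metrics that degrade downward

    def status(self, value: float) -> str:
        """Map one reading onto the traffic-light scale used in the reviewer."""
        # Normalise so that "worse" always means "larger": negate for falling metrics.
        sign = 1 if self.higher_is_worse else -1
        v, warn, breach = sign * value, sign * self.warn, sign * self.breach
        if v >= breach:
            return "red"
        if v >= warn:
            return "yellow"
        return "green"

    def trend(self, previous: float, current: float) -> str:
        """Compare two readings in the metric's own direction."""
        if current == previous:
            return "flat"
        worsening = (current > previous) == self.higher_is_worse
        return "worsening" if worsening else "improving"


def validate(kri: KRI) -> None:
    """The breach threshold must lie beyond the warning threshold in the 'worse' direction."""
    ok = kri.breach > kri.warn if kri.higher_is_worse else kri.breach < kri.warn
    if not ok:
        raise ValueError(f"{kri.name}: breach threshold must be worse than warn threshold")


def evaluate(kris, readings):
    """readings maps KRI name -> (previous, current). Returns name -> (status, trend)."""
    out = {}
    for k in kris:
        validate(k)
        prev, cur = readings[k.name]
        out[k.name] = (k.status(cur), k.trend(prev, cur))
    return out


def escalations(report):
    """Red indicators need quick action; yellow ones that are worsening are listed too,
    because they are the ones most likely to turn red before the next review."""
    red = [n for n, (s, _) in report.items() if s == "red"]
    watch = [n for n, (s, t) in report.items() if s == "yellow" and t == "worsening"]
    return red, watch


# Constructed security KRIs (names and thresholds are assumptions, not from the reviewer).
SAMPLE_KRIS = [
    KRI("critical_vulns_past_sla", "leading", warn=5, breach=15),
    KRI("phishing_click_rate_pct", "lagging", warn=5.0, breach=10.0),
    KRI("mfa_coverage_pct", "leading", warn=95.0, breach=85.0, higher_is_worse=False),
    KRI("sev1_incidents_per_quarter", "lagging", warn=1, breach=3),
]

# Constructed readings: (previous period, current period).
SAMPLE_READINGS = {
    "critical_vulns_past_sla": (4, 7),
    "phishing_click_rate_pct": (12.0, 11.5),
    "mfa_coverage_pct": (97.0, 91.0),
    "sev1_incidents_per_quarter": (0, 0),
}

if __name__ == "__main__":
    report = evaluate(SAMPLE_KRIS, SAMPLE_READINGS)
    for name, (status, trend) in report.items():
        print(f"{name:30} {status:7} {trend}")
    print("escalate:", escalations(report))
```

The direction flag matters: a coverage metric such as MFA enrolment gets worse as it falls, so without it a drop from 97% to 91% would be reported as "improving". Keeping previous and current readings side by side is what makes the indicator comparable to its own trend, which the reviewer lists as a required KRI quality.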
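Worked example for the risk register and 5x5 risk matrix described under "Tools & Techniques for Strategic ERM" (item 2): register entries with identifier, description, type, probability, impact, owner and status; the level computed as probability multiplied by impact; and the four bands (1-4, 5-9, 10-16, 17-25). This is an added example, not code from the reviewer. The four register entries are constructed for illustration.

```python
"""Added example (not from the reviewer): a minimal risk register scored with the 5x5
matrix described in the text. Register entries are constructed for illustration."""
from dataclasses import dataclass

# Rating scales from the reviewer, as 1..5 ordinals.
PROBABILITY = {"rare": 1, "unlikely": 2, "moderate": 3, "likely": 4, "almost certain": 5}
IMPACT = {"insignificant": 1, "minor": 2, "significant": 3, "major": 4, "severe": 5}


def risk_level(probability: int, impact: int) -> int:
    """Risk level = probability x impact, each rated on a 1..5 scale."""
    for v in (probability, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"rating {v} outside 1..5")
    return probability * impact


def risk_band(level: int) -> str:
    """Bands from the reviewer. Note that 17-19 and 21-24 can never occur as products."""
    if level <= 4:
        return "Acceptable"
    if level <= 9:
        return "Adequate"
    if level <= 16:
        return "Tolerable"
    return "Unacceptable"


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    risk_type: str          # financial / operational / technical / strategic
    probability: str        # key of PROBABILITY
    impact: str             # key of IMPACT
    owner: str
    status: str = "open"    # open / closed / mitigated / ongoing

    @property
    def level(self) -> int:
        return risk_level(PROBABILITY[self.probability], IMPACT[self.impact])

    @property
    def band(self) -> str:
        return risk_band(self.level)


def prioritize(register):
    """Highest level first; ties go to the higher impact so a rare-but-severe risk
    outranks a likely-but-minor one with the same product."""
    return sorted(register, key=lambda r: (-r.level, -IMPACT[r.impact], r.risk_id))


def risk_map(register):
    """5x5 grid keyed by (probability, impact); each cell lists the risk IDs plotted there."""
    grid = {(p, i): [] for p in range(1, 6) for i in range(1, 6)}
    for r in register:
        grid[(PROBABILITY[r.probability], IMPACT[r.impact])].append(r.risk_id)
    return grid


def render_map(grid) -> str:
    """Text rendering: probability 5..1 down the rows, impact 1..5 across the columns."""
    lines = ["P\\I  " + "  ".join(f"{i:>8}" for i in range(1, 6))]
    for p in range(5, 0, -1):
        cells = [",".join(grid[(p, i)]) or "-" for i in range(1, 6)]
        lines.append(f"{p:>3}  " + "  ".join(f"{c:>8}" for c in cells))
    return "\n".join(lines)


# Constructed register entries (assumptions for illustration, not from the reviewer).
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Unpatched internet-facing VPN appliance", "technical", "likely", "major", "infra lead"),
    RiskEntry("R-002", "Sole supplier for a critical component fails", "operational", "unlikely", "severe", "procurement"),
    RiskEntry("R-003", "Office printer outage", "operational", "moderate", "insignificant", "facilities"),
    RiskEntry("R-004", "Ransomware entering via phishing", "technical", "likely", "severe", "CISO"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.risk_id} level={r.level:2} {r.band:12} owner={r.owner} status={r.status}")
    print(render_map(risk_map(SAMPLE_REGISTER)))
```

With the constructed entries the order comes out R-004 (20, Unacceptable), R-001 (16, Tolerable), R-002 (10, Tolerable), R-003 (3, Acceptable). R-001 and R-002 illustrate why the band alone is not enough for prioritization: both are Tolerable, but one is a likely event and the other a rare event with a fatal-class impact, which is why the sort key also looks at impact.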