using the risk matrix a practical · pdf filepresentation purpose • at the end of this...
TRANSCRIPT
Evans K. Luneta Assistant Director – Enterprise Risk Management, Bank of Zambia
@ the Radisson Blu Hotel, 28 August 2014, EMAIL: [email protected]
1
USING THE RISK MATRIX – A PRACTICAL APPROACH A PRESENTATION
BY
22/08/2014 2
Definition of Key Risk Management
Concepts
Why Risk Management?
The Risk Management
Process
Risk Response Strategies
OUTLINE
Presentation Purpose
• At the end of this presentation, it is anticipated that Participants would:
22/08/2014 3
Know how to use the Risk Matrix (Heat Map) for decision making purposes
Appreciate the risk management process, in general
22 August 2014
This Section
DEFINITION OF KEY RISK MANAGEMENT CONCEPTS
Slide 5
Definition of Key Concepts Appetite, Risk: The amount of risk an entity is willing to
assume in the running of its business (or in pursuit of value) – (AS/NZS
4360:2004). It is determined and affected by Risk Attitude, which in turn is affected by perception.
Attitude, Risk: is a choice made by an individual or corporate
entity in the face of a particular risky situation, and is affected by a range of perceptual factors.
Comprises terms, such as:
Risk Averse: Uncomfortable with uncertainty, desire to avoid or reduce threats and exploit opportunities
to remove uncertainty. Would be unhappy with an uncertain outcome
Risk Seeking/taking: Comfortable with uncertainty, no desire to avoid or reduce threats or to exploit opportunities to remove uncertainty. Would be happy with an uncertain outcome
Risk Tolerant: Tolerant of uncertainty, no strong desire to respond to threats or opportunities in any way. Could tolerate an uncertain outcome if necessary
Risk Neutral: Uncomfortable with uncertainty in the long term so prepared to take whatever short-term actions are necessary to deliver a certain long-term outcome
Definition of Key Concepts
Control: an existing policy, guideline, procedure, manual, process, practice or any other action designed to reduce likelihood and impact of negative risks or enhance positive opportunities.
Risk: “The chance of something happening that will have an impact on
objectives” (AS/NZS 4360:2004). “The effect of uncertainty on objectives”
(ISO 31000:2009).
Always measured in terms of combination of likelihood (probability) and consequence (impact). Can be positive or negative risk. Risk therefore is inevitable in any business activity.
22 August 2014 Slide 7
Definition of Key Concepts (Cont’d).
Negative (Downside) Risk: probability that something bad might happen, e.g. falling ill, pandemic, flooding, terrorist attack, etc. (THREAT)
Positive (Upside) Risk: probability that actual events might turn out better than expected, e.g., sales volumes being higher than planned. (OPPORTUNITY)
Risk Management: the culture, processes and structures that are directed towards realising potential opportunities whilst minimising adverse effects. Risk management, therefore, is about minimising the threats posed by identifiable events, as well as, maximising benefits presented by future events.
Definition of Key Concepts (cont’d).
Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an entity has chosen to use to implement its risk management process.
Risk Management Process: The systematic application of management policies, procedures and practices to the tasks of communicating, identifying, analysing, evaluating, treating, monitoring and reviewing risk.
Enterprise Risk Management (ERM): a structured and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives (IIA, UK, 2004).
This Section
WHY RISK MANAGEMENT?
Strategic Risks
A B
Why Risk Management?
To identify, assess and manage business or strategic risks that could
hinder attainment of the desired Strategic Position B.
Risk Management –Drivers
Corporate Governance
RM Globalisation
Performance Improvement
Regulation
Operational Failures
Technology
Competition
Directing Management Focus
The case for Risk Management
More than ever before, the challenge for entities is to turn risk into reward in order to add value to the company. However, important issues to address include:
How to gather a holistic and accurate view of internal and
external risks impacting a company’s sustainability.
How to identify and treat risk portfolios and ensure that the internal control environment is well dimensioned.
12
The Case for Risk Management
How to accurately recognise threats and opportunities, and take appropriate measures to manage them.
How to embed risk management into business operations and corporate culture to enhance value.
13
This Section
THE RISK MANAGEMENT PROCESS
The Risk Management Process
Communicate and Consult
Monitor and Review
Establish
Context
Identify
the risks
Analyze the
risks
Evaluate
the risks
Treat the
risks
What are we
trying to achieve?
How do we keep them
under control?
Who should be involved in the
process?
Inherent Risk
(Potential)
Controls (Assessment of the
adequacy & effectiveness)
HE
ME
IE
Likelih
oo
d
and
Co
nse
qu
en
ce
Re
sidu
al Risk Exp
osu
re
Risk Action plans to improve controls in
order to reduce likelihood and consequence of risk.
=
AC
VL
P
UL
R
C
M
S
M
N
The Risk Assessment Process
L
M H VH VH
L M
H VH VH
VL
L M
H H
VL
VL
L M
M
VL
VL
L L M
17
The Risk Matrix – Allocation of risk control resources
Likelihood
(Probability)
Consequence (Impact)
Negligible Minor Significant Major Catastrophic
Almost certain L
M H VH VH
Very likely L M
H VH VH
Probable VL L M
H H
Unlikely VL VL L M
M
Rare VL VL L L M
1
2 5
4
3
18
The Risk Matrix POSITION 1: Rare & Negligible – Very Low Risks
Low likelihood of occurrence and low impact – No big deal!!! Requires minimal resources, since there is little or no ROI in controls (i.e. low
losses not worth of devoting huge resources to mitigate them)
POSITION 2: Almost Certain & Negligible – Low Risks
Interesting!! While the likelihood of occurrence is high (almost certain) the associated impact is low (negligible). If we assume a high likelihood is equivalent to frequent occurrences, the ‘low’ losses for individual risk events can over time add up to become ‘high’. If this is the case, BOX 2 can be a candidate for process improvement to find a way of reducing the frequency of occurrences.
The frequency of occurrence therefore should be taken into consideration in the
risk management decision making process in order to strengthen the risk control environment in the concerned business area.
The Risk Matrix POSITION 3: Probable & Significant – Medium Risks Type A
This should be addressed in any risk treatment programme The combined potential cost and likelihood of occurrence while not ‘high’, are still
significant enough that they should be addressed through allocation of adequate control resources to improve the process or operations.
POSITION 4: Rare & Catastrophic – Medium Risks Type B
Cause sleepless nights – ‘unknown-unknowns’!! Extreme/’black swans’/’long Tail’ events that are difficult to predict but are
capable of threatening the survival of a company. Present a huge challenge in deciding on proper allocation of control resources. Scenario planning Candidate for BCM Programme
The Risk Matrix
POSITION 5: Almost Certain & Catastrophic – High & Very High Risks
Don’t worry about these….. You are already out of business!! Departure Lounge! Requires most of the control resources (i.e., Establish a BCM Programme,
including Disaster Recovery (DR) mechanisms)
Practicality of a Risk Matrix
A risk matrix can be used to:
- determine whether or not a risk event needs treatment;
- determine priorities for risk treatment;
- link the risk rating with the level of management attention required;
- determine whether an activity should be undertaken, at all;
- determine whether an activity needs treatment;
- determine direction of risks;
- determine composite risk assessments for each activity and the overall institution; and
- assess the adequacy and effectiveness of the RM Framework.
The Risk Response Strategies Strategies for negative risks (threats):
Avoid. Discontinuing the activity, which gives rise to the risk (where this is practical);
Transfer. Instituting arrangements, such as, insurance, outsourcing, warranties, guarantees, BOOT, etc., that are aimed at shifting the burden of the risk to another party at a premium; and
Mitigate. Instituting corrective measures that are aimed at either adjusting the likelihood or the consequence so as to reduce the chances or the adverse impact of such negative outcomes.
The Risk Response Strategies
Strategies for positive risks (opportunities):
Exploit. Taking advantage of the prevailing conditions, resources,
and opportunities available in the operating environment;
Share. Sharing the risk by more than one stakeholder through mutual consent. Mechanisms include use of contracts, service level agreements, etc.; and
Enhance. Adjusting the likelihood of the opportunity to increase the chances of realising the beneficial outcomes and/or adjusting the consequences to increase the beneficial impact.
The Risk Response Strategies
Strategies for both threats and opportunities:
Accept. This strategy can either be passive or active. The most common active acceptance strategy is to establish a contingency reserve fund, including amounts of time, money, or resources to handle known or unknown threats or opportunities; and
Contingency planning. Develop contingency plans that would only be executed under certain predefined conditions, such as emergencies/disasters.
CONCLUSION
Conclusion
It is generally accepted that it is not possible to create a business that does not take risk. However, not all risks are desirable, as they may not generate returns, or those returns may be inadequate, or the risk simply does not fit in the corporate strategy.
Accordingly, the risk matrix is a simple yet powerful tool, which every manager should use to make appropriate and effective risk management decisions.
To this end, a risk matrix is a practical tool which every manager must know how to use and have in their decision making tool kit.
THANK YOU!
22/08/2014 27