Risk Management: "Events with a negative impact represent risks, which can prevent value creation or erode existing value." (COSO ERM)


  081289519008 wi_totok | Pamulang University | Wiyanto, S.Pd., M.M. | NIDN 0421038903 | Risk Management & Insurance

  RISK MANAGEMENT & INSURANCE, course module, Wiyanto, S.Pd., M.M.

  For internal use only.

UNPAM Management Study Program, Faculty of Economics, Universitas Pamulang

  INTRODUCTION


SCIENTIFIC APPROACH

  Observe, Ask, Collect data, Associate, Communicate

  3-IN-1 CONCEPT: EXECUTIVE CLASS LECTURE (SATURDAY)

CAN YOU ANSWER THE QUESTION BELOW?

  1 + 4 = 5, 2 + 5 = 12, 3 + 6 = 21, 5 + 8 = ……..?

  REMEMBER: 98% OF PEOPLE GET THIS TEST WRONG. IF YOU ANSWER CORRECTLY, YOU ARE A GENIUS!!!

CAN YOU ANSWER THE QUESTION BELOW? (the answer)

  1 + 4 = 5 (correct), 2 + 5 = 12 (X, wrong), 3 + 6 = 21 (X, wrong), so 5 + 8 = 13

  COURSE OUTLINE

  Session 1: Definition of Risk Management & Insurance
  Session 2: ISO 31000 on Risk Management
  Session 3: Governance Aspects of Risk Management
  Session 4: Risk Management Mandate and Commitment
  Session 5: Risk Management Framework
  Session 6: Risk Management Methods
  Session 7: Main Types of Risk Faced by a Business
  Mid-Semester Exam (UTS)
  Session 8: Definition, Function and Planning of Insurance
  Session 9: Types of Insurance
  Session 10: Benefits of Insurance
  Session 11: Planning an Insurance Programme
  Session 12: Calculating Life Insurance Premiums
  Session 13: Definition of Unit-Link Life Insurance
  Session 14: Benefits and Drawbacks of Unit-Link Insurance
  Final Exam (UAS)

  Risk Management and Insurance: SESSION ONE

  Overview of Risk and Risk Management


  Risk is the uncertainty of an event occurring that can cause a loss.

DEFINITION OF RISK MANAGEMENT

  Risk management is a structured approach (methodology) for managing the uncertainty associated with threats: a series of human activities including risk assessment, the development of strategies to manage the risks, and risk mitigation through the deployment and management of resources.


  STAGES OF MANAGING RISK

  Identify the risk -> Analyse the risk -> Manage the risk

  When the risk occurs, what then? Avoid it, accept it, or transfer it (INSURANCE).

DEFINITION OF RISK MANAGEMENT

  A combination of two words: MANAGEMENT and RISK.

  Management: the implementation of management theory: PLANNING, ORGANIZING, ACTUATING, CONTROLLING.

  Risk: the possibility of an event occurring that brings undesirable consequences.

  WHY RISK MANAGEMENT?

  Public demand for improved good governance

  Changes in the ENVIRONMENT

  Investor and regulator requirements

  WHY RISK MANAGEMENT?

  Objectives of Risk Management

  a) Protect the company from significant risks that could impede the achievement of its objectives.

  b) Provide a consistent risk management framework for the risks present in the company's business processes and functions.

  c) Encourage management to act proactively to reduce the risk of loss, making risk management a source of competitive advantage and of superior company performance.

  d) Encourage every member of the company to act prudently in the face of company risks, so as to maximize company value.

  e) Build the capability to spread an understanding of risk and of the importance of managing it.

  f) Improve company performance by providing information on risk levels, set out in a risk map, which helps management develop strategy and improve the risk management process continually and sustainably.

  Core functions of Risk Management

  Finding potential losses: identify all the risks the organization will face.

  Evaluating potential losses: recognize and address both the frequency of losses and their severity.

  Determining how to handle risk: so that the organization can decide what can be done, and what is appropriate, to deal with a risk, whether by reducing it, preventing it, retaining it (bearing it itself), avoiding it, or transferring the loss to another party.

  DEFINITION OF INSURANCE

  Insurance, or coverage, is an agreement between two or more parties by which the insurer binds itself to the insured, in return for an insurance premium, to compensate the insured for loss, damage, or loss of expected profit, or for legal liability to third parties, that the insured may suffer arising from an uncertain event, or to make a payment based on the death or survival of an insured person.

  Risk Management and Insurance: SESSION TWO

  ISO 31000

  Eleven Principles of Risk Management according to ISO 31000

  1) Risk management creates value,
  2) Risk management is an integral part of organizational processes,
  3) Risk management is part of decision making,
  4) Risk management explicitly addresses uncertainty,
  5) Risk management is systematic, structured and timely,
  6) Risk management is based on the best available information,
  7) Risk management is tailored,
  8) Risk management takes human and cultural factors into account,
  9) Risk management is transparent and inclusive,
  10) Risk management is dynamic, iterative and responsive to change,
  11) Risk management facilitates continual improvement and enhancement of the organization.

  (Nov. 2009)

  ISO 31000: What is it? What's new? How to implement?

  Please interrupt, thank you. (Slides adapted from another source.)

  Proposed AGENDA

  • Risk is "effect of uncertainty on objectives": OK?
  • Discussion of "Adopt 31000": BHP Billiton and KISS
  • Overview of 31000: introduction, scope, principles, framework, process
  • How to "sell" ERM to senior management?
  • The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
  • How will ERM help improve existing risk management?
  • Next steps? How to measure success?
  • Monitor, communications and consultation, and risk ownership.
  • Role of CRO? (Ans: minimal)
  • What did we learn today?

  (ISO 31000) Risk: "effect of uncertainty on objectives"

  • NOTE 1 An effect is a deviation from the expected, positive (wrt achieving objectives) and/or negative.
  • NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
  • NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
  • NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (2.19) of occurrence.

  Discussion from last week

  There are two ways a risk can have an effect on objectives:

  1. the effect of a risk when and if it should occur, or
  2. the very existence of a risk whether it happens or not.

  (2.) is the acceptance, or not, of being in risky situations. A friend of mine says he cannot sleep at night if his money is invested in stocks, even knowing they provide better returns. So he invests in government bonds. It is the uncertainty that he cannot stand. Related to risk appetite.

  (1.) is the traditional risk, and where risk management seeks to increase the good and decrease the bad consequences (as translated into objectives).

  The "uncertainty", or ambiguity, is the essence of risk, and can be part of:

  a. the risk identification (source, associated event(s) & consequence(s));
  b. the event effect or consequence as estimated by analysis methods;
  c. the probability itself (in addition to the uncertainty of identification (a), event (b), and effect (d)) [probability of a probability drives mathematicians mad];
  d. the objectives themselves and the link between consequences and objectives (either measurement, or how objectives reflect values, or how attitudes might bias the selection and metrics of objectives).

  (Aside) ISO definitions are nested

  • rigorous substitution rule
  • insert risk treatment, control (?) and risk

  (2.18) Consequence: outcome of an event (2.17) affecting objectives; and since Event: occurrence or change of a particular set of circumstances, then (2.18) Consequence: outcome of an occurrence or change of a particular set of circumstances affecting objectives.

  (2.26) Control: measure that is modifying risk (2.1); i.e. (2.26) Control: measure that is modifying the effect of uncertainty on objectives.

  Try residual risk (2.27).

  Discussion of "YES, Adopt 31000": BHP Billiton and KISS

  • Survey question: which framework is right?
  • Answer: ISO 31000 should be adopted immediately, and existing COSO, PMI and other frameworks and processes integrated with 31000 in the short term and, in the longer term, modified to better reflect, not so much 31000, as the "ERM risk framework" in the organization.
  • The rationale is that ISO incorporates these other approaches [with gaps], is principle- and performance-based, and is simple enough and flexible enough to be used by any organization.

  Entity objectives can be viewed in the context of four categories: Strategic, Operations, Reporting, Compliance. The COSO ERM Framework considers only negative risk! (a common problem)

  BHP Billiton RISK MANAGEMENT POLICY

  Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.

  • By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
  • Successful risk management can be a source of competitive advantage.
  • Risks faced by the Group shall be managed on an enterprise-wide basis.
  • Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
  • Risk issues will be identified, analysed and ranked in a consistent manner. Common systems and methodologies will be used.
  • Risk controls will be designed and implemented to reasonably assure the achievement of our Corporate Objective. The effectiveness of these controls will be systematically reviewed and, where necessary, improved.
  • Risk management performance will be monitored, reviewed and reported. Oversight of the effectiveness of our risk management processes will provide assurance to executive management, the Board and shareholders.
  • The effective management of risk is vital to the continued growth and success of our Group.

  Signed, Chip Goodyear, Chief Executive Officer (see web site for all the BHP good stuff).

  Done by 3 people (lead Grant Purdy) in 4 years for all 200,000 employees, with 80,000 risk owners identified and over 12,000 risk assessments on file (open), and then the risk management department was eliminated.

  IT CAN BE DONE. Keep It Sweet and Simple; senior management leads the charge.

  Framework diagram (figure; only the labels are recoverable):

  Framework Implementation is a continuous improvement cycle: Commit and Mandate -> Communicate & Train -> Structure & Accountability -> Review & Improve, supported by a Management Information System. Its elements:
  • Policy Statement, Standards, Guidelines, RM Plan and RM Process, Assurance Plan, Stakeholder analysis, Training needs analysis, Communication strategy, Training strategy, Roles and Reporting
  • Control assurance, RM Plan progress, RM Maturity Evaluation, RM KPIs, Benchmarking, Governance reporting
  • Board RM Committee, Executive RM Group, RM Working Group, Facilitator for Risk Management, RM Champions, Risk and Control Owners; Risk Registers, Treatment Plans, Assurance Plan, Reporting templates

  Process for Managing Risk: Establish context -> Identify risks -> Analyse risks -> Evaluate risks -> Treat risks (identify, analyse and evaluate together form Risk assessment), with Communicate and consult, and Monitor and review, running alongside every step.

  ISO Overview: 3 main clauses, plus terminology from ISO Guide 73

  Principles for managing risk (Clause 3): a) Creates value; b) Integral part of organizational processes; c) Part of decision making; d) Explicitly addresses uncertainty; e) Systematic, structured and timely; f) Based on the best available information; g) Tailored; h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and responsive to change; k) Facilitates continual improvement and enhancement of the organization.

  Framework for managing risk (Clause 4): 4.2 Mandate and commitment; 4.3 Design of framework for managing risk; 4.4 Implementing risk management; 4.5 Monitoring and review of the framework; 4.6 Continual improvement of the framework.

  Process for managing risk (Clause 5).

  How to "sell" ERM to senior management? Up to the organization, not you.

  When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:

  • increase the likelihood of achieving objectives;
  • encourage proactive management;
  • be aware of the need to identify and treat risk throughout the organization;
  • improve the identification of opportunities and threats;
  • comply with relevant legal and regulatory requirements and international norms;
  • improve mandatory and voluntary reporting;
  • improve governance;
  • improve stakeholder confidence and trust;
  • establish a reliable basis for decision making and planning;
  • improve controls;
  • effectively allocate and use resources for risk treatment;
  • improve operational effectiveness and efficiency;
  • enhance health and safety performance, as well as environmental protection;
  • improve loss prevention and incident management;
  • minimize losses;
  • improve organizational learning; and
  • improve organizational resilience.

  The role of risk appetite & risk attitude

  Risk appetite: "amount and type of risk that an organization is willing to pursue or retain". Risk attitude: "organization's approach to assess and eventually pursue, retain, take or turn away from risk".

  • Vague term that is still evolving; can be bottom up (from typical decisions) or top down, from the basics of survival and the comfort of the board and senior management.
  • In conceptual terms:
    – Identify all risks (events and consequences) [high level]
    – Estimate plausible worst case and best case scenarios; may be expressed as a risk profile
    – Examine the robustness of the organization wrt the plausible cases
    – Balance opportunities and threats against the organization's capabilities/resources and select a risk appetite or risk attitude: how risk averse?

  Risk Tolerance is the practical step between risk appetite and risk criteria (risk evaluation); it also deals with silos:

  • for specific consequence categories (reputation, credit, compliance, country, etc.)
  • for predetermined categories of likelihood
  • find equivalent effects on objectives
  • done by senior management (workshops)
  • using risk matrix results as a check, and perhaps involving voting, Delphi, etc.

  Likelihood Scale for Tolerance (Simple Rating Scale) (Hydro One, Harvard Business School case study 9-109-001)

  1. Remote: 5% probability that the event will occur in the next 36 months
  2. Unlikely: 25% probability that the event will occur in the next 36 months
  3. Even Odds: 50% probability that the event will occur in the next 36 months
  4. Very Likely: 75% probability that the event will occur in the next 36 months
  5. Virtually Certain: 95% probability that the event will occur in the next 36 months

  (Fraser, 2009) Hydro One Risk Tolerances for 3 Silos

  Consequence rating:                5 Worst Case                      | 4 Severe                      | 3 Major                    | 2 Moderate                | 1 Minor
  Financial (net income shortfall):  >$150 million                     | $75-$150 million              | $25-$75 million            | $5-$25 million            | <$5 million
  Reputation (negative opinion):     International media, everyone     | National, most                | Provincial, several        | Local, public             | Letters to government & Hydro leaders
  Reliability (system outages):      >100,000 customers, or >1000 MW for >7 days, or NERC fail | 40-100k customers, 400-1000 MW | 10-40k customers, 100-400 MW | 1-10k customers, 10-100 MW | <1,000 customers, <10 MW, or warning
  (one further row survives only as: Near many | YES | Some | Near few)

  Standard sort of Risk Matrix. Be careful, extremely careful, with risk matrices: they work well at the understanding/communications level, BUT...

  Likelihood (rows): Very Likely (>.45); Likely (.45 - .19); Medium (.19 - .05); Unlikely (.05 - .011); Remote (<.011)
  Consequences (columns): Minor; Moderate; Major; Severe; Catastrophic
  Cells: risk levels High / Medium / Low, plotted in a structured workshop with experts, voting, Delphi...

  Example of the use of a risk matrix to set priorities (figure; only the labels are recoverable): three candidate programmes, 1. Refurbish, 2. Vegetation Mgmt, 3. IT Upgrade, each plotted on a separate Likelihood x Consequences matrix per KPI: Dx SAIDI, Unsupplied Energy, Tx/Dx Reliability, Dx SAIFI, SFI, Unavailability, Worst Served Customers (consequence columns No Impact, Minor, Moderate, Major, Severe, Catastrophic; likelihood rows VU, UL, L, VL; cells High / Medium / Low). What might be wrong with this?
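Putting the tolerance table and the matrix slide into code, as an added example (mine, not from the page, from Hydro One or from Fraser). The likelihood bands are those printed on the matrix and the financial-shortfall and customers-out thresholds are those of the tolerance table; the High/Medium/Low cell assignment, the `Risk` class and the sample portfolio with its numbers are assumptions. It maps silo-specific consequences onto the common 1-5 scale, places each risk in the matrix, orders the risks as a workshop would, and then answers the slide's "what might be wrong with this?" by ordering the same risks by expected loss: a Medium cell can carry a larger expected loss than a High one, because the bands are coarse and a cell ignores where within its band a risk sits.

```python
"""Risk matrix worked example: an added illustration, not from the page
or from Hydro One.

Likelihood bands are those of the matrix slide; the financial-shortfall and
customers-out thresholds follow the Hydro One tolerance table. The
High/Medium/Low cell assignment is an assumption (the slide does not state
it), as is the sample portfolio, which is constructed.
"""
from dataclasses import dataclass

# Likelihood bands from the slide: (name, lower bound), highest first.
LIKELIHOOD_BANDS = [("Very Likely", 0.45), ("Likely", 0.19),
                    ("Medium", 0.05), ("Unlikely", 0.011), ("Remote", 0.0)]
LIKELIHOOD_RATING = {name: 5 - i for i, (name, _) in enumerate(LIKELIHOOD_BANDS)}

# Common 1..5 consequence scale used to compare silos.
CONSEQUENCE_LABELS = {1: "Minor", 2: "Moderate", 3: "Major", 4: "Severe", 5: "Catastrophic"}

# Silo thresholds from the tolerance table, mapped onto the common scale:
# (value must exceed, rating), checked from the top down.
FINANCIAL_SHORTFALL_M = [(150, 5), (75, 4), (25, 3), (5, 2), (0, 1)]   # $ million
CUSTOMERS_OUT = [(100_000, 5), (40_000, 4), (10_000, 3), (1_000, 2), (0, 1)]


def likelihood_band(p):
    """Name of the likelihood band a probability falls in."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    for name, lower in LIKELIHOOD_BANDS:
        if p > lower:
            return name
    return "Remote"          # p == 0


def rate_on_scale(value, thresholds):
    """Map a silo-specific magnitude onto the common 1..5 rating."""
    for lower, rating in thresholds:
        if value > lower:
            return rating
    return 1


@dataclass
class Risk:
    name: str
    probability: float            # over the 36-month horizon of the scale slide
    financial_shortfall_m: float  # $ million if the event occurs
    customers_out: int = 0

    def likelihood(self):
        return LIKELIHOOD_RATING[likelihood_band(self.probability)]

    def consequence(self):
        # A risk is rated by its worst consequence across the silos.
        return max(rate_on_scale(self.financial_shortfall_m, FINANCIAL_SHORTFALL_M),
                   rate_on_scale(self.customers_out, CUSTOMERS_OUT))

    def score(self):
        return self.likelihood() * self.consequence()

    def expected_loss_m(self):
        return self.probability * self.financial_shortfall_m


def risk_level(risk):
    """Assumed cell colouring: product of the two ratings, three bands."""
    if risk.score() >= 12:
        return "High"
    if risk.score() >= 5:
        return "Medium"
    return "Low"


def prioritise(risks):
    """Workshop ordering: by matrix level, then by score."""
    rank = {"High": 0, "Medium": 1, "Low": 2}
    ordered = sorted(risks, key=lambda r: (rank[risk_level(r)], -r.score()))
    return [r.name for r in ordered]


def matrix_vs_expected_loss(risks):
    """The caveat: order by expected financial loss and show the matrix
    level next to it. A Medium cell can carry a bigger expected loss than
    a High one because the bands are coarse."""
    ordered = sorted(risks, key=lambda r: -r.expected_loss_m())
    return [(r.name, risk_level(r), r.expected_loss_m()) for r in ordered]


# Constructed sample portfolio (illustrative only, not real utility data).
SAMPLE = [
    Risk("Transformer failure (refurbishment deferred)", 0.30, 30, 50_000),
    Risk("Storm outages (vegetation backlog)", 0.60, 3, 5_000),
    Risk("SCADA outage during IT upgrade", 0.06, 200, 150_000),
    Risk("Recurring contract penalty", 0.44, 24),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.name}: {likelihood_band(r.probability)} x "
              f"{CONSEQUENCE_LABELS[r.consequence()]} -> {risk_level(r)}")
    print("matrix priority:", prioritise(SAMPLE))
    print("by expected loss:", matrix_vs_expected_loss(SAMPLE))
```

Run as a script it prints the cell for each sample risk and the two orderings. The point is the second ordering: the Medium-rated contract penalty outranks the High-rated transformer failure on expected loss. That is why the slides say to use the matrix to communicate and as a check on tolerances, and to keep the underlying estimates for the ranking decision.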

  How will ERM help improve existing risk management? Basic and overarching in 31000: Integration

  ISO 31000 "recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk (RMP) into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture."

  Overarching in 31000: Integration (continued)

  4.3.4 Integration into organizational processes

  • Risk management (RM) should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient.
  • The risk management process should become part of, and not separate from, those organizational processes.
  • When you make any decision/choice, then part, and only a part, of the decision process is the Risk Management Process (RMP).

  Overarching in 31000: Integration (continued)

  "2.7 risk owner: person or entity with the accountability and authority to manage a risk"

  • Every risk (effect of uncertainty on objectives) is owned.
  • Risk owners are listed in the risk register.
  • Ownership has its privileges: you get to monitor the risk, the risk controls (which may be the responsibility of others), the cost of controls, the effectiveness of controls and the value of the RMP (risk management process), and to continuously improve all of them.
  • Your annual evaluation includes how well you manage your owned risks (part of the standard!).
  Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity's top risk exposures to the board of directors. These trends are relatively unchanged from those noted in the 2009 report. (NCU ERM center 2010 report)

  "risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.
  NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
  NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
  NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational policies and practices." (ISO 31000)

  7 components of the ERM Framework

  1. Mandate and commitment to the framework (step 1)
     a. Agreement in principle to proceed
     b. Gap analysis
     c. Context for framework
     d. Design of framework
     e. Implementation plan
  2. Risk management policy
     a. Policies for the framework, its processes and procedures
     b. Policies for risk management decisions: i. Risk Appetite; ii. Risk Criteria; iii. Internal Risk Reporting
  3. Integration into the Organization
  4. Risk Management Process
  5. Communications and Reporting
  6. Accountability
     a. Risk ownership and risk register
     b. Managers' performance evaluation
  7. Monitoring, Review and Continuous improvement
     a. Responsibility for maintaining and improving the framework
     b. Risk Maturity and continuous improvement of the framework

  The risk management process, used by every manager for every decision: Establish the context -> Identify risks -> Analyse risks -> Evaluate risks -> Treat risks, with Communicate and consult, and Monitor and review, running alongside every step.

  Risk Assessment

  • Identify the risks
  • Analyze the risks (Note: when numerical estimates of likelihood and consequences are not available, subjective risk matrix methods may be used)
  • Evaluate the risks against the Risk Criteria
  • The result of evaluation is to accept (or not) the risk: "informed decision to take a particular risk"
  • Not acceptable: go to Risk Treatment

  Risk Treatment: "process to modify risk"

  NOTE 1 Risk treatment can involve:
  - avoiding the risk;
  - increasing risk in order to pursue an opportunity;
  - removing the risk source;
  - changing the likelihood;
  - changing the consequences;
  - sharing the risk with another party or parties [including risk financing];
  - retaining the risk by informed decision.
  NOTE 3 Risk treatment can create new risks or modify existing risks.

  Risk Treatment is often a cycle of: control options, assessment of residual risk, accept?, treat risk?, control options, assessment...
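The treatment cycle on this slide, as an added example (mine, not from the page or from the standard). It assumes a deliberately simple model: each control scales likelihood or consequence by a fixed factor and has a cost, the risk criteria are a ceiling on residual expected loss, the cycle picks the affordable option with the best reduction per dollar until the residual is acceptable or nothing affordable is left, and one option (insurance, a "share" treatment) introduces a new risk, as NOTE 3 warns. The ransomware scenario, the controls and all figures are constructed.

```python
"""Risk treatment cycle: an added illustration, not from the page or from
ISO 31000.

Models the slide's loop "control options -> assess residual risk -> accept?
-> treat again" under a simple assumption: each control scales likelihood
or consequence by a fixed factor and has a cost (> 0). The scenario and
every number are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    likelihood: float        # probability over the planning horizon
    consequence_m: float     # loss if it occurs, $ million

    def expected_loss_m(self):
        return self.likelihood * self.consequence_m


@dataclass
class Control:
    name: str
    option: str              # ISO 31000 treatment option this control implements
    factor: float            # residual multiplier on likelihood or consequence
    cost_m: float            # $ million; must be > 0 for the per-dollar ranking
    introduces: Optional[Risk] = None   # NOTE 3: treatment can create new risks

    def apply(self, risk):
        """Residual risk after this control is added."""
        if self.option == "avoid":
            return Risk(risk.name, 0.0, risk.consequence_m)
        if self.option == "change likelihood":
            return Risk(risk.name, risk.likelihood * self.factor, risk.consequence_m)
        if self.option in ("change consequences", "share"):
            return Risk(risk.name, risk.likelihood, risk.consequence_m * self.factor)
        raise ValueError(f"unknown treatment option: {self.option}")


def treat(risk, options, tolerance_m, budget_m):
    """Greedy treatment cycle against a risk criterion (tolerance on
    residual expected loss) and a budget. Returns the decision, the
    controls applied, the residual, the spend, any new risks the
    treatment created, and the trail of residual values."""
    residual, remaining = risk, budget_m
    applied, new_risks, trail = [], [], [risk.expected_loss_m()]
    candidates = list(options)
    while residual.expected_loss_m() > tolerance_m:
        affordable = [c for c in candidates if c.cost_m <= remaining]
        if not affordable:
            break                          # nothing left to try within budget
        before = residual.expected_loss_m()
        best = max(affordable,
                   key=lambda c: (before - c.apply(residual).expected_loss_m()) / c.cost_m)
        residual = best.apply(residual)    # assess residual risk
        remaining -= best.cost_m
        candidates.remove(best)
        applied.append(best.name)
        trail.append(residual.expected_loss_m())
        if best.introduces is not None:    # register the risk the treatment created
            new_risks.append(best.introduces)
    if residual.expected_loss_m() <= tolerance_m:
        decision = "accept (informed decision)"
    else:
        decision = "retain above criteria: escalate to risk owner"
    return {"decision": decision, "applied": applied,
            "residual_m": residual.expected_loss_m(),
            "cost_m": budget_m - remaining,
            "new_risks": [r.name for r in new_risks], "trail": trail}


# Constructed scenario (illustrative only).
INHERENT = Risk("Ransomware on customer billing platform", 0.25, 40.0)
OPTIONS = [
    Control("Offline, tested backups", "change consequences", 0.3, 0.5),
    Control("MFA and patch SLA on admin access", "change likelihood", 0.4, 0.8),
    Control("Cyber insurance", "share", 0.5, 1.2,
            introduces=Risk("Insurer disputes the claim", 0.10, 8.0)),
    Control("Withdraw online billing", "avoid", 0.0, 20.0),
]

if __name__ == "__main__":
    print(treat(INHERENT, OPTIONS, tolerance_m=1.0, budget_m=3.0))
    print(treat(INHERENT, OPTIONS, tolerance_m=0.1, budget_m=1.0))
```

With a $1M criterion and a $3M budget the trail shows the inherent expected loss of $10M falling to $3M after backups, $1.2M after MFA and $0.6M after insurance, at which point the residual is inside the criteria and is accepted by informed decision; the insurer-dispute risk that the "share" option created is returned so it can be entered in the register and treated in its turn. With a $1M budget the cycle stops after backups and the result is "retain above criteria", the escalation path rather than silent acceptance.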

  "communication and consultation": "continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk"

  • NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment aspects of risk.
  • NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
    – a process which impacts on a decision through influence rather than power; and
    – an input to decision making, not joint decision making.

  Example risk register for a specific Strategic Objective (illustration only; courtesy of the Food Company)

  Annotations on the register layout:
  1. Identify initiatives and their associated descriptions, with measurable objectives
  2. Prioritize the order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives
  3. Document the individual in charge of the given initiative
  4. List the risks that could hinder the ability to meet the initiative's objectives
  5. List the planned activities that will modify the risks; match the treatment strategies to risks through the reference numbers
  6. Management Team evaluates the probability of success in achieving this initiative's overall objectives
  7. Document the immediate next steps for effective initiative execution

  Objective xx "Ready-to-Heat": Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product. Priority: High. Risk profile: OP, yes. Owner: Joe.

  Risks (uncertainties re Objective):
  1. Increase of aggressive competition from Rice Master and Fast Rice (controls 1, 2, 3)
  2. Aggressive year for growth target for the segment & brand
  3. Achieve new product growth targets

  Control Activities:
  1. Accelerate innovation
  2. Conduct competitor analysis
  3. Target session (label partly lost)

  Action Plan: Jane to develop 2-3 innovation schemes within 2 months; Joe to do market analysis.

  © Broadleaf Capital International, 2006

  Bow-Tie Risk Treatment Tool: example of an integrated tool for the RM Process (form template; only the field labels are recoverable)

  1. Risk (the event at the centre of the bow tie)
  2. Causes (1-5), on the left
  3. Impacts (1-5), on the right
  4. Existing Controls, Preventative: Control Owner and Existing Preventative Controls (1-6)
  5. Existing Controls, Reactive (Post Event): Control Owner and Existing Reactive Controls (1-6)
  6. Risk Control Effectiveness rating
  7. Consequence rating
  8. Likelihood rating
  9. RISK RATING
  10. Comments
  11. Risk Owner
  Task (future controls), Task Owner and Due Date (1-3), on each side

  How to measure success? Risk Maturity? Standard and Poor's ERM perspective (still too negative):

  Companies that are considered "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment. Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience losses outside of their risk tolerance.

  Risk Maturity Score: Fraser Valley Health

  Level of ERM Maturity: 1 Initial | 2 Repeatable | 3 Defined | 4 Managed | 5 Optimized
  Elements of ERM (rows): Organization Philosophy & Culture; Leadership Commitment; RM Capabilities; RM Process; Monitoring & Review; Reporting & Control; Integration with other Management Systems

  Organization Philosophy & Culture: Level of Maturity

  1. Risk management culture
    1 Initial: The focus is primarily on responding to crises and tends to be reactive rather than proactive.
    2 Repeatable: People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on an ad hoc basis. A cautious approach is taken to RM overall.
    3 Defined: Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and participation. Staff are highly committed to organization success.
    4 Managed: RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions.
    5 Optimized: RM is done at every level in the organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.

  2. Roles and responsibilities for managing risk
    1 Initial: Roles and responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a department rather than a process.
    2 Repeatable: Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently followed. Risk is managed intuitively, on an ad hoc basis.
    3 Defined: Roles and responsibilities for RM are clear, well communicated and understood throughout the organization.
    4 Managed: RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning.
    5 Optimized: Individual accountability for RM is firmly embedded in organization culture. Roles and responsibilities for RM are aligned with the overall organization accountability framework.

  Organization Philosophy & Culture cont'd: Level of Maturity

  3. Ethics and values (level 1 cell not recovered)
    2 Repeatable: Organization has an ethics and values statement. RM philosophy is reflected in a written code of ethics and values. Philosophy is attuned to legal and political considerations. Policies are communicated across the organization but applied inconsistently.
    3 Defined: Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values.
    4 Managed: Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made.
    5 Optimized: Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. An atmosphere of mutual trust exists at all levels of the organization. Few infractions or incidents occur.

  4. Valuing risk management behaviour (level 2 cell not recovered)
    1 Initial: A high level of scepticism exists within the organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding performance. Staff contribution to managing risk is not recognized or valued.
    3 Defined: People are consulted and given the opportunity to participate in RM. Staff contribution to managing risk is recognized on an ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
    4 Managed: The working environment supports a proactive approach to managing risks. Information on risk is shared openly. A strong sense of teamwork exists across the organization.
    5 Optimized: Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions are in place for knowingly ignoring risks. Staff development is a major organization priority.