Title: A Bluffers Guide to Risk Management ... in just 45 minutes
1. A Bluffers Guide to Risk Management (... in just 45 minutes!)
- John Mitchell
- PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE
- LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL, England
- Tel 44 (0)1707 851454
- Fax 44 (0)1707 851455
- Cell 44 (0)7774 145638
- john_at_lhscontrol.com
- www.lhscontrol.com
2. From Here to There ...
- Big lies are better than little lies
- Choose your level (genius or expert)
- Talk the talk (start the bluff)
- Understand the talk (sort of)
- Walk the talk (need a map)
- Stay ahead of the game (anticipate the questions)
- Close the sale
3. Start With The Big Picture (Holistic Risk Management)
(Diagram of the governance hierarchy; the recoverable labels are:)
- MB: Main Board
- XC: Executive Committee
- CRO: Key Corporate Risks, Residual Operational Risks
- Key Operational Risks: Local Risk Management
- "How are these key risks managed?" / "This is how"
- Internal Audit audit these processes (at both the corporate and the local level)
4. Add Complicated Tree Structures
(Tree diagram; node labels as extracted:)
- Risk Identification
- Risk Assessment
- Risk Analysis
- Risk Prioritisation
- Risk Management
- Risk Reduction
- Emergency Planning
- Risk Control
- Implementation
5. Introduce Some Vocabulary
- Inherent Risk
  - The starting point
- Residual Risk
  - Where you end up after doing something
- Retained Risk
  - What you formally decide to live with.
  - Often the same as the residual risk.
  - Sometimes called risk appetite.
6. Define The Vocabulary (Inherent Risk)
- The likelihood and consequence of risk crystallisation before mitigating actions have been put in place
- (You can always interchange probability with likelihood and impact with consequence to sound brainy)
7. Use Impressive Pictures
8. Introduce Complications
9. Refine The Vocabulary (Residual Risk)
- The likelihood and consequence of risk crystallisation after controls have been put in place
- (You can always use mitigating actions instead of controls to sound even brainier)
10. Illustrate Residual Risk (Ouch! Not No Risk)
11. Extend Your Vocabulary (Retained Risk)
- The level of risk formally accepted by the organisation
- Usually the same as the residual risk
- Sometimes partially reduced (transferred) by insurance
- Often defined as risk appetite, which sounds super foody
12. Introduce Pseudo Mathematical Notation
- Inherent Risk > Control > Retained Risk
- Local management are concerned with these [inherent risk and control] (because they get sacked if they muck it up)
- Senior management are concerned with this [retained risk] (because they go to prison if they muck it up)
13. ... And A Few More Terms
14. Rustle Up a Risk Register
(Register columns as laid out on the slide:)
- Risk Description
- Root Cause
- Owner
- Inherent Risk Scores
- Mitigating Actions
- Embedded Monitors
- Residual Scores
- Movement from inherent to residual score is plotted on a heat diagram
15. Provide Schematic Stuff
(Heat diagram: Inherent Risk moving to Residual Risk across zones labelled Senior Management Attention, Local Management Attention and No Action)
- Look, no numbers!
16. The Numbers Game
(The same heat diagram, Inherent Risk to Residual Risk across the Senior Management Attention, Local Management Attention and No Action zones, this time with numeric scores)
- Look, with numbers!
17. Why Their Numbers Game Is Bad News
- Likelihood x Consequence = Risk
- 1 x 5 = 5
- 5 x 1 = 5
18. Stun Them!
- Likelihood and consequence are simply co-ordinates
- You would not multiply latitude and longitude on a map to ascertain your position
- Real men never ask for directions anyway!
19. Produce A Decision Matrix
(2 x 2 matrix with Likelihood on the vertical axis and Consequence on the horizontal axis, each running Low to High:)
- High likelihood, low consequence: Local Control (Treat?)
- High likelihood, high consequence: Immediate Remedial Action (Terminate?)
- Low likelihood, high consequence: Emergency Planning (Transfer?)
- Low likelihood, low consequence: No Action (Tolerate?)
20. Introduce Co-ordinate Geometry
(Diagram: the inherent risk (IR) is moved to the residual risk (RR) by controls; a Likelihood Reduction moves the point along one axis and a Consequence Reduction along the other, passing through the Senior Management Attention, Local Management Attention and No Action zones)
21. Expand The Geometry
(The same diagram with sample register entries plotted:)
- 12) Power Loss
- 14) 3rd Party Support
- 15) Loss of Computing
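The point of slides 17 to 21, as an added worked example that is not part of the talk: scoring a register entry as likelihood x consequence collapses distinct positions onto one number, whereas treating the pair as co-ordinates on the decision matrix keeps them apart and shows that a single control moves the point along only one axis. The risk names come from the slides; their scores, the 1..5 scale and the "3 or more is high" threshold are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); constructed scale
    consequence: int  # 1 (negligible) .. 5 (severe); constructed scale

def product_score(r: Risk) -> int:
    """The 'numbers game' the deck criticises: likelihood x consequence."""
    return r.likelihood * r.consequence

def quadrant(r: Risk, threshold: int = 3) -> str:
    """Read the pair as co-ordinates on the 2 x 2 decision matrix (the four Ts).
    threshold is an assumption: scores >= threshold count as 'high'."""
    hi_l = r.likelihood >= threshold
    hi_c = r.consequence >= threshold
    if hi_l and hi_c:
        return "Terminate"   # Immediate Remedial Action
    if hi_l:
        return "Treat"       # Local Control
    if hi_c:
        return "Transfer"    # Emergency Planning / insurance
    return "Tolerate"        # No Action

def apply_control(r: Risk, likelihood_reduction: int = 0,
                  consequence_reduction: int = 0) -> Risk:
    """Move the point from inherent (IR) towards residual (RR): one control
    reduces one axis, so a diagonal move needs two of them."""
    return Risk(r.name,
                max(1, r.likelihood - likelihood_reduction),
                max(1, r.consequence - consequence_reduction))

def collisions(risks: list[Risk]) -> dict[int, set[str]]:
    """Product scores that hide different decision-matrix positions."""
    by_score: dict[int, set[str]] = {}
    for r in risks:
        by_score.setdefault(product_score(r), set()).add(quadrant(r))
    return {s: q for s, q in by_score.items() if len(q) > 1}

# Constructed sample register: names from slide 21, scores invented for illustration.
REGISTER = [Risk("Power Loss", 5, 1), Risk("3rd Party Support", 3, 3),
            Risk("Loss of Computing", 1, 5)]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:20} score={product_score(r)}  quadrant={quadrant(r)}")
    print("hidden by the product:", collisions(REGISTER))
```

Run stand-alone it lists each entry's product score beside its quadrant, then the scores (here 5) under which "Treat" and "Transfer" entries become indistinguishable.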
22. Summary
- Bluffing on risk management is easy; after all, a lot of highly paid people are currently doing it
23. Questions and Answers
24. Question 1
- Has there ever been a clear explanation relating to the fact that in order to actually move from an inherent risk to a residual risk down an angular formation you need to have two controls?