A Bluffers Guide to Risk Management ... in just 45 minutes

Slides: 25
Provided by: drjohnam
Transcript and Presenter's Notes

1
A Bluffers Guide to Risk Management (... in just 45 minutes!)
  • John Mitchell
  • PhD, MBA, CEng, CITP, FBCS, MBCS, FIIA, MIIA, CISA, QiCA, CFE
  • LHS Business Control, 47 Grangewood, Potters Bar, Herts EN6 1SL, England
  • Tel 44 (0)1707 851454
  • Fax 44 (0)1707 851455
  • Cell 44 (0)7774 145638
  • john_at_lhscontrol.com
  • www.lhscontrol.com

2
From Here to There ...
  • Big lies are better than little lies
  • Choose your level (genius or expert)
  • Talk the talk (start the bluff)
  • Understand the talk (sort of)
  • Walk the talk (need a map)
  • Stay ahead of the game (anticipate the questions)
  • Close the sale

3
Start With The Big Picture (Holistic Risk Management)
[Diagram labels: MB = Main Board; XC = Executive Committee; CRO (Key Corporate Risks) (Residual Operational Risks); "How are these key risks managed?"; "This is how"; Key Operational Risks; Local Risk Management; Internal Audit audit these processes]
4
Add Complicated Tree Structures
[Tree diagram nodes: Risk Identification; Risk Assessment; Risk Analysis; Risk Prioritisation; Risk Management; Risk Reduction; Emergency Planning; Risk Control; Implementation]
5
Introduce Some Vocabulary
  • Inherent Risk
    • The starting point
  • Residual Risk
    • Where you end up after doing something
  • Retained Risk
    • What you formally decide to live with.
    • Often the same as the residual risk.
    • Sometimes called risk appetite.

6
Define The Vocabulary (Inherent Risk)
  • The likelihood and consequence of risk
    crystallisation before mitigating actions have
    been put in place
  • (You can always interchange probability with
    likelihood and impact with consequence to
    sound brainy)

7
Use Impressive Pictures
8
Introduce Complications
9
Refine The Vocabulary (Residual Risk)
  • The likelihood and consequence of risk
    crystallisation after controls have been put in
    place
  • (You can always use mitigating actions instead
    of controls to sound even brainier)

10
Illustrate Residual Risk(Ouch! Not No Risk)
11
Extend Your Vocabulary (Retained Risk)
  • The level of risk formally accepted by the
    organisation
  • Usually the same as the residual risk
  • Sometimes partially reduced (transferred) by
    insurance
  • Often defined as risk appetite which sounds
    super foody

12
Introduce Pseudo Mathematical Notation
  • Inherent Risk >< Control = Retained Risk
  • Local management are concerned with these (because they get sacked if they
    muck it up)
  • Senior management are concerned with this (because they go to prison if
    they muck it up)

13
... And A Few More Terms
14
Rustle Up a Risk Register
[Risk register screenshot labels: Residual Scores; Root Cause; Inherent Risk Scores; Risk Description; Mitigating Actions; Embedded Monitors; Owner]
Movement is plotted on a heat diagram
15
Provide Schematic Stuff
[Diagram labels: Inherent Risk; Senior Management Attention; Local Management Attention; No Action; Residual Risk]
Look No Numbers!
16
The Numbers Game
[Diagram labels: Inherent Risk; Senior Management Attention; Local Management Attention; No Action; Residual Risk]
Look With Numbers!
17
Why Their Numbers Game Is Bad News
  • Likelihood x Consequence = Risk
  • 1 x 5 = 5
  • 5 x 1 = 5

18
Stun Them!
  • Likelihood and consequence are simply
    co-ordinates
  • You would not multiply latitude and longitude on
    a map to ascertain your position
  • Real men never ask for directions anyway!

19
Produce A Decision Matrix
[2 x 2 matrix; axes: Likelihood and Consequence, each marked High and Low; cells: Local Control (Treat?); Immediate Remedial Action (Terminate?); Emergency Planning (Transfer?); No Action (Tolerate?)]
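The argument of slides 17 to 19, worked through as an added example that is not part of the original presentation: two risks with the same Likelihood x Consequence product land in different cells of the decision matrix, and each control moves a risk along one axis only. The 1 to 5 scale, the threshold, the scores and the placement of the four actions on the axes are assumptions; only the risk names and action labels come from the slides.

```python
from collections import defaultdict

THRESHOLD = 3  # assumption: on a 1-5 scale, 3 and above counts as "High"

# Assumed placement of the slide 19 labels, keyed by
# (likelihood is high, consequence is high).
ACTIONS = {
    (True, True): "Immediate Remedial Action (Terminate)",
    (True, False): "Local Control (Treat)",
    (False, True): "Emergency Planning (Transfer)",
    (False, False): "No Action (Tolerate)",
}

# Constructed register: names from slide 21, scores invented for illustration.
REGISTER = {
    "Power Loss": (1, 5),         # (likelihood, consequence)
    "3rd Party Support": (5, 1),
    "Loss of Computing": (4, 4),
}

def product_score(likelihood, consequence):
    """The 'numbers game' score from slide 17."""
    return likelihood * consequence

def decide(likelihood, consequence, threshold=THRESHOLD):
    """Read the action off the matrix using both co-ordinates."""
    return ACTIONS[(likelihood >= threshold, consequence >= threshold)]

def collisions(register):
    """Product scores shared by risks that call for different actions."""
    by_score = defaultdict(list)
    for name, (lik, con) in register.items():
        by_score[product_score(lik, con)].append(name)
    return {score: names for score, names in by_score.items()
            if len({decide(*register[n]) for n in names}) > 1}

def apply_controls(point, likelihood_cut=0, consequence_cut=0):
    """Inherent -> residual position; each control moves along one axis only."""
    lik, con = point
    return (max(1, lik - likelihood_cut), max(1, con - consequence_cut))

if __name__ == "__main__":
    for name, (lik, con) in REGISTER.items():
        print(f"{name}: product={product_score(lik, con)}, action={decide(lik, con)}")
    print("Same product, different action:", collisions(REGISTER))
    print("Loss of Computing after a likelihood control:",
          apply_controls(REGISTER["Loss of Computing"], likelihood_cut=2))
```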
20
Introduce Co-ordinate Geometry
[Diagram labels: IR; Senior Management Attention; Local Management Attention; Controls; Likelihood Reduction; No Action; RR; Consequence Reduction]
21
Expand The Geometry
12) Power Loss
14) 3rd Party Support
15) Loss of Computing
22
Summary
  • Bluffing on risk management is easy; after all, a
    lot of highly paid people are currently doing it

23
Questions and Answers
24
Question 1
  • Has there ever been a clear explanation relating
    to the fact that in order to actually move from
    an inherent risk to a residual risk down an
    angular formation you need to have two controls?