Victorian TAFE Governance Program 2006

1
Victorian TAFEGovernance Program 2006

• Risk Management Matters
• Sponsored by Victorian Managed Insurance Authority

2
Risk Management Matters
Key elements of an enterprise risk management
framework
What is Enterprise Risk Management?
Enterprise Risk Management ERM is a Structured,
Systematic method of
Identifying Analysing and managing Risk
We manage risks continuously, sometimes
consciously and sometimes without realising it,
but rarely systematically. ERM has emerged
through the need to balance stability and
innovation
3
Risk Management Matters
Key elements of an enterprise risk management
framework
Background
ERM
Governance
Strategic Planning
S
W
COSO
O
T
4
Risk Management Matters
Key elements of an enterprise risk management
framework
Benefits
Rigorous thinking
Proactive forward thinking
Responsible thinking
Improved accountability
Improved understanding
Better decision making
Balanced thinking
5
Risk Management Matters
Key elements of an enterprise risk management
framework
Holistic

• Comprehensive analysis of all risks
• Risks easily prioritised and easily benchmarked

Integrated

• Incorporated into the Organisations strategic
  plan and control framework
• Fit with existing management reporting systems

Explicit

• Formalises and co-ordinates risk management
  practices
• Easy to use language, able to be understood at
  all levels

6
Risk Management Matters
Key elements of an enterprise risk management
framework
sources of risk
strategic
Harder to identify
risk categories
Risk exposures
external
internal
Easier to identify
operational
sources of risk
7
Risk Management Matters
Key elements of an enterprise risk management
framework
What is Risk?
The chance of something happening that will have
an impact on objectives It is measured in terms
of consequences and likelihood
8
Risk Management Matters
Group Discussion Activity
ACTIVITY 1 Scenario risk analysis of potential
car accident
9
Risk Management Matters
Risk Examples
Risk Examples Self Assessment
Objective Safe Car Travel Paris Risk
Potential accident
Safe car travel
10
Risk Management Matters
Risk Examples Self Assessment
Risk Examples
Objective Safe Car Travel Paris
Risk Potential accident
Causes/ Factors - speed
- weather conditions
- foreign country
- language/ signage
- unfamiliar roads rules
- heavy congested traffic - LHS
drive vehicle
?
Inherent risk
high
sig
med
low
Controls - new vehicle -
wearing seatbelts - road rule
enforcement - driver caution and
expertise - suitable tyres
Safe car travel
?
Assessed risk
high
sig
med
low
11
Risk Management Matters
Risk Examples
Risk Examples Self Assessment
Objective Safe Car Travel Paris
?
Strategies
avoid
accept
reduce
transfer/spread
Risk Appetite Do not drive in a foreign country
Safe car travel
12
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Overview of the risk management process
13
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
ERM levels of risk assessment

• Determine levels of context
• Identify objectives
• Agree criteria for assessment
• Construct severity levels (including consequence
  likelihood)

Step One
Business wide reviews organisational level
Business Unit/ reviews on a cyclical plan
Significant High Risks
Specialist / specific reviews (e.g safety, fraud)
Assignment/ task level
14
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Identify Risk Risk Wheel example
Governance
Personnel
Step Two

• Initial presentation/meeting to set the scene
• Build the wheel
• Data collection
• Construct severity levels (including consequence
  likelihood)

Commercial Legal
Strategic/ External
Program Delivery
Systems
Facilities/ Infrastructure
Financial
15
Risk Management Matters
Group Discussion Activity
ACTIVITY 2 Participants to practice developing
a risk wheel for institutes.
16
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Key Attributes for quantifying risk
The need to consider three key attributes
Step Three
Consequence
Likelihood
Controls
17
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Risk Quantification AS/NZ 43602004
Step Three
Business Unit/ reviews on a cyclical plan
18
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Effectiveness of Controls
Effectiveness of existing control environment to
mitigate risk exposures
Step Four
Opportunity for further risk reduction strategies
19
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Risk Treatment Options
accept
Accept the risk and do nothing
Step Five
reduce
consequence
Reduce either one or both
likelihood
options
spread
Spread the risk to a third party
share
Develop contingency arrangements
transfer
Insure for financial loss
avoid
Do not participate with the activity
20
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Risk decision process
Step Five
Business Unit/ reviews on a cyclical plan
cut-off
increasing risks
21
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Setting Risk Appetite Tolerance
Step Five
Setting risk appetite
5
Business Unit/ reviews on a cyclical plan
Risk 1
Risk 2
4
3
level of inherent risk
2
Minimum control requirements
1
ranking
Establish base minimum requirements
22
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Review Risks and Controls Framework
Additional controls for increasing levels of risk
Step Six
Levels of Inherent risk
high
significant
medium
low
Baseline minimum level of control
23
Risk Management Matters
Important features of the AS/NSZ 4360 Risk
Management Standard
Identify the Risk Champion

• Needs to have
• Credibility
• Clarity and understanding of Risk Methodology
• Facilitation and influencing skills
• Thorough understanding of the business specific
  areas for assessment
• Key person to co-ordinate and communication is
  essential to successful outcomes

Step Seven
24
Risk Management Matters
Key elements of an enterprise risk management
framework
Key elements for a successful ERM program
?
Executive Commitment
Policy Procedures accountabilities
?
Operational Framework Roles responsibilities -
approach - methodology - structure
?
?
Training Education
?
Monitor Review
25
Risk Management Matters
Risk Management Matters Part Two
26
Risk Management Matters
Audit Committee Role

• The audit committee has become a committee of
  review on a wide range of matters prior to them
  being considered by the board. Todays audit
  committee has three key areas of responsibility
• Assessment of risk and control environment
• Overseeing financial reporting
• Evaluating the audit process.
• To meet these requirements there should be a
  strong and effective risk and control framework
  to provide assurance to the committee and board
  members
• Source Audit Committee Toolkit The essential
  guide, KPMG 2002

27
Audit Committee

Key areas of concern for Audit Committees

• Financial accuracy
• Risk Management
• Control Assessment
• External Auditor oversight
• Effective use of Internal Auditing

28
Risk Management Matters
Audit Committee
Directors Needs

• Understand business risk and exposures
• Protection from significant risk is essential
• Risk information should be analysed within a risk
  profile report rather than a register of issues
• Adequate measurement, monitoring and
  management of risk is necessary

29
Risk Management Matters
Audit Committee Governance Framework
Governance Framework
Enabling Processes
Overarching arrangements
ENTERPRISE LEVEL
30
Risk Management Matters
Summary
Governance Framework Overview Audit Committee
focus
ENABLING GOVERNANCE ELEMENTS
KEY FOCUS
Direct

• Strategic Planning
• Policy framework

• Policy framework- ensure there is a formal
  process for developing, approving, maintaining
  policy

Control and Manage

• Primary Processes
• Enabling Processes

• Examine risk profile so that key controls
  mitigate high and significant risks
• Ensure that these processes have effective
  control points
• Examine and track risk strategies and actions

• Determine the level of assurance required
• Internal audit plan needs to show how it is risk
  based (tip use risk wheel categories)

Assurance

• Internal Audit
• External Audit
• Consultancy reviews
• Self Assessment Processes

31
Risk Management Matters
Risks and Controls
Monitor Review - Assurance Strategic Internal
Audit Approach

• Risk Assessment Process
• Organisational Objectives
• Risk Identification
• Management Strategies
• Control

• Audit Process
• Effectiveness of controls
• including compliance

32
Risk Management Matters
Assurance Planning-Developing the internal audit
plan
Key Risk Issues
PotentialInternal Audit Activity
Other Assurance
33
Risk Management Matters
Risk Reporting for better Governance
Importance of tailoring reporting according to
the level within the Organisation
34
Risk Management Matters
Risk Reporting for better Governance
High Level Risk Profiles
Traffic light systems are effective
35
Risk Management Matters
Risk Reporting for better Governance
Example risk profile reporting
POTENTIAL RISK FACTORS
CONTROLS
FUTURE STRATEGIES
ISSUE
POTENTIAL EFFECTS

• Potential litigation fines or penalties
• Damage to reputation

Compliance The risk of non compliance with
environmental laws / regulations

• Many sites decentralised, wide spread
  organisation
• Complexity of requirements e.g. environmental
  laws
• No framework for assuring compliance up front or
  at the entity level
• Limited awareness of changes of environmental
  laws

• Monitoring by the Board and Audit Committee
• Various internal/external compliance reviews
  undertaken

• Implement recommendations from compliance reviews
• Develop self assessment compliance framework
• Appoint central coordinator
• Risk Owner Peter OC

36
Risk Management Matters
Conclusion
Where change is constant and can be
unpredictable, sound systems of risk management
and control are critical pre-requisites Sourc
e Risk Management, Audit Faculty, The Institute
of Chartered Accountants in England and Wales