MakeITWork.Consulting ME
Business Management © 2015 MakeItWork This document its confidential and could not be reproduced or distributed without prior written authorization of MakeItWork Consulting ME
Enterprise Risk Management
Ramallah, Palestine
25th May, 2015
A MakeITWork Consulting ME event in cooperation with Palestinian Banking Institute
MakeITWork Presentation
MakeITWork Consulting is a Consulting and Training company, now also based in the Middle-East, specialized in Project and Risk Management, Business Strategy and Resource and Outsourcing services.
Founded by a group of professionals with extensive experience and knowledge of the international market, MakeITWork Consulting features an integrated range of services, tailored to the needs of each Company.
The professional experience of its founders includes success stories in companies and organizations from different sectors of activity, including Banking and Insurance, Information Technology and Telecommunications, Software Industry, Government and the overall Public Sector.
Speaker Presentation
Dr. Jorge Vaz Girão, PMP, CISA, PMDPro
Jorge Vaz Girão has more than 30 years of experience in the fields of Program, Project and Risk Management, Business Analysis and Change Management for the IT, Banking, Insurance, Telecom, Transportation and Aviation industries.
His career developed in various business domains in both the private and the public sectors, where he took on many different challenging projects, especially in the areas of international management and consulting, across Europe, Africa and the Middle East. He has managed and consulted on more than 35 major local and international projects as project and risk manager, for companies like Temenos, Misys, Capgemini, IBM, Altran, Axa Insurance, Sony, Shell and Bertelsmann.
Project and Risk management, as well as coaching, are his passion. For the past 5 years he has developed and taught over 20 different Project and Risk Management & related training courses.
His vast experience and training methodology have received excellent feedback from his students and many domestic and international clients.
Agenda
1. STRATEGIC RISK MANAGEMENT
• What Is a Risk?
• The Importance of Risk Management
• Enterprise Risk Management As A Factor Of Success for Organizations
• A simple strategy for ERM
• How can an ERM programme enable organizations to achieve strategic objectives more effectively?
• How to Benefit from Basel III recommendations to develop Risk Management Practices?
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Strategic Risk Management
What is a Risk ?
[Images: Dangerous Profession; Irresponsible Behaviour; Dangerous Car Driving; Plane Crash Disaster; Natural Tsunami Disaster; Fire Accident; Banking Robbery; Stock Exchange Crash; Pickpocket Robbery]
A risk is ANYTHING that may affect and have an impact on the achievement of the objectives (your organization’s objectives, your project, your personal life, etc…)
Risk involves two key dimensions:
1) the UNCERTAINTY that surrounds future events and outcomes
and
2) the expression of the LIKELIHOOD and IMPACT of an event with the potential to influence the achievement of the objectives.
Strategic Risk Management
What is a Risk ? Uncertainty
Uncertainty (probability)
This means there is a probability between 1% and 99% that the event could occur…
1) If there is a 0% chance of an event occurring, there is no risk (example: there is a 0% chance your project will be adequately funded; this is not a risk, it is a reality).
2) If there is a 100% chance of an event occurring, this would be an issue, not a risk.
Strategic Risk Management
What is a Risk ? Effect
Effect (likelihood, impact)
This means the event may affect the achievement of the objectives and have an impact (consequences) on it…
Consequences can range from negative to positive:
1) Risks with negative consequences are called THREATS
2) Risks with positive consequences are called OPPORTUNITIES
(Yes, risk can be good! Stop thinking of risk as bad, and start thinking of it in terms of probabilities!)
Strategic Risk Management
What is a Risk ? Risk Factors
Risk factors
1. The probability that it will occur
2. The range of possible outcome (impact)
3. Expected timing (when)
4. The anticipated frequency of risk event (how often)
Strategic Risk Management
The Importance of Risk Management. Why do we need it?
Why do we need Risk Management?
• The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
(JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003)
• Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.
(SHEILA FRASER, Auditor General of Canada)
Strategic Risk Management
The Importance of Risk Management. What is Risk Management ?
What is Risk Management?
• Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure.
(THE INSTITUTE OF RISK MANAGEMENT)
• A process, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
(COSO Enterprise Risk Management)
• Coordinated activities to direct and control an organization with regard to risks…
• Performed in a way that helps prevent many problems and helps make other problems less likely…
Strategic Risk Management
The Importance of Risk Management.
• Increases risk awareness (What could affect the achievement of objectives? What could change? What could go wrong? What could go right?)
• Increases understanding of risk sensitivities (What makes my risks increase / decrease / disappear?)
• Promotes a “healthy” risk culture (It’s safe to talk about risk. Open and transparent)
• Develops a common and consistent approach to risk across the organization (Not intuition-based)
• Allows intelligent “informed” risk-taking.
• Focuses efforts and helps prioritize (Top 10 list. Or top 3. Or…)
• Is proactive, not reactive (Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies)
• Improves outcomes and the achievement of objectives (corporate, departmental, project, etc.)
• Really comes down to simple good management
• Enables accountability, transparency and responsibility
• And may even mean survival
Strategic Risk Management
ERM As A Factor Of Success for Organizations. A Silo Approach
• Organizations typically undertake some risk management activities but may lack an integrated and disciplined process
[Diagram: separate risk silos: Regulatory; Financial; Reputational; Human Resource; IT; Political; Environmental; Insurance; Strategic; Business Interruption; Operational]
Strategic Risk Management
ERM As A Factor Of Success for Organizations. Enterprise Approach
[Diagram: "A Silo Approach" and "An Enterprise Approach" (Enterprise Risk Management), each showing Operation Risk, Financial Risk, HR Risk, Strategic Risk, Technology Risk and Environment Risk]
“Enterprise Risk Management: A rigorous approach to identifying, assessing and addressing risks from all sources that threaten the achievement of an organization's strategic, operational and financial objectives and/or represent an opportunity or competitive advantage.”
Jerry Miccolis, Tillinghast-Towers Perrin
Strategic Risk Management
ERM As A Factor Of Success for Organizations. ERM Governance
ERM Governance is about three things:
1. Understanding limits of acceptable risk
2. Providing confidence and guidance to management
3. Anticipating events to position firm for success
(National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009)
Strategic Risk Management
ERM As A Factor Of Success for Organizations. A Value Proposition
No Big Surprises: Early Warning Systems
• Systematically identify, assess and prioritize risks
• Avoid unrewarded risks
• Promote organizational learning among management
• Reduce chance of repeat problems
No Big Mistakes: Operational Resilience
• Provide assurance that key risks are understood and mitigated
• Prevent and rapidly respond to potential catastrophic failures
• Secure and protect staff, processes, and technology
• Align organizational goals with stakeholder requirements
No Big Missed Opportunities: Enhance Organizational Value
• Seek growth, ensuring threats are understood and vulnerabilities are mitigated
• Accelerate ability to respond to change and opportunities
• Identify opportunities to improve performance and reduce costs
Strategic Risk Management
A simple strategy for ERM… The 3 W’s…
Where is the fundamental value of the business?
• Risk Management will only add value if aligned with value drivers
What drives that value?
• Risk Management will only drive results if complex cause/effect relationships are understood
What can cause catastrophic loss or disruptive opportunity?
• ERM professionals must identify emerging risks and opportunities
Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite.
Strategic Risk Management
A simple strategy for ERM… The Framework
• ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management
• Entity objectives can be viewed in the context of four categories: STRATEGIC, OPERATIONS, REPORTING, COMPLIANCE
• Considers activities at all levels of the organization: SUBSIDIARY, BUSINESS UNIT, DIVISION, ENTITY-LEVEL
Strategic Risk Management
How can the ERM be an enabler ?… Having a Framework Roadmap
Dimensions of a Risk Management Framework
Risk Culture & Policies
• Organizational Mindset
• Tone at the Top
• Standards/Protocols
• Risk Appetite & Tolerance
Infrastructure & Organization
• Authority, Responsibility & Accountability
• Bottom-up Structure
• Top-down Structure
Resources & Capabilities
• Installing Centres of Competency
• Communication & Awareness
• Learning & Education
• Monitoring Functions
Tools & Techniques
• Tools & techniques to support the efficient & effective identification, measurement, management & reporting of risk
Strategic Risk Management
How can the ERM be an enabler ?… Getting ERM Right…
1. Do we understand the risk context of our key business value-drivers?
2. Are we focused on risks in the activities and processes that create that value?
3. Are we engaging the business to create more and better risk information?
4. Are we driving consistent best practice risk responses across the organization?
5. Are we collaborating with other risk management professionals to manage risks?
6. Can we identify, monitor and manage the root causes of risks?
7. Can we predict how risks will impact value under different scenarios?
8. Can we aggregate and communicate critical risk information to business decision makers?
9. Have we standardized our practices and tools? Do we have a risk library or risk cemetery?
10. Are we providing the insight our executives and Board need to create and preserve value?
Strategic Risk Management
How to Benefit from Basel III. Basel Context (from Basel I till Basel III)
Basel I, 1988 - 1996: Equity standard: Bank loans are backed by 8% equity
2004 - 2009
After 2009
Strategic Risk Management
How to Benefit from Basel III. Basel Risk Context Overview
[Diagram columns: Basic Risks; Other Risks; Other Considerations; Fairness; Supervisory Action]
[Diagram items, in the order shown: Credit Risk; Market Risk; Operational Risk; Settlement Risk; Residual Risk; Securitization Risk; Concentration Risk; Interest Rate Risk; Reputation Risk; Liquidity Risk; Stress Tests; Scenario Analysis; Economic and Regulatory Environment; Capital Planning; Individual Capital Guidance; System & Control Improvements; Provisioning; Restriction of Business; Peer Group Comparison]
Reliance on risk management, internal audit, independent validation units or external audit
Strategic Risk Management
How to Benefit from Basel III. An Overall Framework…
Nine principles for building an Enterprise Risk Management (ERM) framework
Strategic Risk Management
How to Benefit from Basel III. An Overall Framework…
[Diagram: Nine principles for building an Enterprise Risk Management (ERM) framework]
Layers: Risk Governance (Board of Directors: Oversight, Tone at the Top); Risk Infrastructure & Management (Executive Management: Common Risk Infrastructure of People, Process, Technology); Risk Ownership (Business Units and Supporting functions)
Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Record to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate
Risk Types: Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting
Principles: Common Definition of Risk; Common Risk Framework; Roles and Responsibilities; Transparency for Governing Bodies; Common Risk Infrastructure; Executive Management Responsibility; Objective Assurance and Monitoring; Business Unit Responsibility; Support of pervasive functions
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
Risk Management Standards
The ERM Framework…
Nine principles for building an Enterprise Risk Management (ERM) framework
Risk Management Standards
The ERM Framework… Governance Principles…
• Principle #1: common definition of risk
With Enterprise Risk Management, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization.
  • People think of risk in terms of threats: bad things happening to the business.
  • But you can also consider the other side of risk, the one that applies to value creation: risk taking for reward (e.g. new products, entering foreign markets and acquiring competitors)
• Principle #2: common risk framework
With Enterprise Risk Management, a common risk framework supported by appropriate standards is used throughout the organization to manage risks.
  • Risk management in many organizations is fragmented and does not have a centralized view
  • For an enterprise risk management program to be effective, it must be built around a framework such as COSO ERM and ISO 31000.
Risk Management Standards
The ERM Framework… Governance Principles…
• Principle #3: Roles and responsibilities
With Enterprise Risk Management, key roles, responsibilities, and authority relating to risk management are clearly defined within the organization.
  • The board sets the direction, the executive leads the risk program, the business units work as a team for a successful implementation, and certain functions support the risk program.
• Principle #4: Transparency for governing bodies
With Enterprise Risk Management, governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities.
  • Some boards of directors are not kept informed on how risk is being managed within the organization.
Risk Management Standards
The ERM Framework… Risk Infrastructure & Oversight Principles…
• Principle #5: common risk infrastructure
A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities.
  • To effectively and efficiently manage risks and reap the rewards, organizational silos must be bridged.
  • In particular, a common risk infrastructure needs to be created. All the business units and functions should also use the same supporting risk technologies and processes
• Principle #6: executive management responsibility
With Enterprise Risk Management, executive management is assigned primary responsibility for designing, implementing, and maintaining an effective risk program.
  • Everyone has a responsibility for risk
• Principle #7: objective assurance & monitoring
  • Certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management
Risk Management Standards
The ERM Framework… Risk Ownership Principles…
• Principle #8: Business unit responsibility
Business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management.
  • So everyone is responsible for risk. But who “owns” it?
  • If you own the business unit, you own the risk.
  • Risk owners must also abide by the rules and operate under certain constraints; they do not choose the framework.
• Principle #9: Support and pervasive functions
Certain functions (e.g., finance, legal, HR, etc.) have a widespread impact on the business and provide support to the business units as it relates to the organization's risk program.
  • Certain groups within the organization carry a unique role, namely the internal audit, compliance, and risk management functions.
  • Their key responsibility is to provide assurance that the internal control and risk structure operates effectively.
2. A RISK MANAGEMENT STANDARD
• Enterprise Risk Management Framework
• Risk Identification
• Risk Assessment
• Risk Treatment / Response
• Risk Reporting and Communication
• Monitoring and Review of the Risk Management Process
• The Structure and Administration of Risk Management
Workshop Agenda
Risk Management Standards
The ERM Framework… Risk Identification… Its Value
• Value is a function of risk and return.
• Every decision either increases, preserves, or erodes value.
• With risk being integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it…
  • This perspective represents a critical change from the traditional view of risk as something to avoid.
• That’s why risk identification is important.
  • It’s the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals.
Risk Management Standards
The ERM Framework… Risk Identification
• At this stage, a wide net is cast to understand the universe of risks making up the enterprise’s risk profile.
[Figure: risk process diagram. Functions: Legal & Compliance; Finance; Operation & IT. Process steps: Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate. Risk types: Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting.]
• The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects.
• While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks.
Risk Management Standards
The ERM Framework… Risk Assessment
Develop assessment criteria
The first activity within the risk assessment
process is to develop a common set of
assessment criteria to be deployed across
business units, corporate functions, and large
capital projects.
Risks and opportunities are typically
assessed in terms of impact and likelihood.
Many enterprises recognize the utility of
evaluating risk along additional dimensions
such as vulnerability and speed of onset.
Assess risks
Assessing risks consists of assigning values
to each risk and opportunity using the
defined criteria.
This may be accomplished in two stages
where an initial screening of the risks is
performed using qualitative techniques
followed by a more quantitative analysis of
the most important risks.
Additional techniques could (should) be used, such as:
• Analysis of Existing Data
Reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity.
• Interviews and Cross-Functional Workshops
Assessment can be conducted through one-on-one interviews or facilitated meetings.
• Surveys
Surveys are useful for large, complex, and geographically distributed enterprises or where the culture suppresses open communication.
• Benchmarking
Benchmarking is a collaborative process among a group of entities.
• Scenario Analysis
Scenario analysis has long been recognized for its usefulness in strategic planning.
Assess risk interactions
Risks do not exist in isolation.
Enterprises have come to recognize the
importance of managing risk interactions.
Even seemingly insignificant risks on their
own have the potential, as they interact with
other events and conditions, to cause great
damage or create significant opportunity.
Therefore, enterprises are gravitating toward
an integrated or holistic view of risks using
techniques such as risk interaction matrices,
bow-tie diagrams, and aggregated probability
distributions.
Prioritize risks
Risk prioritization is the process of
determining risk management priorities by
comparing the level of risk against
predetermined target risk levels and tolerance
thresholds.
Risk must be viewed not just in terms of
financial impact and probability, but also
subjective criteria such as health and safety
impact, reputational impact, vulnerability, and
speed of onset.
Risk Management Standards
The ERM Framework… Risk Treatment / Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.
• Responses include risk avoidance, reduction, sharing, and acceptance.
Risk Management Standards
The ERM Framework… Risk Reporting and Communication
• To ensure that the risk response is followed consistently throughout the organization, enterprise risk management functions may set policies, issue guidance and/or minimum standards that apply to all business units globally.
• Business unit management, in consultation with the appropriate risk management functions, will design and document action plans to implement or strengthen risk-mitigating activities, as applicable.
• Increasingly, as a best practice, systems and critical business processes are designed and implemented to automate or “design in” compliance with these standards and other risk mitigation strategies.
• Information and communication channels are in place to make business leaders, as well as individuals, aware of risks that fall into their area of responsibility and the expected behaviour to mitigate negative outcomes.
• Formal and informal training should be conducted with applicable personnel.
  • For many areas of risk, mandatory training is conducted annually.
• Knowledge is also exchanged within risk management functions through regular department meetings, short-term rotations through Corporate or enterprise functions and ad hoc cross-business unit assignments.
Risk Management Standards
The ERM Framework… Monitoring and Control
• Monitoring and Control activities are the policies and procedures that help ensure that management’s risk responses are carried out.
• Monitoring and Control activities occur throughout the organization, at all levels and in all functions.
• They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
• Having selected risk responses, management identifies control activities needed to help ensure that the risk responses are carried out properly and in a timely manner.
Risk Management Standards
The ERM Framework… The Structure and Administration
Role of the Board
• An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management.
• The policy should also set out responsibilities for risk management throughout the organisation.
• The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.
• This may be through an executive group, a nonexecutive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.
• The Board should, as a minimum, consider, in evaluating its system of internal control:
  • the nature and extent of downside risks acceptable for the company to bear within its particular business
  • the likelihood of such risks becoming a reality
  • how unacceptable risks should be managed
  • the company’s ability to minimise the probability and impact on the business
  • the costs and benefits of the risk and control activity undertaken
  • the effectiveness of the risk management process
  • the risk implications of board decisions
Role of the Business Units
• The Business Units have primary responsibility for managing risk on a day-to-day basis.
  • Business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business.
  • Risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis.
  • Business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project.
Role of the Risk Management
• Depending on the size of the organisation, the risk management function may range from a single risk champion, a part-time risk manager, to a full-scale risk management department.
  • setting policy and strategy for risk management
  • primary champion of risk management at strategic and operational level
  • building a risk aware culture within the organisation, including appropriate education
  • establishing internal risk policy and structures for business units
  • designing and reviewing processes for risk management
  • co-ordinating the various functional activities which advise on risk management issues within the organisation
  • developing risk response processes, including contingency and business continuity programmes
  • preparing reports on risk for the board and the stakeholders
Role of the Internal Audit
• The role of Internal Audit is likely to differ from one organisation to another.
• In practice, Internal Audit’s role may include some or all of the following:
  • focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
  • providing assurance on the management of risk
  • providing active support and involvement in the risk management process
  • facilitating risk identification/assessment and educating line staff in risk management and internal control
  • co-ordinating risk reporting to the board, audit committee, etc.
Questions?
Comments?
We’ll be happy to help you!
Our Contacts
For ERM consultation and workshops:
Jorge Vaz Girão, CISA, PMP, PMDPro I, ERMCP, CAMS
Regional Director, MakeITWork Consulting ME
+44 37 0801 1345 (UK)
+962 798 110 562 (Jordan)
jorgevazgirao@makeitworkconsulting.co.uk
For overall consultation, general inquiries:
MakeITWork Consulting ME
+44 37 0800 1306 (UK)
+962 795 338 447
+962 (0) 658 135 05
makeitwork@makeitworkconsulting.co.uk

Integrating Strategy and Risk ManagementIntegrating Strategy and Risk Management
Integrating Strategy and Risk Management
 
Risk appetite
Risk appetite Risk appetite
Risk appetite
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk Management
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Chapter 1 risk management
Chapter 1 risk managementChapter 1 risk management
Chapter 1 risk management
 
Risk management
Risk managementRisk management
Risk management
 
Governance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational RiskGovernance Culture & Incentives- Fundamentals of Operational Risk
Governance Culture & Incentives- Fundamentals of Operational Risk
 
Operational Risk Management - A Gateway to managing the risk profile of your...
Operational Risk Management -  A Gateway to managing the risk profile of your...Operational Risk Management -  A Gateway to managing the risk profile of your...
Operational Risk Management - A Gateway to managing the risk profile of your...
 
Key risk indicators shareslide
Key risk indicators shareslideKey risk indicators shareslide
Key risk indicators shareslide
 
Risk Appetite
Risk AppetiteRisk Appetite
Risk Appetite
 
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
Risk Appetite: A new Menu under Basel 3? Pieter Klaassen (UBS) voor het Zande...
 
Enterprise Risk Management.pdf
Enterprise Risk Management.pdfEnterprise Risk Management.pdf
Enterprise Risk Management.pdf
 

Viewers also liked

Enterprise Risk Management Erm
Enterprise Risk Management ErmEnterprise Risk Management Erm
Enterprise Risk Management ErmNexus Aid
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Goutama Bachtiar
 
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...prosenzw69
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk managementAndre Knipe
 
Risk Management
Risk ManagementRisk Management
Risk Managementcgeorgeo
 
Enterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraEnterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraNik Hasyudeen
 
Risk & Risk Management
Risk & Risk ManagementRisk & Risk Management
Risk & Risk Managementansula
 
GRI ERM Roadmap - Program Overview
GRI ERM Roadmap - Program OverviewGRI ERM Roadmap - Program Overview
GRI ERM Roadmap - Program OverviewDenise Robinson
 
6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk ManagementPECB
 
Privacy issues and internet privacy
Privacy issues and internet privacyPrivacy issues and internet privacy
Privacy issues and internet privacyvinyas87
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO FrameworkJesús Gándara
 
Risk mangement
Risk mangementRisk mangement
Risk mangementcollege
 
WEB Based claim processing sytem SRS
WEB Based claim processing sytem SRSWEB Based claim processing sytem SRS
WEB Based claim processing sytem SRSNitin Bhardwaj
 

Viewers also liked (20)

Enterprise Risk Management Erm
Enterprise Risk Management ErmEnterprise Risk Management Erm
Enterprise Risk Management Erm
 
Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009Implementing Enterprise Risk Management with ISO 31000:2009
Implementing Enterprise Risk Management with ISO 31000:2009
 
Risk Management Framework
Risk Management FrameworkRisk Management Framework
Risk Management Framework
 
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
Risk management
Risk managementRisk management
Risk management
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Enterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ InovastraEnterprise Risk Management ~ Inovastra
Enterprise Risk Management ~ Inovastra
 
Risk & Risk Management
Risk & Risk ManagementRisk & Risk Management
Risk & Risk Management
 
GRI ERM Roadmap - Program Overview
GRI ERM Roadmap - Program OverviewGRI ERM Roadmap - Program Overview
GRI ERM Roadmap - Program Overview
 
Claim management
Claim managementClaim management
Claim management
 
Risk Analysis for Dummies
Risk Analysis for DummiesRisk Analysis for Dummies
Risk Analysis for Dummies
 
Enterprise Risk Management 2015 PDF
Enterprise Risk Management 2015 PDFEnterprise Risk Management 2015 PDF
Enterprise Risk Management 2015 PDF
 
6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management6 Pitfalls when Implementing Enterprise Risk Management
6 Pitfalls when Implementing Enterprise Risk Management
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Privacy issues and internet privacy
Privacy issues and internet privacyPrivacy issues and internet privacy
Privacy issues and internet privacy
 
Internal Audit COSO Framework
Internal Audit COSO FrameworkInternal Audit COSO Framework
Internal Audit COSO Framework
 
Risk mangement
Risk mangementRisk mangement
Risk mangement
 
WEB Based claim processing sytem SRS
WEB Based claim processing sytem SRSWEB Based claim processing sytem SRS
WEB Based claim processing sytem SRS
 

Similar to MakeITWork Consulting Event Explores Enterprise Risk Management

Risk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property ClubRisk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property Clubmarcpreston
 
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...Craig Taggart MBA
 
Risk management
Risk managementRisk management
Risk managementAjit Kumar
 
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...Craig Taggart
 
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training ProgrammeS7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training ProgrammeRodrigo Zepeda LLB, LLM, Chartered MCSI
 
Certs-UEM-2015
Certs-UEM-2015Certs-UEM-2015
Certs-UEM-2015Yusof Mohd
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA ParadigmTim Leech
 
Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...Total Assignment Help
 
Failure deriving from underestimating risk management
 Failure deriving from underestimating risk management Failure deriving from underestimating risk management
Failure deriving from underestimating risk managementPECB
 
From push to pull - the role of assurance in delivering capital programme out...
From push to pull - the role of assurance in delivering capital programme out...From push to pull - the role of assurance in delivering capital programme out...
From push to pull - the role of assurance in delivering capital programme out...Association for Project Management
 
The role of assurance in delivering capital program outcomes_Neal Argent Erns...
The role of assurance in delivering capital program outcomes_Neal Argent Erns...The role of assurance in delivering capital program outcomes_Neal Argent Erns...
The role of assurance in delivering capital program outcomes_Neal Argent Erns...Association for Project Management
 
Solutions to Managing a Crisis
Solutions to Managing a CrisisSolutions to Managing a Crisis
Solutions to Managing a Crisisaakash malhotra
 

Similar to MakeITWork Consulting Event Explores Enterprise Risk Management (20)

Enterprise Project Management SLIDESHARE
Enterprise Project Management SLIDESHAREEnterprise Project Management SLIDESHARE
Enterprise Project Management SLIDESHARE
 
EPM-Enterprise Project Management
EPM-Enterprise Project Management EPM-Enterprise Project Management
EPM-Enterprise Project Management
 
Risk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property ClubRisk Management Presentation to Doyle Property Club
Risk Management Presentation to Doyle Property Club
 
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...
Society of Corporate Compliance and Ethics SCCE 2015 developing an effective ...
 
Risk management
Risk managementRisk management
Risk management
 
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...
ComplianceOnline PPT Format 2015 Developing an Effective Fraud Risk Managemen...
 
Essay On Risk Management
Essay On Risk ManagementEssay On Risk Management
Essay On Risk Management
 
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training ProgrammeS7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
S7C - Mastering Advanced Operational Risk (2017) In-House Training Programme
 
Descriptor MetisGRC
Descriptor MetisGRCDescriptor MetisGRC
Descriptor MetisGRC
 
Certs-UEM-2015
Certs-UEM-2015Certs-UEM-2015
Certs-UEM-2015
 
Security Risk Management Essay
Security Risk Management EssaySecurity Risk Management Essay
Security Risk Management Essay
 
Five lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & ermFive lines of assurance a new paradigm in internal audit & erm
Five lines of assurance a new paradigm in internal audit & erm
 
Five Lines of Assurance A New ERM and IA Paradigm
Five Lines of Assurance  A New ERM and IA ParadigmFive Lines of Assurance  A New ERM and IA Paradigm
Five Lines of Assurance A New ERM and IA Paradigm
 
Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...Risk management assignment exploring the relationship between threat, strateg...
Risk management assignment exploring the relationship between threat, strateg...
 
Failure deriving from underestimating risk management
 Failure deriving from underestimating risk management Failure deriving from underestimating risk management
Failure deriving from underestimating risk management
 
From push to pull - the role of assurance in delivering capital programme out...
From push to pull - the role of assurance in delivering capital programme out...From push to pull - the role of assurance in delivering capital programme out...
From push to pull - the role of assurance in delivering capital programme out...
 
The role of assurance in delivering capital program outcomes_Neal Argent Erns...
The role of assurance in delivering capital program outcomes_Neal Argent Erns...The role of assurance in delivering capital program outcomes_Neal Argent Erns...
The role of assurance in delivering capital program outcomes_Neal Argent Erns...
 
Crisis Management Workshop Thailand 2012
Crisis Management Workshop Thailand 2012Crisis Management Workshop Thailand 2012
Crisis Management Workshop Thailand 2012
 
Disaster management
Disaster managementDisaster management
Disaster management
 
Solutions to Managing a Crisis
Solutions to Managing a CrisisSolutions to Managing a Crisis
Solutions to Managing a Crisis
 

Recently uploaded

How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...Hector Del Castillo, CPM, CPMM
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFChandresh Chudasama
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024Adnet Communications
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckHajeJanKamps
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfDanny Diep To
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...ssuserf63bd7
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsIndiaMART InterMESH Limited
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...Operational Excellence Consulting
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfJamesConcepcion7
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Americas Got Grants
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxShruti Mittal
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingrajputmeenakshi733
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsKnowledgeSeed
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdfMintel Group
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdfChris Skinner
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMVoces Mineras
 
Data Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and TemplatesData Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and TemplatesAurelien Domont, MBA
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverseSiemens
 

Recently uploaded (20)

How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
How Generative AI Is Transforming Your Business | Byond Growth Insights | Apr...
 
Guide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDFGuide Complete Set of Residential Architectural Drawings PDF
Guide Complete Set of Residential Architectural Drawings PDF
 
TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024TriStar Gold Corporate Presentation - April 2024
TriStar Gold Corporate Presentation - April 2024
 
Pitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deckPitch Deck Teardown: Xpanceo's $40M Seed deck
Pitch Deck Teardown: Xpanceo's $40M Seed deck
 
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptxThe Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
The Bizz Quiz-E-Summit-E-Cell-IITPatna.pptx
 
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdfGUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
GUIDELINES ON USEFUL FORMS IN FREIGHT FORWARDING (F) Danny Diep Toh MBA.pdf
 
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
Horngren’s Financial & Managerial Accounting, 7th edition by Miller-Nobles so...
 
Welding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan DynamicsWelding Electrode Making Machine By Deccan Dynamics
Welding Electrode Making Machine By Deccan Dynamics
 
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
The McKinsey 7S Framework: A Holistic Approach to Harmonizing All Parts of th...
 
WSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdfWSMM Technology February.March Newsletter_vF.pdf
WSMM Technology February.March Newsletter_vF.pdf
 
Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...Church Building Grants To Assist With New Construction, Additions, And Restor...
Church Building Grants To Assist With New Construction, Additions, And Restor...
 
WAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdfWAM Corporate Presentation April 12 2024.pdf
WAM Corporate Presentation April 12 2024.pdf
 
business environment micro environment macro environment.pptx
business environment micro environment macro environment.pptxbusiness environment micro environment macro environment.pptx
business environment micro environment macro environment.pptx
 
digital marketing , introduction of digital marketing
digital marketing , introduction of digital marketingdigital marketing , introduction of digital marketing
digital marketing , introduction of digital marketing
 
Introducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applicationsIntroducing the Analogic framework for business planning applications
Introducing the Analogic framework for business planning applications
 
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdftrending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
trending-flavors-and-ingredients-in-salty-snacks-us-2024_Redacted-V2.pdf
 
20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf20200128 Ethical by Design - Whitepaper.pdf
20200128 Ethical by Design - Whitepaper.pdf
 
Memorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQMMemorándum de Entendimiento (MoU) entre Codelco y SQM
Memorándum de Entendimiento (MoU) entre Codelco y SQM
 
Data Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and TemplatesData Analytics Strategy Toolkit and Templates
Data Analytics Strategy Toolkit and Templates
 
Interoperability and ecosystems: Assembling the industrial metaverse
Interoperability and ecosystems:  Assembling the industrial metaverseInteroperability and ecosystems:  Assembling the industrial metaverse
Interoperability and ecosystems: Assembling the industrial metaverse
 

MakeITWork Consulting Event Explores Enterprise Risk Management

  • 1. MakeITWork.Consulting ME Business Management © 2015 MakeItWork This document its confidential and could not be reproduced or distributed without prior written authorization of MakeItWork Consulting ME 1 MakeITWork.Consulting ME Business Management Enterprise Risk Management Ramallah, Palestine 25th May, 2015 A MakeITWork Consulting ME event in cooperation with Palestinian Banking Institute
  • 2. MakeITWork Presentation. MakeITWork Consulting is a consulting and training company, now also based in the Middle East, specialized in Project and Risk Management, Business Strategy, and Resource and Outsourcing services. Founded by a group of professionals with extensive experience and knowledge of the international market, MakeITWork Consulting features an integrated range of services tailored to the needs of each company. The founders' professional experience includes success stories in companies and organizations from different sectors of activity, including Banking and Insurance, Information Technology and Telecommunications, Software Industry, Government and the overall Public Sector.
  • 3. Speaker Presentation. Dr. Jorge Vaz Girão, PMP, CISA, PMDPro. Jorge Vaz Girão has more than 30 years of experience in the fields of Program, Project and Risk Management, Business Analysis and Change Management for the IT, Banking, Insurance, Telecom, Transportation and Aviation industries. His career has developed in various business domains in both the private and public sectors, and he has taken on many challenging projects, especially in the areas of international management and consulting, across Europe, Africa and the Middle East. He has managed and consulted on more than 35 major local and international projects as project and risk manager, for companies like Temenos, Misys, Capgemini, IBM, Altran, Axa Insurance, Sony, Shell and Bertelsmann. Project and risk management, as well as coaching, are his passion. For the past 5 years he has developed and taught over 20 different Project and Risk Management and related training courses. His vast experience and training methodology have received excellent feedback from his students and many domestic and international clients.
  • 4. Agenda
      1. STRATEGIC RISK MANAGEMENT
        • What Is a Risk?
        • The Importance of Risk Management
        • Enterprise Risk Management as a Factor of Success for Organizations
        • A Simple Strategy for ERM
        • How can an ERM programme enable organizations to achieve strategic objectives more effectively?
        • How to benefit from Basel III recommendations to develop Risk Management practices?
      2. A RISK MANAGEMENT STANDARD
        • Enterprise Risk Management Framework
        • Risk Identification
        • Risk Assessment
        • Risk Treatment / Response
        • Risk Reporting and Communication
        • Monitoring and Review of the Risk Management Process
        • The Structure and Administration of Risk Management
  • 5. Workshop Agenda
      1. STRATEGIC RISK MANAGEMENT
        • What Is a Risk?
        • The Importance of Risk Management
        • Enterprise Risk Management as a Factor of Success for Organizations
        • A Simple Strategy for ERM
        • How can an ERM programme enable organizations to achieve strategic objectives more effectively?
        • How to benefit from Basel III recommendations to develop Risk Management practices?
  • 6. Strategic Risk Management: What is a Risk?
  • 7. Strategic Risk Management: What is a Risk? (image captions) Dangerous Profession; Irresponsible Behaviour; Dangerous Car Driving; Plane Crash Disaster; Natural Tsunami Disaster; Fire Accident; Banking Robbery; Stock Exchange Crash; Pickpocket Robbery
  • 8. Strategic Risk Management: What is a Risk? A risk is ANYTHING that may affect and have an impact on the achievement of the objectives (your organization's objectives, your project, your personal life, etc.). Risk involves two key dimensions:
      1) the UNCERTAINTY that surrounds future events and outcomes, and
      2) the expression of the LIKELIHOOD and IMPACT of an event with the potential to influence the achievement of the objectives.
  • 9. Strategic Risk Management: What is a Risk? Uncertainty (probability). This means there is a probability between 1-99% that the event could occur:
      1) If there is a 0% chance of an event occurring, there is no risk (example: if there is a 0% chance your project will be adequately funded, this is not a risk, it is a reality).
      2) If there is a 100% chance of an event occurring, this would be an issue, not a risk.
  • 10. Strategic Risk Management: What is a Risk? Effect (likelihood, impact). This means the event may affect, and have an impact or consequences on, the achievement of the objectives. Consequences can range from negative to positive:
      1) Risks with negative consequences are called THREATS.
      2) Risks with positive consequences are called OPPORTUNITIES. (Yes, risk can be good! Stop thinking of risk as bad, and start thinking of it in terms of probabilities!)
  • 11. Strategic Risk Management: What is a Risk? Risk factors: 1. The probability that it will occur 2. The range of possible outcomes (impact) 3. Expected timing (when) 4. The anticipated frequency of the risk event (how often)
  • 12. Workshop Agenda. 1. STRATEGIC RISK MANAGEMENT • What Is a Risk? • The Importance of Risk Management • Enterprise Risk Management As A Factor Of Success for Organizations • A simple strategy for ERM • How can an ERM programme enable organizations to achieve strategic objectives more effectively? • How to Benefit from Basel III recommendations to develop Risk Management Practices?
  • 13. Strategic Risk Management: The Importance of Risk Management. Why do we need Risk Management? • The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing. (JAMES LAM, Enterprise Risk Management, Wiley Finance © 2003) • Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs. (SHEILA FRASER, Auditor General of Canada)
  • 14. Strategic Risk Management: The Importance of Risk Management. What is Risk Management? • Process which aims to help organizations understand, evaluate and take action on all their risks with a view to increasing the probability of success and reducing the likelihood of failure. (THE INSTITUTE OF RISK MANAGEMENT) • A process, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (COSO Enterprise Risk Management) • Coordinated activities to direct and control an organization with regard to risks… • Performed in a way that helps prevent many problems and helps make other problems less likely…
  • 15. Strategic Risk Management: The Importance of Risk Management. • Increases risk awareness (What could affect the achievement of objectives? What could change? What could go wrong? What could go right?) • Increases understanding of risk sensitivities (What makes my risks increase / decrease / disappear?) • Promotes a “healthy” risk culture (It’s safe to talk about risk. Open and transparent) • Develops a common and consistent approach to risk across the organization (Not intuition-based) • Allows intelligent “informed” risk-taking • Focuses efforts and helps prioritize (Top 10 list. Or top 3. Or…) • Is proactive, not reactive (Prepare for risks before they happen. Identify risks and develop appropriate risk mitigating strategies) • Improves outcomes: achievement of objectives (corporate, departmental, project, etc.) • Really comes down to simple good management • Enables accountability, transparency and responsibility • And may even mean survival
  • 17. Strategic Risk Management: ERM As A Factor Of Success for Organizations. A Silo Approach • Organizations typically undertake some risk management activities but may lack an integrated and disciplined process. [Diagram labels: Regulatory; Financial; Reputational; Human Resource; IT; Political; Environmental; Insurance; Strategic; Business Interruption; Operational]
  • 18. Strategic Risk Management: ERM As A Factor Of Success for Organizations. Enterprise Approach. “Enterprise Risk Management: A rigorous approach to identifying, assessing and addressing risks from all sources that threaten the achievement of an organization's strategic, operational and financial objectives and/or represent an opportunity or competitive advantage.” (Jerry Miccolis, Tillinghast-Towers Perrin) [Diagram: “A Silo Approach” beside “An Enterprise Approach” under Enterprise Risk Management, each showing Operation Risk, Financial Risk, HR Risk, Strategic Risk, Technology Risk, Environment Risk]
  • 19. Strategic Risk Management: ERM As A Factor Of Success for Organizations. ERM Governance is about three things: 1. Understanding limits of acceptable risk 2. Providing confidence and guidance to management 3. Anticipating events to position firm for success (National Association of Corporate Directors Blue Ribbon Commission on Risk Governance, 2009)
  • 20. Strategic Risk Management: ERM As A Factor Of Success for Organizations. A Value Proposition. No Big Surprises (Early Warning Systems): • Systematically identify, assess and prioritize risks • Avoid unrewarded risks • Promote organizational learning among management • Reduce chance of repeat problems. No Big Mistakes (Operational Resilience): • Provide assurance that key risks are understood and mitigated • Prevent and rapidly respond to potential catastrophic failures • Secure and protect staff, processes, and technology • Align organizational goals with stakeholder requirements. No Big Missed Opportunities (Enhance Organizational Value): • Seek growth, ensuring threats are understood and vulnerabilities are mitigated • Accelerate ability to respond to change and opportunities • Identify opportunities to improve performance and reduce costs
  • 22. Strategic Risk Management: A simple strategy for ERM… The 3 W’s: Where is the fundamental value of the business? What drives that value? What can cause catastrophic loss or disruptive opportunity? • Risk Management will only add value if aligned with value drivers • Risk Management will only drive results if complex cause/effect relationships are understood • ERM professionals must identify emerging risks and opportunities. Caution: Any risk management approach whose only goal is to add controls will simply add cost. Risk responses must reflect risk appetite.
  • 23. Strategic Risk Management: A simple strategy for ERM… The Framework • ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management • Entity objectives can be viewed in the context of four categories: STRATEGIC, OPERATIONS, REPORTING, COMPLIANCE • Considers activities at all levels of the organization: SUBSIDIARY, BUSINESS UNIT, DIVISION, ENTITY-LEVEL
  • 26. Strategic Risk Management: How can the ERM be an enabler? Having a Framework Roadmap. Dimensions of a Risk Management Framework. Risk Culture & Policies: • Organizational Mindset • Tone at the Top • Standards/Protocols • Risk Appetite & Tolerance. Infrastructure & Organization: • Authority, Responsibility & Accountability • Bottom-up Structure • Top-down Structure. Resources & Capabilities: • Installing Centres of Competency • Communication & Awareness • Learning & Education • Monitoring Functions. Tools & Techniques: • Tools & techniques to support the efficient & effective identification, measurement, management & reporting of risk
  • 27. Strategic Risk Management: How can the ERM be an enabler? Getting ERM Right… 1. Do we understand the risk context of our key business value-drivers? 2. Are we focused on risks in the activities and processes that create that value? 3. Are we engaging the business to create more and better risk information? 4. Are we driving consistent best practice risk responses across the organization? 5. Are we collaborating with other risk management professionals to manage risks? 6. Can we identify, monitor and manage the root causes of risks? 7. Can we predict how risks will impact value under different scenarios? 8. Can we aggregate and communicate critical risk information to business decision makers? 9. Have we standardized our practices and tools? Do we have a risk library or risk cemetery? 10. Are we providing the insight our executives and Board need to create and preserve value?
  • 29. Strategic Risk Management: How to Benefit from Basel III. Basel Context (from Basel I till Basel III). Equity standard: Bank loans are backed by 8% equity. [Timeline labels: Basel I; 1988 - 1996; 2004 - 2009; After 2009]
  • 30. Strategic Risk Management: How to Benefit from Basel III. Basel Risk Context Overview. [Diagram headings: Basic Risks; Other Risks; Other Considerations; Fairness; Supervisory Action. Diagram items: Credit Risk; Market Risk; Operational Risk; Settlement Risk; Residual Risk; Securitization Risk; Concentration Risk; Interest Rate Risk; Reputation Risk; Liquidity Risk; Stress Tests; Scenario Analysis; Economic and Regulatory Environment; Capital Planning; Individual Capital Guidance; System & Control Improvements; Provisioning; Restriction of Business; Peer Group Comparison; Reliance on risk management, internal audit, independent validation units or external audit]
  • 31. Strategic Risk Management: How to Benefit from Basel III. An Overall Framework… Nine principles for building an Enterprise Risk Management (ERM) framework
  • 32. Strategic Risk Management: How to Benefit from Basel III. An Overall Framework… [Figure: Nine principles for building an Enterprise Risk Management (ERM) framework. Risk Governance (Oversight, Board of Directors, Tone at the Top): Common Definition of Risk; Common Risk Framework; Roles and Responsibilities; Transparency for Governing Bodies. Risk Infrastructure & Management (Executive Management; People, Process, Technology): Common Risk Infrastructure; Executive Management Responsibility; Objective Assurance and Monitoring. Risk Ownership (Business Units and Supporting functions): Business Unit Responsibility; Support of pervasive functions. Risk Process: Identify Risks; Assess & Evaluate Risks; Integrate Risks; Record to Risks; Design, Implement & Test Controls; Monitor, Assure & Escalate. Risk Types: Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting]
  • 33. Workshop Agenda. 1. STRATEGIC RISK MANAGEMENT • What Is a Risk? • The Importance of Risk Management • Enterprise Risk Management As A Factor Of Success for Organizations • A simple strategy for ERM • How can an ERM programme enable organizations to achieve strategic objectives more effectively? • How to Benefit from Basel III recommendations to develop Risk Management Practices? 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment / Response • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 35. Risk Management Standards: The ERM Framework… [Figure: Nine principles for building an Enterprise Risk Management (ERM) framework]
  • 36. Risk Management Standards: The ERM Framework… Governance Principles… • Principle #1: Common definition of risk. With Enterprise Risk Management, a common definition of risk, which addresses both value preservation and value creation, is used consistently throughout the organization. • People think of risk in terms of threats: bad things happening to the business. • But you can also consider the other side of risk, the one that applies to value creation: risk taking for reward (e.g. new products, entering foreign markets and acquiring competitors). • Principle #2: Common risk framework. With Enterprise Risk Management, a common risk framework supported by appropriate standards is used throughout the organization to manage risks. • Risk management in many organizations is fragmented and does not have a centralized view. • For an enterprise risk management program to be effective, it must be built around a framework such as COSO ERM and ISO 31000.
  • 37. Risk Management Standards: The ERM Framework… Governance Principles… • Principle #3: Roles and responsibilities. With Enterprise Risk Management, key roles, responsibilities, and authority relating to risk management are clearly defined within the organization. • The board sets the direction, the executive leads the risk program, the business units work as a team for a successful implementation, and certain functions support the risk program. • Principle #4: Transparency for governing bodies. With Enterprise Risk Management, governing bodies (e.g., boards, audit committees, etc.) have appropriate transparency and visibility into the organization's risk management practices to discharge their responsibilities. • Some boards of directors are not kept informed on how risk is being managed within the organization.
  • 38. Risk Management Standards: The ERM Framework… Risk Infrastructure & Oversight Principles… • Principle #5: Common risk infrastructure. A common risk management infrastructure is used to support the business units and functions in the performance of their risk responsibilities. • To effectively and efficiently manage risks and reap the rewards, organizational silos must be bridged. • In particular, a common risk infrastructure needs to be created. All the business units and functions should also use the same supporting risk technologies and processes. • Principle #6: Executive management responsibility. With Enterprise Risk Management, executive management is assigned primary responsibility for designing, implementing, and maintaining an effective risk program. • Everyone has a responsibility for risk. • Principle #7: Objective assurance & monitoring. • Certain functions (e.g., internal audit, risk management, compliance, etc.) provide objective assurance as well as monitor and report on the effectiveness of an organization's risk program to governing bodies and executive management.
  • 39. Risk Management Standards: The ERM Framework… Risk Ownership Principles… • Principle #8: Business unit responsibility. Business units (departments, agencies, etc.) are responsible for the performance of their business and the management of risks they take within the risk framework established by executive management. • So everyone is responsible for risk. But who “owns” it? • If you own the business unit, you own the risk. • Risk owners must also abide by the rules and operate under certain constraints; they do not choose the framework. • Principle #9: Support and pervasive functions. Certain functions (e.g., finance, legal, HR, etc.) have a widespread impact on the business and provide support to the business units as it relates to the organization's risk program. • Certain groups within the organization carry a unique role, namely the internal audit, compliance, and risk management functions. • Their key responsibility is to provide assurance that the internal control and risk structure operates effectively.
  • 41. Risk Management Standards: The ERM Framework… Risk Identification… Its Value • Value is a function of risk and return. • Every decision either increases, preserves, or erodes value.
  • 42. Risk Management Standards: The ERM Framework… Risk Identification… Its Value • Risk being integral to the pursuit of value, strategic-minded enterprises do not strive to eliminate risk or even to minimize it… • This perspective represents a critical change from the traditional view of risk as something to avoid. • That’s why risk identification is important. • It’s the way in which enterprises get a handle on how significant each risk is to the achievement of their overall goals.
  • 43. Risk Management Standards: The ERM Framework… Risk Identification • At this stage, a wide net is cast to understand the universe of risks making up the enterprise’s risk profile. • While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks.
  • 44. Risk Management Standards: The ERM Framework… Risk Identification • The risk (or event) identification process precedes risk assessment and produces a comprehensive list of risks (and often opportunities as well), organized by risk category (financial, operational, strategic, compliance) and sub-category (market, credit, liquidity, etc.) for business units, corporate functions, and capital projects. • While each risk captured may be important to management at the function and business unit level, the list requires prioritization to focus senior management and board attention on key risks. [Diagram labels: Legal & Compliance; Finance; Operation & IT; Identify Risks; Assess & Evaluate Risks; Respond to Risks; Design, Implement & Test Controls; Monitor, Assure, Escalate; Governance; Strategy & Planning; Operational / Infrastructure; Compliance; Reporting]
  • 45. Risk Management Standards: The ERM Framework… Risk Identification
  • 46. Risk Management Standards: The ERM Framework… Risk Identification
  • 47. Risk Management Standards: The ERM Framework… Risk Identification
  • 48. Workshop Agenda: 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment / Response • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 49. Risk Management Standards: The ERM Framework… Risk Assessment
    Develop assessment criteria
    - The first activity within the risk assessment process is to develop a common set of assessment criteria to be deployed across business units, corporate functions, and large capital projects.
    - Risks and opportunities are typically assessed in terms of impact and likelihood.
    - Many enterprises recognize the utility of evaluating risk along additional dimensions such as vulnerability and speed of onset.
  • 50. Risk Management Standards: The ERM Framework… Risk Assessment
  • 51. Risk Management Standards: The ERM Framework… Risk Assessment
  • 52. Risk Management Standards: The ERM Framework… Risk Assessment
  • 53. Risk Management Standards: The ERM Framework… Risk Assessment
  • 54. Risk Management Standards: The ERM Framework… Risk Assessment
    Assess risks
    - Assessing risks consists of assigning values to each risk and opportunity using the defined criteria.
    - This may be accomplished in two stages, where an initial screening of the risks is performed using qualitative techniques, followed by a more quantitative analysis of the most important risks.
    - Additional techniques could (should) be used, such as:
      - Analysis of Existing Data: Reviewing internal and external data can help individuals assess the likelihood and impact of a risk or opportunity.
      - Interviews and Cross-Functional Workshops: Assessment can be conducted through one-on-one interviews or facilitated meetings.
      - Surveys: Surveys are useful for large, complex, and geographically distributed enterprises or where the culture suppresses open communication.
      - Benchmarking: Benchmarking is a collaborative process among a group of entities.
      - Scenario Analysis: Scenario analysis has long been recognized for its usefulness in strategic planning.
  • 55. Risk Management Standards: The ERM Framework… Risk Assessment
  • 56. Risk Management Standards: The ERM Framework… Risk Assessment
  • 57. Risk Management Standards: The ERM Framework… Risk Assessment
    Assess risk interactions
    - Risks do not exist in isolation. Enterprises have come to recognize the importance of managing risk interactions.
    - Even seemingly insignificant risks on their own have the potential, as they interact with other events and conditions, to cause great damage or create significant opportunity.
    - Therefore, enterprises are gravitating toward an integrated or holistic view of risks using techniques such as risk interaction matrices, bow-tie diagrams, and aggregated probability distributions.
  • 58. Risk Management Standards: The ERM Framework… Risk Assessment
  • 59. Risk Management Standards: The ERM Framework… Risk Assessment
    Prioritize risks
    - Risk prioritization is the process of determining risk management priorities by comparing the level of risk against predetermined target risk levels and tolerance thresholds.
    - Risk must be viewed not just in terms of financial impact and probability, but also in terms of subjective criteria such as health and safety impact, reputational impact, vulnerability, and speed of onset.
  • 60. Risk Management Standards: The ERM Framework… Risk Assessment
  • 61. Workshop Agenda: 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment / Response • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 62. Risk Management Standards: The ERM Framework… Risk Treatment / Response
    - Identifies and evaluates possible responses to risk.
    - Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
    - Selects and executes response based on evaluation of the portfolio of risks and responses.
    - Responses include risk avoidance, reduction, sharing, and acceptance.
  • 63. Risk Management Standards: The ERM Framework… Risk Treatment / Response
  • 64. Risk Management Standards: The ERM Framework… Risk Treatment / Response
  • 65. Risk Management Standards: The ERM Framework… Risk Treatment / Response
  • 66. Workshop Agenda: 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 67. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
    - To ensure that the risk response is followed consistently throughout the organization, enterprise risk management functions may set policies, issue guidance and/or minimum standards that apply to all business units globally.
    - Business unit management, in consultation with the appropriate risk management functions, will design and document action plans to implement or strengthen risk-mitigating activities, as applicable.
    - Increasingly, as a best practice, systems and critical business processes are designed and implemented to automate or “design in” compliance with these standards and other risk mitigation strategies.
  • 68. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
    - Information and communication channels are in place to make business leaders, as well as individuals, aware of risks that fall into their area of responsibility and the expected behaviour to mitigate negative outcomes.
    - Formal and informal training should be conducted with applicable personnel.
    - For many areas of risk, mandatory training is conducted annually.
    - Knowledge is also exchanged within risk management functions through regular department meetings, short-term rotations through corporate or enterprise functions and ad hoc cross-business unit assignments.
  • 69. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
  • 70. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
  • 71. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
  • 72. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
  • 73. Workshop Agenda: 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment / Response • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 74. Risk Management Standards: The ERM Framework… Monitoring and Control
    - Monitoring and Control activities are the policies and procedures that help ensure that management’s risk responses are carried out.
    - Monitoring and Control activities occur throughout the organization, at all levels and in all functions.
    - They include a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.
    - Having selected risk responses, management identifies control activities needed to help ensure that the risk responses are carried out properly and in a timely manner.
  • 75. Risk Management Standards: The ERM Framework… Risk Reporting and Communication
  • 76. Workshop Agenda: 2. A RISK MANAGEMENT STANDARD • Enterprise Risk Management Framework • Risk Identification • Risk Assessment • Risk Treatment / Response • Risk Reporting and Communication • Monitoring and Review of the Risk Management Process • The Structure and Administration of Risk Management
  • 77. Risk Management Standards: The ERM Framework… The Structure and Administration: Role of the Board
    - An organisation’s risk management policy should set out its approach to and appetite for risk and its approach to risk management.
    - The policy should also set out responsibilities for risk management throughout the organisation.
    - The Board has responsibility for determining the strategic direction of the organisation and for creating the environment and the structures for risk management to operate effectively.
    - This may be through an executive group, a non-executive committee, an audit committee or such other function that suits the organisation’s way of operating and is capable of acting as a ‘sponsor’ for risk management.
    - The Board should, as a minimum, consider, in evaluating its system of internal control:
      - the nature and extent of downside risks acceptable for the company to bear within its particular business
      - the likelihood of such risks becoming a reality
      - how unacceptable risks should be managed
      - the company’s ability to minimise the probability and impact on the business
      - the costs and benefits of the risk and control activity undertaken
      - the effectiveness of the risk management process
      - the risk implications of board decisions
  • 78. Risk Management Standards: The ERM Framework… The Structure and Administration: Role of the Business Units
    - The Business Units have primary responsibility for managing risk on a day-to-day basis.
    - Business unit management is responsible for promoting risk awareness within their operations; they should introduce risk management objectives into their business.
    - Risk management should be a regular management-meeting item to allow consideration of exposures and to reprioritise work in the light of effective risk analysis.
    - Business unit management should ensure that risk management is incorporated at the conceptual stage of projects as well as throughout a project.
  • 79. Risk Management Standards: The ERM Framework… The Structure and Administration: Role of the Risk Management
    - Depending on the size of the organisation, the risk management function may range from a single risk champion, a part-time risk manager, to a full-scale risk management department.
    - setting policy and strategy for risk management
    - primary champion of risk management at strategic and operational level
    - building a risk-aware culture within the organisation, including appropriate education
    - establishing internal risk policy and structures for business units
    - designing and reviewing processes for risk management
    - co-ordinating the various functional activities which advise on risk management issues within the organisation
    - developing risk response processes, including contingency and business continuity programmes
    - preparing reports on risk for the board and the stakeholders
  • 80. Risk Management Standards: The ERM Framework… The Structure and Administration: Role of the Internal Audit
    - The role of Internal Audit is likely to differ from one organisation to another.
    - In practice, Internal Audit’s role may include some or all of the following:
      - focusing the internal audit work on the significant risks, as identified by management, and auditing the risk management processes across an organisation
      - providing assurance on the management of risk
      - providing active support and involvement in the risk management process
      - facilitating risk identification/assessment and educating line staff in risk management and internal control
      - co-ordinating risk reporting to the board, audit committee, etc.
  • 81. Questions? Comments? We’ll be happy to help you!
  • 82. Our Contacts
    - For ERM consultation and workshops: Jorge Vaz Girão, CISA, PMP, PMDPro I, ERMCP, CAMS, Regional Director, MakeITWork Consulting ME; +44 37 0801 1345 (UK); +962 798 110 562 (Jordan); jorgevazgirao@makeitworkconsulting.co.uk
    - For overall consultation, general inquiries: MakeITWork Consulting ME; +44 37 0800 1306 (UK); +962 795 338 447; +962 (0) 658 135 05; makeitwork@makeitworkconsulting.co.uk