Notes

Introduction to Risk Management

Module: RMI 131

Facilitated by
Ms J Mutero

1
Contents
• The nature of risk
• Emerging risks
• Risk Management Frameworks
• Risk Management Process
• Risk Governance

2
Module Objectives
To give students a fair understanding of the nature of risk.
To introduce risk management frameworks
To enable students to have an appreciation of the risk
management process

3
Introduction
All organisations Small or Large Conglomerates; Parastatal or NGO; University; Listed or
Unlisted are faced with RISKS that challenge the attainment of goals and objectives.
The speed of innovation and the highly dynamic environment creates tremendous threats and
opportunities for organisations as they pursue value.
Business leaders manage risks and they have done so for decades. Thus, calls for Enterprise
Risk Management aren’t suggesting that organizations haven’t been managing risks. Instead,
proponents of ERM are suggesting that there are benefits from thinking differently about how
an enterprise manages risks affecting the business.
Although the concept of ERM has existed for a number of years, it wasn’t until the 2008
Financial Crisis that it gained significant prominence as an integral component of an
institution’s business strategy.
What is Risk?
• Risk - An effect of uncertainty on objectives. An effect is a deviation
from the expected. It can be positive, negative or both, and can
address, create or result in opportunities and threats. (ISO 31 000).
• Risk - the possibility that an event will occur and adversely affect the
achievement of objectives. (COSO 2004)
• Opportunity – the possibility that an event will occur and positively
affect the achievement of objectives. (COSO 2004)
• Risk - Uncertainty arising from the possible occurrence of given
events. (International Risk Management Institute IRMI)
In insurance terms, risk is the chance something harmful or
unexpected could happen. This might involve the loss, theft, or
damage of valuable property and belongings, or it may involve
someone being injured. (UnderstandInsurance.com)
Components of Risk
Risk has three components considered separately when determining on how to manage the
risk:
• The event that could occur – the risk, the probability that the event will occur – the
likelihood and the impact or consequence of the event if it occurs – the penalty (the
price you pay).
• The natural instinct is to stay away from scenarios that involve risk but the fact is that
even with thorough planning, RISKS CAN NEVER BE ELIMINATED.
• We have to balance the possible negative consequences of risk with the potential
benefits of the opportunity.
• Risk can be dealt with by using a risk management approach which is proactive and
analyses the past and possible future events to identify potential risks.
• The alternative is crisis management that is a reactive and resource intensive process
whose options are restricted by the event.
What is an Emerging Risk ?
The following are characteristics of emerging Risk

• Completely new risks that have never been seen before.

• Previously known risks that are evolving in unexpected ways with
unanticipated consequences.
• Significance may be uncertain and not well understood.
• Difficult to quantify due to lack of data and/or volatility.
• Consequences and implications can be ambiguous.
Inherent Risk vs Residual Risk

Inherent Risk
Inherent risk is the risk that exists in any action, before
any precautions are taken or mitigatory action is taken.

Residual Risk
Residual risk is the remaining risk associated with a
course of action after precautions are taken.

.
Risk classification
Relates to how the entity defines the risks it faces. Classification may be by :-

• Risk Type – Systematic (uncontrollable/macro) or Unsystematic

• Risk Source and scope e.g. environmental, sector, organization, project
• Risk Impact eg critical, high, medium, low
• Activity e.g. credit, operational, political, regulatory, Legal

Risk Classification assists organization to use a common risk language.

Risk Classification - Example
Risk appetite
• Risk appetite can be defined as ‘the amount and type of risk that the institute willing
to take in order to meet its strategic objectives.

• Organisations will have different risk appetites depending on their sector, culture and
objectives. A range of appetites exist for different risks and these may change over
time.

• A clearly defined risk appetite will ensure that decisions made are in line with the
overall strategic objectives of the organisation.

• The Board should take into account the risk expectations of shareholders, regulators,
and the risk capacity of the organisation, including the amount and type of risk the
organisation is able to support.
Risk appetite

Existing Risk The Range of Risk at current level across the institute
Profile and across various risk categories

The AMOUNT (in $) OF RISK that the institute is

Risk Capacity able to support in pursuit of its objectives
Determine
Risk
Appetite
The level of Accepting the Variation the institute is
Risk Tolerance WILLING TO ACCEPT in the pursuit of its
objectives

Attitude
The attitude towards growth, risk, and return
Towards Risk
Articulating risk appetite
The following are characteristics of a well-defined risk appetite:
• Reflective of strategy
• Reflective of all key aspects of the Institute
• Acknowledges a willingness and capacity to take on risk
• Documented as a formal risk appetite statement
• Considers what is needed to manage and monitor risk exposures
• Inclusive of a tolerance for reasonably quantifiable loss or negative events
• Periodically reviewed taking into account evolving industry and market
conditions
• Approved by the board
What is Risk Management?
• Risk Management - co-ordinated activities to direct and control an
organisation with regards to risks. (ISO 31000)
• ERM is a process, effected by an entity’s board of directors, management
and other personnel, applied in strategy setting and designed to identify
potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of
entity objectives.” (COSO, 2004)
• Enterprise Risk Management - A strategic business discipline that supports
the achievement of an organization’s objectives by addressing the full
spectrum of its risks and managing the combined impact of those risks as an
interrelated risk portfolio. (Risk Management Society)
Traditional Risk Management Enterprise Risk Management
Departmentalized/ Segmented Holistic approach

Each Department / Unit / Silo deals with Emanates from the “top” – typically from the Board
own risk
Little or no knowledge of overall Board perspective on overall organizational risks
organizational risks
Focus is on preventing loss within the Unit Focus is on lowering risk, increasing sustainability
(tactical) and providing value across the entire organization
(strategic)
Manage uncertainties around physical and Assesses entire asset portfolio including intangibles
financial assets such as students, staff, suppliers, innovative processes,
proprietary systems

Solutions to mitigating risk based on each Solutions to mitigating risk based on strategy-setting
silo’s expertise and decision-making skills across the entire organization
Risk Management Framework
• A framework is a guide that provides an overview of different interconnected
activities within an organisation to achieve its targets.
• The focus on ERM has led to the development of various ERM frameworks, each
of which describes an approach for identifying, analysing, responding to, and
monitoring risks and opportunities, within the internal and external environment
facing the enterprise. The following frameworks/standards have been developed
and are widely used:
ISO 31000: 2009 - Risk Management - Practices and Guidelines revised in 2018
COSO: 2004 - Enterprise Risk Management - Integrated Framework revised in
2017
Each framework/standard is useful for organisations to understand a complete
picture of ERM and gives an idea of how to implement ERM in an effective way.
 COSO Framework

The Committee of Sponsoring Organisations of the Treadway Commission (COSO framework) was first published in 2004 and revised in 2017. It
clarifies the importance of enterprise risk management in strategic planning and embedding it throughout an organization. It outlines five components:
The Framework has five components supported by a set of principles.
They’re manageable in size, and they describe practices that can be applied in different
ways for different organizations regardless of size, type, or sector.
Adhering to these principles can provide management and the board with a reasonable
expectation that the organization understands and strives to manage the risks associated
with its strategy and business objectives.
ISO 31000 Framework
ISO 31000 was published in 2009 (revised 2018) as an internationally agreed standard for the implementation of
risk management principles. It is defined as “a process that provides confidence that planned objectives will be
achieved within an acceptable degree of residual risk.”
Risk Management Principles
• Integrated - Risk Management is an integral part of all Institute activities.
• Structured and Comprehensive - approach to risk management contributes to consistent
and comparable results.
• Customized - Framework and process are customized and proportionate to the Institute’s
external and internal context related to its objectives.
• Inclusive - Appropriate and timely involvement of stakeholders enables their knowledge,
views, and perceptions to be considered. This results in improved awareness and informed
risk management.
• Dynamic - Risks can emerge, change or disappear as the Institute context changes. Risk
Management will anticipate, detect, acknowledge and respond to those changes.
Risk Management Principles
• Best Available Information - Historical and current information, as well as on future
expectations. Explicitly considers limitations and uncertainties associated with such
information.
• Human and Cultural Factors - Risk Management will consider human behaviour as
Institute promotes a risk aware culture.
• Continual Improvement - Risk Management is continually improved through learning
and experience.
ISO 31000 Risk Management Process
Scope, Context and Criteria
• Involves defining the scope of the process, and understanding the internal and external context

Scope Context Criteria

Considerations include: -Established from the internal -Define the amount and type of
 Objectives and external environment the risk that may or may not be
 Outcomes Institute operates. taken
 Time frames, location -Importance of Context -The following should be
 Risk assessment tools  Risk Management takes place considered:
 Resources and responsibilities in the context of objectives  Nature and type of risks
 Linkages with other activities and activities  How likelihood and
 Organisational factors can be consequences will be defined
a source of risk and measured
 The Institute’s capacity
Risk Identification
The deliberate and systematic effort to identify and document the Institute’s KEY RISKS.
The objective of risk identification is to:
• understand what is at risk within the context of the Institute’s objectives and
• to generate a comprehensive inventory of risks based on the threats and events that might
prevent, degrade, delay or enhance the achievement of the objectives.
The risk identification process:
 should cover all risks, regardless of whether or not such risks are within direct control.
 should include mechanisms to identify new and emerging risks timeously.
 should be inclusive, not overly rely on the inputs of a few senior personnel
Risk Identification techniques
Technique Brief Description
Questionnaires and Use of structured questionnaires and checklists to collect
checklists information to assist with the recognition of the significant
risks
Workshops and Collection and sharing of ideas and discussion of the events
brainstorming that could impact the objectives, stakeholder expectations or
key dependencies.
Inspections and audits Physical inspections of premises and activities and audits of
compliance with established systems and procedures.
Flowcharts and Analysis of processes and operations within the institute to
dependency analysis identify critical components that are key to success.
SWOT and PESTLE Strengths Weaknesses Opportunities Threats (SWOT) and
analyses Political Economic Social Technological Legal Environmental
(PESTLE) analyses offer structured approaches to risk
recognition.
 Risk Analysis
• Risk analysis is an assessment of the identified risk based on the likelihood/probability of
occurrence and severity of impacts to the Institute once the effectiveness of the control
environment has been factored in
• Assessment of financial, non-financial, expected and extreme impacts should be considered
Risks can be evaluated :

 Qualitatively – A subjective and quick method. It can be done through several techniques to
determine the probability and impact of risks, including the following: Brainstorming,
interviewing, Historical data, SWOT analysis.

 Quantitatively - Quantitative risk assessment method uses numerical measures to estimate the
values of frequency of occurrence of incidents and the probability or susceptibility of events. It
is more objective and more detailed. Tools include the use of models, scenario analysis,
decision tree analysis and sensitivity analysis.
Risk Analysis Tools - Risk Matrix
A risk matrix defines the level of risk by considering the probability or likelihood of a risk/ event against
the severity of the consequence to the business if it were to occur. A risk matrix is a visible representation
of risks to assist a business in decision making and mitigation.

Loss of a personal
1
2 computer

2 Damage to reputation

3
Unavailability of grant
1
from Government
 Risk Analysis
Risk Analysis should:
• Consider causes and sources, their positive and negative consequences, the
likelihood that they can occur, and other attributes of the risk or
opportunity.
• Consider interdependence of different risks or opportunities and their
sources.
• Include Risk Classification.
• Consider Management Control: Any process, policy, device, practice, or
other action that modifies the risk or opportunity.
• Consider the effectiveness of existing controls.
• Consider time-related factors and volatility.
 Risk evaluation
• The purpose of risk evaluation is to support decision making.
• Risk Evaluation compares the results of Risk Analysis with the metrics set in
the Risk Criteria (Risk Appetite)
• Decisions may be to:
 Take no action
 Undertake further analysis on risk for better understanding
 Maintain existing controls
 Consider alternative Risk Treatment options
 Reconsider objectives

• Outcomes of risk evaluation must be recorded, communicated and then

validated at appropriate levels of the organization.
Risk Response
Avoid – remove risk source or
Accept/Tolerate –when residual stopping existing / proposed activity
risk is acceptable / tolerable

Exploit / Enhance – increase

the likelihood or return on
Risk Transfer – transfer impact and
management of risk to another party.
opportunity Response May be through Insurance arrangements

Treat / Mitigate – by lowering the likelihood and/or

consequences of the risk. Usually associated with use
of internal controls
Internal Control Mechanisms
Policies - describe THE WHAT needs to be done in managing risk. Builds
on high-level risk management requirements. Each key risk identified will
have a stand-alone risk policy that specifies its management.

Standards - support policies and set out the key controls. Standards describe
how the policy requirements will be met – ‘THE HOW’ and ‘THE WHEN’.

Process Mapping - Process mapping is the act of creating a workflow

diagram with the goal of gaining a clearer understanding of how a process
and its parallel processes work.

Procedure Manuals – Step by step documentation of key processes and

control activities. Provides guidance for the Institute’s staff to perform their
functions correctly and reasonably efficiently.
Risk Treatment Plans
The risk management treatment plan includes the following:
• Risk identified;
• Proposed actions;
• Cost/benefit analysis (where appropriate);
• Accountable Officers;
• Timescales

For the treatment plans to be successfully implemented, there is a requirement for an on-
going review and reporting of the progress against the actions stated.

Need to track the status of proposed control actions.

Open -
Closed –

Cure Rate would assess the proportion of closed treatment plans

Monitoring and review of risk
Aim is to “assure and improve the quality and effectiveness of risk management process
design, implementation and outcomes” ISO31000 2018
It should be a part of the planned risk management process with defined roles and should
takes place at all stages of the process
The following can be used:
i. Risk Registers
ii. Risk/Loss Events
iii. Key Risk Indicators - KRIs monitor the level of risk taking in an activity or an
organisation.
iv. Conformance Reviews
Risk monitoring Tools – Risk Register
Risk Register
Functional Area:
Accountable Official

Functional
Risk Date Risk Severity/Risk Responsible
Area/Proc Risk description Likelihood Impact Risk Owner Mitigating Controls
ID Assessed Area/Category Rating Individual
ess

[1] [There is a risk The [High/Medi [High/Medi [High/Medium/L [Person [Actions that can be
that.... If this organisation's um/Low] um/Low] ow based on risk managing the taken to reduce the
happens.....] key risk areas matrix] risk] likelihood of the risk
occuring. May also be
acceptance of the risk
or transferance of the
risk e.g. insurance]

The risk register serves three main purposes

• A source of information to report the key risks throughout the Institute.
• Management uses the risk register to focus their priorities risks.
• Assist auditors to focus their plans on the Institute's top risks.
Reporting Key Risk Information
Reporting aims to:
• Communicate risk management activities and outcomes
• Provide information for decision-making
• Improve risk management activities
• Assist interactions with stakeholders

• Reported risks are typically prioritized by combinations of likelihood and impact scores.
• Report will include summaries of each of the “top 10” risks, definitions of risks, key
controls or mitigating activities, mitigation progress and accountability for monitoring.
• The summary will enable key decision making based on the assessment of key risks.
Communication and Consultation
Communication and consultation with all the relevant stakeholders
involved in the risk management process externally and internally
aims to:
• bring together the different areas of expertise at each stage of the
process
• ensure different views are considered when defining and evaluating
risks
• provide sufficient information for risk oversight and decision
making
• build a sense of inclusiveness and ownership among all
stakeholders
Risk Governance
• Risk Governance refers to the processes and mechanisms by which decisions about
risks are taken and implemented across the Institute.
• Successful Risk Governance requires the Institute Board, Board Committees,
Management Committee, Senior Management, Staff and Service Providers to work
together in managing risks. The following are key:
Organisational Structure supportive of risk management approach
Definition of roles and responsibilities (Terms of Reference + Job Descriptions)
A System Of Internal Controls (Policies and Procedure Manuals)
A Risk Aware Culture supportive of Risk Management.
Three Lines of Defense Model

Source: FERMA/ECIIA
First Line of Defence – Operational Management
• Operational managers own and manage risks.
• Operational Managers include: Administrators, Technicians, Accounting
Officers, Security Officers, Ground Persons, Cleaners, Student Affairs
Officers.
• Reports through the Management Risk Committee.
Responsible for day to day Risk Management by:
• Identifying, analysing, evaluating, controlling and mitigating risks.
• Maintaining effective internal controls and for executing risk and control
procedures.
• Guiding the development and implementation of internal policies and
procedures and ensuring that activities are consistent with goals and
objectives.
• Implementing corrective actions to address process and control deficiencies.
Second Line- Risk, Compliance and Quality Assurance Functions

Included in the second line of defence are the following:

Risk Management Function
Compliance / Legal Function
Quality Assurance Function
Occupational Health, Safety, and Wellness
Environmental Control
Security
Second Line – Risk & Compliance Functions
 Lead the development of the Risk Management System
 Lead the Formulation of the Risk Management Framework
 Provide quantitative and modelling support for Risk Assessment
 Act as a Strategic Controller. Preside over the close integration of
risk and performance measurement.
 Strategic Advisor: bring judgment into high-level risk decisions,
challenge assumptions of underlying plans, and use risk controls to
alter the risk profile of the Institute
 Ensure Compliance with applicable laws; regulations, statutes,
ordinances, internal policies and that the Institute conducts its
activities ethically and responsibly.
Second Line – Risk & Compliance Functions
 Provide support and Leadership to First Line of Defence on risk
assessment and risk treatment.
 Create and disseminate risk reports to different stakeholders, including
Staff, Management Risk Committee, Board Committees and Board.
 Ensure that risk management priorities are reflected in the Institute's
strategic plans.
 Develop budgets for risk-related projects and supervising their funding
 Develop risk related plans and formulate strategies to minimize and
mitigate risks.
 Assess and provide support to risk training needs of the Institute.
 Third Line of Defence - Internal Audit
An independent and objective assurance and consulting unit.
Assists the Institute in accomplishing its strategic objectives by bringing a professional,
systematic and disciplined approach to evaluate and improve the effectiveness of the
organization's risk management, control, and governance processes.
Functionally reports to the Board Audit Committee, and administratively to the CEO.
Work with the management to evaluate administrative processes and identify
opportunities for improvement.
Performs operational, financial, compliance and information technology audits and
reviews
Monitor and evaluate processes to determine if they are working to effectively manage
key risks.
Work with management to develop effective remedial action proposals, and
Offer insights developed from best practices of leading companies, recent research, and
cumulative professional experience.
Risk Oversight - Management Risk Committee
• Composed of e.g Pro-Vice Chancellors, Faculty Deans and Heads of
Departments. E.g Chaired by the Pro-Vice Chancellor.
• Reports to Board Risk Committee.
• Ensure adequate managerial and supervisory controls in place to enable
compliance; highlight control breakdown, inadequate processes, and
unexpected events.
• Manage Risk at an Enterprise Level including identification, analysis,
evaluation and control.
• Consider the interactivity and aggregate nature of risk.
• A platform for escalation of Risk Issues.
• Receives and consolidates reports of Operational Managers.
• Receives and interrogates reports of the Second Line Functions.
 Risk Oversight - Board Risk Committee
The risk management committee should be composed of at least x Board
members and should meet every quarter of the company`s financial year;
preferably before every quarterly Board meeting.
The risk management committee may supplement its risk management skills and
experience by inviting independent management experts and senior management
personnel responsible for the various aspects of risk management to attend its
meeting.
Reports to the Board.
Receives the reports of the Management Risk Committee. (First Line of
Defence)
Receive the reports of the Risk Management Function. (2nd Line of Defence)
 Risk Oversight- Board Risk Committee
The risk management committee should, as its main function, consider the risk
management policy and plan of the Institute and monitor, evaluate and recommend
amendments to the risk management processes, procedures, policies and implementation
strategies.
The Board Risk Committee sets the levels of risk tolerance and the nature and extent of
significant risks it is willing to embrace in achieving its strategic objectives.
The risk management committee should ensure:
Internal Controls are in place depending on size, complexity and cost-benefit analysis of
the Institute
A Chief Risk Officer is appointed with sufficient authority, stature, competence,
resources and independence and reports functionally to the Board Risk Committee and
administratively to the CEO.
It receives assurance from the Chief Risk Officer regarding the effective-ness of the risk
management processes
a framework methodology is established to increase the likelihood of anticipating
Risk Oversight – Audit Committee
The Audit Committee –
• approves the risk-based internal audit plan, and the annual expenditure and capital budget of the
auditing department, and evaluates the performance of the internal audit function annually.
• recommend the nomination and remuneration of external auditors;
• review the audit carried out by external auditors;
• Review the company`s accounting policies and the need to make changes to them;
• Review the company`s internal control environment;
• Review reports from the company’s internal audit department
• Review financial statements prior to their approval by the Board;
• Prepare the terms of reference of new auditors for adoption by the Board
Risk Governance – Board of Directors
The Board has overall responsibility for Risk Management.
May, if deemed desirable, appoint a risk management committee to assist it in the
discharge of its duties and responsibilities in respect of risk management.
The risk management committee’s responsibility should be clearly set out in its
terms of reference, which must deal with the scope of its mandate, its
composition, roles and duties.
Evaluate the risk management committee’s performance in terms of its mandate
and effectiveness.
Ensure that processes are established to foster the complete, timely, relevant,
accurate and accessible risk disclosures to the shareholders.
 External parties
• Play an important role regarding the Institute’s overall governance and control
structure.
• Regulators establish requirements often intended to strengthen governance and
control of the Institute, and they actively review and report on compliance.
• Similarly, external auditors may provide important observations and
assessments of the Institute’s controls over financial reporting and related
risks.
Examples of external parties are:
• The Auditor General / External Auditors
• Regulator
• Actuaries
• Ministry
Risk Culture

51
 Risk Management Culture
• What is Culture? – It is our way of doing things.
• Risk culture describes the values, beliefs, knowledge, attitudes and understanding
about risk shared by a group of people with a common purpose.
• Leadership must be the driver of the correct risk culture.
• It must translate risk strategy into tactical and operational objectives, and assign risk
management responsibilities throughout the Institute.
• It should support accountability, performance measurement and reward, thus
promoting operational efficiency at all levels.
• An effective risk culture is one that enables and rewards individuals and groups for
taking the right risks in an informed manner.
• The goal of a risk-aware culture is to ensure that all members of the Institute
understand the importance or risk, risk management and taking risk and reward into
account in decision-making
Risk culture and the individual

Risk Culture

• Additional factors affecting risk

culture include personal needs,
Behaviours
motives, goals, psychological
characteristics, past experiences and
the social, organisational and cultural
Personal Ethics environment.
• The above will LEAD to ACTION or
INACTION

Personal
predisposition
To Risk
How to embed Risk Management Culture
•Review current risk culture & risk maturity level and determine a target level – a vision.
•Risk management awareness, training and induction process (applies to all members of
staff).
•Secure and maintain support and buy-in from senior management. Promote a strong tone
from the top.
•Develop risk management policies for the Institute (documentation).
•Report and communicate regularly and consistently aligned to other organisational
processes e.g. budgeting, reports, quarterly reviews etc.
•Ensure there are clear descriptions of risk management roles, responsibilities, processes
and language.
•Integrate risk into performance management process –appraisals, compensation / rewards,
balanced scorecards, reporting of near misses.
THIS IS A PROCESS AND NOT AN EVENT.
CORONATION RISK ADVISORY
THE END!

TREY 55
research