200 likes | 402 Views
What is risk? [and how should we manage it?]. AGA Central PA Chapter Joe Kull February 9, 2011 PwC . Risk Defined. ISO 3100: the effect of uncertainty on objectives
E N D
What is risk?[and how should we manage it?] AGA Central PA Chapter Joe Kull February 9, 2011 PwC
Risk Defined • ISO 3100: the effect of uncertainty on objectives • More classic: the likelihood of an event(s) occurring and the impact that event(s) will have on mission goals. The event can be positive or adverse. • Events that cause problems
ERM[Enterprise Risk Management] Risk based approach for managing an enterprise, integrating strategic planning, operations management and internal control No ‘surprises’: mitigate/eliminate preventable losses Seek/identify opportunities to achieve mission goals At its core: Identify, measure, continuously monitor, periodically assess, and recalibrate/modify
Basic Cycle Mission GOAL (Measurement) Strategies Tactics Plan Outcomes Metrics Assess Measures Indicators (Targets) Perform Operate Execute (Numbers) Record
Types of Risk • External / Inherent Risk- conditions or events beyond management control, which could impact achieving mission objectives assuming no controls are in place. • Internal / Operational Risk- conditions or events management can influence directly that could impact achieving mission objectives assuming no controls are in place. • Control Risk- the risk that controls may fail to prevent or detect inherent risks • Residual Risk- the risk that remains after management’s response to risk (considering controls that are in place).
Intangible risk management • 100% chance of occurring but cannot be identified • Usually has impact on productivity, efficiency • Deficient knowledge [knowledge risk] • Relationship risk [ineffective collaboration] • Process risk [ineffective operational procedures] • Results: reduces productivity, decreases cost effectiveness, service, quality, reputation, brand
Dealing with Risk • Reduce/mitigate • Transfer/share • Avoid • Accept and budget
COSO Internal Control Framework(same as GAO Definition of IC) Monitoring • Assessment of a control system’s performance over time. • Combination of ongoing and separate evaluation. • Management and supervisory activities. • Internal audit activities. Control Activities • Policies/procedures that ensure management directives are carried out. • Range of activities including approvals, authorizations, verifications, recommendations, performance reviews, asset security and segregation of duties. Information and Communication • Pertinent information identified, captured and communicated in a timely manner. • Access to internal and externally generated information. • Flow of information that allows for successful control actions from instructions on responsibilities to summary of findings for management action. Control Environment • Sets tone of organization-influencing control consciousness of its people. • Factors include integrity, ethical values, competence, authority, responsibility. • Foundation for all other components of control. Risk Assessment • Risk assessment is the identification and analysis of relevant risks to achieving the entity’s objectives-forming the basis for determining control activities. All five components must be in place for control to be effective.
Principles of risk management [ISO] • Creates value • Part of processes, decision making • Addresses uncertainty • Systematic and structured • Considers the human factor • Transparent and inclusive • Informed, adapts to change and improvement
Controls abound • Air traffic • Quality • Inventory • Flood • Crowd • Climate • Financial • Rodent/pest • ARRA
Recovery Act, Risk Management, and Internal ControlRisk Management – Risk Evaluation Likelihood - probability than an event could occur Impact - impact of an event should it occur
Challenges Challenges • Sponsorship, ownership, and buy-in • Jargon • Compliance drives controls, not risk • No clear approach to identifying, managing risk • No link between goals/risks/controls • Benefits (tangible and intangible) are not clearly understood • Stove-pipe, ad hoc approaches • Focus on documentation, testing, not results
> 80% of U.S. MNCslist ERM as “top 10” Challenges include quantifying risks Conflicting priorities identifying/measuring the potential benefits of ERM Timelines, availability, and quality of information Different cultures and behaviors Integrating risk management into business processes Lack of clarity, roles and responsibilities Lack of skills Challenges Private sector • Source: PricewaterhouseCoopers Management Barometer ERM Survey, 1/19/07
Enterprise Risk Benefits of ERM nag • Enhances service delivery / improves customer service • Promotes the efficient use of resources • Improves project management • Helps minimize waste, fraud, and abuse • Promotes continual improvement, innovation • Informs and directs the evaluation of internal controls • Helps achieve goals/objectives • Live within our means
We have been doing so much for so long with so little, that soon we’ll be able to do everything with nothing forever.