FUNDAMENTALS OF RISK MANAGEMENT
“An unplanned event with consequences that cannot be predicted.”
Introduction to Risk Management
Risk
Definition
ISO Guide 72: “Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence.”
Institute of Risk Management: “Combination of the probability of an event and its consequence. Consequences can range from positive to negative.”
Orange Book from HM Treasury
“Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events.”
Institute of Internal Auditors
“The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood.”
Types
Compliance (or mandatory) risks - arise from non-compliance with regulations
Hazard (or pure) risks
Always have a negative impact; operational or insurable risks; a tolerance limit can be set
Control (or uncertainty) risks
Uncertain whether the impact will be good or bad; these risks are managed so that the impact stays within the desired (favourable) range, aiming to reduce the variance between the anticipated impact or output and the actual result or output
Opportunity (or speculative) risks
Risks the company takes in order to gain a benefit; speculative, related to investment
OUTCOME
POSITIVE
NEGATIVE
Characteristics
Something that is not wanted to happen
Can be ascertained, although not always quantifiable
Closely related to the outcome of an activity or process
Can be prevented
Can be handled if it occurs
May have a negative, positive or uncertain impact
Risk Attachment
Corporate Objective
Core Processes
Key Dependencies
Stakeholder Expectations
PACED
Proportionate - Risk management activities must be proportionate to the level of risk faced by the organization.
Aligned - ERM activities need to be aligned with the other activities in the organization.
Comprehensive - To be fully effective, the risk management approach must be comprehensive.
Dynamic - Risk management activities must be dynamic and responsive to emerging and changing risks.
Approach To Risk Management
Risk Management Framework
Definition of Standard
A risk management standard is a combination of a description of the risk management process together with a recommended framework.
Key Stages
- Recognition of Risk
- Rating of Risk
- Ranking against risk criteria
- Responding to Risk
- Resourcing controls
- Reaction Planning
- Reporting on Risk
- Reviewing and Monitoring
Key Features
Risk Architecture
Risk Strategy
Risk Protocols
Standards
IRM (2002)
The IRM standard is a high-level approach aimed at non-risk management specialists and has been translated into many languages.
ISO 31000 : 2018
This standard provides a statement of risk management principles, together with a description of the risk management framework and process.
The revised risk management principles are stated as the 'creation and protection of value'.
The risk management process is not shown as a sequence of activities or stages with connecting arrows.
“Although the risk management process is often presented as sequential, in practice it is iterative.”
COSO ERM Cube (2004)
States that enterprise risk management is not strictly a serial process, where one component affects only the next. Rather, it is a multidirectional, iterative process in which almost any component can and does influence all the others.
There is a direct relationship between the objectives an entity seeks to achieve and the enterprise risk management components, which represent what is needed to achieve them. This relationship is depicted in the COSO cube (eight internally interrelated components).
Objectives
Strategic: high-level goals, aligned with and supporting its mission;
Operations: effective and efficient use of its resources;
Reporting: reliability of reporting;
Compliance: compliance with applicable laws and regulations.
Has scope for both risk management and internal control
Definition of ERM
RIMS: Enterprise risk management is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum
COSO: Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.
IIA (Institute of Internal Auditors): A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization's strategic and financial objectives
HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress
Other Definition:
ERM involves the identification and evaluation of significant risks, the assignment of ownership, and the implementation and monitoring of actions to manage these risks within the organization's risk appetite.
The output is the provision of information to management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the organization's objectives.
The impact of ERM is to improve efficiency and the delivery of services, improve the allocation of resources (capital) to business improvement, create shareholder value and enhance risk reporting to stakeholders.
Establishing Context as the first stage
The risk management context has been described as the risk architecture, strategy and protocols, or the risk management framework within the organization
The internal context refers to the organization itself, the activities it undertakes, the range of skills and capabilities available within the organization, and how it is structured
The external context is the environment in which the organization operates
Steps to implement ERM
Strategy and objective-setting
Performance
Review and revision
Information, communication and reporting
Governance and culture
RISK ASSESSMENT
Considerations
Risk Assessment - identification of the significant risks that could affect the feature to which the risk is attached (risk attachment), which may be the corporate objectives, stakeholder expectations, core processes or key dependencies.
Approaches
Top-Down - focuses on risks related to strategy, tactics, operations and compliance (S - Strategy, T - Tactics, O - Operations, C - Compliance; STOC).
Likely to produce a company-wide approach – risks at the top of the organization will have an impact across the whole business
The most significant strategic risks to the organization can be captured quickly and there will be a manageable number of them.
Demonstrates support for risk management from the top, resulting in acceptance of risk management activities at all levels.
Because it originates from the top, a consistent methodology across the organization is likely.
Senior managers and directors tend to focus more on the organization's external risks
Limited awareness of internal operational risks or of risk interdependencies within the business.
Danger that the approach becomes too superficial, because senior managers believe they can handle a crisis.
New risks emerging from the organization's operational activities may not be fully identified.
Bottom-Up - focuses on risks identified as compliance, hazard, control and opportunity (the four types of risk: compliance, hazard, control and opportunity)
Significant support at all levels of the organization must be achieved.
Can be mapped onto the existing organization chart, and the impact of risks beyond immediate operational risks can be discussed.
Operational staff have a great awareness of local risks and their causes, which higher levels of management may not appreciate.
Methodology can vary according to local norms and culture, which is useful for multinational organizations.
There will be little focus on external or strategic risks.
Time-consuming and can be demotivating if it takes longer to develop overall corporate results.
Danger that the approach becomes too detailed and unclear, producing a silo approach to risk assessment.
New risks emerging from the business's operational activities may not be reported by operational staff.
Assessment Techniques
Questionnaires and checklists - Use of structured questionnaires and checklists to collect information that will assist in recognizing significant risks
Consistent structure guarantees consistency
Greater involvement than in a workshop
A rigid approach may result in some risks being missed
Questions will be based on historical knowledge
Workshops and brainstorming - Collection and sharing of ideas at workshops to discuss the events that could affect objectives, core processes or key dependencies
Consolidated opinion from all interested parties
Greater interaction produces more ideas
Senior management tends to dominate
Issues will be missed if the wrong people are involved
Inspections and audits - Physical inspections of premises and activities, and audits of compliance with established systems and procedures
Physical evidence forms the basis of the opinion
The audit approach results in good structure
Inspections are most suitable for hazard risks
The audit approach tends to focus on historical experience
Flowcharts and dependency analysis - Analysis of the processes and operations within the organization to identify the critical components that are key to success
Useful output that can be used elsewhere
The analysis produces a better understanding of the processes
Difficult to use for strategic risks
May be very detailed and time-consuming
Nature of Risk Metric
Likelihood
Unlikely
Possible
Likely
Almost Certain
Impact
Small
Moderate
Severe
Catastrophic
Risk Classification
Short-term
Medium-term
Long-term
Risk Classification Systems
COSO ERM Cube: Strategic, Operations, Reporting, Compliance
IRM Standard: Financial, Strategic, Operational, Hazard
FIRM risk scorecard: Financial, Infrastructure, Reputational, Marketplace
Benefits
Accumulations of risk that could undermine a key dependency or business objective and make it vulnerable can be more easily identified.
Responsibility for the improved management of each different type of risk can be more easily identified/allocated if risks are classified.
Decisions and knowledge about the type(s) of control to be implemented can be taken in a more structured and informed manner.
Circumstances in which the organization's risk appetite is exceeded (or the risk criteria are not implemented) can be more easily identified
PESTLE
Political
Economic
Sociological
Technological
Legal
Ethical or Environmental
Advantages & Disadvantages
Advantages:
a simple framework;
facilitates an understanding of the wider business environment;
encourages the development of external and strategic thinking;
anticipates future business threats;
helps identify actions to avoid or minimize the impact of threats;
facilitates the identification of business opportunities.
Disadvantages:
can oversimplify the amount of data used for decisions;
needs to be undertaken regularly to be effective;
requires different people to be involved, each with a different perspective;
access to quality external data sources can be time-consuming and costly;
difficult to anticipate developments that may affect the organization in the future;
risk of capturing too much data, making it difficult to see the priorities;
can be based on assumptions that subsequently prove to be unfounded.
Loss Control
Risk Likelihood
Hazard Risks
Loss Prevention
Damage Limitation
Cost Containment
Upside of Risk
Definition
The upside of risk is achieved when the benefits gained from taking a risk are greater than any benefit that would have resulted from not taking it. It can also be understood as the reward for taking the risk. A further explanation of the upside of risk is that, ultimately, the organization becomes able to undertake activities it was previously unwilling to undertake.
Upside in Strategy
Upside in Projects
Upside in Operations
Risk Response
Tolerate, Treat, Transfer, and Terminate
4Ts of Hazard Response
Treat Control / Reduce
Risk Response
Avoiding the risk by deciding not to start or continue with the activity
Taking or increasing the risk in order to pursue an opportunity
Removing the risk source
Changing the likelihood or the consequences
Sharing the risk with another party/parties
Retaining the risk by informed decision making
Transfer Insurance/ Contract
Conventional Insurance
Paying third party to take the risk
Tolerate Accept / Retain
Tolerable w/o any further actions being taken
If not tolerable
Limited ability
Cost > benefit
Terminate Avoid / Eliminate
Terminate the activity
May be severely limited
Types
Preventive
Preventive Terminate
Stop an undesirable outcome
Implement appropriate preventive control
Corrective
Corrective Treat
Reduce any undesirable outcomes that have been realized
Provide a route of recourse to achieve some recovery against loss or damage
Correct undesirable circumstances
Reduce unacceptable risk exposures
Directive
Directive Transfer
Based on giving directions to people on how to ensure that losses do not occur
Important, but depends on people following established safe systems of work
Detective
Detective Tolerate
‘After the event’
Accept the loss/damage that has occurred
Limit the possibility of undesirable outcome being realized
Eliminate the hazard
No further consideration of it is required
May not be a cost effective option
May not be possible for operational reasons
May eliminate beneficial activities (either outsourced or replaced with something less effective and efficient)
Limit the scope for loss
Simple
Cost effective
Do not require the elimination of existing practices and procedures or their replacement with alternative methods of work
Controls can be implemented within the framework of existing activities
Marginal benefit may be difficult to quantify or confirm as cost effective
Sometimes are over-engineered
Sometimes cost is disproportionate to the benefit that is achieved
Ensure that a particular outcome is achieved
Can be explained during a normal training and instruction session for staff
Can be used as immediate response
May require constant supervision in order to ensure that the correct procedures are being followed
Identify occasions when undesirable outcomes have been realized
Simple to administer
Early warning
The risk will already have materialized before it is detected
Insurance and Risk Transfer
Importance
First party: Insurance contracts → require the insurance company to pay for losses suffered directly by the insured
Third party: Insurance contracts → insurance company to pay compensation to other parties if they have been injured or suffer loss because of the activities of the insured
Advantages & Disadvantages
Provides indemnity against expected loss
Provides economic benefits to the insured (loss > insurance premium)
Provides access to specialist services as part of the insurance premium (may include advice on loss control)
Delays in obtaining settlement of an insurance claim
Difficulties that can arise in quantifying the financial cost associated with the loss
May be disputes regarding the extent of the cover that has been purchased and the exact terms and conditions of the insurance contract
The insured may have difficulty in deciding the limit of indemnity that is appropriate for liability exposures
Purchase of Insurance needs to consider
Cost → insurance premium
Coverage → policies limitations
Capacity → the capacity the insurance company is willing to offer in relation to the value of the assets/exposure that need to be insured
Capabilities → loss control services and assistance with business continuity planning in addition to the insurance
Claims
Compliance → national basis? Regional?; timely issuance
Business Continuity
Business Continuity Standards
Key Activities in BCP
Assess company activities to identify critical staff, materials, procedures and equipment required to keep the business operating.
Identify suppliers, shippers, resources and other businesses that are contacted on a daily basis.
Plan what to do if any important buildings, plant or store were to become inaccessible.
Identify necessary actions to ensure continuity of critical business functions, especially payroll.
Decide who should participate in compiling and subsequently testing the emergency plans.
Define crisis management procedures and individual responsibilities for disaster recovery activities.
Co-ordinate with others, including neighbours, utility suppliers, suppliers, shippers and key customers.
Review the emergency plans annually and when the business changes and/or new members of staff are recruited.
BCP plan should be
Comprehensive
Cost-effective
Practical
Effective
Maintained
Practised
Business Impact Analysis
A critical part of ensuring that adequate business continuity plans and disaster recovery plans are in place
Purpose
Determine whether the likely impact is within the risk appetite of the organization as the basis for business continuity strategy
Risk Strategy
Core Business Processes
Dynamic Business Models
Strategy and Tactics
Effective and Efficient Operations
Ensuring Compliance
Reporting Performance
Components of The Business Model
Risk Management and The Business Model
Reputation and Corporate Governance
CSR and Risk Management
Supply Chain and Ethical Trading
Importance of Reputation
Risk Management Context
Risk Architecture
Risk Management Strategy
Risk Management Protocols
Risk Management Manual
Risk Management Documentation
Risk Management Responsibilities
Allocation of Responsibilities
Range of Responsibilities
Statutory Responsibilities of Management
Role of The Risk Manager
Risk Architecture in Practice
Risk Committees
Control of Selected Hazard Risks
Cost of Risk Controls
Learning from Controls
Control of Financial Risks
Control of Infrastructure Risks
Control of Reputational Risk
Control of Marketplace Risks
Risk Culture
Risk-aware Culture
Styles of Risk Management
Compliance management → based on fulfilling obligations such as health and safety (1970s)
Hazard management → ‘total cost of risk’ approach developed by insurance world (1980s)
Control management → based on the internal control approach of internal auditors (1990s)
Opportunity management → interface between risk management and strategic planning (2000s)
Risk Culture
Culture: determines how an individual feels obliged to behave in all circumstances
Characterized by
Communication founded on mutual trust
Shared perception of the importance of risk management
Sharing of confidence in the selected control measures
Commitment to adhering to the established risk control procedures
LILAC
Leadership
Involvement
Learning
Accountability
Communication
Alignment
Risk management activities with the risk architecture
Strategy and protocol with the core business processes
Importance of Risk Appetite
Nature
Risk appetite → immediate or short-term willingness of an organization to undertake an activity that involves risk
Statements
High risk appetite → The college accepts opportunities that have an inherently high risk that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance or high potential risk of injury to staff and students
Moderate risk appetite → The college is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and students
Modest risk appetite → The college is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance, potential risk of injury to staff and students
Low risk appetite → The college is not willing to accept risks in circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance, potential risk of injury to staff and students
Risk Training and Communication
Consistent response of risk
Risk Training
When a manager is newly appointed or has been given new or additional responsibilities
When an individual member of staff has been given a new role and/or procedures have been updated
Following a recent incident or loss at the organization or at a competitor’s premises or location
On a refresher basis → legal requirement in certain circumstances
Risk Practitioner Competencies
Range of Skills
Technical Skills
Soft Skills
Communication Skills
Relationship Skills
Analytical Skills
Management Skills
RMIS - risk management information system
Corporate governance arrangements and reports
Disaster recovery plans and responsibilities
Business continuity plans and responsibilities
Risk improvement plans and implementation
Risk management action plans (risk register)
Insurance policy coverage and other information
Historical loss/claims experience/information
Insurance claims handling and management protocols
Insurance values and cost of risk data
Emergency contact arrangements and contact details
Risk profile data, values and information
Risk management policy and protocols
Shared Vocabulary
Risk Information & Communication
Be prepared to answer questions and agree to provide further information if it is not currently available
Develop key messages that are clear, concise and to the point, with no more than three messages communicated at any one time
Be cautious when putting risks in perspective, although comparing an unfamiliar risk with a familiar one can be helpful
Deal with uncertainty and discuss situations where not all information is available and indicate what can be done to overcome these problems
Communicate clearly and honestly, taking account of the level of understanding of the audience
Be objective in the information provided and differentiate between opinions and facts
Simplify the language and presentation, although not the content if complex issues need to be communicated
Know the stakeholders, by identifying both external and internal stakeholders and finding out their interests and concerns
RISK GOVERNANCE
Corporate Governance Model
Purpose
facilitate accountability and responsibility for effective and efficient performance and ethical behavior
Approaches
Comply or Explain → the organization should comply with the requirements OR explain why it was not appropriate
Full Compliance → detailed requirements; detailed compliance is expected and exceptions are not acceptable
Committees
Risk management committee
Audit committee
Disclosures committee
Nominations committee
Remuneration committee
OECD Principles of Corporate Governance
Effective corporate governance framework
Rights and equitable treatment of shareholders
Institutional investors, stock markets and other intermediaries
Role of stakeholders in corporate governance
Disclosure and transparency
Responsibilities of the board
Corporate Governance for a Government Agency
Nolan Principles of Public Life
Selflessness
Integrity
Objectivity
Accountability
Openness
Honesty
Leadership
Evaluation Board Members
Membership and structure
Purpose and intent
Involvement and accountability
Monitoring and review
Performance and impact
Stakeholder Expectations
CSFSRS (Range of Stakeholders)
Customers
Staff
Financiers
Suppliers
Regulators
Society
Stakeholder Dialogue
General
A clear statement of strategy and vision
Corporate profile and principal markets
Financial Data
Annual report and financial statements
Archived financial information for the past three years
Corporate Governance and CSR
Information related to compliance with Combined Code
Information on the company CSR policies
Shareholder Information
Shareholder analysis by size and constituent
Information on directors’ share dealings
Relevant News
Access to all news releases and presentations
Developments that might affect the share value
Stakeholders and Core Processes
Stakeholders and Strategy
Stakeholders and Tactics
Stakeholders and Operations
Operational Risk Management
Basel II Types of Risk
Internal fraud, including misappropriation of assets, tax evasion and bribery
External fraud including theft, hacking and forgery
Employment practices and workplace safety
Clients, projects and business practices
Damage to physical assets
Business interruption and systems failures
Execution, delivery and process management
Basel II ORM Principles
The board is responsible for establishing the operational risk strategy
Senior management is responsible for implementing the operational risk strategy
Information, communication and escalation flows must be established.
Operational risks inherent in activities, processes, systems and products should be identified
Processes necessary for assessing operational risk should be established
Systems should be implemented to monitor operational risk exposures and loss events
Policies, processes and procedures to control or mitigate operational risks should be in place
Supervisors should require banks to have an effective system to identify, measure, monitor and control operational risk
Supervisors should conduct regular independent evaluations of these principles
Sufficient public disclosure should be made to allow stakeholders to assess the operational risk exposure and the quality of operational risk management
Project Risk Management
Respond to Project's Uncertainty
Accept the risk or uncertainty;
Adapt activities and procedures;
Adopt contingency plans and responses;
Avoid the risk or uncertainty
To be successful
Making risk management part of the project
Identifying risks early in the project
Communicating about risks
Considering both threats and opportunities
Clarifying ownership issues
Prioritizing risks
Analysing risks
Planning and implementing risk responses
Registering project risks
Tracking risks and associated tasks
Project Risk Analysis and Management (PRAM)
Benefit
Feasibility
Sanction
Tendering
Post-tender
During implementation
Supply Chain Management
Scope
strategic partnerships
joint ventures
support services
outsourcing of facilities management activities
Strategic Partnership
Joint Ventures
Outsourcing of Operations
Risk and Contracts
Level of the risk associated with the contracted service
Value of the contract for supply of goods or services
Duration and scope of the contract
Level of skill required in the delivery of the contracted services
Critical nature of the goods or services that are being contracted
Risk Assurance
The Control Environment
Nature of Internal Control
Concerned with → methods, procedures and checks that are in place to ensure that a business or organization meets its objectives
Goals
maintenance of reliable systems;
timely preparation of reliable information;
safeguarding of assets;
optimum use of resources;
preventing and detecting fraud and error.
Control Environment
Commitment
Shared ethical values should be established, communicated and practised.
HR policies should be consistent with ethical values.
Authority, responsibility and accountability should be clearly defined.
Mutual trust should be fostered to support the flow of information
Capability
People should have the necessary knowledge, skills and tools.
Communication processes should support the values of the organization.
Sufficient and relevant information should be identified and communicated.
Decisions and actions within the organization should be coordinated.
Control activities should be designed as an integral part of the organization.
Monitoring and learning
Environment should be monitored to re-evaluate controls.
Performance should be monitored against the targets.
Assumptions behind objectives should be periodically challenged.
Information needs and related information systems should be reassessed.
Procedures should be established to ensure appropriate actions occur.
Management should periodically assess the effectiveness of control.
CoCo Framework of Internal Control
Purpose → concerned with the establishment and communication of objectives, the significant internal and external risks faced by the organization and the policies designed to support achievement of the organization’s objectives
Commitment → concerned with shared ethical values, including integrity. It is also concerned with human resource policies and practices and communication throughout the organization.
Capability → concerned with the fact that people should have the necessary knowledge and skills to support the organization’s objectives, as well as its values
Monitoring and learning → concerned with external and internal environments and the fact that they should be monitored to obtain information
Internal Audit Activities
Scope of Internal Audit
methods, procedures and checks that are in place to ensure that a business organization meets its objectives
Undertaking an Internal Audit
Planning
Fieldwork
Audit Report
Follow-up
Risk Management and Internal Audit
Three lines of defence
Ideas
management has primary responsibility for the management of risk;
specialist risk management functions can assist management in developing an approach to fulfilling their responsibilities;
the internal audit function checks that the risk management process and the risk management framework are effective and efficient.
Management Responsibilities
Internal Audit Activities
giving assurance on risk management processes
giving assurance that risks are correctly evaluated
evaluating risk management processes
evaluating the reporting of key risks
reviewing the management of key risks
Risk Management Support
facilitating identification and evaluation of risks
coaching management in responding to risks
coordinating ERM activities
consolidated reporting on risks
maintaining and developing the ERM framework
championing establishment of ERM
developing RM strategy for board approval
Management Responsibilities
setting the risk appetite
imposing risk management processes
management assurance on risks
taking decisions on risk responses
implementing risk responses on behalf of management
accountability for risk management
Risk Assurance Techniques
Audit Committee
External Audit
recommend the appointment and re-appointment of external auditors
review the performance and cost-effectiveness of the external auditors
review the qualification, expertise and independence of external auditors
review and discuss any reports from the external auditors
Internal Audit
review internal audit and its relationship with external auditors
review and assess the annual internal audit plan
review promptly all reports from the internal auditors
review management response to the findings of the internal auditors
review activities, resources and effectiveness of internal audit
Financial Reporting
review the annual and half-year financial results
evaluate annual report against requirements of the governance code
review disclosure by CEO and CFO during certification of annual report
Regulatory Reports
review arrangements for producing the audited accounts
monitor and review standards of risk management and internal control
develop a code of ethics for CEO and other senior management roles
annually review the adequacy of the risk management processes
receive reports on litigation, financial commitments and other liabilities
receive reports of any issues raised by whistleblowing activities
Risk Assurance
Sources
Culture measurement
Audit reports
Unit reports
Performance of the unit
Unit documentation
Benefits of Risk Assurance
builds confidence with stakeholders;
provides reassurance to sponsors and financiers;
demonstrates good practice to regulators;
prevents financial and other surprises;
reduces the chances of damage to reputation;
encourages the risk culture within the organization;
allows more secure delegation of authority.
Reporting on Risk Management
Risk Reporting
Types of documents
risk management administration;
risk response and improvement plans;
event reports and recommendations;
risk performance and certification reports.
Risk Reporting by US Companies
Charities’ Risk Reporting
Public Sector Risk Reporting
Purpose
Plans should include measurable performance targets and indicators
Plans should be established and communicated.
Policies should be established, communicated and practised.
Significant internal and external risks should be identified and assessed.
Objectives should be established and communicated.
Risk Assessment of Business Model: identify options for improvements to customer offering and/or the business model
Successful: success in gaining new customers and drawing customers into a deeper relationship with the organization
Health and Safety
Employees
Customers
Environment
Suppliers
Community
Products/services
failure to comply with rules and regulations;
trading with undesirable overseas governments;
excessive payments to political parties; tax evasion or dubious tax arrangements;
inappropriate criticism of competitors;
false allegations against competitors;
unethical alliances with competitors
Capabilities → Does the organization have a clear purpose or resolve, together with the commitment, vision, capabilities and resources to deliver that purpose?
Activities → Which sector and what activities does the organization undertake and does it have the financial resources and stability to support those activities?
Standards → What range of services or products does the organization offer and what are the standards of quality, delivery, support, execution, innovation and investment?
Ethics → Does the organization adhere to appropriate CSR, integrity, values and governance, and continuously monitor performance to learn and achieve improvements?
Embedded - Risk management activities need to be embedded within the organization (the E of PACED).