FUNDAMENTALS OF RISK MANAGEMENT

"An unplanned event with consequences that cannot be foreseen."

Introduction to Risk Management

Risk

Definition

ISO Guide 72: "Effect of uncertainty on objectives. Note that an effect may be positive, negative, or a deviation from the expected. Also, risk is often described by an event, a change in circumstances or a consequence."

Institute of Risk Management: "Combination of the probability of an event and its consequence. Consequences can range from positive to negative."

Orange Book from HM Treasury
"Uncertainty of outcome, within a range of exposure, arising from a combination of the impact and the probability of potential events."

Institute of Internal Auditors
"The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of consequences and likelihood."

Types

Compliance (or mandatory) risks - Arise from non-compliance with regulations

Hazard (or pure) risks
Always have a negative impact; operational or insurable risks; a tolerance limit can be set for them

Control (or uncertainty) risks
Uncertain whether the impact will be good or bad; these risks are managed so that the impact stays within the desired (good) range, the aim being to reduce the variance between the anticipated impact or output and the actual result or output

Opportunity (or speculative) risks
Risks a company takes deliberately in order to gain a benefit; speculative; related to investment

Outcome: positive or negative

Characteristics

Something that is not wanted to happen

Can be ascertained, although not always quantified

Closely related to the outcome of an activity or process

Can be prevented

If it occurs, it can be handled

Can have a negative, positive, or uncertain impact

Risk Attachment

Corporate Objective

Core Processes

Key Dependencies

Stakeholder Expectations

PACED

Proportionate - Risk management activities must be proportionate to the level of risk faced by the organization.

Aligned - ERM activities need to be aligned with the other activities in the organization.

Comprehensive - To be fully effective, the risk management approach must be comprehensive.

Dynamic - Risk management activities must be dynamic and responsive to emerging and changing risks.

Approach To Risk Management

Risk Management Framework

Definition of Standard

A standard for risk management is itself a combination of a description of the risk management process together with a recommended framework.

Key Stages

  1. Recognition of Risk
  2. Rating of Risk
  3. Ranking against risk criteria
  4. Responding to Risk
  5. Resourcing controls
  6. Reaction Planning
  7. Reporting on Risk
  8. Reviewing and Monitoring

Key Features

Risk Architecture

Risk Strategy

Risk Protocols

Standards

IRM (2002)

The IRM standard is a high-level approach aimed at non-risk-management specialists and has been translated into many languages

ISO 31000:2018

This standard provides a statement of risk management principles, together with a description of the risk management framework and process

The revised risk management principles are stated as 'creation and protection of value'

The risk management process is not shown as a series of activities or stages with connecting arrows

"Although the risk management process is often presented as sequential, in practice it is iterative"

COSO ERM Cube (2004)

States that enterprise risk management is not limited to a series of activities in which one component affects only the next. Rather, it is a multidirectional, iterative process in which almost any component can and does influence all the others.

There is a direct relationship between the objectives that an entity seeks to achieve and the components of enterprise risk management, which represent what is needed to achieve them. This relationship is depicted in the COSO cube (eight internally interrelated components)

Objectives

Strategic: high-level goals, aligned with and supporting its mission;

Operations: effective and efficient use of its resources;

Reporting: reliability of reporting;

Compliance: compliance with applicable laws and regulations.

Covers the scope of both risk management and internal control

ERM Definitions

RIMS: Enterprise risk management is a strategic business discipline that supports the achievement of an organization's objectives by addressing the full spectrum

COSO: Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within its risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.

IIA (Institute of Internal Auditors): A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization's strategic and financial objectives

HM Treasury: All the processes involved in identifying, assessing and judging risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress

Other Definition:

ERM involves the identification and evaluation of significant risks, the assignment of ownership, and the implementation and monitoring of actions to manage these risks within the organization's risk appetite.

The output is the provision of information to management to improve business decisions, reduce uncertainty and provide reasonable assurance regarding the achievement of the organization's objectives.

The impact of ERM is improved efficiency and service delivery, better allocation of resources (capital) to business improvement, creation of shareholder value and enhanced risk reporting to stakeholders.

Establishing Context as the first stage

The risk management context has been described as the risk architecture, strategy and protocols, or the risk management framework, within the organization

The internal context refers to the organization itself, the activities it undertakes, the range of skills and capabilities available within it, and how it is structured

The external context is the environment in which the organization operates

Steps to implement ERM

Strategy and objective-setting

Performance

Review and revision

Information, communication and reporting

Governance and culture

RISK ASSESSMENT

Considerations

Risk Assessment - identification of the significant risks that could affect the feature to which the risk is attached (feature attachment), which may be the corporate objectives, stakeholder expectations, core processes, or key dependencies.

Approaches

Top-Down - focuses on risks relating to strategy, tactics, operations and compliance (S - Strategy, T - Tactics, O - Operations, C - Compliance; STOC).

Likely to produce a company-wide approach: risks at the top of the organization will have an impact across the whole business

The most significant strategic risks to the organization can be captured quickly, and there will be a manageable number of them.

Demonstrates support for risk management from the top, resulting in acceptance of risk management activities at all levels.

Because it comes from the top, there is likely to be a consistent methodology across the organization.

Senior managers and directors tend to focus more on the organization's external risks

Limited awareness of internal operational risks or of risk interdependencies within the business.

Danger that the approach becomes too superficial, because senior managers believe they can handle a crisis.

New risks emerging from the organization's operational activities may not be fully identified.

Bottom-Up - focuses on risks identified as compliance, hazard, control and opportunity (the four types of risk: compliance, hazard, control, and opportunity)

Significant support at all levels of the organization must be achieved.

Can be mapped onto the existing organization chart, and the impact of risks beyond immediate operational risks can be discussed.

Operational staff have a strong awareness of local risks and their causes, which higher levels of management may not understand.

Methodology can vary according to local norms and culture, which is useful for multinational organizations.

There will be little focus on external or strategic risks.

Time-consuming and can be demotivating if it takes longer to develop the overall company-wide result.

Danger that the approach becomes too detailed and unclear, resulting in a silo approach to risk assessment.

New risks emerging from the business's operational activities may not be reported by operational staff.

Assessment Techniques

Questionnaires and checklists - Use of structured questionnaires and checklists to collect information that will help recognize significant risks

Consistent structure guarantees consistency

Greater involvement than in a workshop

A rigid approach may result in some risks being missed

Questions will be based on historical knowledge

Workshops and brainstorming - Collection and sharing of ideas in a workshop to discuss events that could affect objectives, core processes or key dependencies

Consolidation of opinions from all interested parties

Greater interaction produces more ideas

Senior management tends to dominate

Issues will be missed if the wrong people are involved

Inspections and audits - Physical inspections of premises and activities, and audits of compliance with established systems and procedures

Physical evidence forms the basis of the opinion

The audit approach produces good structure

Inspections are most suitable for hazard risks

The audit approach tends to focus on historical experience

Flowcharts and dependency analysis - Analysis of the processes and operations within the organization to identify the critical components that are key to success

Useful output that can be used elsewhere

Analysis produces a better understanding of the processes

Difficult to use for strategic risks

May be very detailed and time-consuming

Nature of Risk Metric

Likelihood

Unlikely

Possible

Likely

Almost Certain

Impact

Small

Moderate

Severe

Catastrophic

Risk Classification

Short-term

Medium-term

Long-term

Risk Classification Systems

COSO ERM Cube: Strategic, Operations, Reporting, Compliance

IRM Standard: Financial, Strategic, Operational, Hazard

FIRM risk scorecard: Financial, Infrastructure, Reputational, Marketplace

Benefit

Accumulations of risk that could undermine a key dependency or business objective and make it vulnerable can be more easily identified.

Responsibility for improved management of each different type of risk can be more easily identified/allocated if risks are classified.

Decisions and knowledge about the type of control(s) to be implemented can be taken in a more structured and informed way.

Circumstances in which the organization's risk appetite is exceeded (or the risk criteria are not being applied) can be more easily identified

PESTLE

Political

Economic

Sociological

Technological

Legal

Ethical or Environmental

Advantages & Disadvantages

Advantages:

simple framework;

facilitates an understanding of the wider business environment;

encourages the development of external and strategic thinking;

anticipates future business threats;

helps identify actions to avoid or minimize the impact of threats;

facilitates the identification of business opportunities.

Disadvantages:

can oversimplify the amount of data used for decisions;

needs to be undertaken regularly to be effective;

requires different people with different perspectives to be involved;

access to quality external data sources can be time-consuming and costly;

difficult to anticipate developments that may affect the organization in the future;

risk of capturing too much data, making it difficult to see the priorities;

may be based on assumptions that later prove to be unfounded.

Loss Control

Risk Likelihood

Hazard Risks

Loss Prevention

Damage Limitation

Cost Containment

Upside of Risk

Definition

The upside of risk is achieved when the benefits obtained from taking a risk are greater than any benefit that would result from not taking it. It can also mean the reward for taking the risk. Another explanation of the upside of risk is that, in the end, the organization will be able to undertake activities that it previously did not want to undertake.

Upside in Strategy

Upside in Projects

Upside in Operations

Risk Response

4Ts of Hazard Response: Tolerate, Treat, Transfer, and Terminate

Treat (Control / Reduce)

Risk Response

Avoiding the risk by deciding not to start or continue with the activity

Taking or increasing the risk in order to pursue an opportunity

Removing the risk source

Changing the likelihood or the consequences

Sharing the risk with another party/parties

Retaining the risk by informed decision making

Transfer (Insurance / Contract)

Conventional Insurance

Paying third party to take the risk

Tolerate (Accept / Retain)

Tolerable without any further action being taken

If not tolerable

Limited ability

Cost > benefit

Terminate (Avoid / Eliminate)

Terminate the activity

May be severely limited

Types

Preventive

Preventive → Terminate

Stop an undesirable outcome

Implement appropriate preventive control

Corrective

Corrective → Treat

Reduce any undesirable outcomes that have been realized

Provide a route of recourse to achieve some recovery against loss or damage

Correct undesirable circumstances

Reduce unacceptable risk exposures

Directive

Directive → Transfer

Based on giving directions to people on how to ensure that losses do not occur

Important, but depends on people following established safe systems of work

Detective

Detective → Tolerate

‘After the event’

Accept the loss/damage that has occurred

Limit the possibility of undesirable outcome being realized

Eliminate the hazard

No further consideration of it is required

May not be a cost effective option

May not be possible for operational reasons

May eliminate beneficial activities (either outsourced or replaced with something less effective and efficient)

Limit the scope for loss

Simple

Cost effective

Do not require the elimination of existing practices and procedures or their replacement with alternative methods of work

Controls can be implemented within the framework of existing activities

Marginal benefit may be difficult to quantify or confirm as cost effective

Sometimes are over-engineered

Sometimes cost is disproportionate to the benefit that is achieved

Ensure that a particular outcome is achieved

Can be explained during a normal training and instruction session for staff

Can be used as immediate response

May require constant supervision in order to ensure that the correct procedures are being followed

Identify occasions on which undesirable outcomes have been realized

Simple to administer

Early warning

The risk will already have materialized before it is detected

Insurance and Risk Transfer

Importance

First party: Insurance contracts → require the insurance company to pay for losses suffered directly by the insured

Third party: Insurance contracts → insurance company to pay compensation to other parties if they have been injured or suffer loss because of the activities of the insured

Advantages & Disadvantages

Provides indemnity against expected loss

Provides economic benefits to the insured (loss > insurance premium)

Provides access to specialist services as part of the insurance premium (may include advice on loss control)

Delays in obtaining settlement of an insurance claim

Difficulties that can arise in quantifying the financial cost associated with the loss

May be disputes regarding the extent of the cover that has been purchased and the exact terms and conditions of the insurance contract

The insured may have difficulty in deciding the limit of indemnity that is appropriate for liability exposures

Purchase of Insurance needs to consider

Cost → insurance premium

Coverage → policies limitations

Capacity → the capacity the insurance company is willing to offer in relation to the value of the assets/exposure that need to be insured

Capabilities → loss control services and assistance with business continuity planning in addition to the insurance

Claims

Compliance → national basis? Regional?; timely issuance

Business Continuity

Business Continuity Standards

Key Activities in BCP

Assess company activities to identify critical staff, materials, procedures and equipment required to keep the business operating.

Identify suppliers, shippers, resources and other businesses that are contacted on a daily basis.

Plan what to do if any important buildings, plant or store were to become inaccessible.

Identify necessary actions to ensure continuity of critical business functions, especially payroll.

Decide who should participate in compiling and subsequently testing the emergency plans.

Define crisis management procedures and individual responsibilities for disaster recovery activities.

Co-ordinate with others, including neighbours, utility suppliers, suppliers, shippers and key customers.

Review the emergency plans annually and when the business changes and/or new members of staff are recruited.

The BCP should be

Comprehensive

Cost-effective

Practical

Effective

Maintained

Practised

Business Impact Analysis

A critical part of ensuring that adequate business continuity plans and disaster recovery plans are in place

Purpose

Determine whether the likely impact is within the risk appetite of the organization as the basis for business continuity strategy

Risk Strategy

Core Business Processes

Dynamic Business Models

Strategy and Tactics

Effective and Efficient Operations

Ensuring Compliance

Reporting Performance

Components of The Business Model

Risk Management and The Business Model

Reputation and Corporate Governance

CSR and Risk Management

Supply Chain and Ethical Trading

Importance of Reputation

Risk Management Context

Risk Architecture

Risk Management Strategy

Risk Management Protocols

Risk Management Manual

Risk Management Documentation

Risk Management Responsibilities

Allocation of Responsibilities

Range of Responsibilities

Statutory Responsibilities of Management

Role of The Risk Manager

Risk Architecture in Practice

Risk Committees

Control of Selected Hazard Risks

Cost of Risk Controls

Learning from Controls

Control of Financial Risks

Control of Infrastructure Risks

Control of Reputational Risk

Control of Marketplace Risks

Risk Culture

Risk-aware Culture

Styles of Risk Management

Compliance management → based on fulfilling obligations such as health and safety (1970s)

Hazard management → ‘total cost of risk’ approach developed by insurance world (1980s)

Control management → based on the internal control approach of internal auditors (1990s)

Opportunity management → interface between risk management and strategic planning (2000s)

Risk Culture

Culture: determines how an individual feels obliged to behave in all circumstances

Characterized by

Communication founded on mutual trust

Shared perception of the importance of risk management

Sharing of confidence in the selected control measures

Commitment to adhering to the established risk control procedures

LILAC

Leadership

Involvement

Learning

Accountability

Communication

Alignment

Risk management activities with the risk architecture

Strategy and protocol with the core business processes

Importance of Risk Appetite

Nature

Risk appetite → immediate or short-term willingness of an organization to undertake an activity that involves risk

Statements

High risk appetite → The college accepts opportunities that have an inherently high risk that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance or high potential risk of injury to staff and students

Moderate risk appetite → The college is willing to accept risks that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory non-compliance, potential risk of injury to staff and students

Modest risk appetite → The college is willing to accept some risks in certain circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance, potential risk of injury to staff and students

Low risk appetite → The college is not willing to accept risks in circumstances that may result in reputation damage, financial loss or exposure, major breakdown in IT systems, significant incidents of regulatory noncompliance, potential risk of injury to staff and students

Risk Training and Communication

Consistent response of risk

Risk Training

When a manager is newly appointed or has been given new or additional responsibilities

When an individual member of staff has been given a new role and/or procedures have been updated

Following a recent incident or loss at the organization or at a competitor’s premises or location

On a refresher basis → legal requirement in certain circumstances

Risk Practitioner Competencies

Range of Skills

Technical Skills

Soft Skills

Communication Skills

Relationship Skills

Analytical Skills

Management Skills

RMIS - risk management information system

Corporate governance arrangements and reports

Disaster recovery plans and responsibilities

Business continuity plans and responsibilities

Risk improvement plans and implementation

Risk management action plans (risk register)

Insurance policy coverage and other information

Historical loss/claims experience/information

Insurance claims handling and management protocols

Insurance values and cost of risk data

Emergency contact arrangements and contact details

Risk profile data, values and information

Risk management policy and protocols

Shared Vocabulary

Risk Information & Communication

Be prepared to answer questions and agree to provide further information if it is not currently available

Develop key messages that are clear, concise and to the point, with no more than three messages communicated at any one time

Be cautious when putting risks in perspective, although comparing an unfamiliar risk with a familiar one can be helpful

Deal with uncertainty and discuss situations where not all information is available and indicate what can be done to overcome these problems

Communicate clearly and honestly, taking account of the level of understanding of the audience

Be objective in the information provided and differentiate between opinions and facts

Simplify the language and presentation, although not the content if complex issues need to be communicated

Know the stakeholders, by identifying both external and internal stakeholders and finding out their interests and concerns

RISK GOVERNANCE

Corporate Governance Model

Purpose

facilitate accountability and responsibility for effective and efficient performance and ethical behavior

Approaches

Comply or Explain → the organization should comply with the requirements OR explain why it was not appropriate

Full Compliance → detailed requirements; detailed compliance is expected and exceptions are not acceptable

Committees

Risk management committee

Audit committee

Disclosures committee

Nominations committee

Remuneration committee

OECD Principles of Corporate Governance

Effective corporate governance framework

Rights and equitable treatment of shareholders

Institutional investors, stock markets and other intermediaries

Role of stakeholders in corporate governance

Disclosure and transparency

Responsibilities of the board

Corporate Governance for a Government Agency

Nolan Principles of Public Life

Selflessness

Integrity

Objectivity

Accountability

Openness

Honesty

Leadership

Evaluation Board Members

Membership and structure

Purpose and intent

Involvement and accountability

Monitoring and review

Performance and impact

Stakeholder Expectations

CSFSRS (Range of Stakeholders)

Customers

Staff

Financiers

Suppliers

Regulators

Society

Stakeholder Dialogue

General

A clear statement of strategy and vision

Corporate profile and principal markets

Financial Data

Annual report and financial statements

Archived financial information for the past three years

Corporate Governance and CSR

Information related to compliance with Combined Code

Information on the company CSR policies

Shareholder Information

Shareholder analysis by size and constituent

Information on directors’ share dealings

Relevant News

Access to all news releases and presentations

Developments that might affect the share value

Stakeholders and Core Processes

Stakeholders and Strategy

Stakeholders and Tactics

Stakeholders and Operations

Operational Risk Management

Basel II Types of Risk

Internal fraud, including misappropriation of assets, tax evasion and bribery

External fraud including theft, hacking and forgery

Employment practices and workplace safety

Clients, projects and business practices

Damage to physical assets

Business interruption and systems failures

Execution, delivery and process management

Basel II ORM Principles

The board is responsible for establishing the operational risk strategy

Senior management is responsible for implementing the operational risk strategy

Information, communication and escalation flows must be established.

Operational risks inherent in activities, processes, systems and products should be identified

Processes necessary for assessing operational risk should be established

Systems should be implemented to monitor operational risk exposures and loss events

Policies, processes and procedures to control or mitigate operational risks should be in place

Supervisors should require banks to have an effective system to identify, measure, monitor and control operational risk

Supervisors should conduct regular independent evaluations of these principles

Sufficient public disclosure should be made to allow stakeholders to assess the operational risk exposure and the quality of operational risk management

Project Risk Management

Respond to Project's Uncertainty

Accept the risk or uncertainty;

Adapt activities and procedures;

Adopt contingency plans and responses;

Avoid the risk or uncertainty

To be successful

Making risk management part of the project

Identifying risks early in the project

Communicating about risks

Considering both threats and opportunities

Clarifying ownership issues

Prioritizing risks

Analysing risks

Planning and implementing risk responses

Registering project risks

Tracking risks and associated tasks

Project Risk Analysis and Management (PRAM)

Benefit

Feasibility

Sanction

Tendering

Post-tender

During implementation

Supply Chain Management

Scope

strategic partnerships

joint ventures

support services

outsourcing of facilities management activities

Strategic Partnership

Joint Ventures

Outsourcing of Operations

Risk and Contracts

Level of the risk associated with the contracted service

Value of the contract for supply of goods or services

Duration and scope of the contract

Level of skill required in the delivery of the contracted services

Critical nature of the goods or services that are being contracted

Risk Assurance

The Control Environment

Nature of Internal Control

Concerned with → methods, procedures and checks that are in place to ensure that a business or organization meets its objectives

Goals

maintenance of reliable systems;

timely preparation of reliable information;

safeguarding of assets;

optimum use of resources;

preventing and detecting fraud and error.

Control Environment

Commitment

Shared ethical values should be established, communicated and practised.

HR policies should be consistent with ethical values.

Authority, responsibility and accountability should be clearly defined.

Mutual trust should be fostered to support the flow of information

Capability

People should have the necessary knowledge, skills and tools.

Communication processes should support the values of the organization.

Sufficient and relevant information should be identified and communicated.

Decisions and actions within the organization should be coordinated.

Control activities should be designed as an integral part of the organization.

Monitoring and learning

Environment should be monitored to re-evaluate controls.

Performance should be monitored against the targets.

Assumptions behind objectives should be periodically challenged.

Information needs and related information systems should be reassessed.

Procedures should be established to ensure appropriate actions occur.

Management should periodically assess the effectiveness of control.

CoCo Framework of Internal Control

Purpose → concerned with the establishment and communication of objectives, the significant internal and external risks faced by the organization and the policies designed to support achievement of the organization’s objectives

Commitment → concerned with shared ethical values, including integrity. It is also concerned with human resource policies and practices and communication throughout the organization.

Capability → concerned with the fact that people should have the necessary knowledge and skills to support the organization’s objectives, as well as its values

Monitoring and learning → concerned with external and internal environments and the fact that they should be monitored to obtain information

Internal Audit Activities

Scope of Internal Audit

methods, procedures and checks that are in place to ensure that a business organization meets its objectives

Undertaking an Internal Audit

Planning

Fieldwork

Audit Report

Follow-up

Risk Management and Internal Audit

Three lines of defence

Ideas

management has primary responsibility for the management of risk;

specialist risk management functions can assist management in developing an approach to fulfilling their responsibilities;

the internal audit function checks that the risk management process and the risk management framework are effective and efficient.

Management Responsibilities

Internal Audit Activities

giving assurance on risk management processes

giving assurance that risks are correctly evaluated

evaluating risk management processes

evaluating the reporting of key risks

reviewing the management of key risks

Risk Management Support

facilitating identification and evaluation of risks

coaching management in responding to risks

coordinating ERM activities

consolidated reporting on risks

maintaining and developing the ERM framework

championing establishment of ERM

developing RM strategy for board approval

Management Responsibilities

setting the risk appetite

imposing risk management processes

management assurance on risks

taking decisions on risk responses

implementing risk responses on behalf of management

accountability for risk management

Risk Assurance Techniques

Audit Committee

External Audit

recommend the appointment and re-appointment of external auditors

review the performance and cost-effectiveness of the external auditors

review the qualification, expertise and independence of external auditors

review and discuss any reports from the external auditors

Internal Audit

review internal audit and its relationship with external auditors

review and assess the annual internal audit plan

review promptly all reports from the internal auditors

review management response to the findings of the internal auditors

review activities, resources and effectiveness of internal audit

Financial Reporting

review the annual and half-year financial results

evaluate annual report against requirements of the governance code

review disclosure by CEO and CFO during certification of annual report

Regulatory Reports

review arrangements for producing the audited accounts

monitor and review standards of risk management and internal control

develop a code of ethics for CEO and other senior management roles

annually review the adequacy of the risk management processes

receive reports on litigation, financial commitments and other liabilities

receive reports of any issues raised by whistleblowing activities

Risk Assurance

Sources

Culture measurement

Audit reports

Unit reports

Performance of the unit

Unit documentation

Benefits of Risk Assurance

builds confidence with stakeholders;

provides reassurance to sponsors and financiers;

demonstrates good practice to regulators;

prevents financial and other surprises;

reduces the chances of damage to reputation;

encourages the risk culture within the organization;

allows more secure delegation of authority.

Reporting on Risk Management

Risk Reporting

Types of documents

risk management administration;

risk response and improvement plans;

event reports and recommendations;

risk performance and certification reports.

Risk Reporting by US Companies

Charities’ Risk Reporting

Public Sector Risk Reporting

Purpose

Plans should include measurable performance targets and indicators

Plans should be established and communicated.

Policies should be established, communicated and practised.

Significant internal and external risks should be identified and assessed.

Objectives should be established and communicated.

Risk Assessment of Business Model: identify options for improvements to customer offering and/or the business model

Successful: succeeds in gaining new customers and draws customers into a deeper relationship with the organization

Health and Safety

Employees

Customers

Environment

Suppliers

Community

Products/services

failure to comply with rules and regulations;

trading with undesirable overseas governments;

excessive payments to political parties;

tax evasion or dubious tax arrangements;

inappropriate criticism of competitors;

false allegations against competitors;

unethical alliances with competitors

Capabilities → Does the organization have a clear purpose or resolve, together with the commitment, vision, capabilities and resources to deliver that purpose?

Activities → Which sector and what activities does the organization undertake and does it have the financial resources and stability to support those activities?

Standards → What range of services or products does the organization offer and what are the standards of quality, delivery, support, execution, innovation and investment?

Ethics → Does the organization adhere to appropriate CSR, integrity, values and governance, and continuously monitor performance to learn and achieve improvements?

Embedded - Risk management activities need to be embedded within the organization.