Aarsh Enterprise Risk Management - 2

Operational Risk Management
Where do you STAND?
Cutting-edge risk solutions for emerging economies Confidential & Proprietary - Not for distribution
Committee of Sponsoring Organisations of the Treadway
Commission (COSO) - Background
COSO undertook a study in December 2001 and submitted its report in September 2004. Output
of the study was
A definition of risk and enterprise risk management
Concepts, categories, principles and other elements of a comprehensive risk management
framework.
Direction for companies and other organizations to use in determining how to enhance their
risk management.
Criteria for companies use in determining whether their risk management is effective, and if
not, what is needed.
Application techniques that link directly to the framework
COSO
Concluded that there was a need for a recognized framework despite an abundance of
literature on the subject.
Believes there is consensus that all organizations can benefit from improved risk identification
and risk analysis procedures.
Recognizes that many organizations are engaged in some aspects of enterprise risk
management.
Believes that this study will help identify all of the aspects that should be present and how they
can be coordinated.
COSO Enterprise Risk Management Framework has two documents
The Framework and
Application Guidance
COSO structure
COSO
COSO Advisory
Council
COMPANIES & OTHER OTHER

ORGANIZATIONS Consultants STAKEHOLDERS
Project Team
COSO member organizations Academia
Middle market companies Professional associations
Large companies Risk management professionals
Lawyers
Industry associations
Regulators
Not-for-profit, government
entities Other rule-makers
Definition and Rationale of Enterprise Risk Management
(ERM)
Enterprise Risk Management definition by COSO:2004
A process, effected by an entitys board of directors, management and other

personnel, applied in strategy setting and across the enterprise, designed to
identify potential events that may affect the entity, and manage risk to be within its
risk appetite, to provide reasonable assurance regarding the achievement of entity
objectives.
Rationale for implementing Enterprise Risk Management

Every entity, whether for-profit or not, exists to realize value for its
stakeholders.
Value is created, preserved, or eroded by management decisions in all
activities, from setting strategy to operating the enterprise day-to-day.
ERM supports value creation by enabling management to:
Deal effectively with potential future events that create uncertainty.
Respond in a manner that reduces the likelihood of downside outcomes
and increases the upside
Drivers of Enterprise Risk Management
Stakeholders Results Expected
Investors/Creditors/Policyholders Value creation juxtaposed to solvency
Environment What new risks should we be pricing now?
Regulator Requires ERM at consolidated level
Insurance company regulators - Require legal entity specific regulation
International regulators Require both legal entity and holding
company
Rating agencies Require ERM frameworks
Board of directors Attunement to firm-wide risks
Management Requirement of common language to drive
results
The ERM Framework
Entity objectives can be viewed in the context of four categories:
Strategic
Operations
Reporting
Compliance
ERM considers activities at all
levels of the organization:
Enterprise-level
Division or subsidiary
Business unit processes
Takes a portfolio / entity-level view of risks
Elements that characterise Enterprise Risk Management
ERM takes note of the interrelationships and interdependencies among risks
It improves ability to manage risks within and across business units
Improves organisations capacity to identify and seize opportunities inherent in
future events
Considers risk in the formulation of strategy
Applies risk management at every level and unit of an entity
Takes a portfolio view of risks throughout the enterprise- presents an
opportunity to set-off risks moving in opposite directions against each other
Components of ERM 1/4
Internal Environment Component
Establishes a philosophy regarding risk management. It recognizes that
unexpected as well as expected events may occur.
Establishes the entitys risk culture.
Considers all other aspects of how the organizations actions may affect its risk
culture including allocation of authority, ethics and values, and human resources
Objective Setting
Is applied when management considers risks strategy in the setting of
objectives
Forms the risk appetite of the entity a high-level view of how much risk
management and the board are willing to accept
Risk tolerance, the acceptable level of variation around objectives, is aligned
with risk appetite
Event Identification
Involves identifying those incidents, occurring internally or externally, that could affect
strategy and achievement of objectives
Addresses how internal and external factors combine and interact to influence the risk
profile
Differentiates risks and opportunities
Events that may have a negative impact represent risks
Events that may have a positive impact represent natural offsets (opportunities), which
management channels back to strategy setting
Risk Assessment
Allows an entity to understand the extent to which potential events might impact
objectives
Assesses risks from two perspectives likelihood and impact
The unit of measure assess risks should be the same or congruent to measure used for
related objectives
Employs a combination of both qualitative and quantitative risk assessment
methodologies
Time horizons are related to objective time horizons
Assesses risk on both an inherent and residual basis
Risk Response
Identifies and evaluates possible responses to risk
Evaluates options in relation to entitys risk appetite, cost vs. benefit of potential
risk responses and degree to which a response will reduce impact and/or
likelihood
Assessment of and response to risks are integral components of ERM; which
specific response is selected is not
Selects and executes its response based on evaluation of the portfolio of risks
and responses
Control Activities
Control activities are the policies and procedures that help ensure that the risk
responses, as well as other entity directives, are carried out
Occur throughout the organization, at all levels and in all functions
Includes application controls and general information technology controls
Information and Communication
Information is needed at all levels of an entity in identifying, assessing, and
responding to risk
Management identifies, captures and communicates pertinent information in a
form and timeframe that enables people to carry out their responsibilities
Communication occurs in a broader sense, flowing down, across and up the
organization
Monitoring
Monitors the ongoing effectiveness of the other enterprise risk management
components through:
Ongoing monitoring activities
Separate evaluations
A combination of the two
Roles and Responsibilities
The Board of Directors is responsible for overseeing managements design and
operation of ERM
Management is responsible for the design of an entity's enterprise risk
management framework
Risk officers work with managers in establishing and maintaining effective risk
management
Internal auditors contribute to the ongoing effectiveness of the enterprise risk
management
Key Concepts In The Enterprise Risk Management
Framework
Events and risks
Applying risk management in strategy setting
Risk appetite and risk tolerance
Portfolio view
Events and Risk
Event is an incident or occurrence that could affect the implementation of
strategy or achievement of objectives.
Distinguishes risk and opportunity
Events that may have a negative impact represent risks.
Events that may have a positive impact represent natural offsets or,
opportunities, which management channels back to strategy setting.
Risk is the possibility that an event will occur and adversely affect the
achievement of objectives.
Applied in Strategy Setting
Information and Communication
Monitors the ongoing effectiveness of the other enterprise risk management

components through:
Enterprise risk management is applied in strategy setting, in which
management considers risks relative to alternative strategies.
For instance, a university seeks to offer high-quality educational
opportunities to students within the state, nation and worldwide.
Strategy A: Focus predominantly on campus delivery model
Strategy B: Focus more on off-campus sites
Strategy C: Develop new interactive distance education
Strategy D: Develop a mix of the above.
What additional risks levels or types of risks will arise with each choice?
Managing Risks Within Risk Appetite
Management forms a risk appetite at the entity level.
Risk appetite is a high-level view of how much risk management and the board
are willing to accept.
Risk appetite is encompassed in policy, guidelines and procedures.
For many, appetite is considered in relation to growth and return goals.
Three Related Aspects Capacity, Appetite and Limits*
Capacity is the maximum amount of risk that can be supported by the Company,
Capacity expressed as an aggregate capital amount
Risk Capacity is determined considering the following:
Available capital
Ability to raise capital
Earnings strength and stability, including planned growth in capital
Amount of risk that the Company is willing to take, given available risk capacity, risk
Appetite preferences and strategic business objectives
Risk Appetite serves as an overall guide to resource and capital allocation
Business strategy to be aligned with risk appetite
Assist in operationalizing Risk Appetite and serve to effectively control risks within the
Downstream context of our overall risk appetite
Limits
Expressed in specific metrics appropriate for a given risk
Shall reflect enterprise risk preferences and align to support strategic plans and
capital allocation
To be set at a level which may be periodically tested (i.e., limits should be established
at levels that may be exceeded at times of stress)
Relating Mission, Objectives, Appetite and Tolerance
Mission
To be the leading producer of premium household products in the regions in which we operate
Strategic Strategy Risk Appetite

Objectives Expand production of our top- Accepts that the company
To be in the top five selling retail products will consume large amounts
quartile of product of capital investing in new
sales for retailers of assets, people and process
our products Accepts that competition
could increase (e.g. through
Related Objectives
predatory pricing, etc) as we
Increase production of Unit X by
15% in the next 12 months seek to increase market
Increase new staff by 200 (net) share, thereby reducing
across all manufacturing divisions profit margins
Maintain product quality of 4.0 Does not accept erosion of
sigma product quality
Measures
Units of Production
Measures Number of staff hired
Market Share Product quality by sigma
Risk Tolerances
Measure Target Tolerances Acceptable Range
Market share 25 Percentile 23% 30%
Units of production 150,000 units +10,000 / - 7,500
Number of staff hired (net) 200 staff + 20 / - 15
Product quality index 4.0 sigma 4.0 4.5 sigma
Taking A Portfolio View
Enterprise risk Company level risk appetite
usually expressed as Earnings Enterprise Level Risk Appetite
management requires at Risk or Risk Adjusted Return (Earnings at Risk)
an entity to take a on Capital Employed
portfolio view of risk

Operational
Management considers Company level risk appetite is Credit Risk
Appetite
Market Risk
Appetite
Risk
Allocate Appetite
allocated to entity / function or Appetite
how individual risks sub-function level, typically
Feedback Limits
interrelate based on proportion of risk Profit Centres / Entities
(usually Value at Risk)
Management develops contribution of each entity /
a portfolio view from function
Entity A Entity B
two perspectives: Risk appetite is defined in terms

Company level of indicators at the lowest level.
Example of such indicators are Sub-function Sub function
Entity / function Contracts without signed A1 A2
level agreements (legal

uncertainty)
Funding ratio below 125% in Risk Appetite Risk Appetite
each maturity bucket Parameter 1 Parameter 2
(liquidity risk)
Examples of risk-related behaviours and grading
Examples of a risk appetite statement
Building an effective and robust ERM framework
An effective ERM framework can provide reasonable assurance that the
organizations strategic objectives can be achieved. Building an effective
framework requires a number of interrelated components including:
A strong risk governance structure Clear risk prioritisation and

A clearly articulated risk appetite coordination
A clear risk strategy aligned with Clear line of responsibility and
strategic objectives and key value accountability
drivers A strong compliance focus
A strong risk management culture and Continuous risk monitoring and
capability review
Ongoing review of the risk framework, Efficient and effective processes, with
tolerances, and settings appropriate tools and technology
A common risk language and criteria A commitment to continuous
improvement, training and learning
ERM Maturity Assessment
Risk Specific RM Governance Driven Change Driven Enterprise Wide
RM RM RM
Efficiency of Risk Management Process
Different type of processes RM is motivated by RM is associated RM is implicit in all

for different type of risk reporting with the management decisions
Risk categorization is High level risk of change RM processes are
largely consequence based assessment is stimulated RM is driven by integrated in all
There may be attempts at by a reporting performance based processes
some form of integrated requirements Standards RM is culturally
measurement RM measures varied Risk is seen as driven
Risk is seen as loss, harm according to types of risk uncertainty Risk is seen as
and detriment Risk is seen as events There is a uniform uncertainty
RM is closely linked to mostly with negative system for the RM is about gaining
insurance consequences analysis of all types strategic advantage
The terms Risk and There are some of risk
hazards and threats are inconsistent approaches
used interchangeably to managing different
types of risks
Stage 1 Stage 2 Stage 3 Stage 4
Degree of Integration of Risk Management

Comparison between ERM and ISO 31000 processes
ERM (COSO) ISO31000
1. Internal Environment 1. Establish the Context

2. Objective Setting 2. Identify Risks
3. Event Identification 3. Analyse Risks
4. Risk Assessment 4. Evaluate Risks
5. Risk Response 5. Treat Risks
6. Control Activities 6. Communicate and Consult
7. Information and 7. Monitor and Review
8. Monitoring
ISO 31000:2009 vs. ERM(COSO II)
ISO31000:2009 ERM (COSO II)
ISO 31000 fully complies with COSO COSO ERM typically applies to large
ERM firms and / or financial services firms
ISO 31000 is practical Difficult to implement
Easy to apply (less than 30 pages) Focus on negative risk at corporate
Applicable to organisations in all level, often very confusing when apply
industries, large or small at operational level
More clearly written and terms are
explicitly defined
Wider acceptance as reference for risk
management in existing and future
standards
No need to redesign existing
management system to apply
Apply to all levels of organisation for
any type of risk, both positive and
negative consequences
Beyond box ticking: A new era for risk governance*
In May 2009, the Economist Intelligence Unit (sponsored by KPMG and ACE)
surveyed 364 executives around the world across a range of regions and
industries on their approach to risk management and corporate governance
The key findings were:

1. Companies recognise the need for greater risk expertise but there is a
reluctance to recruit it in some areas
2. Financial constraints are hampering necessary investments in risk
management
3. Compliance, controls and monitoring are consuming a disproportionate
amount of time but risk managers real priorities lie elsewhere
4. More needs to be done to ensure that the right risk information is reaching
the right people
5. There is a window of opportunity for chief risk officers to take on a more
strategic role
*Source: Economist Intelligence Unit, May 2009 survey results
The key challenges to implementing risk management
Board/CEO support (or lack of it)
Inadequate understanding of responsibility/ accountability
Inability to measure risk
Missing link to corporate strategy
Process to add value
Lack of common risk language
Difficulties in management buy-in
Inadequate investment in technology
Common Excuses for NOT doing Risk Management
We have no risk
The program is too small to do risk management
Making risks public performance and maturity will kill the program
The customer goes ballistic whenever he/she hears of a potential problem
We deal with problems as they arise
Identifying risks is bad for my career
Risk management creates more work for me
How can you predict what will happen from now
We plan to start implementing risk management next year
Why ERM Implementation Fails?
Allowing too much complacency
Failing to create a powerful coalition
Underestimating power of vision
Under-communicating vision
Permitting obstacles to block vision
Failing to create short term wins
Declaring victory too soon
Neglecting to anchor changes in culture
RISK MANAGEMENT TOOLS
Risk identification tools
An Organisation faces Three
Categories of Risks
The Known Risks The Known Unknown Risks The Unknown

Unknowns
Work System Analysis

Brainstorming
Pathway Analysis Analysis of the
Past Data
HAZOPS past + scenario
Checklists
FMEA analysis
Thinking Prompts
HACCP
Brainstorming
Brainstorming involves stimulating and encouraging free flowing conversation
amongst a group of knowledgeable people
Purpose - to identify potential failure modes and associated risks, criteria for
decisions and/or options for treatment.
True brainstorming involves particular techniques to try to ensure that people's
imagination is triggered by the thoughts and statements of others in the group.
Brainstorming can be used in conjunction with other risk assessment methods
or stand alone
Normal facilitated process is as follows:
Objectives of the session are defined and rules explained.
The idea is to collect as many diverse ideas as possible for later analysis.
There is no discussion at this point about whether things should or should
not be in a list or what is meant by particular statements because this tends
to inhibit free flowing thought.
All input is accepted and none is criticised and the group moves on quickly
to allow ideas to trigger lateral thinking.
Past Data
Risk can be identified from past records such as:
Financial statements
Process Incidents statistics
Non-compliance or complaints
Project debriefing reports
Where a loss occurs relatively frequently within

Applicability
organisation or industry wide
Strength A good way of identifying known common failures
Rare but severe events may be ignored because it

Weakness
has not happened before within the organisation
Checklists
Listing typical uncertainties which need to be
considered
Process Users refer to a previously developed list, codes or
standards and review whether items on the checklist
are present
When there is a large experience of risk which
Applicability demonstrates that the same problems repeat
It is applied to check that everything has been covered
May be used by non experts

Strength Combine wide ranging expertise for easy to use
Help ensure common problems are not forgotten
Tend to inhibit imagination
Address only known knowns risks
Limitation
Encourage tick the box behaviour
Tend to miss problems not readily seen
Thinking Prompts
List of topics or reminders which help establish a
train of thought in identifying risks in an imaginative
Process way, for example:
Project/activity objectives and critical resources
needed to achieve these objectives
Risk categories such as financial, reputation, safety
Thinking prompts encourage imagination more than
Applicability most checklists so are appropriate when there is
more variation in the things which occur than can be
included in a checklist.
May be used by non experts, easy to use
Strength
Help ensure key issues are not overlooked
Address mainly known knowns risks

Limitation
Tend to miss problems not readily seen
Work system analysis
Work to be performed is separated into tasks and sub tasks to form a structure
for identifying risks, for each task think about
The environment in which it operates
Objective of the step and what could go wrong and what are opportunities
Sources of risk
Human errors
Equipment failure
Existing controls and how they could fail
Pathway Analysis
Undesirable Event = Risk
Barriers failed = Control Failure
Chemical Barriers may be at Target

e.g. Chemical spills into source, pathway, target: environment
waterway e.g. Chemical treatment, and wildlife
Regulation over use of
chemical
Multiple Sources and Pathways
Barriers placed in either

pathway can prevent Barriers along each pathway
explosion can prevent escalation and the
consequences
Hazard and Operability
Separate process into components
Process Define what the component is supposed to do
Define operating conditions
Use Hazop key words to see how performance or conditions
could vary from design intent
HAZOP developed by chemical and processing industry to
Applicability identify safety /operational problems of new plant
Can be applied to any process
Provides effective systematic means to examine a system,
Strength process or procedure
It generates solutions and risk treatment action
It involves a multidisciplinary team
Very time consuming

Limitation Hazop does not identify all risks (outside the process) or apply to
all circumstances
Focus on finding solutions vs. challenging outcomes
Failure Modes and Effects Analysis
Consider each component individually
Process Analyse how it might fail
What would be the result if it fails
Would it matter if the component fails
Look at safety, performance & operability, and ask What
would happen if this component failed?
FMEA traditionally used for equipment failure
Applicability FMEA is similar to Hazop - FMEA considers where a
component can fail vs. Hazop which considers how the
intended result may not be achieved
Identify component fault modes, causes and effects
Strength Identify problems early in the design process
Identify single point failure modes
Can identify only single failure modes
Limitation Can be time consuming and costly
Can be difficult and tedious for complex systems
Example of a FMEA application
ITEM COMPONENT FAILURE MODES FAILURE EFFECT FAILURE DETECTION
1 Valve Valve mechanism jammed close Low flow of A Flow meter line A
Motor which operates valve fails Low flow of A Warning lights
to start
Motor operating valve fails to High flow of A Warning lights
stop
Valve does not shut off due to Explosion of A resulting in Low flow meter reading
spring breakage injury
Valve leaks when closed Unwanted flow of A Direct observation
Failure Specific Cause Effect of Failure

Likeliness Detectability Severity of Risk
Mode of Failure of Failure Failure Priority
Valve does Spring broke Explosion resulting in 3 5 10 150
not shut off preventing valve property damage
from closing and/or serious injury
Likelihood of Failure: 1-10 with 10 representing most likely
Detectability of Failure: 1-10 with 10 representing most difficult
Severity of Failure: 1-10 with 10 representing most severe
Risk Priority = (Likeliness of Failure) X ( Detectability of Failure) X
(Severity of Failure)
Hazard Analysis And Critical Control Point (HACCP)
Identify hazards
Identify Critical Control Points step, or procedure in a process at
Process which control can be applied
Identify Control Point Conditions
Define monitoring, record keeping, corrective actions and
verification procedures to remain in control
Used by organisations operating anywhere within the food chain to
control risks from physical, chemical or biological contaminants of
Applicability food. Also extended for use in manufacture of pharmaceuticals
and medical devices
Structured process for quality control / identifying and reducing risks
Strength Focus on how and where hazards can be prevented
Encourage risk control throughout the process
Involves identification of hazards, risks, controls as inputs to the
Limitation process to specify critical control points and control parameters
Actioned when control parameters exceed defined limits - may
miss gradual changes
Example of HACCP application
CRITICAL CONTROL SOURCE OF CONTROL CONTROL MONITORING
POINTS RISK PARAMETER MECHANISM
(Food Manufacturing)
Receipt of ingredients Biological Correct Temperature under 4 Alarm in

contamination refrigeration degree celcius refrigerator when
temperature temperature over 4
degree
Storage of ingredients Biological Storage time Less than 24 hours Red flag for
contamination prior to use ingredients stored
over 24 hours
Mixing Biological Temperature of Temperature under 4 Alarm in mixing
contamination mixing degree celcius room when
temperature over 4
degree
Cooking Biological Time and Cooking at 100 degree System report for
contamination temperature of for 5 minutes deviation from
cooking cooking time and
temperature
Packing Biological Time between Packing within 5 Alarm when
contamination cooking and minutes after cooked packing time
packaging exceed 5 minutes
General Model for Identifying Risks
conditions
actions
actions of people or equipment decisions
What could go wrong? How would we know?

General Model for Identifying Risks - Methodology
Divide the process or project into steps
For each step identify required inputs, actions and outputs ie the things that
should be there
Seek things that can cause deviations to inputs, actions and outputs. List these
as risks ie an event or deviation and its consequences
This will produce one set of risks. Continue as follows:
List the required outputs of the step
Consider how those outputs may not be achieved list these as risks (ie
events and the effect on outputs).
The generic model can be applied to most processes or projects. It can also
be used in a positive sense to identify opportunities
Example Failure of Required Inputs
PROJECT INPUTS REQUIRED ACTIONS EVENTS OUTCOMES RECOMMEN
STEPS CONDITIONS DATION
Dig trenches Digger Digger not Delay in Choose

for cable machine available completion reliable
contractor
Digger machine Cost of with good
fails digger maintenance
repairs process
Fine weather Rain Delay Exclude

Rain causes weather
slippery surface Injuries related
people fell delays from
Trench collapse penalty
Time cost clause
Employ Choice of Delay or Recruit own
contractors contractor not incompetent staff
available contractor
Scenario Analysis
Scenario analysis can be used to assist in making policy decisions
Process and planning future strategies as well as to consider existing
activities.
Scenario analysis consists of defining a simplified model of a real
system and using the model to consider what might happen given
Applicability various possible future developments. Sets of scenarios reflecting
best case, worst case and expected case may be used to identify
what might happen under particular circumstances and analyse
potential consequences and their likelihood for each scenario
It takes account of a range of possible futures rather than focus

Strength on the use of historical data
Where there is a high uncertainty some of the scenarios may be

Limitation unrealistic
Data may not be available to develop realistic scenario
Risk Analysis What to Measure?
Normally involves estimation of range of possible consequences and their
associated likelihoods in order to measure risk
Level of risk should be expressed in suitable terms for the type of risk and to
aid evaluation. In some instances risk can be expressed as a probability
distribution across a range of consequences
Taking a single consequence and its likelihood as required in the matrix is an
approximation to the level of risk
One must either take maximum consequences and their likelihood or most
likely consequences and their likelihood really is the sum of all consequences
and their likelihoods
Risk Analysis
Human error Fault trees Event Trees and Scenario Consequence
Analysis Casual Analysis modelling
Organisational analysis
analysis Detect events and reduce Respond and recover
Consequences
Individual and Source of risk Loss to people

Response
organisational Cause of events Risk Assets,
Recovery
motivators/drivers Hazards Reputation etc
Remove underlying Reduce/eliminate Prevent Event Protect targets Contingency plans

causes sources of Recovery plans
Detect Event Insert Barriers Rehabilitation
risk/hazards
Detect early damage
Limit consequences
Share risk
Return to
preconditions occurrence consequence
normal
Consequence Likelihood Matrix
The consequence likelihood matrix is a means of combining qualitative or
semi-quantitative ratings of consequence and likelihood to produce a level of
risk or risk rating
A consequence likelihood matrix is used to rank risks, sources of risk or risk
treatments on the basis of the level of risk
It is commonly used as a screening tool to define which risks need further more
detailed analysis or which risks need treatment first, or which risks need not be
considered further at this time
The consequence scale should cover the range of different types of
consequence to be considered (for example financial loss, safety, environment
or other parameters depending on context)
The lowest likelihood must be acceptable for the highest defined consequence
otherwise all activities with the highest consequence are defined as intolerable
Many risk events may have a range of outcomes with different associated
likelihood. It is appropriate to focus on the most serious outcome, or to rank
both common problems and unlikely catastrophes as separate risks
Conduct Risk Analysis
Key Objectives Risk Risk Cause Likelihood Consequenc Risk Rating
Process Outcome (1-5) e (1-25)
(1-5)
Critical path What the The outcomes The event Probability or Outcome or Risk rating or
for a system process try to of the process that cause frequency of impact of an risk score is the
life cycle. achieved? that we do not or lead to an event to event. There product of
Key What are the want to the occur. Can be can be more multiplying the
functions key success happen. They undesirable expressed than one likelihood level
that help a criteria for the are indicators risk qualitatively or consequence with the
system process of a process outcomes. quantitatively from an consequence
achieves its failure event, can be level. It helps to
mission positive or determine the
negative, level of risk
qualitative or whether it is
quantitative low, medium,
high or very
high
Sample Impact Ranking
Level Descriptor Description/Impact
1 Insignificant Low financial loss, no injuries
2 Minor Medium financial loss, first aid treatment, on-site release

immediately contained
3 Moderate High financial loss, medical treatment required, on-site

release contained with outside assistance
4 Major Major financial loss, extensive injuries, loss of production

capability, off-site release with no detrimental effects
5 Catastrophic Huge financial loss, death, toxic release off-site with

detrimental effect
Sample Likelihood Ranking
Level Probability Description
1 Rare May occur only in exceptional circumstances

(e.g. once in 10 years)
2 Unlikely Could occur at some time (e.g. once in 5 years)
3 Possible Might occur at some time (e.g. once a year)
4 Likely Will probably occur in most circumstances (e.g.

monthly)
5 Almost Certain Is expected to occur in most circumstances (e.g.

daily)
Sample Risk Analysis Matrix
Likelihood Consequences
Insignificant Minor Moderate Major Catastrophic
1 2 3 4 5
A (5) H H E E E
(Almost Certain)
B (4) M H H E E
(Likely)
C (3) L M H E E
(Moderate)
D (2) L L M H E
(Unlikely)
E (1) L L M H H
(Rare)
E: Extreme Risk, Immediate Action Required

H: High Risk, Senior Management Attention Needed
M: Moderate Risk, Management Responsibility Must be Specified
L: Low Risk, Manage by Routine Procedures
EVENT TREE ANALYSIS (ETA)
Applicability ETA can be used at any stage in the lifecycle of a product or process.
Used qualitatively or quantitatively to help understand potential
scenarios and sequences of events following an initiating event
Analyse how outcomes are affected by various treatments, barriers or
controls intended to mitigate unwanted outcomes
Select an initiating event

List as headings for functions or systems which are in place to mitigate
outcomes in sequence.
Process For each function draw a line to represent their success or failure.
There can be only 2 branches for each function (yes it will happen or no
it wont).
Estimate the probability of success or failure for each branch.
The frequency of the outcome is the product of the individual
probabilities and the frequency of the initiation event
Example of an Event Tree
Initial event Alternative Immediate No modification Outcome Probability
supplier supply needed
No delay 0.252
Yes 0.9
Yes 0.7
Delay for
No 0.1 modification 0.026
Yes 0.4
Delay for
Yes 0.9 supply 0.108
Supplier No 0.3
fails to No 0.1
deliver Very late 0.012
No 0.6
Cannot 0.600
complete
1.000
Root Cause Analysis
Involves analysis of a major loss to prevent its reoccurrence

RCA is focused on asset losses due to various types of
Applicability failures
Attempts to identify the root or original causes instead of
dealing only with the immediately obvious symptoms
For accident investigations and occupational health & safety

In technological systems related to reliability & maintenance
Process Quality control for industrial manufacturing
On business processes
In change management, risk management and systems
analysis
Root Cause Analysis - Example
Lost High Speed Data Stream From
Satellite (Mission Failure)
Thrusters Oriented Poor Satellite Failed Technician Used Wrong

Space Craft Line of To Deploy Method to Correct
Sight Antenna
Didnt Perceive Didnt Understand Correct Correct Decision

System System Feedback Interpretation But
Feedback Incorrect Decision Incorrect Action
Perception Error Interpretation Error Decision-Making Error Action-Execution Error
Knowledge-Based Rule-Based Skill-Based

Error Error Error
Root Cause Analysis another example
Maximum
Objective profitability
Necessary Conditions
Dominant market
(Success Criteria)
share
Customer Leading edge
satisfaction technology
World class
communication World class
customer support Innovation
systems/products
Speed of
development
and/or response
High quality High quality, secure,
hardware, software satisfied workforce
Highly competent Fulfillment of

associates individual needs
Example of a Fault Tree
The fault tree below demonstrates the causes of the problem of a projector
failure during a lecture
Projector
Lamp Outage
Head Event OR (Any one of the events below
Top Event causes the one above)
Unresolved Accidental Wiring Failure

Power Lamp Failure
outage Shutdown
Base Event
No
Lamp Trip and
spare Operator Internal External
Failure unplug
lamp error
AND (All of the events below needed to cause events

above)
Ishikawa Fishbone Diagram - Example
Control Inventory
Inventory Update
No Clear
Every 12 hours
Understanding
Scope Definition Real time inventory
No Clear deadlines Separate Systems
Wrong Estimates Separate Systems for

Sales & Supplier
Project Delay
No backup for Critical Managed Systems
Resources
Inadequate Resources Different Suppliers
Communication Lack of Standards
No Communication Time and Format of

plan Systems different
Resources Benchmarking
Ishikawa Fishbone Diagram Another Example
People Process
Lack of standard HR
protocols
The stigma of Declining Lack of attention and
Public Health - interest in Rise in popularity of
focus
care for the hard sciences computer science
indigent
Diversion No formal training program on Lack of integrated
General lack of the job infrastructure
of awareness attention
to other
priorities
Workforce
Lack of marketing of shortage
the PHL and its stories 50 unique personnel systems
Lack of identification Lack of HR procedures

Elimination of formal and publication of best
education tracks Chasm practices
between public
Draconian budget cuts and private Lack of policies to address
sectors rapidly changing skill
requirements
Systems Non supportive political Procedures
administration
Bow Tie Analysis - focuses on the barriers to threats
Light Projector
Failure Lecture proceeds
Preventative
Setup error maintenance
Lecturer
Training Fixes
Power cut
Ventilation Projector Lecture delayed
Failure
Back up Hard
projector copy
Preventative
Globe failure maintenance
Training
Accidentally Design Tape down cable Lecture Cancelled

unplug
Risk source/Cause Controls Risk Event Controls Consequences
Decision tree analysis
A decision tree is similar to an event tree but rather than considering only
chance events, both events and decisions are included in the analysis.
Decision nodes an a decision tree are indicated by rectangles and chance
events by circles. Below is a decision tree whether to proceed with a
development project.
$23m
High demand $55m $43m
0.55 Medium $33m $21m
Low demand $15m $3m
-$2m
0
Organising for Risk Management The Three Lines of Defense*
Three Lines of Defence Framework
1st line 2nd line 3rd line
of defense of defense of defense
Business Risk Internal audit
Business line managers Formulate high-level policies, Assurance of the
have primary responsibility limits, risk appetite overall
for day to day risk Provide oversight, challenge effectiveness of
management.. and support to optimise the internal controls
..and bear the consequences risk/reward trade-off
of losses In the case of products, ensure
In the case of products, adherence to relevant pricing
responsible for appropriate and product design
design and pricing requirements
Alignment between risks taken and the Group risk appetite

*Source:ING presentation, Feb-11
Cutting-edge risk solutions for emerging economies

A typical organisation structure
Integrated Risk Management framework guides risk-taking activities
to align with client needs, shareholder expectations and regulatory requirements
Board of Directors
Board Risk Review Committee Board Audit Committee
CEO
1st Line of Defence 2nd Line of Defence
Operating Groups Operating Group CROs CRO Risk Management
Own Risks Associated with Business Activities Policies Measurement Limits Monitor
Balance Sheet Risk Management Reputation Risk

Management Committee Committee Management Committee
Liquidity,
Funding, Trading and Credit and
Operational Reputation Business
and Underwriting Counterparty
Risk Risk Risk Trading Products Risk Capital Management Operational Risk
Structural Market Risk Risk
Market Risk Committee Committee Committee
3rd Line of Defence Corporate Audit and Compliance
Cutting-edge risk solutions for emerging economies

Aarsh Enterprise Risk Management - 2

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Aarsh Enterprise Risk Management - 2

Uploaded by

Copyright:

Available Formats

Operational Risk Management

Where do you STAND?

COMPANIES & OTHER OTHER

A process, effected by an entitys board of directors, management and other

Rationale for implementing Enterprise Risk Management

Monitors the ongoing effectiveness of the other enterprise risk management

Strategic Strategy Risk Appetite

portfolio view of risk

two perspectives: Risk appetite is defined in terms

level agreements (legal

A strong risk governance structure Clear risk prioritisation and

Different type of processes RM is motivated by RM is associated RM is implicit in all

Stage 1 Stage 2 Stage 3 Stage 4

Degree of Integration of Risk Management

1. Internal Environment 1. Establish the Context

The key findings were:

*Source: Economist Intelligence Unit, May 2009 survey results

The Known Risks The Known Unknown Risks The Unknown

Work System Analysis

Where a loss occurs relatively frequently within

Strength A good way of identifying known common failures

Rare but severe events may be ignored because it

May be used by non experts

Address mainly known knowns risks

Undesirable Event = Risk

Barriers failed = Control Failure

Chemical Barriers may be at Target

Barriers placed in either

Very time consuming

Failure Specific Cause Effect of Failure

Receipt of ingredients Biological Correct Temperature under 4 Alarm in

What could go wrong? How would we know?

Dig trenches Digger Digger not Delay in Choose

Fine weather Rain Delay Exclude

It takes account of a range of possible futures rather than focus

Where there is a high uncertainty some of the scenarios may be

Individual and Source of risk Loss to people

Remove underlying Reduce/eliminate Prevent Event Protect targets Contingency plans

Level Descriptor Description/Impact

1 Insignificant Low financial loss, no injuries

2 Minor Medium financial loss, first aid treatment, on-site release

3 Moderate High financial loss, medical treatment required, on-site

4 Major Major financial loss, extensive injuries, loss of production

5 Catastrophic Huge financial loss, death, toxic release off-site with

Level Probability Description

1 Rare May occur only in exceptional circumstances

2 Unlikely Could occur at some time (e.g. once in 5 years)

3 Possible Might occur at some time (e.g. once a year)

4 Likely Will probably occur in most circumstances (e.g.

5 Almost Certain Is expected to occur in most circumstances (e.g.

E: Extreme Risk, Immediate Action Required

Select an initiating event

Involves analysis of a major loss to prevent its reoccurrence

For accident investigations and occupational health & safety

Thrusters Oriented Poor Satellite Failed Technician Used Wrong

Didnt Perceive Didnt Understand Correct Correct Decision

Knowledge-Based Rule-Based Skill-Based

Highly competent Fulfillment of

Unresolved Accidental Wiring Failure

AND (All of the events below needed to cause events

Scope Definition Real time inventory

No Clear deadlines Separate Systems

Wrong Estimates Separate Systems for