4. Risk Management Process


RISK MANAGEMENT PROCESS ▒

07/23/2020
▒ COVERAGE
• Risk Management Process

• Communication and Consultation

• Establishing the Context

• Risk Assessment

• Risk Treatment

• Monitoring and Review


▒ RISK MANAGEMENT PROCESS
• The risk management process is the systematic application of management
policies, procedures and practices to the activities of communication,
consulting, establishing the context, and identifying, analyzing, evaluating,
treating and reviewing risk (ISO 31000).

▒ COMMUNICATION AND CONSULTATION
• Communication and consultation is the continual
and iterative process that an organization
conducts to provide, share or obtain information
and to engage in dialogue with stakeholders
regarding the management of risk.

– The information can relate to the existence,
nature, form, likelihood, significance,
evaluation, acceptability and treatment of the
management of risk.

▒ COMMUNICATION AND CONSULTATION
– Consultation is a two-way process of informed
communication between an organization and its
stakeholders on an issue prior to making a
decision or determining a direction on that
issue. Consultation is:
• A process which impacts on a decision
through influence rather than power; and

• An input to decision making, not joint
decision making.

▒ COMMUNICATION AND CONSULTATION
• Communication and consultation with external
and internal stakeholders should take place
during all stages of the risk management
process.

• Plans for communication and consultation
should be developed at an early stage to
address issues relating to the risk itself, its
causes, its consequences (if known), and measures
taken to treat it.

▒ COMMUNICATION AND CONSULTATION

• Effective external and internal communication
should take place to ensure that those
accountable for implementing the risk
management process and stakeholders
understand the basis on which decisions are
made, and the reasons why particular actions
are required.

▒ COMMUNICATION AND CONSULTATION
• A consultative team approach plays the crucial role:
– Helps establish the context appropriately;

– Ensures that the interests of stakeholders are
understood;

– Helps ensure that risks are adequately identified;

– Brings different areas of expertise together for
analyzing risks;

▒ COMMUNICATION AND CONSULTATION
• A consultative team approach plays the crucial role:
– Ensures that different views are appropriately considered
when defining risk criteria and in evaluating risk;

– Secures endorsement and support for treatment plan;

– Enhances appropriate change management during the
risk management process; and

– Develops an appropriate external and internal
communication and consultation plan.

▒ COMMUNICATION AND CONSULTATION
• Communication and consultation with
stakeholders is important as they make
judgments about risk based on their perceptions
of risk.

• Perceptions of risk can vary due to differences in
values, needs, assumptions, concepts, and
concerns of stakeholders.

▒ COMMUNICATION AND CONSULTATION
• Stakeholders’ views can have a significant impact
on the decisions made; therefore, stakeholders’
perceptions should be identified, recorded, and
taken into account in the decision making
process.

• Communication and consultation should be
truthful, relevant, accurate and understandable.
It should take into account confidential and
personal integrity aspects.

▒ COMMUNICATION AND CONSULTATION
• Stakeholders need:

– Right information in appropriate and timely
manner

– To understand the basis on which decisions are
made

– Be secured that there is adequately considered

▒ COMMUNICATION AND CONSULTATION
• Activities of the Communication and Consultation
may consist of:
– Creating risk management policy

– Creating risk management procedure manual/guide

– Creating risk management performance indicators for
assessing and communicating risk management maturity

– Communicating the benefits of risk management to
stakeholders

▒ COMMUNICATION AND CONSULTATION
• Activities of the Communication and Consultation
may consist of:

– Communicating accountabilities and responsibilities for
managing risk throughout the organization

– Communicating how risk management will be
embedded in all of the organization’s practices and processes

– Establishing internal and external communication
mechanisms

▒ COMMUNICATION AND CONSULTATION
• Internal Risk Communication and Reporting
–Risk Management Policy, and Risk Management Guide

–Risk Management Plan

–Risk Management Report

–Risk Management Reporting Responsibilities

–Risk Escalation
▒ COMMUNICATION AND CONSULTATION
• Internal Risk Communication and Reporting
–Risk Communication and Awareness Programs
• Risk Management Workshops

• Risk Management Committee Meetings

• Risk Management Feedback Meetings

• In-house Seminars and Trainings

• Risk Management Newsletter

• Internal Emails
▒ COMMUNICATION AND CONSULTATION
• External Risk Communication and
Reporting
–Disclosure _Risk Management Report

–Risk Communication and Awareness Programs


• Risk Management Newsletter

• Annual General Meeting (AGM)

• Crisis Communication

How is risk management communicated in
your organization?

▒ESTABLISHING THE CONTEXT

• Establishing the context is concerned with
gaining an understanding of the
background of the business as a whole,
and the specific activity, process, or
project forming the subject of the risk
management study. It provides the basic
foundation for everything that follows.

▒ESTABLISHING THE CONTEXT
• It is defining the external and internal parameters to
be taken into account when managing risk, and
setting the scope and risk criteria for the risk
management policy

• External context refers to the external environment in
which the organization seeks to achieve its objectives

• Internal context refers to the internal environment in
which the organization seeks to achieve its objectives

▒ESTABLISHING THE CONTEXT
• Establishing the context input requirements:
– The Strategic Plan

– The Annual Risk Management Plan for the past three
years

– The most recent Internal and External Audits.

– Procedure Manuals

– Projects feasibility studies

▒ESTABLISHING THE CONTEXT
• Establishing the context input requirements:
– Cash flow projections of the current financial year
and the corresponding performance reports
including ratio analysis for liquidity assessment.

– Risk Management Reports for the past three
years.

– Reports of reviewed policies including reports for
compliance with Laws, Regulations, and Policies.

▒ESTABLISHING THE CONTEXT
• Establishing the external context
–Ensures that the objectives and concerns of
the external stakeholders are considered
when developing risk criteria.

–It is based on the organization-wide context,
but with specific details of legal and regulatory
requirements, stakeholder perceptions and
other aspects of risks specific to the scope of
the risk management process

▒ESTABLISHING THE CONTEXT
• Establishing the external context
– The external context can include:
• The social and cultural, political, legal,
regulatory, financial, technological, economic,
natural and competitive environment, whether
international, national, regional, or local

• Key drivers and trends having impact on the
objectives of the organization

• Relationships with, and perceptions and values of,
external stakeholders.

▒ESTABLISHING THE CONTEXT
• Establishing the internal context
–Internal context is anything within the
organization that can influence the way in
which an organization will manage risk.

–It is necessary to establish internal context
because:
• Risk management takes place in the
context of the objectives of the
organization;

▒ESTABLISHING THE CONTEXT
• Establishing the internal context
– It is necessary to establish internal context
because…:
• Objectives and criteria of a particular project,
process or activity should be considered in the
light of objectives of the organization as a whole;
and

• Some organizations fail to recognize opportunities
to achieve their strategic, project or business
objectives, and this affects ongoing organizational
commitment, credibility, trust, and value

▒ESTABLISHING THE CONTEXT
• Establishing the internal context
–Internal context can include:
• Governance, organization structure, roles and
accountabilities;

• Policies, objectives, and the strategies that are in place to
achieve them;

• Capabilities, understood in terms of resources and
knowledge (e.g. capital, time, people, processes, systems,
and technologies);

▒ESTABLISHING THE CONTEXT
• Establishing the internal context
– Internal context can include…:
• The relationships with and perceptions and values of internal
stakeholders;

• Information systems, information flow, and decision making
process (both formal and informal)

• Standards, guidelines and models adopted by the
organization; and

• Form and context of contractual relationships.

▒ESTABLISHING THE CONTEXT
• Establishing the context tools and techniques:
– Financial Analysis Tools

– Risk Management Process Diagnostic

– SWOT Analysis

– PEST Analysis

– Stakeholders Analysis

– Industrial Analysis
▒ESTABLISHING THE CONTEXT
• Financial Analysis Tools
– Financial ratios are used to examine different aspects of
financial position and performance and are widely used
for planning, control and evaluation process.

– Financial ratios relevant to the subject of risk
management study should be calculated and
interpreted as appropriate.

– For the enterprise level the most relevant ratios include
investment ratios, liquidity ratios, and expense ratios.

▒ESTABLISHING THE CONTEXT
• Risk Management Process Diagnostic
– Reviews the following areas critical to effective risk management
process:
• Senior Management support, ownership, and leadership on risk
management.

• Communication of risk management policies and the benefits of
effective management to all staff.

• Existence and adoption of a framework for management of risk that is
transparent and repeatable.

• Existence of organizational culture which supports well-thought-through
risk taking and innovation.

▒ESTABLISHING THE CONTEXT
• Risk Management Process Diagnostic
– Reviews the following areas critical to effective risk
management process:
• Management of risk fully embedded in management processes and
consistently applied.

• Management of risk closely linked to achievement of objectives.

• Risk associated with working with other organizations explicitly
assessed and managed.

• Risks actively monitored and regularly reviewed on a constructive
"no-blame" basis.

▒ESTABLISHING THE CONTEXT
• Using Management Models _ SWOT Analysis

▒ESTABLISHING THE CONTEXT
–SWOT ANALYSIS FOR ACC

▒ESTABLISHING THE CONTEXT
• Using Management Models_PEST Analysis
–Political
Political changes can affect both the cost and
demand. Issues to consider are:
• Fiscal Policy(Government Income and Expenditure):
– Income taxes may influence consumers spending attitude
– Corporate taxes charged on profit may affect the level of profit
and return to shareholders
– VAT may affect cost of products and services
– Monetary policy and Regulations can have dramatic impact on
the business environment including higher administrative
expenses
– Education and training have a long-term impact on business’s
ability to recruit suitably qualified staff

▒ESTABLISHING THE CONTEXT
• Using Management Models_PEST Analysis
–Economic
Changes in economic factors can affect the income
and expenditure position of the organization. The
following factors should be considered:
• Business cycle: identify sectors that are more susceptible
to the impact of business cycles
• Employment levels: high level of employment drives the
aggregate demand.
• Inflation: high inflation affects administrative expenses.
• Level of interest rates: High interest rates increase the
cost of capital and may affect business’s ability to expand.

▒ESTABLISHING THE CONTEXT
• Using Management Models_PEST Analysis
–Social
Globalization has changed the speed at which
social and demographic change can be expected
to increase. The following factors should be
considered:
• Population growth: population growth affects both the
revenue and expenditure.
• Age structure: Age structure drives business dynamics
• Social and cultural shifting: Norms and values may
influence attitude towards certain products and
services.
▒ESTABLISHING THE CONTEXT
• Using Management Models_PEST Analysis
–Technological
Changes in technology can have a rapid and
dramatic impact on the economy. Issues to
consider include:
• Level of research and development by competitors: this
will provide an indication of whether any changes in
technology-driven service delivery should be
anticipated
• Rate of adoption of new technology
• Service delivery method; how might technology be
utilized to improve service delivery
▒ESTABLISHING THE CONTEXT
• Stakeholders Analysis

▒ESTABLISHING THE CONTEXT
• Stakeholders Matrix

▒ESTABLISHING THE CONTEXT
• Industrial Analysis
– Perform Industrial Analysis and Organizational
market position using the Porter’s Five Forces Model
to identify whether:
• Other organizations are strong competitors in the industry.
• There exist substitutes for the services and products
offered by the organization.
• The suppliers of materials and technology required to
deliver the required services and products can influence
the expected results.
• The existing and potential customers/buyers have powers
that may influence key decisions.
• There is a threat of other organizations entering the industry.

▒ESTABLISHING THE CONTEXT
• Industrial Analysis _ Michael Porter’s Five Forces Model

▒ESTABLISHING THE CONTEXT
• Establishing the context of the risk management process
– The objectives, strategies, scope and parameters of the activities
of the organization, or those parts of the organization where the
risk management process is being applied should be established

– The management of risk should be undertaken with full
consideration of the need to justify the resources used in
carrying out risk management.

– The resources required, responsibilities and authorities, and the
records to be kept should also be established to demonstrate
transparency and build credibility.

▒ESTABLISHING THE CONTEXT
• Establishing the context of the risk management
process
– The context of risk management process can include:
• Defining the goals and objectives of the risk management
process;
• Defining responsibilities for and within the risk
management process;
• Defining the scope, as well as the depth and breadth of
the risk management activities to be carried out, including
specific inclusions and exclusions;
• Defining the activity, process, function, project, product,
service, or asset in terms of time and location;
▒ESTABLISHING THE CONTEXT
• Establishing the context of the risk management
process
– The context of risk management process can include…:
• Defining the relationships between a particular project,
process or activity and other projects, processes or activities
of the organization;
• Defining the risk assessment methodologies;
• Defining the way performance and effectiveness is
evaluated in the management of risk;
• Identifying and specifying the decisions that have to be
made; and
• Identifying, scoping or framing studies needed, their extent
and objectives, and the resources required for such studies.
▒ESTABLISHING THE CONTEXT
• Defining Risk Criteria
–Risk criteria refer to the terms of reference against
which the significance of a risk is evaluated
–Risk criteria are based on organizational
objectives, and external and internal context
–Risk criteria can be derived from standards, laws,
policies and other requirements
–Risk criteria should be consistent with the
organization’s risk management policy, be defined
at the beginning of any risk management process
and continually reviewed.

▒ESTABLISHING THE CONTEXT
• Defining Risk Criteria
– Defining the risk criteria should include the following
factors:
• The nature and types of causes and consequences that can
occur and how they will be measured;
• How likelihood will be defined;
• The timeframe(s) of the likelihood and/or consequence(s);
• How the level of risk is to be determined;
• The views of stakeholders;
• The level at which risk becomes acceptable or tolerable; and
• Whether combinations of multiple risks should be taken into
account and if so how and which combinations should be
considered.
▒ESTABLISHING THE CONTEXT
• Defining Risk Criteria-Combined Risk
Assessment Matrix(RAM)

▒ESTABLISHING THE CONTEXT
• ACC _ Risk Assessment Matrix(RAM)

▒RISK ASSESSMENT
• Risk assessment is the overall process of risk
identification, risk analysis, and risk evaluation
–Risk identification is the process of finding, recognizing
and describing risks.

–Risk analysis is the process to comprehend the nature
of risk and to determine the level of risk

–Risk evaluation is the process of comparing the results
of risk analysis with risk criteria to determine whether
the risk and/or its magnitude is acceptable.

▒RISK ASSESSMENT
• The purpose of risk assessment is to provide
information to make informed decisions through:
– Comparing the risk and impact upon objectives
– Providing information for decision makers
– Contributing to the understanding of risks
– Identifying weak links in systems and organizations
– Comparing risks in alternative approaches
– Assisting with establishing priorities
– Contributing towards incident prevention
– Selecting different forms of risk treatment
– Meeting regulatory requirements

▒RISK IDENTIFICATION
• It involves the identification of risk sources, events,
their causes and their potential consequences

• It can involve historical data, theoretical analysis,
informed and expert opinions, and stakeholders’
needs

• The aim of risk identification is to generate a
comprehensive list of risks based on those events
that might create, enhance, prevent, degrade,
accelerate or delay the achievement of objectives.

▒RISK IDENTIFICATION
• Risk identification input requirements:
– Business analysis report which is the group of findings
established from establishing the context.
– Underlying assumptions concerning the outcome of
future events of the organization. Assumptions include
such issues as size of the market, competitors' behaviour,
potential changes in the market (such as regulations, tax
issues, customer needs and demand), availability of
resources etc.
– Uncertain events relating to known events, which are
certain to occur, but their magnitude is unclear.
– Lessons learnt from completed activities or projects, and
other incidents that have occurred.

▒RISK IDENTIFICATION
• Risk identification tools and techniques
–Bow Tie
–Risk Checklist
–Flow charts
–Risk Questionnaire
–Brainstorming
–Structured or semi-structured interviews
–Structured What If (SWIFT)
–Cause and effect analysis
–Issue based risk identification

▒RISK IDENTIFICATION
• Factors influencing choice of techniques:
– Availability of resources
• Constraint on time, degree of expertise, human, financial
and other resources needed

– Availability of information
• Quality, quantity, integrity, accuracy, reliability, consistency,
data history, capacity to collect etc

– Complexity
• Complexity of risks, of the techniques, of the system,
dependencies etc.

▒RISK IDENTIFICATION
• Issue-based risk identification
– How significant a threat do the following risks pose to your organization’s
business operations today?
• Reputation risk (e.g. events that undermine public trust in your
products/services)
• IT network risk (e.g. IT systems/software, network security, etc.)
• Foreign exchange risk (risk that exchange may worsen)
• Human capital risks (e.g. skills shortages, succession issues, loss of staff)
• Regulatory risk (problems caused by new or existing regulations)
• Country risk (problems of operating in a particular location)
• Credit risk (risk of bad debt)
• Market risk (risk that the market value of asset will fall)
• Political risk (danger of change of government)
• Financing risk (difficulty raising finance)
• Terrorism
• Crime and physical security
• Natural hazard risk (e.g. hurricanes, earthquakes, floods, etc.)

▒RISK IDENTIFICATION
Describing a risk

▒RISK IDENTIFICATION
• Examples of risk description

▒RISK IDENTIFICATION
QUIZ: RISK IDENTIFICATION

▒RISK ANALYSIS

• It is the process to comprehend the nature
of risk and to determine the level of risk.

• It provides the basis for risk evaluation and
decisions about risk treatment

▒RISK ANALYSIS

• It provides the judgment of the likelihood
of the risks and opportunities occurring
and their impact, should they materialize

• It provides the order of pain and gain for
each risk and opportunity respectively

• It includes risk estimation

▒RISK ANALYSIS
• Risk analysis input requirements:
The main input material required for Risk
Analysis is the Risk Register which is the
output from the risk identification process.

▒RISK ANALYSIS
• Risk Analysis – tools and techniques
–Structured What If (SWIFT)

–Consequence/probability matrix (mostly used)

–Root cause analysis

–Cause and effect analysis

–Decision tree

▒RISK EVALUATION

• The process of comparing the results of
risk analysis with risk criteria to
determine whether the risk and/or its
magnitude is acceptable or tolerable

• It assists in the decision about risk
treatment

▒RISK EVALUATION: Risk Universe

▒RISK EVALUATION: Risk tolerance and Risk
appetite

▒RISK EVALUATION
• Risk evaluation tools and techniques:
– Expected Monetary Value (EMV)

– Probability tree

– Utility theory and functions

– Decision tree analysis

– Investment appraisal

– Sensitivity analysis
▒RISK EVALUATION
Factors affecting aggressiveness to risk

▒RISK EVALUATION
• Risk evaluation outputs:
–List of risks that will be accepted as they are;
–List of risks that deserve further treatment
–List of risks that need escalation to
management

▒RISK ASSESSMENT OUTPUT
• Risk Register

▒RISK TREATMENT
• Risk treatment involves selecting one or more
options for modifying risks, and
implementing those options.

• Risk treatment involves a cyclical process of:
–Assessing a risk treatment;
–Deciding whether residual risk levels are tolerable;
–If not tolerable, generating a new risk treatment;
and
–Assessing the effectiveness of that treatment

▒RISK TREATMENT
• Risk treatment options can include:
– Avoiding the risk by deciding not to start or continue
with the activity that gives rise to risk (Terminate)

– Taking or increasing the risk in order to pursue an
opportunity (Taking)

– Removing the risk source (Terminate)

– Changing the likelihood (Transform)

▒RISK TREATMENT
• Risk treatment options can include:
–Changing the consequences (Transform)

–Sharing the risk with another party or
parties (including contracts and risk financing) -
Transfer

–Retaining the risk by informed decision (Tolerate)

▒RISK TREATMENT
• Selection of risk treatment options
–Selecting the most appropriate treatment
option involves balancing the costs and
efforts of implementation against the benefit
derived, with regard to legal, regulatory, and
other requirements such as social responsibility
and the protection of the natural environment.

–Consider the values and perceptions of
stakeholders and the most appropriate ways to
communicate with them

▒RISK TREATMENT
• Selection of risk treatment options
–Where risk treatment options can impact on
risk elsewhere in the organization or with
stakeholders, these should be involved in the
decision

–Risk treatment itself can introduce risk. A
significant risk can be the failure or
ineffectiveness of the risk treatment.

▒RISK TREATMENT
• Preparing and implementing Risk Treatment
Plans
–The purpose of Risk Treatment Plans is to
document how the chosen treatment options will
be implemented

–The information provided in the treatment plan
should include:
• Reasons for selection of treatment options, including
expected benefits to be gained;

▒RISK TREATMENT
• Preparing and implementing Risk Treatment
Plans
–The information provided in the treatment plan
should include:
• Proposed actions;
• Resource requirements including
contingencies;
• Performance measures and constraints;
• Reporting and monitoring requirements;
• Responsibilities and accountabilities; and
• Timing and schedule.
▒RISK TREATMENT
• Risk Response options for downside risks

▒RISK TREATMENT
• Guidance: Hazard Risks

▒RISK TREATMENT
• Risk Response options for Upside risks

▒RISK TREATMENT
• Strategies for Upside risks

▒RISK TREATMENT
• Risk Treatment Plan

▒MONITORING AND REVIEW
• Both monitoring and review should be a
planned part of the risk management process and
involve regular checking or surveillance, either
periodic or ad hoc

• Responsibilities for monitoring and review
should be clearly defined under the risk
governance

▒MONITORING AND REVIEW
• The purpose of Monitoring and review is:
– to ensure that controls are effective and efficient in
both design and operations;
– to obtain further information to improve risk
assessment;
– to analyze and learn lessons from events (including
near misses), changes, trends, successes, and failures;
– to detect changes in the external context, including
changes to risk criteria and the risk itself which can
require revision of risk treatments and priorities; and
– to identify emerging risks

▒MONITORING AND REVIEW
• Monitoring and review activities
– Reacting to early warning indicators to forewarn
Management of the need to make risk management
interventions.

– Registering changes in the details of the risk and
opportunities already captured on the risk register.

– Recording emerging risks and opportunities, lessons
learnt and changes in the internal and external context.

▒MONITORING AND REVIEW
• Monitoring and review activities
– Reviewing whether the risk owners and control
owners are implementing the responses for which
they are responsible.

– Reporting on the success or otherwise of the risk
and opportunity management actions
implemented to date, the need for additional
response actions and the changes in the overall
risk exposure profile.

▒MONITORING AND REVIEW
• Monitoring and review tools and techniques:
– Execution of risk response actions

– Monitoring

– Controlling

– Reporting
▒MONITORING AND REVIEW
• Execution of risk response actions
– Risk response actions should be executed as
planned.

– Unless the planned actions to respond to the
risks and opportunities identified are executed
as planned, the time, effort, and energy
expended in the treatment planning process
will largely be wasted.

▒MONITORING AND REVIEW
• Execution of risk response actions
– To ensure that planned response actions are
executed, Risk Owners and Control Owners
should accomplish the following key roles for
execution of treatment plans: -
• sign an attestation statement by a set date to kick
start the implementation process;

• plan for resources and include in their annual
action plans those activities in the Risk Statement
that address risk and opportunities;

▒MONITORING AND REVIEW
• Execution of risk response actions
– To ensure that planned response actions are executed,
Risk Owners and Control Owners should accomplish the
following key roles for execution of treatment plans: -
• translate the high level guidelines in the Risk Register and Risk
Statement into tasks and assign responsibilities to staff within
their departments;

• incorporate the responsibilities to execute risk response actions
with the performance measures of the individual staff within the
department; and

• maintain risk and control information as guided by the office of
Chief Risk Officer.

▒MONITORING AND REVIEW
• Monitoring
– This refers to tracking of progress and effectiveness of
risk management actions to determine the movement
in risk exposure. It involves continual checking,
supervising, critical observations of the status in order
to identify change from the performance level
required or expected. Monitoring must be embedded
into business processes by Risk and Control Owners
and it must therefore be a part of corporate culture.

 
▒MONITORING AND REVIEW
• Monitoring
– Data collected from the Key Risk Indicators, and Key
Control Indicators will help draw Management
attention to the level of effectiveness of risk
management and whether changes are necessary. It
is the primary responsibility of Risk Owners and
Control Owners to maintain the required data and
share the information with the Office of Chief Risk
Officer.

▒MONITORING AND REVIEW
• Monitoring
– Monitoring activities should include an understanding of
whether: -
• People with responsibility to monitor risks and
implement controls are working together successfully;

• Adopted risk response and control actions are still valid in
the operating environment;

• Activities and functions which attract reputation risk and
represented;

▒MONITORING AND REVIEW
• Monitoring
– Monitoring activities should include an understanding of whether: -
• New risks and opportunities are being identified across the business
processes;

• The emergence of changes in legislation and compliance are
identified;

• The risk register and statement are reviewed and updated regularly;
and

• Risk management is providing the expected contribution.

▒MONITORING AND REVIEW
• Controlling
– Control activities make use of information
obtained from monitoring to make informed
decisions. Controlling means understanding who
needs what information for what purpose.

– Controls should be designed to intervene and
address the situation based on the information
obtained during monitoring.

▒MONITORING AND REVIEW
• Controlling
– Controls must satisfy the following specifications:
• Controls must be economical: The less effort to gain
control of the process, the better the control
design. The fewer controls required, the more
effective they will be.

• Controls must be meaningful: Controls should be
focused on those risks that will have the greatest
impact.

▒MONITORING AND REVIEW
• Controlling
– Controls must satisfy the following specifications:
• Controls have to be appropriate to the character and
nature of the phenomenon measured: The controls
must give the right information for effective action.

• Measurements have to be congruent with the event
measured: It is important to think what kind of
measurement is appropriate to the event being
measured.

▒MONITORING AND REVIEW
• Controlling
– Controls must satisfy the following specifications:
• Controls have to be timely: The time dimension of control
has to correspond to the time span of the event measured.

• Controls need to be simple: Complicated controls do not work.

• Controls must be operational: Controls must focus on action
rather than information. They must not be constrained by
predetermined meeting dates. They must be flexible
enough to suit circumstances.

▒MONITORING AND REVIEW
• Risk reporting
– Progress in implementing risk treatment plans provides
performance measures

– The overall results can be incorporated into the
organization’s overall performance management,
measurement and external and internal reporting activities

– Results of monitoring and review should be recorded and
externally and internally reported as appropriate, and should
also be used as an input to the review of the risk
management framework

▒MONITORING AND REVIEW
• Risk reporting _Risk Profile
• The risk profile report provides a graphical
representation of the placement of key risks
on a heat map.

• The report provides a quick reference for
Board and Management as to the
organization's risk exposure.

▒MONITORING AND REVIEW
• Risk reporting _Risk Profile
• It helps to guide the allocation of resources
to treat those risks which pose the biggest
threat, both in terms of likelihood and
consequence.

• This report is a snapshot of the
organization's current organizational risk
profile.

▒MONITORING AND REVIEW
• Risk reporting _Risk Profile – Heat Map

▒MONITORING AND REVIEW
• Risk reporting _Risk Profile – KRI

▒MONITORING AND REVIEW
• Risk reporting
– Risk treatment actions implementation status
• The Risk Treatment Actions Report contains
a status update on progress against
approved risk treatment actions.

• People are more likely to deliver upon what
they are measured against.

▒MONITORING AND REVIEW
• Risk reporting
– Risk treatment actions implementation status
• Therefore this report increases
accountability for delivery against agreed risk
management actions.

• It also provides to the Board and
Management that risks are being treated as
anticipated.

▒MONITORING AND REVIEW
• Risk reporting
– Assurance of Key Risks
• The Assurance Coverage of Key Risks Report
indicates which risks have been covered by
assurance activities in the previous year and
which are proposed to be covered over the
coming year.

• This assurance can cover reviewing current
control existence and effectiveness, as well as
treatment action completion.

▒MONITORING AND REVIEW
• Risk reporting
– Assurance of Key Risks
• Gaining assurance around key risks provides an objective
review of self-assessed risk and control effectiveness
ratings.

• Sometimes perceptions about a given risk may be incorrect.

• This objective assessment of risks provides comfort that the
information, as contained in the risk register, is reflective of
the actual situation.

Thank You
