Paul Hopkin. Fundamentals of Risk Management

Подождите немного. Документ загружается.

84 Risk strategy

Table 8.4 Project risk register

Risk

index

Risk description Current level of risk Action to be taken

Likelihood Magnitude Overall

rating

1. Project management

arrangements unable

to deliver project.

High High High Clear project

management structure in

place, with executive team

established to oversee

project.

Smaller project team runs

project on day-to-day

basis with expert support,

as required.

Clear links between

various management

functions to ensure

co-ordinated approach.

2. Project resources

inadequate with

insufﬁ cient staff to

support project.

Medium Medium Medium Project management team

established with support

from other staff

departments, including

HR and Finance.

3. Project resources has

insufﬁ cient funds for

the necessary external

professional technical

advice.

Low High Medium Sufﬁ cient budget

identiﬁ ed to fund external

advice.

4. Project not

co-ordinated with

other developments

in organization.

Low Low Low Project management team

also oversees related

projects with cross-

representation on other

groups.

Finally, a risk register should be attached to a business plan as a record of the risks that could

impact the achievement of that business plan. Table 8.5 shows a partially completed simple

risk register in a format that could be attached to a business plan. Simple examples of the risks

that could result in the business plan not being achieved are set out in this illustration.

Risk management documentation 85

Table 8.5 Risk register attached to a business plan

Risk

index

Circumstance Assessment

and controls

Current level of risk Action and

assurance

Likelihood Magnitude Overall risk

1.1 Loss of grant

funding

• High Negotiations are

in hand and ﬁ nal

settlement ﬁ gure

should soon be

notiﬁ ed.

1.2 Job upgrade

costs

• Medium Provision has

been made in

reserves and any

additional costs

will be met from

existing budgets.

1.3 Overtime

claims

• Medium Heads of

department

should enforce

the rules

concerning

overtime

payments as a

result of job

upgrades.

1.4 Mileage

claims

• Low Heads of

department

should ensure

that only

essential journeys

are undertaken.

For example, a sports club may wish to record risks to reputation in the risk register. There

could be particular concerns regarding the reputation of the club, so that the board will require

a detailed evaluation of the reputational risks related to:

success on the pitch; •

legal compliance; •

supply of ethical goods at a fair price. •

86 Risk strategy

When considering reputational issues, the level of control that is required will be evaluated,

together with responsibility for managing the brand. The club will also make sure that existing

controls and any additional controls are described in a way that will ensure that implementa-

tion of the controls can be fully audited.

The board will probably wish to see the risk register on at least a quarterly basis and more fre-

quently if signiﬁ cant changes occur. This will ensure that the risk register remains a dynamic

document and is kept fully up to date. This will also ensure the necessary actions are taken and

reported to the board.

Risk management responsibilities

Allocation of responsibilities

Everybody working for the organization will need to be made aware of their risk management

responsibilities, as will contractors and suppliers. There are many professional people in large

organizations who have an understanding of risk and a substantial contribution to make to the

successful management of the priority signiﬁ cant risks. Unfortunately, there is not always a

common view of risk management or the issues that are important to the organization.

Ownership of core processes, key dependencies and risks is important, because it enables the

risk management and audit committees (see Chapter 4) to monitor actions and responsibili-

ties. This ownership is important for all risks, although the audit committee will only monitor

the priority signiﬁ cant risks.

Any confusion of responsibilities and reporting structure must be eliminated. There needs to

be clear statements of responsibilities for the following aspects of the management of each pri-

ority signiﬁ cant risk:

setting required risk standards; •

implementing risk standards; •

monitoring risk performance. •

A detailed set of responsibilities will ensure that the roles of risk owners, process owners, inter-

nal audit, risk manager, specialist risk management functions, members of staff, contractors

and outsourced operations as well as all others are clearly deﬁ

ned and understood.

Information on ownership of each priority signiﬁ

cant risk should be included in the risk reg-

ister. It is important that the activities of the risk manager, risk management committee, audit

committee, internal auditors and others do not reduce local ownership of signiﬁ cant risks.

Managers must see ownership of risks as integral to the management of core processes and

88 Risk strategy

business activities, not as a separate issue that is the responsibility of specialist professional risk

management and/or internal audit practitioners.

Risk management and internal audit

There needs to be a close working relationship between risk management and internal audit.

The responsibilities allocated to each of these functions will vary according to the nature, type

and size of the organization. This is an important working relationship, because successful

management of risk depends on four important risk-based outputs, which can be summarized

as CADE3:

Compliance with appropriate standards, laws and regulations; •

Assurance for the management team and other stakeholders; •

Decisions regarding strategy based on the best information available; •

Efﬁ

cient processes, Effective processes and Efﬁ cacious

strategy. •

It is clear that if these outputs are to be successfully delivered, all stakeholders need to work

together, and that includes co-operation between risk management and internal audit. The range

of activities that are related to risk management and internal audit are explored in a later Part of

this book. In particular, the important contribution made by internal audit and a range of activ-

ities that the internal audit department undertake is considered in more detail in Part 6.

Range of responsibilities

Table 9.1 sets out examples of the range of risk management responsibilities of line manage-

ment, the main functional departments and individual employees involved in risk manage-

ment. The risk management professionals involved will include the following individuals (at

least), depending on the size of the organization:

insurance risk manager; •

corporate treasurer; •

ﬁ nance

director; •

internal auditor; •

compliance manager; •

health, safety and environment manager; •

business continuity manager. •

Risk management responsibilities 89

Table 9.1 Risk management responsibilities

1. Main risk management responsibilities for the CEO:

Determine strategic approach to risk

•

Establish the structure for risk management •

Understand the most signiﬁ cant risks •

Consider the risk implications of poor decisions •

Manage the organization in a crisis •

2. Main RM responsibilities for the location manager:

Build risk-aware culture within the location

•

Agree risk management performance targets for the location •

Evaluate reports from employees on risk management matters •

Ensure implementation of risk improvement recommendations •

Identify and report changed circumstances/risks •

3. Main RM responsibilities for individual employees:

Understand, accept and implement RM processes

•

Report inefﬁ cient, unnecessary or unworkable controls •

Report loss events and near-miss incidents •

Co-operate with management on incident investigations •

Ensure that visitors and contractors comply with procedures •

4. Main risk management responsibilities for the risk manager:

Develop the risk management policy and keep it up to date

•

Facilitate a risk-aware culture within the organization •

Establish internal risk policies and structures •

Co-ordinate the risk management activities •

Compile risk information and prepare reports for the board •

5. Main RM responsibilities for specialist risk management functions:

Assist the company in establishing specialist risk policies

•

Develop specialist contingency and recovery plans •

Keep up to date with developments in the specialist area •

Support investigations of incidents and near misses •

Prepare detailed reports on specialist risks •

6. Main risk management responsibilities for internal audit manager:

Develop a risk-based internal audit programme

•

Audit the risk processes across the organization •

Provide assurance on the management of risk •

Support and help develop the risk management processes •

Report on the efﬁ ciency and effectiveness of internal controls •

90 Risk strategy

Externally, insurance brokers, insurance companies, accountancy ﬁ rms and external auditors

also have a contribution to make to the improved management of risk in their client organiza-

tions. It is important that risk management professionals work together. However, it is also

important that the beneﬁ ts of risk management are embedded into the core processes of the

organization.

There is a need to ensure that management of risks receives a sufﬁ ciently high proﬁ le. It will

normally be a board member who sponsors risk management awareness at the board and

presents risk management reports to it. Typically, the risk manager will report to that board

member, in the role of guardian of the risk architecture, strategy and protocols (GRASP).

One of the most important responsibilities to be allocated is that of ‘risk owner’. ISO Guide 73

deﬁ nes risk owner as ‘person with authority and accountability to make the decision to treat,

or not to treat a risk’. The guide also states that anyone who has accountability for an objective

also has accountability for the risks associated with the objective and the implementation of

the controls to manage those risks.

Statutory responsibilities of management

There has been a developing trend in many countries towards ensuring greater clarity in regard

to the obligations of company directors. The general duties of directors have developed in the

common law over many years in most countries. The Companies Act 2006 in the UK has con-

solidated the common law duties of directors and codiﬁ ed the general duties, as follows:

act in accordance with allocated responsibilities; •

act in accordance with the constitution of the company; •

promote the success of the company; •

exercise independent judgement; •

exercise reasonable care, skill and diligence; •

avoid/declare conﬂ

icts of interest; •

not accept beneﬁ

ts from third parties. •

The responsibilities of directors are important in relation to risk management and adequate

management of risk will assist in the successful fulﬁ

lment of these obligations. Risk manage-

ment is particularly important in promoting the success of the organization and exercising

reasonable care, skill and diligence. Directors of organizations need a good understanding of

risk management so that they will be in a better position to fulﬁ

l their statutory and other

duties.

Risk management responsibilities 91

Usually, board directors will be either executive directors or non-executive directors of the

organization. In certain organizations, such as charities and most government departments,

executive directors will meet separately as an ‘executive committee’ and the non-executive

directors will form a ‘board of governors’. Typically, executive directors will be full-time

employees of the organization with a speciﬁ c area of responsibility.

Non-executive directors have an important role to play in risk management within the organ-

ization. However, this role will normally be restricted to audit, assurance and compliance

activities. It may be inappropriate for non-executive directors to become involved in the man-

agement of the individual risks, because of the conﬂ ict with non-executive audit responsibili-

ties and because executive directors are in a better position to understand and deal with the

risks that the organization faces.

The box below provides an example of the role and expectations of non-executive directors.

In general, non-executive directors should not become directly involved in the day-to-day

management of the organization. In most cases, their role is to assist with the formation of

strategy and the monitoring of performance. Implementation of strategy is the responsibility

of executive directors.

Role of non-executive directors

The role of the non-executive director has the following speciﬁ c key elements:

Strategy – constructively challenge and help develop proposals on strategy. •

Performance – scrutinize the performance of management. •

Risk – challenge the integrity of the ﬁ nancial

information. •

Controls – seek assurance that ﬁ

nancial controls and systems of risk •

management are robust and defensible.

People – determine the appropriate level of remuneration for the executive •

directors and have a prime role in succession planning.

Conﬁ

dence – seek to establish and maintain conﬁ

dence in the conduct of the •

company.

Independence – be independent in judgement and promote openness and trust. •

Knowledge – be well informed about the company and the external •

environment in which it operates, with a strong command of relevant issues.

92 Risk strategy

Role of the risk manager

The typical historical role of the insurance risk manager is set out in Table 9.2. Historically, the

risk manager has been involved in assessing overall risk policy with endorsement from the

board. Decisions on insurance risk management issues and the provision of statistical analysis

of insurance losses have been part of these historical responsibilities.

The insurance risk manager needs to evaluate the current status of risk management and reﬂ ect

on the current state of the insurance market. Increases in insurance rates and a more sophisti-

cated approach to risk ﬁ nancing have affected the amount of insurance purchased by large

organizations. In many cases, there has been less insurance purchased and this has led to a

reduced premium spend and a lower budget for the insurance risk management department.

There is no single established reporting position in the structure of an organization for the risk

manager. At present, risk managers may report to human resources, the ﬁ nance director or

the company secretary. Sometimes, the risk manager is a report to the corporate treasurer and,

occasionally, the chief executive ofﬁ cer (CEO).

There is still a need for a risk management facilitator and co-ordinator in most large organiza-

tions. This will enable the organization to apply risk management tools and techniques to a

wider range of issues. Risks have historically been divided into insurable (pure) and non-

insurable (speculative) risks. From a business success perspective, these are artiﬁ cial divisions

between types of risks.

Table 9.2 Historical role of the insurance risk manager

1. To establish the risk management strategy for protecting company property and

people.

2. To co-ordinate the company insurance programme through the captive insurance

company.

3. To work with the manager of the captive to maximize the contribution made by the

captive insurance company.

4. To maintain key insurer relationships, monitor service providers and ensure

cost-effective placement of insurance contracts.

5. To measure and monitor cost of risk performance of the group and individual

group companies.

6. To ensure safe keeping and adequate retention of all insurance contracts and

agreements.

7. To supervise the co-ordination of service provider activities and place the group and

global insurances.

8. To co-ordinate the property survey programme, risk management procedures and

incentive schemes.

Risk management responsibilities 93

The risk manager should be responsible for the corporate learning that has to take place so

that the organization can understand the beneﬁ ts of risk management. As guardian of the risk

architecture, strategy and protocols (GRASP), the risk manager will be responsible for devel-

oping the strategy, systems and procedures by which the required risk management outcomes

for the organization are achieved.

Historically, the insurance risk manager has probably not been involved in the strategic man-

agement and development of the organization. The broader role now required of a risk

manager should lead to a greater involvement in project management and strategy formula-

tion and delivery. The risk manager who enjoys a broad range of responsibilities will have a

very challenging role within the organization. It will be a role that enables the risk manager to

obtain a better level of understanding and involvement than most other roles or functions

achieve.

Chief risk ofﬁ cer (CRO)

Perhaps, the title ‘Risk Manager’ has too many historical connections for it to be used as an

appropriate description of what is now required. There is a need to ﬁ nd a new title and re-

deﬁ ne the role of risk management at the same time.

Many organizations in the ﬁ nance and energy sectors have identiﬁ ed the beneﬁ ts of bringing

the management of credit, market and operational risks together. It has been the case for some

time in the ﬁ nance sector that risk management has been separate from the purchase of insur-

ance. The development of the role of chief risk ofﬁ cer (CRO) reporting directly to the CEO

reﬂ ects this fact.

Given that one of the key principles of risk management is that the approach to risk should be

proportionate to the level of risk faced by the organization, it is unlikely that the majority of

organizations will need to appoint someone of the seniority of a CRO. Nevertheless, organiza-

tions should, when reviewing their risk management architecture, decide the appropriate

range of responsibilities and level of seniority of the risk manager.

The introduction of the job title Chief Risk Ofﬁ cer (CRO) is not universal, but it is becoming

common in the specialist ﬁ nance and energy sectors. Guardian of the risk architecture, strat-

egy and protocols (GRASP) is a superior description of the role that must be fulﬁ lled.

The box below provides an overview of the developing role of the chief risk ofﬁ cer. For organ-

izations where it is proportionate for a CRO to be appointed, the contribution that can be

made by that individual will be substantial.