3. Why manage risks?
“A company's objectives, its internal organisation and the environment in which it operates
are continually evolving and as a result, the risks it faces are continually changing. A
sound system of internal control therefore depends on a thorough and regular evaluation
of the nature and extent of the risks to which the company is exposed. Since profits are,
in part, the reward for successful risk-taking in business, the purpose of internal control is
to help manage and control risk appropriately rather than to eliminate it.”
“The guidance is based on the adoption by a company's board of a risk-based approach to
establishing a sound system of internal control and reviewing its effectiveness. This
should be incorporated by the company within its normal management and governance
processes. It should not be treated as a separate exercise undertaken to meet regulatory
requirements.”
Turnbull Report, September 1999
4. The Evolution of Risk Management
Previously
• Historical risks only
• Expert management
• Statistical analysis
Now
• Non-traditional risks
• Causes of risk
• Organisation-wide involvement
• Senior management buy-in
• Risk indicators
5. Risk Governance Maturity
Immature
• Risk management is ad-hoc
• Individuals or small teams
• No corporate visibility
• Appetite & exposure unknown
• Risk data not used to drive strategy
Maturing
• Simplistic framework
• Departmental
• Limited corporate visibility
• Risk exposure may be inaccurate
• Mitigation plans may be used to identify priorities
Mature
• Flexible governance framework
• Whole of company
• Corporate visibility & control
• Risk appetite known & monitored
• Use of risk data to drive investments & priorities
6. Integrated risk management
Risk management must be a “whole of company” process
Requires board level buy-in to objectives and methods of risk management
Risks are controlled at the appropriate level within the business, by the most
appropriate people
Control & management of risks must be part of the normal business process – not an
add-on or afterthought
Risks must be balanced at the corporate level
Without risk co-ordination, perceived risks may be blown out of proportion
There must be mechanisms to escalate risks to the appropriate level.
The risk management system needs to support the risk process without being
intrusive
Intrusion usually results in non-use
Risk co-ordination & challenge processes become “big stick” exercises.
8. Line Xero: Company Overview
Formed in 1990 as an IT strategy consultancy
Provides IT Design Authority services to a number of FTSE-100
companies
Created XeroRisk as a product in 2004
Originally built for United Utilities
Strong take up in asset intensive & regulated businesses
Launched RiskTaker in 2008
Operates e-commerce web application facilities on behalf of
several Internet based businesses
9. Line Xero: RiskTaker Overview
Licensing
Easy & flexible licensing schemes
Web based purchasing process ensures no “down time”
Support
Dedicated RiskTaker support team – email, telephone and self-service portal options available
Maintenance
Clear roadmap – XeroRisk release + 1 month
Maintenance contract to cover support and new releases
10. RiskTaker: A risk management solution
Fully web based application
Integrates with existing business
processes
Simple to deploy
Very intuitive to use
Risks identified, managed &
controlled “on the ground”
Corporate exposure valued &
monitored through escalation and
aggregation
12. RiskTaker Features
Full organisation model support
Role based security
Fully configurable risk assessment
categories & levels
Email escalation & notification
Full audit trail of all user risk
management activities
Built in reporting functions include
Excel export, graphs etc
Support for unlimited risks,
organisation units, hierarchy levels
13. A flexible deployment solution
Quick Implementation
RiskTaker doesn’t require installation on each client
Supplied as a pre-configured appliance – simply plug in and go.
Reduced support costs
New releases & updates are installed on central servers
Does not impact desktop builds or current security policies
True Thin-Client
There are no ActiveX or Java components downloaded to the client
Partners or contractors can be quickly added without IS intervention
Low client hardware demands
Only a standard web browser is required for access
Integrates with standard or thin client desktops (e.g. Citrix)
Industry leading components
Windows 2003 Server R2 or higher (Windows 2003 R2 Advanced server recommended)
Microsoft SQL Server 2000 (Microsoft SQL Server 2005 SP2 recommended)
14. Reliable Hardware
Dedicated appliance pre-configured with the latest RiskTaker software version
All third party components licensed through the RiskTaker license
Simply plug into your network and run
Eliminates expensive server hardware and complex installation
No co-existence issues to complicate the support requirements.
Can be upgraded as the business grows
Additional memory and/or processors
Additional licenses to increase RiskTaker users
15. Support Services
Dedicated Support Team
Web portal – Online submission of low priority support requests, access to FAQs and upgrades
Phone – Support for urgent requests including hardware failures, software errors and problems
with licensing and upgrade services
Email – Dedicated email queue monitored by the support team
Hosting Service
If you cannot host your own RiskTaker appliance, Line Xero can do it for you – simply access
your RiskTaker over the Internet
Licensing Service
Fully automated licensing service ensures additional licenses can be added without waiting for
purchase approvals
Temporary licensing possible for short-term projects & programmes.
Migration Services
For RiskTaker installations growing beyond the scalability of the hardware, an upgrade to
hosted XeroRisk can be performed
Data is transferred securely from RiskTaker to the hosted XeroRisk installation with no loss of
information
Talk about the agenda in terms of why risk governance is needed, through an overview of Line Xero and its capabilities and finally onto XeroRisk itself. We will look briefly at the product roadmap which is provided at least bi-annually to the customers for input and priorities.
Background to risk management. Increasing use of regulatory, legal and litigation pressures has forced the risk governance agenda. It’s nothing new but the visibility has increased…
Talk about project management and financial risk governance as being the typical scenarios. Solutions that supported these areas are either extremely complex & specialist or are built into project management toolsets – e.g. Primavera. Corporate & business risks are not widely catered for. Prior to implementation in UU there were 3 “other” risk systems (H&S, Display Screen Equipment, Leakage) plus a plethora of spreadsheets to manage project risks.
Cash positive company – No debts, loans etc. Capability in application development, support and application hosting services.