Mastering Risk Assessment

Rejecting risk is the head-in-the-sand approach
Friday, 30 January 2015. QHSE office [ www.qhseoffice.com ]
INTRODUCTION
The recent news headlines related to the subprime mortgage crisis, rogue
traders, and corporate fraud have highlighted that, despite investment in
risk assessment and risk management disciplines, significant risk failures
persist. While isolated incidents of one-time governance failures are bound
to occur, long-term systemic failures are more than an isolated anomaly.
The failures may be the result of a clutter of risk information caused by
many risk assessments from many perspectives. The process of organizing
these risk assessments to provide organizations with a more holistic view
of enterprise risk is fundamental to mastering risk assessments. This
whitepaper explores approaches to risk assessment, offers some best
practices for conducting risk assessments and provides practical guidance
on mastering this business process.
RISK ASSESSMENTS: THE BASICS
Risk assessments fall into the overall discipline of risk management. Risk is
defined as the uncertainty of an event occurring that could have an impact
on the achievement of objectives. The definition of risk assessment then
follows as the identification, evaluation, and estimation of the levels of
risks involved in a situation, their comparison against benchmarks or
standards, and determination of an acceptable level of risk. A risk
assessment should answer the following five questions:
 1. What can go wrong?
 2. How can it go wrong?
 3. What is the potential harm?
 4. What can be done about it?
 5. How can we stop it from happening again?
THE EMERGENCE OF RISK-BASED APPROACHES
To minimize the confusion of varying risk information, risk assessment efforts need to converge. Risk convergence, the ability to look across the organization and to understand all risk information from a single perspective, is essential to understanding and organizing the different types of risk information, which in turn promotes the understanding and analysis that will add value to the organization.
The following best-practice approaches will help an organization master risk assessment and minimize disjointed risk information:
1. Use a risk-focused approach
2. Adopt a common categorization of risk types
3. Parse the risk jumble
4. Perform scenario analysis
5. Use a risk table
6. Monitor risks
7. Increase self-assessment
8. Achieve risk convergence
USE A RISK-FOCUSED APPROACH
Risk-based approaches can be described as those that capture at least a 2:1 ratio of risks to controls; they carry the opposite bias to control-based approaches, producing significant amounts of information about risk events: their type, frequency, level, impact and root cause. With proper risk information captured, risk-based approaches give management a better perspective on the significance and likelihood of risk events and enable management to prioritize the materiality of mitigating controls.
One of the major reasons for the ineffective execution of risk assessments is the heavy focus on controls. The control-based approach identifies and assesses controls, or more specifically the risk of missing or broken controls; the risk-based approach identifies and assesses risk events, the risks that could impact the achievement of business objectives. Risk assessments are much more effective when they use a true risk-based approach.
A COMMON CATEGORIZATION OF RISK TYPES
To assist in the discipline of risk assessment, it is important to have a
common taxonomy and categorization of risk types.
The risk management community has provided numerous risk models to
categorize risks into types for reporting and analysis purposes.
With a library of common sets of risk categories, risk assessment
practitioners are better able to identify the organization's risks and can
pull together risk information in a concise profile that helps users
understand and monitor identified exposures.
ENVIRONMENTAL RISKS
- Business continuity
- Business market environment
- Environmental
- Liability lawsuits
- Natural disasters/weather
- Pandemic
- Physical damage
- Political risk
- Regulatory/legislative
- Terrorism
FINANCIAL RISKS
- Capital availability
- Credit counterparty
- Financial market risk
- Inflation
- Interest rates
- Liquidity
SUPPLY RISKS
- Commodity prices
- Supply chain
MANAGEMENT RISKS
- Corporate governance
- Data security
- Employee health and safety
- Intellectual property
- Labor disputes
- Labor skills shortage
- Managing complexity
- Outsourcing problems
- Project management
- Technology failure
PARSE THE RISK JUMBLE
Risk information must be organized to be understood and managed. In the
jumble of risk information that is currently being gathered, some of the
information is about controls or more accurately missing or broken
controls, some of it is about risk events (the events the controls were
designed to mitigate) and some of the information describes the primary
or secondary consequences of the risk events if they occur. The result is a
mass of information that is described as risk, but it is not all risk.
(Slide 10, PARSE THE RISK JUMBLE: non-text content only; not extracted.)
SCENARIO ANALYSIS
The discipline of scenario analysis is critical to effective risk assessments
because it forces one to ask, “What could go wrong in the future?”
Scenario analysis is the process of analyzing a number of possible future
events and focuses attention on all possible outcomes of an event
occurring and the associated impacts. Proper scenario analysis improves
decision-making by allowing management to more completely consider
various outcomes and their implications to an organization.
For example, in looking at the scenario of fraudulent trades occurring, the
following questions need to be evaluated:
1. Where does trading activity take place?
2. What kinds of trading take place?
3. What are all the ways unauthorized trading could take place?
4. How up to date is our information?
5. Have we involved everyone with relevant knowledge in risk identification?
6. Have we involved everyone with relevant knowledge in control assessment?
 7. What would tell us if, in fact, unauthorized trades are occurring?
 8. How often do we formally analyze this scenario?
 9. What issues have we identified in the past?
 10. What losses have our industry competitors experienced?
 11. How could trades be hidden?
USE A RISK TABLE
Risks and the corresponding risk assessments can be evaluated using
either a quantitative or a qualitative approach. Quantitative assessments
use actual dollar amounts to provide a financially based risk value.
Qualitative assessments use scoring methods and the experience of
employees and consultants to arrive at a risk score. Since determining an
actual dollar value of risk is often a very resource-intensive activity,
the qualitative risk assessment approach is used as a best practice by most
risk assessment groups. Although termed qualitative, this method typically
involves assigning a numerical value that can be used to stack-rank the
risks or to produce relative ratings.
(Slide 15, USE A RISK TABLE: the risk table itself is non-text content; not extracted.)
Once the risk assessments are scored using a risk table, they should be
sorted from highest to lowest. This allows organizations to address the
highest risks first. Once identified, there are essentially four ways to deal
with each risk:
- Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult challenges with the hope that they will simply disappear. This approach will rarely result in a successful defense against the risk event occurring.
- Accept the risk: A common action to take is to accept the stated risk. For example, if the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an organization than the actual risk impact, then it’s probably a good idea to use the budget dollars in other areas.
- Transfer the risk: An alternative to accepting a higher-than-reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is a common risk management step.
- Mitigate the risk: Risk mitigation typically focuses on managing the areas where the organization is most vulnerable. Risk mitigation involves the identification and management of risk-mitigating controls.
MONITOR RISKS
A best practice in mastering risk assessments is to establish standard
metrics for the consequences and outcomes that will drive business
decisions. Common metrics are classified as key performance indicators
(KPI) and key risk indicators (KRI).
- A KPI is part of a measurable objective and helps an organization measure progress towards goals, especially for difficult-to-quantify, knowledge-based processes. KPIs are made up of a direction, a benchmark, a target and a time frame.
- A KRI measures how risky an activity is. It differs from a KPI in that the KPI is meant as a measure of how well something is being done, whereas a KRI is an indicator of the possibility of a future adverse impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the simple, such as staff turnover, to the more sophisticated, such as a complex calculation for measuring operational performance. The behavior of KRIs should signal how well or how badly a firm is managing potentially costly operational hazards such as fraud, legal risk, technology failure and trade settlement errors.
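As an added example (not from the deck), the following Python evaluates a small set of KRIs against amber and red thresholds and flags any indicator whose last three readings move in the wrong direction, so a worsening hazard is signalled before a threshold is crossed. Indicator names, thresholds and the quarterly readings are constructed assumptions; the "direction" and "benchmark" elements the deck attributes to KPIs are modelled here as the `higher_is_worse` flag and the two thresholds.

```python
"""Key risk indicators (KRIs) checked against thresholds and trend.

Added example, not from the QHSE office deck. Indicator names, thresholds
and the quarterly readings below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class KRI:
    name: str
    unit: str
    amber: float                  # assumed warning threshold
    red: float                    # assumed breach threshold
    higher_is_worse: bool = True  # direction in which the indicator signals more risk


def status(kri: KRI, value: float) -> str:
    """Classify the latest reading as green, amber or red against its thresholds."""
    if kri.higher_is_worse:
        warned, breached = value >= kri.amber, value >= kri.red
    else:
        warned, breached = value <= kri.amber, value <= kri.red
    if breached:
        return "red"
    return "amber" if warned else "green"


def trending_worse(kri: KRI, series: List[float], periods: int = 3) -> bool:
    """True when the last `periods` readings move monotonically in the bad
    direction, which flags a rising hazard before a threshold is crossed."""
    if len(series) < periods:
        return False
    tail = series[-periods:]
    pairs = list(zip(tail, tail[1:]))
    if kri.higher_is_worse:
        return all(later > earlier for earlier, later in pairs)
    return all(later < earlier for earlier, later in pairs)


def evaluate(kris: List[KRI], readings: Dict[str, List[float]]) -> Dict[str, dict]:
    """Build the KRI dashboard rows a risk committee would review each period."""
    report: Dict[str, dict] = {}
    for kri in kris:
        series = readings[kri.name]
        report[kri.name] = {
            "latest": series[-1],
            "unit": kri.unit,
            "status": status(kri, series[-1]),
            "trend": "worsening" if trending_worse(kri, series) else "stable",
        }
    return report


# Constructed KRIs covering hazards the deck names (staff turnover,
# settlement errors, technology failure); thresholds are invented.
KRIS = [
    KRI("staff_turnover_pct", "%", amber=12.0, red=18.0),
    KRI("settlement_error_rate_pct", "%", amber=0.5, red=1.0),
    KRI("patch_sla_compliance_pct", "%", amber=90.0, red=80.0, higher_is_worse=False),
]

# Constructed quarterly readings, oldest first
READINGS = {
    "staff_turnover_pct": [8.0, 9.5, 11.0, 13.5],
    "settlement_error_rate_pct": [0.4, 0.3, 0.35, 0.3],
    "patch_sla_compliance_pct": [96.0, 94.0, 89.0, 78.0],
}

if __name__ == "__main__":
    for name, row in evaluate(KRIS, READINGS).items():
        print(f"{name:<28} {row['latest']:>6}{row['unit']}  "
              f"{row['status']:<5} {row['trend']}")
```

The trend check matters as much as the threshold: in the constructed data, staff turnover is only amber but has risen three quarters running, which is the kind of early signal a KRI exists to give.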
INCREASE SELF-ASSESSMENT
Using risk self-assessment drives the responsibility and accountability for
risk management to process owners by reinforcing their responsibility and
accountability for the risk areas they own. Companies embracing risk
self-assessment often view it as a cost-effective technique for establishing
touch points with the right people, enabling management to communicate
as well as educate. An effective risk self-assessment program reports risk
assertions from process owners upward in the organization and identifies
matters requiring follow-up and possible disclosure.
ACHIEVE RISK CONVERGENCE
Risk convergence is the integration of discrete risk assessment information
into a unified framework in order to dramatically:
- Streamline processes
- Increase assurance reliability
- Increase information quantity/quality
- Decrease operational cost
- Contribute directly to better business performance
Risk-based approaches to management hold significant promise. If risks
are understood in terms of cause/effect relationships, governance failures
and losses should be prevented. If variance in expected business or
process performance is viewed from a risk perspective as unmanaged
risks, then business performance should improve or at least become less
volatile. Risk assessment is the foundation of risk management. Organizing
the information produced through risk assessment will allow risk
convergence to fulfill its potential.
THOUGHTS
- To minimize the confusion of varying risk information, risk assessment efforts need to converge.
- Risk information can be categorized as root cause, risk event, consequence and downstream effect.
- Effective risk assessments force one to ask, “What could go wrong in the future?”
- Rejecting risk is the head-in-the-sand approach.
- Establish standards for the consequences.
- “QHSE office” provides a common point of entry for audit, risk management and compliance owners.
QHSE office [ www.qhseoffice.com ]

Mais conteúdo relacionado

Mais procurados

Bertrand's Individual Essay
Bertrand's Individual EssayBertrand's Individual Essay
Bertrand's Individual Essay
Prince Bertrand
 
Risk and Uncertainty
Risk and UncertaintyRisk and Uncertainty
Risk and Uncertainty
Brad Stollery
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides
SlideTeam
 
1 -corinne_berinstein
1  -corinne_berinstein1  -corinne_berinstein
1 -corinne_berinstein
Aahil Malik
 

Mais procurados (20)

Risk Analysis
Risk AnalysisRisk Analysis
Risk Analysis
 
Bertrand's Individual Essay
Bertrand's Individual EssayBertrand's Individual Essay
Bertrand's Individual Essay
 
Risk and Uncertainty
Risk and UncertaintyRisk and Uncertainty
Risk and Uncertainty
 
The Purpose of Holistic Risk Management
The Purpose of Holistic Risk ManagementThe Purpose of Holistic Risk Management
The Purpose of Holistic Risk Management
 
Introduction to risk management
Introduction to risk managementIntroduction to risk management
Introduction to risk management
 
Risk Management Best Practices
Risk Management Best PracticesRisk Management Best Practices
Risk Management Best Practices
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides Risk Assessment PowerPoint Presentation Slides
Risk Assessment PowerPoint Presentation Slides
 
Risk Assessment and Risk Assessment Matrix Presentation
Risk Assessment and Risk Assessment Matrix PresentationRisk Assessment and Risk Assessment Matrix Presentation
Risk Assessment and Risk Assessment Matrix Presentation
 
Introduction to Risk Management
Introduction to Risk ManagementIntroduction to Risk Management
Introduction to Risk Management
 
Ballot: Risk Assessments Made Simple
Ballot: Risk Assessments Made SimpleBallot: Risk Assessments Made Simple
Ballot: Risk Assessments Made Simple
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
Risk management
Risk managementRisk management
Risk management
 
Risk Management
Risk ManagementRisk Management
Risk Management
 
The Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John LiuThe Role of Data Science in Enterprise Risk Management, Presented by John Liu
The Role of Data Science in Enterprise Risk Management, Presented by John Liu
 
Risk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation SlideRisk Identification PowerPoint Presentation Slide
Risk Identification PowerPoint Presentation Slide
 
Risk analysis
Risk analysisRisk analysis
Risk analysis
 
Risk project management - Notes for the CAMP exam
Risk project management - Notes for the CAMP examRisk project management - Notes for the CAMP exam
Risk project management - Notes for the CAMP exam
 
Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides Risk Management Process Steps PowerPoint Presentation Slides
Risk Management Process Steps PowerPoint Presentation Slides
 
1 -corinne_berinstein
1  -corinne_berinstein1  -corinne_berinstein
1 -corinne_berinstein
 

Destaque

FRH Asphalting audit report
FRH Asphalting audit reportFRH Asphalting audit report
FRH Asphalting audit report
Andy Slade
 
Ultranet - An Overview
Ultranet - An OverviewUltranet - An Overview
Ultranet - An Overview
dbanova
 
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
Syed Owais Mukhtar
 
Sustainability report 2015 Esprinet
Sustainability report 2015 EsprinetSustainability report 2015 Esprinet
Sustainability report 2015 Esprinet
Esprinet
 
Violence in the workplace Training
Violence in the workplace TrainingViolence in the workplace Training
Violence in the workplace Training
Dan Junkins
 

Destaque (20)

FRH Asphalting audit report
FRH Asphalting audit reportFRH Asphalting audit report
FRH Asphalting audit report
 
Ultranet - An Overview
Ultranet - An OverviewUltranet - An Overview
Ultranet - An Overview
 
Risk assessment
Risk assessmentRisk assessment
Risk assessment
 
The workplace safety report - OSHA for 2015 - Littler Mendelson Executive Emp...
The workplace safety report - OSHA for 2015 - Littler Mendelson Executive Emp...The workplace safety report - OSHA for 2015 - Littler Mendelson Executive Emp...
The workplace safety report - OSHA for 2015 - Littler Mendelson Executive Emp...
 
Incident Investigation Guidelines
Incident Investigation GuidelinesIncident Investigation Guidelines
Incident Investigation Guidelines
 
Let Us Learn
Let Us LearnLet Us Learn
Let Us Learn
 
Manager Auditing
Manager AuditingManager Auditing
Manager Auditing
 
Workplace Safety Audit Report
Workplace Safety Audit Report Workplace Safety Audit Report
Workplace Safety Audit Report
 
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
Employee Motivation : How to kill a employee's morale in 5 steps! - By Owais ...
 
OSHA Injury and Illness Reporting and Recordkeeping Changes for 2015
OSHA Injury and Illness Reporting and Recordkeeping Changes for 2015OSHA Injury and Illness Reporting and Recordkeeping Changes for 2015
OSHA Injury and Illness Reporting and Recordkeeping Changes for 2015
 
Implementation of QHSE
Implementation of QHSEImplementation of QHSE
Implementation of QHSE
 
Osha injury reporting
Osha injury reportingOsha injury reporting
Osha injury reporting
 
Hazard (2)
Hazard (2)Hazard (2)
Hazard (2)
 
Joint Occupational Health and Safety Committee Effectiveness
Joint Occupational Health and Safety Committee EffectivenessJoint Occupational Health and Safety Committee Effectiveness
Joint Occupational Health and Safety Committee Effectiveness
 
Sustainability report 2015 Esprinet
Sustainability report 2015 EsprinetSustainability report 2015 Esprinet
Sustainability report 2015 Esprinet
 
EHS Audit Overview
EHS Audit OverviewEHS Audit Overview
EHS Audit Overview
 
Safety Week Activity Report
Safety Week Activity ReportSafety Week Activity Report
Safety Week Activity Report
 
How to control electrical safety risk
How to control electrical safety riskHow to control electrical safety risk
How to control electrical safety risk
 
Violence in the workplace Training
Violence in the workplace TrainingViolence in the workplace Training
Violence in the workplace Training
 
Ladder safety Posters - Syed Owais Mukhtar
Ladder safety Posters - Syed Owais MukhtarLadder safety Posters - Syed Owais Mukhtar
Ladder safety Posters - Syed Owais Mukhtar
 

Semelhante a Mastering Risk Assessment

Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
David Fernandes
 
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
Keith Darcy
 
46753267 20075325-principles-of-risk-management-and-insurance-f
46753267 20075325-principles-of-risk-management-and-insurance-f46753267 20075325-principles-of-risk-management-and-insurance-f
46753267 20075325-principles-of-risk-management-and-insurance-f
Gaba Florian
 
Introduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330OverviewIntroduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330Overview
TatianaMajor22
 
Optimizing Uncertainty In Complex Industry Environment
Optimizing Uncertainty In Complex Industry EnvironmentOptimizing Uncertainty In Complex Industry Environment
Optimizing Uncertainty In Complex Industry Environment
aradhanalaw
 

Semelhante a Mastering Risk Assessment (20)

Managing Risk and Uncertainty in Business.pptx
Managing Risk and Uncertainty in Business.pptxManaging Risk and Uncertainty in Business.pptx
Managing Risk and Uncertainty in Business.pptx
 
project risk management
project risk managementproject risk management
project risk management
 
Risk Management in Business
Risk Management in BusinessRisk Management in Business
Risk Management in Business
 
Enhancing Existing Risk Management in National Statistical Institutes by Usin...
Enhancing Existing Risk Management in National Statistical Institutes by Usin...Enhancing Existing Risk Management in National Statistical Institutes by Usin...
Enhancing Existing Risk Management in National Statistical Institutes by Usin...
 
Risk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptxRisk Management and Control(Insurance).pptx
Risk Management and Control(Insurance).pptx
 
Essay On Risk Management
Essay On Risk ManagementEssay On Risk Management
Essay On Risk Management
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
Risk-Management-ppt.pptx
Risk-Management-ppt.pptxRisk-Management-ppt.pptx
Risk-Management-ppt.pptx
 
Comprehensive Overview Of Risk Management
Comprehensive Overview Of Risk ManagementComprehensive Overview Of Risk Management
Comprehensive Overview Of Risk Management
 
Risk management
Risk managementRisk management
Risk management
 
cue presentation.pptx
cue presentation.pptxcue presentation.pptx
cue presentation.pptx
 
ToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_enToTCOOP+i O3 o4 unit-9_final_version_en
ToTCOOP+i O3 o4 unit-9_final_version_en
 
Risk management
Risk managementRisk management
Risk management
 
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
WSJ-Compliance Risks What You Don’t Contain Can Hurt You - Deloitte Risk (1)
 
51_operational_risk
51_operational_risk51_operational_risk
51_operational_risk
 
46753267 20075325-principles-of-risk-management-and-insurance-f
46753267 20075325-principles-of-risk-management-and-insurance-f46753267 20075325-principles-of-risk-management-and-insurance-f
46753267 20075325-principles-of-risk-management-and-insurance-f
 
Introduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330OverviewIntroduction to Risk ManagementMana.6330Overview
Introduction to Risk ManagementMana.6330Overview
 
Optimizing Uncertainty In Complex Industry Environment
Optimizing Uncertainty In Complex Industry EnvironmentOptimizing Uncertainty In Complex Industry Environment
Optimizing Uncertainty In Complex Industry Environment
 
Risk management
Risk managementRisk management
Risk management
 
Deloitte_Risk Sensing
Deloitte_Risk SensingDeloitte_Risk Sensing
Deloitte_Risk Sensing
 

Mastering Risk Assessment

  • 1. Rejecting risk is the head-in-the-sand approach Friday, 30 January 20151 QHSE office [ www.qhseoffice.com ]
  • 2. INTRODUCTION The recent news headlines related to subprime mortgage crisis, rogue traders, and corporate fraud have highlighted that despite investment in risk assessment and risk management disciplines, significant risk failures persist. While isolated incidents of onetime governance failures are bound to occur, long term systemic failures are more than just an isolated anomaly. The failures may be the result of a clutter of risk information caused by many risk assessments from many perspectives. The process of organizing these risk assessments to provide organizations with a more holistic view of enterprise risk is fundamental to mastering risk assessments. This whitepaper explores approaches to risk assessment, offers some best practices for conducting risk assessments and provides practical guidance on mastering this business process. Friday, 30 January 20152 QHSE office [ www.qhseoffice.com ]
  • 3. RISK ASSESSMENTS THE BASICS Risk assessments fall into the overall discipline of risk management. Risk is defined as the uncertainty of an event occurring that could have an impact on the achievement of objectives. The definition of risk assessment then follows as the identification, evaluation, and estimation of the levels of risks involved in a situation, their comparison against benchmarks or standards, and determination of an acceptable level of risk. A risk assessment should answer the following five questions:  1. What can go wrong?  2. How can it go wrong?  3. What is the potential harm?  4. What can be done about it?  5. How can we stop it from happening again? Friday, 30 January 20153 QHSE office [ www.qhseoffice.com ]
  • 4. THE EMERGENCE OF RISK: BASED APPROACHES To minimize the confusion of varying risk information, risks assessment efforts need to converge. Risk convergence, the ability to look across the organization and to understand all risk information from a single perspective, is essential to be able to understand and organize the different types of risk information in order to promote the understanding and analysis that will add value to the organization. The following best practice approaches will help an organization master risk assessment and minimize disjointed risk information:  1. Use a risk-focused approach  2. Adopt a common categorization of risk types  3. Parse the risk jumble  4. Perform scenario analysis  5. Use a risk table  6. Monitor risks  7. Increase self assessment  8. Achieve risk convergence Friday, 30 January 20154 QHSE office [ www.qhseoffice.com ]
  • 5. USE A RISK-FOCUSED APPROACH Risk-based approaches can be described as those that provide a ratio of at least 2:1 of risks to controls and generally have the opposite bias; producing significant amounts of information about risk events, their type, frequency, level, impact and root cause. With the capture of proper risk information, risk-based approaches provide management a better perspective on significance and likelihood of risk events and enable management to prioritize the materiality of mitigating controls. One of the major reasons for the ineffective execution of risk assessments is the significant focus on controls. The control-based approach is used to identify and assess controls, or more specifically the risk of missing or broken controls; the risk-based approach is used to identify and assess risk events, or risks that could impact the achievement of business objectives. Risk assessments are much more effective when using a true risk- based approach. Friday, 30 January 20155 QHSE office [ www.qhseoffice.com ]
  • 6. A COMMON CATEGORIZATION OF RISK TYPES To assist in the discipline of risk assessment, it is important to have a common taxonomy and categorization of risk types. The risk management community has provided numerous risk models to categorize risks into types for reporting and analysis purposes. With a library of common sets of risk categories, risk assessment practitioners are better able to identify the organization's risks and can pull together risk information in a concise profile that helps users understand and monitor identified exposures. Friday, 30 January 20156 QHSE office [ www.qhseoffice.com ]
  • 7. A COMMON CATEGORIZATION OF RISK TYPES ENVIRONMETAL RISKS  Business continuity  Business market environment  Environmental  Liability lawsuits  Natural disasters/weather  Pandemic  Physical damage  Political risk  Regulatory/legislative  Terrorism FINANCIAL RISKS  Capital availability  Credit counterparty  Financial market risk  Inflation  Interest rates  Liquidity Friday, 30 January 20157 QHSE office [ www.qhseoffice.com ]
  • 8. A COMMON CATEGORIZATION OF RISK TYPES SUPPLY RISKS  Commodity prices  Supply chain MANAGEMENT RISKS  Corporate governance  Data security  Employee health and safety  Intellectual property  Labor disputes  Labor skills shortage  Managing complexity  Outsourcing problems  Project management  Technology failure Friday, 30 January 20158 QHSE office [ www.qhseoffice.com ]
  • 9. PARSE THE RISK JUMBLE Risk information must be organized to be understood and managed. In the jumble of risk information that is currently being gathered, some of the information is about controls or more accurately missing or broken controls, some of it is about risk events (the events the controls were designed to mitigate) and some of the information describes the primary or secondary consequences of the risk events if they occur. The result is a mass of information that is described as risk, but it is not all risk. Friday, 30 January 20159 QHSE office [ www.qhseoffice.com ]
  • 10. PARSE THE RISK JUMBLE Friday, 30 January 201510 QHSE office [ www.qhseoffice.com ]
  • 11. SCENARIO ANALYSIS The discipline of scenario analysis is critical to effective risk assessments because it forces one to ask, “What could go wrong in the future?” Scenario analysis is the process of analyzing a number of possible future events and focuses attention on all possible outcomes of an event occurring and the associated impacts. Proper scenario analysis improves decision-making by allowing management to more completely consider various outcomes and their implications to an organization. For example, in looking at the scenario of fraudulent trades occurring, the following questions need to be evaluated: Friday, 30 January 201511 QHSE office [ www.qhseoffice.com ]
  • 12. SCENARIO ANALYSIS  1. Where does trading activity take place?  2. What kinds of trading takes place?  3. What are all the ways unauthorized trading could take place?  4. How up to date is our information?  5. Have we involved everyone with relevant knowledge in risk identification?  6. Have we involved everyone with relevant knowledge in control assessment? Friday, 30 January 201512 QHSE office [ www.qhseoffice.com ]
  • 13. SCENARIO ANALYSIS  7. What would tell us if, in fact, unauthorized trades are occurring?  8. How often do we formally analyze this scenario?  9. What issues have we identified in the past?  10. What losses have our industry competitors experienced?  11. How could trades be hidden? Friday, 30 January 201513 QHSE office [ www.qhseoffice.com ]
  • 14. USE A RISK TABLE Risks and the corresponding risk assessments can be evaluated using either a quantitative or a qualitative approach. Quantitative assessments use actual dollar amounts to provide an financially-based risk value. Qualitative assessments use scoring methods and the experience of employees and consultants to arrive at a risk score. Since determining an actual dollar value of risk is often times a very resource intensive activity, the qualitative risk assessment approach is used as a best practice by most risk assessment groups. Although termed a qualitative approach, this method typically involves assigning some numerical value that can be used to stack rank or come up with some relative ratings on the assessment of risks. Friday, 30 January 201514 QHSE office [ www.qhseoffice.com ]
  • 15. USE A RISK TABLE [slide shows the risk table as an image; not captured in the extracted text]
  • 16. USE A RISK TABLE Once the risk assessments are scored using a risk table, they should be sorted from highest to lowest. This allows organizations to address the highest risks first. Once identified, there are essentially four ways to deal with each risk:
    - Reject the risk: Rejecting risk is the head-in-the-sand approach. Some managers tend to ignore difficult challenges in the hope that they will simply disappear. This approach will rarely result in a successful defense against the risk event occurring.
    - Accept the risk: A common action to take is to accept the stated risk. For example, if the controls necessary to eliminate or mitigate key vulnerabilities are a greater financial burden to an organization than the actual risk impact, then it is probably a good idea to use the budget dollars in other areas.
  • 17. USE A RISK TABLE
    - Transfer the risk: An alternative to accepting a higher than reasonable risk when the cost of controls is too high is to purchase insurance to lower the business impact of an incident. This is a common risk management step.
    - Mitigate the risk: Risk mitigation typically focuses on managing the areas where the organization is most vulnerable. It involves the identification and management of risk-mitigating controls.
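As an added example (not code from the whitepaper or from QHSE office), the scoring, ranking and treatment selection described on slides 14 to 17, carried out on a small constructed risk register; the 1 to 5 likelihood and impact scales and all cost figures are assumptions for illustration:

```python
"""Qualitative risk table: score, stack rank, then pick a treatment.

Added example, not from the whitepaper. Scales (1-5) and cost figures
are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    name: str
    likelihood: int       # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int           # 1 (negligible) .. 5 (severe); assumed scale
    expected_loss: float  # estimated annual loss if the risk materialises
    control_cost: float   # annual cost of the controls that would mitigate it
    insurable: bool = False

    def __post_init__(self) -> None:
        # A risk table only works if every entry uses the same scale.
        for field in (self.likelihood, self.impact):
            if not 1 <= field <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {field}")

    @property
    def score(self) -> int:
        # Qualitative score used to stack rank the risks (likelihood x impact).
        return self.likelihood * self.impact


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Sort highest score first so the biggest risks are addressed first."""
    return sorted(risks, key=lambda r: r.score, reverse=True)


def choose_treatment(risk: Risk) -> str:
    """Apply the whitepaper's rules. 'reject' is never an output: ignoring a
    risk is the head-in-the-sand approach, not a treatment."""
    if risk.control_cost > risk.expected_loss:
        # Controls cost more than the risk itself: transfer it if insurance is
        # available, otherwise accept it and spend the budget elsewhere.
        return "transfer" if risk.insurable else "accept"
    return "mitigate"


def build_treatment_plan(risks: List[Risk]) -> List[Tuple[str, int, str]]:
    """Ranked (name, score, treatment) tuples, highest risk first."""
    return [(r.name, r.score, choose_treatment(r)) for r in rank_risks(risks)]


SAMPLE_RISKS = [  # constructed register; figures are not real
    Risk("Staff turnover in operations", 4, 2, 50_000, 120_000),
    Risk("Unauthorized trading", 4, 5, 2_000_000, 300_000),
    Risk("Trade settlement errors", 3, 3, 150_000, 400_000, insurable=True),
]
```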
  • 18. MONITOR RISKS A best practice in mastering risk assessments is to establish standard metrics for the consequences and outcomes that will drive business decisions. Common metrics are classified as key performance indicators (KPIs) and key risk indicators (KRIs).
    - A KPI is part of a measurable objective and helps an organization measure progress towards goals, especially for difficult-to-quantify knowledge-based processes. KPIs are made up of a direction, benchmark, target and time frame.
  • 19. MONITOR RISKS
    - A KRI measures how risky an activity is. It differs from a KPI in that a KPI is meant as a measure of how well something is being done, whereas a KRI is an indicator of the possibility of a future adverse impact. The idea behind the KRI is to provide a set of agreed indicators, which can range from the simple, such as staff turnover, to the more sophisticated, such as a complex calculation for measuring operational performance. The behavior of KRIs should signal how well or how badly a firm is managing potentially costly operational hazards such as fraud, legal risk, technology failure and trade settlement errors.
  • 20. INCREASE SELF-ASSESSMENT Using risk self-assessment drives the responsibility and accountability for risk management down to process owners by reinforcing their ownership of the risk areas they control. Companies embracing risk self-assessment often view it as a cost-effective technique for establishing touch points with the right people, enabling management to communicate as well as educate. An effective risk self-assessment program reports risk assertions from process owners upward in the organization and identifies matters requiring follow-up and possible disclosure.
  • 21. ACHIEVE RISK CONVERGENCE Risk convergence is the integration of discrete risk assessment information into a unified framework in order to dramatically:
    - Streamline processes
    - Increase assurance reliability
    - Increase information quantity and quality
    - Decrease operational cost
    - Contribute directly to better business performance
  • 22. ACHIEVE RISK CONVERGENCE Risk-based approaches to management hold significant promise. If risks are understood in terms of cause-and-effect relationships, governance failures and losses should be prevented. If variance in expected business or process performance is viewed from a risk perspective as unmanaged risk, then business performance should improve or at least become less volatile. Risk assessment is the foundation of risk management. Organizing the information produced through risk assessment will allow risk convergence to fulfill its potential.
  • 23. THOUGHTS
    - To minimize the confusion of varying risk information, risk assessment efforts need to converge.
    - Risk information can be categorized as root cause, risk event, consequence and downstream effect.
    - Effective risk assessments force one to ask, “What could go wrong in the future?”
    - Rejecting risk is the head-in-the-sand approach.
    - Establish standards for the consequences.
    - “QHSE office” provides a common point of entry for audit, risk management and compliance owners.