HRG Process Management Auditing - 22 Sept 2003
Document Sample


Risk Assessment & Management
Risk Assessment & Management Version K.10.1-UK Oct 03
1 The High Performance Organisation Ltd
Agenda
Introductions
1 - Types of Risk & Why We Need To Manage Them
2 - Risk Identification, Assessment & Profiling
3 - Risk Management & Implementation
4 - Measuring & Improving the Risk Profile
5 - Assessing the Effectiveness of Risk Management
6 - Confirmation of Key Learning Points
Close
Session 1: Types of Risk & Why We Need To Manage Them
Risk Definitions
“chance or possibility of loss or bad consequence”
Pocket Oxford Dictionary
“chance of something happening, measured in terms of impact & probability”
PAS 56:2003 Guide to Business Continuity Management
“the combination of the probability of an event and its consequences”
Risk Management Standard - Institute of Risk Management
Risk Management
“Managing to an acceptable level the exposure
of the organisation to the effects of event(s) that
would affect performance”
Rob Peddle - The HPO
Risk Management in The Real World
Increasing Risk Management reduces your dependence on Crisis Management.
It requires PROACTIVE skills rather than REACTIVE skills.
It does not, however, completely remove the need for these.
[Diagram: a sliding scale running from Risk Mgmt. at one end to Crisis Mgmt. at the other]
‘Risks’ Can Also Be Positive!
Risks are all about Events & Consequences:
An Event Occurs -> An Impact is Felt
We normally think of Risk in terms of negative impacts (Threats),
but impacts can sometimes be beneficial or positive (Opportunities).
Either way, it’s all about Managing Improvement.
Examples of Business Risk Areas
• Health & Safety
• Environmental
• Knowledge & IP
• Buildings Security
• Brand & Reputation
• Supply Chain
• Customers
• Financial
• Independence of Services
• IT Systems
• People
• Governance
• Processes
• Competition
• Projects
• etc.
Exercise 1
Give some examples of the Risks that face your Organisation.
Types of Risk
There are a number of ways in which you can categorise risks.
One convenient way is to think of them as:
• STRATEGIC
• FINANCIAL
• OPERATIONAL
• HAZARD
(Based on “A Risk Management Standard”, published by IRM)
Risks in each of these areas will be caused by External and/or Internal Drivers (Events).
When Should We Manage Risk?
It is not:
– a one-off event
– only carried out by a Risk Manager
It needs to be:
– driven from the top - linked to strategy
– embedded into our processes & management
practices
– part of the way we think (cultural)
– visible, reported against and audited
Risk Management should therefore
be primarily about Sustainability
We manage risk so that we can deliver
maximum value to our organisation, through
either:
• Reducing the effect of negative events
• Increasing the effect of positive events
We usually focus on the negative aspects when considering
Risk Management - but the positive ones are also powerful
At Detail level Risk Management is about:
Ensuring that we can:
• consistently deliver to customers
• consistently deliver to stakeholders
• consistently deliver against required standards & frameworks
• change & improve at known levels of risk
• maintain required brand values & reputation
• keep abreast of changes external to the organisation
• reduce the likelihood of legal action
• minimise PI (Professional Indemnity), Liability & other Insurance costs, etc.
Risk Management for Performance
[Diagram: Stakeholder requirements + Business Objectives + Required Standards & Frameworks feed Organisation/Process/Activity Performance, which yields Reduced Risk & Sustained/Improved Performance. Performance Achieved v Objectives, together with Auditing for Compliance & Risk Improvement, feeds a Risk & Improvement Assessment, which in turn drives Risk & Improvement Strategies and the Improvement Project.]
Session 2: Risk Identification, Assessment & Profiling
Understand what creates a Risk
When considering Risk, it is essential to think about the potential
EVENT first - this is the CAUSE or Driver
of the risk
You can then consider the IMPACT of the event - this
is the EFFECT
Should the event not occur, then the impact will not happen.
However this does not mean that the best thing to do is always to
prevent the event ever happening!
But we do need to effectively ‘manage’ the event
Identifying Risks
A range of approaches are available to identify potential risk events:
• Brainstorming
• Structured Interviews
• Process Reviews
• Strategic Reviews
• Performance/Incident Reviews
• Questionnaires
• Risk Workshops
• Scenario Reviews
• HAZOP
• Focused Auditing
• etc.
Assessing Risks
Having identified possible Risk Events that could
occur we now need to understand the potential
Impact of these, should they actually happen.
The consequence should be described in
business terms - i.e. something that is of value to
the business, its customers or its stakeholders. If
you cannot express a consequence in these
terms, it is unlikely to be a real risk to the
organisation.
What types of ‘things’ could these be?
Exercise 2
In Groups, brainstorm some potential Risk events that
could occur within one of your key processes.
{One Group take the Management System and consider
strategic risks for the system (organisation) as a whole}
Against each risk you identify, define the potential impact
in general terms on the business, customers or
stakeholders
Feedback your findings to the other groups
Analysing Risk
All organisations face MANY Risks.
Analysing the Risks we have identified provides the
organisation with a structured view on how we should
prioritise them.
The TWO key things to consider when analysing risk are:
1. The Impact of the risk occurring
2. The Likelihood of the risk occurring
Risk ‘Impact’
Rate against a scale of, say, 0 to 3:
0 = would have no effect on the organisation at all
1 = would have a small effect, which could be managed
2 = would have a significant effect, but not disastrous
3 = would have a disastrous effect
[Scale: Impact Rating 0 - 1 - 2 - 3]
Risk ‘Impact’
Criteria for basis of estimating consequence:
• Financial
• Brand
• Customer Perception
• Stakeholder Perception
• Staff Morale/Motivation
• Non-compliance with Framework or Standard
• Non-compliance with legal requirement
• Impact on Strategy
• etc.
How could you estimate Impact?
Risk ‘Likelihood’
Rate against a scale of, say, 0 to 3:
0 = is impossible to happen
1 = is unlikely to happen
2 = could quite feasibly happen
3 = is quite likely to happen
[Scale: Likelihood Rating 0 - 1 - 2 - 3]
Risk ‘Likelihood’
Possible criteria for the basis of estimating likelihood:
This is based on the estimated % chance of it happening within a given time, e.g.
1 = Unlikely to occur within a 5 to 10 year period
2 = Likely to occur within a 3 to 10 year period
3 = Likely to occur at least once within a 1 to 3 year period
How could you estimate Likelihood?
Risk Analysis Chart
Risk Analysis for ------------------------------------------ As @-------------
(Rating = Impact x Likelihood)

No  Event/Risk     Impact  Likelihood  Rating  Impact Timescale
1   Event/Risk 1      2         3         6    2-3 months
2   Event/Risk 2      1         2         2    Immediate
3   Event/Risk 3      3         0         0    1 month
4   Event/Risk 4      1         3         3    6-12 months
5   Event/Risk 5      3         3         9    3-6 months
6   Event/Risk 6      3         2         6    Immediate
7   Event/Risk 7
8   Event/Risk 8
Exercise 3
Populate the Risk Analysis Chart with the Risks
you identified earlier, and complete the remaining
columns, using your assessments of Impact,
Likelihood and Timing.
Share these with the rest of the group when
complete
Session 3: Risk Management & Implementation
Risk Management
• In order to deliver the maximum business benefit, all
organisations will need to take some risks
• The Risk Analysis will help you to understand the Risks
you face - you can then decide how best to address them
• How you address them will depend on how
‘Risk Averse’ or ‘Risk Tolerant’ the organisation is
• Not all risks will therefore require activities to be
put in place to manage them in advance
- the key is to decide your Risk Strategy and apply it
Risk Management
What level of Risk Tolerance do you have?
[Diagram: a sliding scale from Risk Mgmt. (Risk Averse) to Crisis Mgmt. (Risk Tolerant)]
Risk Strategies
A number of distinct approaches can be adopted for each Risk that you
have identified. The one you choose will depend on your Risk Tolerance:
• Reduce - either the likelihood or the consequence
• Avoid - remove opportunity for the event to happen
• Transfer - move the effect to others
• Contingency - let it happen, but plan what you will do if it does
• Mitigate - accept some of the effect, but reduce it in some planned way
• Ignore - accept that this may happen, but react only when and if it does
Risk Prioritisation
• Risk Analysis is often used as the basis for
deciding which Strategies you wish to Apply to
which Risks
• It will also help you Prioritise the order in
which you deal with them
• The allocation of specific strategies to each
Risk also creates Clarity and Reduces
Misunderstanding about what you are actually
doing within the organisation
Risk Management Implementation
This is the implementation of your chosen strategies
The implementation is in effect an ‘improvement project’
(reduced risk = improvement) and therefore needs the normal project
management disciplines in order to be successful.
- formality is normally related to complexity of implementation
It should therefore follow the normal improvement cycle of:
PLAN - what is needed to apply the Risk Strategy
DO - implement the plan
CHECK - that the required actions have effectively delivered required
strategy. Re-Analyse to measure new profile of the Risk
ACT - Re-work or re-design the activity if profile is not
now acceptable
Risk Log
A Risk Log is often the most appropriate way of keeping control of
Risks - especially if you identify a reasonable number of them.
It also provides a central focus on the importance of Risk
management and how we are dealing with currently identified Risks.
The following Headings are useful:
• Risk Number
• Date Identified
• Description of the Risk Event
• Initial Impact Assessment
• Initial Likelihood Assessment
• Initial Risk Rating
• Proposed Actions
• Owner of Actions
• Date Risk Strategy ‘Completed’
Should we have a single Improvement/Risk Log?
Exercise 4
For the Risks you identified earlier, define appropriate
strategies for their management, based on the analysis
you made and your knowledge of your business
Share these with the rest of the group when complete
Who do you believe should be responsible for deciding
these strategies?
Session 4: Measuring & Improving the Risk Profile
Risk Measurement
• Individual Risks are measured by their current rating
(Impact X Likelihood)
• The higher the number, the greater the risk
• Providing Risk Identification and Analysis has been
effectively carried out, and risks are being managed,
the cumulative totals for all Risks in the log gives a
good indication of Overall Risk Status
• BUT BEWARE - you need to assure yourselves that
Risk Identification and Assessment is effective.
Risk Measurement (2)
• This can be looked at, reported and sub-divided by any
relevant criteria or for the organisation as a whole.
• If cut by Process, it can be a useful way of understanding
the risk levels associated with each process
• At appropriate intervals, and as Risk Strategies are
implemented, the Risk Analysis for each Risk on the Log
should be reviewed and adjusted as necessary. Any New
Risks should also be added
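The scoring and reporting described in Sessions 2 and 4 (rating = Impact x Likelihood on the 0-3 scales, cumulative totals per process, re-analysis of an entry after its strategy is implemented) is small enough to show end to end. The block below is an added example written for this page; it is not material from the deck or from The High Performance Organisation Ltd. The Risk record, the function names, the process names and the "masked by likelihood" check are all assumptions made for illustration; the six scored rows are copied from the deck's Risk Analysis Chart, with process labels assigned only so that per-process totals have something to sum. The one point the deck's chart leaves implicit is worth seeing in code: a risk scored Impact 3, Likelihood 0 (row 3) rates 0, exactly like a harmless event, so a product score alone will never surface it for review.

```python
"""Scoring a Risk Log as the deck describes: rating = Impact x Likelihood on
0-3 scales, cumulative totals per process, re-scoring after a strategy is
implemented, and a check for the case the product score hides (disastrous
impact scored as 'impossible'). Added example; names below are assumptions."""
from dataclasses import dataclass, replace

# The deck's rating scales (slides 'Risk Impact' and 'Risk Likelihood').
IMPACT_SCALE = {0: "no effect", 1: "small effect, manageable",
                2: "significant, not disastrous", 3: "disastrous"}
LIKELIHOOD_SCALE = {0: "impossible", 1: "unlikely",
                    2: "could quite feasibly happen", 3: "quite likely"}


@dataclass(frozen=True)
class Risk:
    number: int
    event: str
    process: str         # assumed field: the deck's chart has no process column
    impact: int          # 0..3
    likelihood: int      # 0..3
    timescale: str = ""  # the chart's 'Impact Timescale' column


def rating(impact: int, likelihood: int) -> int:
    """Current rating = Impact x Likelihood; rejects scores outside 0-3."""
    if impact not in IMPACT_SCALE or likelihood not in LIKELIHOOD_SCALE:
        raise ValueError(f"scores must be 0-3, got impact={impact} likelihood={likelihood}")
    return impact * likelihood


def totals_by_process(log):
    """Cumulative rating per process: the figure the deck charts per quarter."""
    totals = {}
    for r in log:
        totals[r.process] = totals.get(r.process, 0) + rating(r.impact, r.likelihood)
    return totals


def prioritise(log):
    """Highest rating first; ties broken by impact so a 3x2 outranks a 2x3."""
    return sorted(log, key=lambda r: (rating(r.impact, r.likelihood), r.impact), reverse=True)


def masked_by_likelihood(log, min_impact=3):
    """Entries whose rating is 0 only because likelihood was scored 0.
    A product score cannot tell these apart from genuinely harmless events,
    so each needs a recorded justification for the 'impossible' score."""
    return [r for r in log if r.likelihood == 0 and r.impact >= min_impact]


def rescore(log, number, impact=None, likelihood=None):
    """The CHECK step: re-analyse one entry after its strategy is implemented.
    Returns (new_log, old_rating, new_rating); the original log is untouched."""
    new_log, old, new = [], None, None
    for r in log:
        if r.number == number:
            old = rating(r.impact, r.likelihood)
            r = replace(r,
                        impact=r.impact if impact is None else impact,
                        likelihood=r.likelihood if likelihood is None else likelihood)
            new = rating(r.impact, r.likelihood)
        new_log.append(r)
    if old is None:
        raise KeyError(f"no risk numbered {number}")
    return new_log, old, new


# Constructed sample: the six scored rows of the deck's Risk Analysis Chart,
# with process names assumed for illustration.
SAMPLE_LOG = [
    Risk(1, "Event/Risk 1", "Order fulfilment", 2, 3, "2-3 months"),
    Risk(2, "Event/Risk 2", "Order fulfilment", 1, 2, "Immediate"),
    Risk(3, "Event/Risk 3", "Order fulfilment", 3, 0, "1 month"),
    Risk(4, "Event/Risk 4", "IT service desk", 1, 3, "6-12 months"),
    Risk(5, "Event/Risk 5", "IT service desk", 3, 3, "3-6 months"),
    Risk(6, "Event/Risk 6", "IT service desk", 3, 2, "Immediate"),
]

if __name__ == "__main__":
    for r in prioritise(SAMPLE_LOG):
        print(r.number, r.process, rating(r.impact, r.likelihood), r.timescale)
    print("totals by process:", totals_by_process(SAMPLE_LOG))
    print("rated 0 only because likelihood is 0:",
          [r.number for r in masked_by_likelihood(SAMPLE_LOG)])
    log2, old, new = rescore(SAMPLE_LOG, 5, likelihood=1)
    print("risk 5 after its strategy:", old, "->", new, totals_by_process(log2))
```

Run as a script it prints the prioritised list, the per-process totals (8 and 18 for the two assumed processes), flags row 3 as a disastrous-impact risk that the product score rates at 0, and shows the IT service desk total falling from 18 to 12 once risk 5's likelihood is re-scored from 3 to 1. The deck's own warning applies: the totals only mean something if the identification and analysis behind the scores are sound, and the masked-by-likelihood check exists precisely because a 0 in one column can make the analysis look sounder than it is.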
Risk Monitoring & Reporting
A possible way of monitoring & reporting Risk:
[Chart: cumulative Risk Rating (0 to 500) by quarter (1st Qtr to 4th Qtr), stacked by Process 1, Process 2, Process 3 and Process 4]
REMEMBER - This only means something if you know that Risk Identification & Analysis is effective.
Exercise 5
How do you think Risks and their
profile should be monitored and/or
reported within your Organisation?
Session 5: Assessing the Effectiveness of Risk Management
Assessment
Assessment of Risk Management should review the following:
• Identifying Risks and Deciding How To Handle them:
– Effective & Rigorous Risk Identification
– Effective and Realistic Risk Analysis
– Risk Strategies that Reflect Risk Tolerance
• Managing the Implementation of Risk Strategies
– Planning of activities required
– Effective management of those activities
– Review of outcome in relation to Risk Rating
– Close-out or further implementation
Assessment
Processes and Systems should therefore be Assessed :
• To see if activities do actually occur:
– to Identify and Assess Risk
– to Analyse Risks and Prioritise Activities to address them
– to define Risk Management Strategies for each Risk
– to implement these strategies
– to monitor changes in Risk Profile over time
• To see if they are effective in Reducing Risk to a level considered
acceptable to the owner of the process or system, and in-line with
the risk tolerance of the organisation
Approaches need to be appropriate to the actual risks
faced by the organisation
Generic Risk Management Process
[Flowchart, with steps laid out in Owner, Team and Proj Mgr swimlanes:
Understand Objectives -> Identify Risks -> Analyse Risks -> Define Strategies -> Log Entry
-> Create Plan -> Implement Plan -> Review New Profile -> Acceptable?
YES -> Close
NO -> Update Log, and repeat from Analyse Risks]
Assessments as a Risk Tool
In reality, your current Audits and Process
Assessments are also part of the Risk Management
process for your organisation.
- How do you think they help to manage risk?
- Where do they fit into the typical Risk Management
Process?
- How effective are they at helping to manage Strategic
and/or Process Risks, or are they more focused on
Procedural Risks?
Exercise 6
Choose one of your Processes.
What questions would you ask a Process Owner & Staff Member
to check that Risk is being effectively managed within the process?
[Diagram, ‘Assessor tool 2’: Purpose of process (supplier inputs & customer outputs); Process objectives and targets; The process itself; Key performance indicators; Monitor performance & improve]
Questions?
Would it be better to have specific Risk
Management Assessments, or to carry this out
as an integral part of a Process or System
assessment?
Where do you think that Risk Management
Processes/Procedures should be embedded
within your Management System?
Session 6: Confirmation of Key Learning Points
Key Learning Points
• What is a Risk?
• Who should manage Risk?
• What creates a Risk?
• How can we analyse Risk?
• How can we prioritise Risks to determine action?
• What Risk Strategies could we adopt?
• How can we make our Risk profile visible?
• How can we assess Risk Management?
Any Questions?
Guidance, advice & support
Working in partnership with
The High Performance Organisation Ltd
+44 (0)1604 470837
enquiries@the-hpo.com