AS/NZS 4360:2004 THE AUSTRALIAN & NEW ZEALAND STANDARD ON RISK MANAGEMENT
Kevin W Knight
Chairman, ISO Working Group - Risk Management Terminology
Member, Standards Australia / Standards New Zealand Joint Technical Committee OB/7 - Risk Management
PO Box 226, Nundah QLD 4012
E-mail: [email protected]
Taking a risk: it isn’t all bad • Risk taking is positive, not implicitly negative • We take risks not to avoid harm, but to achieve benefits and gains • Taking risks is a normal, unavoidable, everyday necessity • Taking controlled, informed risks is a sensible and essential part of everyday life • The higher the risk, the higher the reward • Without risk there is no progress.
MANAGING RISK • We all manage risk consciously or unconsciously - but rarely systematically • Managing risk involves both threats and opportunities • Managing risk requires rigorous thinking • Managing risk means forward thinking • Managing risk requires accountability in decision making • Managing risk requires communication • Managing risk requires balanced thinking • RM provides a framework to facilitate more effective decision making
Corporate Governance The way in which an organisation is governed and controlled in order to achieve its objectives. The control environment makes an organisation reliable in achieving these objectives within an acceptable degree of risk. It is the glue which holds the organisation together in pursuit of its objectives, while risk management provides the resilience.
Corporate Governance “As I look back on my career as an independent director, I realise that my efforts were mostly futile. Management gave us reams of information about past performance and we dutifully discussed it. We were looking at the wrong information and asking the wrong questions. We should have focussed on the future and questioned the strategy and competence of management to execute it. The board did not wake up until it was too late.” Guidance for Directors - Dealing with Risk in the Boardroom, Canadian Institute of Chartered Accountants, 2000
Risk Management as Defined in AS/NZS 4360:2004 “THE CULTURE, PROCESSES AND STRUCTURES THAT ARE DIRECTED TOWARDS REALISING POTENTIAL OPPORTUNITIES WHILST MANAGING ADVERSE EFFECTS.”
[Figure: the AS/NZS 4360:2004 risk management process. COMMUNICATE & CONSULT runs down one side of every step and MONITOR & REVIEW down the other. A second, numbered diagram is overlaid on the slide; only its labels survive: 1. Strategic Ct, 2. Identify Threats, 3. Analyze, 4. Assess, 5. Assess/.]
ESTABLISH THE CONTEXT: the external context, the internal context, the risk management context; develop criteria and define the structure
IDENTIFY RISKS: what can happen, when, where, how and why
ANALYSE RISKS: identify existing controls; determine likelihood and consequences; determine level of risk
EVALUATE RISKS: compare with criteria; set priorities. Treat risks? NO: go to monitor and review. YES:
TREAT RISKS: identify options; assess options; prepare and implement treatment options
RM is everybody’s business • RM is not just the responsibility of management • For RM to be effective it must be implemented by every person in the organisation • RM must become an integral part of the organisational culture • The risk makers and risk takers must be the risk managers.
Step 1 : Establish the Context • external context • internal context • risk management context • risk criteria (i.e. threshold levels) • define the structure
Step 2 : Identify Risks • what can happen, when, where and how • identify key processes, tasks, activities • recognise risk areas • define risks • categorise risk
Step 3 : Analyse Risks • identify controls • determine likelihood • determine consequence/impact • determine level of risk
Step 4 : Evaluate Risks • identify tolerable/unacceptable risks (referring risk rating against risk criteria) • prioritise risks for treatment
Step 5 : Treat Risks
Accept/Retain • based on judgement or documented procedures/policy
Avoid • consider discontinuing or avoiding activity • consult • risk treatment preferable to risk aversion
Reduce likelihood • controls • process improvement • training & education • policies and communication • audit and compliance
Reduce consequence • Business Continuity Plans • contractual arrangements • public relations
Share • insurance • outsourcing
Step 6 : Monitor and Review Risks • process • environment • organisation • strategy • stakeholders
Communicate and consult - at all steps
Communication & Consultation in the risk management process
COMMUNICATE & CONSULT • ANY TWO-WAY DIALOGUE BETWEEN STAKEHOLDERS • DEVELOP COMMUNICATION STRATEGY AT THE CONTEXT STAGE • ENSURE STAKEHOLDERS’ PERCEPTION OF RISK IS ADDRESSED
Risk Management’s Role in Corporate Governance
[Figure: management layers from GOVERNANCE (accountability, supervision) through STRATEGIC MANAGEMENT and EXECUTIVE MANAGEMENT (decision & control) to OPERATIONAL MANAGEMENT. Traditional and current risk management application sits at the management and operational layers; the potential greater future role of risk management extends upward into strategic management and governance.]
STRATEGIC FRAMEWORK FOR MANAGING RISKS
[Figure: Business Strategies take risks (risk adding value); Business Processes manage risk (preserving value); Communication and Consultation link the two.]
[Figure: the risk management process diagram repeated, with ESTABLISH THE CONTEXT highlighted. In this version the decision box reads “Tolerate Risks? YES / NO”.]
ESTABLISH THE CONTEXT • Objectives and environment • Relevant Legislation • Stakeholder identification & analysis • Government Policy • Corporate Policy • Management Structures • Community Expectations • Criteria • Consequence criteria.
An Organisation’s Paradigm (the cultural web)
[Figure: the paradigm at the centre, surrounded by Stories (business experiences), Rituals & Routines, Symbols, Control Systems, Power Structures and Organisational Structures.]
Adapted from Johnson & Scholes, 1993, p.61
ORGANISATIONAL RISK CRITERIA
[Figure: an organisation’s risk personality or propensity, a strategic management decision shaped by corporate culture, drawn as a spectrum. At one extreme: Indecision, Aversion, Denial; then Dislike and Disinclination; the Risk tolerance range in the middle; then Impulsive and Excessive appetite; at the other extreme: Irresponsible.]
Board of Directors: approves policy; approves risk limits; approves risk tolerance; provides oversight
Executive Management: establishes policy; establishes risk limits; establishes risk tolerances; reports to Board; enforces
Risk Management Committee: monitor, coordinate, teach; measure, benchmark; report to Board; enforce
Line Managers: identify risk; propose risk limits; control; report
[Figure: the risk management process diagram repeated, with IDENTIFY RISKS (what can happen, when, where, how & why) highlighted.]
Risk Identification A risk is associated with • A source • An event or incident • A consequence, outcome or impact • A cause (what & why) • Controls and their level of effectiveness and application • When & where could a risk occur.
Identification of Sources of Risk • personnel/human behaviour • management activities and controls • economic circumstances • natural and unnatural events • political circumstances • technology/technical issues • commercial and legal relationships • public/professional/product liability • the activity itself.
Risk Management Methods Comprehensive identification using a well-structured systematic process is critical, because a risk not identified at this stage may be excluded from further analysis. More significantly, a well-structured process leads to quality collection of data, as strongly emphasised by AS/NZS 4360:2004 and by HB 436:2004 Risk Management Guidelines, the companion to AS/NZS 4360:2004.
[Figure: the risk management process diagram repeated, with ANALYSE RISKS (identify existing controls; determine likelihood and consequences; determine level of risk) highlighted.]
Risk Analysis
• Purpose – separate minor risks from major – provide data to assist in evaluation and treatment
• Preliminary Analysis – excluded risks should, where possible, be listed
• Best available information sources used; where possible, confidence limits placed on estimates
Examples of Qualitative Analysis • Checklists and Questionnaires • SWOT Analysis • Physical Inspections • Analysis Based on Records of the Operation • Flowcharts • Event trees.
S.W.O.T. ANALYSIS
[Figure: the organisation as a transformation process, INPUTS → TRANSFORMATION PROCESS → OUTPUTS, with the factors acting on it: Resources (skills & experience) impacts; Resources (financial) affects; Stakeholders (external/internal) influence; Organisational Environment (internal/external) affects; Cultural Web affects; Power (authority, knowledge, delegations) affects; Intrinsic/Extrinsic Rewards affect. Together these influence attitudes, approach and process, and efficiency. Source: HD 240:2000]
Examples of Quantitative Analysis • Computer Modelling • Fault Tree Analysis • Hazard Indices • Statistical Analysis.
Examples of Likelihood Tables

Likelihood Ex. 1          Likelihood Ex. 2        Likelihood Ex. 3
Almost Certain      5     Common            4     High Frequency        3
Likely              4     Potential         3     Moderately Frequent   2
Possible            3     Low Potential     2     Low Frequency         1
Unlikely            2     Almost Never      1
Rare                1

It is up to each organisation to define the parameters that allow users to assess likelihood.
Examples of Consequence Tables

Consequence Ex. 1         Consequence Ex. 2       Consequence Ex. 3
Catastrophic        5     Critical          4     Significant           3
Major               4     Severe            3     Moderate              2
Moderate            3     Medium            2     Insignificant         1
Minor               2     Negligible        1
Insignificant       1

It is up to each organisation to define the severity of impact that allows users to assess consequence.
Examples of Risk Rating Tables

Risk Rating Ex. 1         Risk Rating Ex. 2       Risk Rating Ex. 3
Very High           5     Extreme           4     High                  3
High                4     Significant       3     Medium                2
Moderate            3     Tolerable         2     Low                   1
Low                 2     Low               1
Very Low            1

It is up to each organisation to define the terminology for risk rating levels, and how this is set in the risk rating matrix.
Example Of A Risk Rating Matrix
[Figure: a likelihood × consequence matrix; the image itself is not reproduced.]
AS/NZS 4360:2004 emphasises that organisations tailor the criteria that drive assessment and analysis to suit the nature and business environment of their operations.
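The tables above are only useful once they are wired together: a matrix that turns a likelihood and a consequence into a rating, criteria that say which ratings are tolerable, and a register that is re-scored after treatment. The following is an added example, not code from the standard, the handbook or this deck. It uses the deck’s Likelihood Ex. 1, Consequence Ex. 1 and Risk Rating Ex. 1 labels; the matrix cells, the two tolerance thresholds (which stand in for the intolerable / tolerable-if-ALARP / broadly acceptable regions of the evaluation step) and the five sample risks are constructed assumptions that an organisation would replace with its own.

```python
# Added example (not from the standard or the slides): score a risk register
# with a tailored likelihood x consequence matrix, then evaluate each risk
# against the organisation's risk criteria. Scale labels follow the deck's
# Likelihood Ex. 1, Consequence Ex. 1 and Risk Rating Ex. 1; the matrix
# cells, thresholds and sample risks are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost Certain": 5}
CONSEQUENCE = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}
RATING_RANK = {"Very Low": 1, "Low": 2, "Moderate": 3, "High": 4, "Very High": 5}

# Constructed 5x5 matrix, MATRIX[likelihood - 1][consequence - 1]. It is
# asymmetric on purpose: the rating rises faster with consequence than with
# likelihood, so rare-but-severe risks are not scored away.
VL, L, M, H, VH = "Very Low", "Low", "Moderate", "High", "Very High"
MATRIX = [
    # Insig Minor Moder Major Catas
    [VL,   VL,   L,    M,    H],    # Rare
    [VL,   L,    L,    M,    H],    # Unlikely
    [L,    L,    M,    H,    VH],   # Possible
    [L,    M,    H,    VH,   VH],   # Likely
    [M,    H,    VH,   VH,   VH],   # Almost Certain
]

# Constructed risk criteria: the three tolerability regions of the Evaluate
# step, expressed as rating ranks.
INTOLERABLE_RANK = RATING_RANK["High"]        # High and above: must be treated
BROADLY_ACCEPTABLE_RANK = RATING_RANK["Low"]  # Low and below: accepted


@dataclass
class Risk:
    ref: str
    description: str
    likelihood: str
    consequence: str
    # Estimate once the planned treatment is in place; None = unchanged.
    treated_likelihood: Optional[str] = None
    treated_consequence: Optional[str] = None


def rate(likelihood: str, consequence: str) -> str:
    """Matrix lookup; labels that are not on the organisation's scales are rejected."""
    if likelihood not in LIKELIHOOD or consequence not in CONSEQUENCE:
        raise ValueError(f"unknown scale label: {likelihood!r}/{consequence!r}")
    return MATRIX[LIKELIHOOD[likelihood] - 1][CONSEQUENCE[consequence] - 1]


def evaluate(rating: str) -> str:
    """Compare a rating with the criteria and return its tolerability region."""
    rank = RATING_RANK[rating]
    if rank >= INTOLERABLE_RANK:
        return "intolerable: treatment required"
    if rank > BROADLY_ACCEPTABLE_RANK:
        return "tolerable only if ALARP"
    return "broadly acceptable"


def inherent_rating(risk: Risk) -> str:
    return rate(risk.likelihood, risk.consequence)


def residual_rating(risk: Risk) -> str:
    """Rating after treatment. A treatment must not raise the rating; if the
    estimates say it does, the register entry is wrong and must be revisited."""
    rating = rate(risk.treated_likelihood or risk.likelihood,
                  risk.treated_consequence or risk.consequence)
    if RATING_RANK[rating] > RATING_RANK[inherent_rating(risk)]:
        raise ValueError(f"{risk.ref}: treatment raises the rating")
    return rating


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest rating first; ties broken by consequence, so a rare-but-severe
    risk is handled before a frequent nuisance with the same rating."""
    return sorted(risks, reverse=True,
                  key=lambda r: (RATING_RANK[inherent_rating(r)], CONSEQUENCE[r.consequence]))


def register_report(risks: List[Risk]) -> List[Dict[str, str]]:
    """One row per risk in treatment-priority order: inherent and residual
    ratings, each evaluated against the criteria."""
    rows = []
    for r in prioritise(risks):
        inherent, residual = inherent_rating(r), residual_rating(r)
        rows.append({"ref": r.ref, "inherent": inherent, "decision": evaluate(inherent),
                     "residual": residual, "residual_decision": evaluate(residual)})
    return rows


# Constructed sample register for an information-security context.
SAMPLE_RISKS = [
    Risk("R1", "Credential phishing against staff", "Likely", "Major", treated_likelihood="Unlikely"),
    Risk("R2", "Ransomware on file servers", "Possible", "Catastrophic", treated_consequence="Moderate"),
    Risk("R3", "Loss of an unencrypted laptop", "Possible", "Moderate", treated_likelihood="Unlikely"),
    Risk("R4", "Flooding of the data centre", "Rare", "Catastrophic", treated_consequence="Major"),
    Risk("R5", "Defacement of the public website", "Unlikely", "Minor"),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_RISKS):
        print(row)
```

Two design points are worth noting. The matrix is deliberately not symmetric, so the Rare / Catastrophic flood (R4) still lands in the intolerable band and the prioritisation tie-break on consequence puts the ransomware risk ahead of phishing even though both score Very High; both choices are ways of honouring the deck’s “rare but severe risks” caution. The `residual_rating` guard catches the register error of a treatment estimate that makes a risk worse, which is the case the standard has in mind when it says that sharing a risk creates a new one.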
[Figure: the risk management process diagram repeated, with EVALUATE RISKS (compare against criteria; set priorities; treat risks? YES / NO) highlighted.]
Risk Evaluation Comparing levels of risk found in analysis with previously established criteria. Consider:
• objectives of project and opportunities
• tolerability of risks to others
• whether a risk needs treatment
• deciding whether risk can be accepted
• whether an activity should be undertaken
• priorities for treatment
RISK TOLERABILITY
[Figure 1: severity/impact/consequences on the horizontal axis (Insignificant, Minor, Major, Critical, Extreme) against frequency/likelihood on the vertical axis (0, Rare, Unlikely, Moderate, Likely, Almost Certain). The ACCEPTABLE OR TOLERABLE LEVEL OF RISK is the corner nearest the origin. Beyond it the chart is divided into REDUCE LIKELIHOOD (high likelihood, low consequence), REDUCE CONSEQUENCES (low likelihood, high consequence), REDUCE (both moderate) and AVOID RISKS (high likelihood and high consequence).]
[Figures 2 and 3: the same chart with quantified axes. Consequence runs $1,000 Mild, $100,000 Moderate, $1M Severe, $100M Disastrous, Total; likelihood runs from 0 (Not Possible) through Unlikely, Possible, Likely and Almost Certain to 1 (Certain). The TOLERABLE LEVEL OF RISK is a curve close to the origin; beyond it lie the same REDUCE LIKELIHOOD, REDUCE CONSEQUENCES, REDUCE and AVOID RISKS regions.]
Risk magnitude
[Figure: level of risk on a vertical scale, divided into three regions.]
• Intolerable region: risk cannot be justified except in extraordinary circumstances.
• Tolerable region (risk As Low As Reasonably Practicable, ALARP): tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained; lower in the region, tolerable if the cost of reduction would exceed the improvements gained.
• Broadly acceptable region (“de minimis” risk): necessary to maintain assurance that the risk remains at this level.
[Figure: the risk management process diagram repeated, with TREAT RISKS highlighted: identify options; assess options; prepare and implement treatment options; analyse and evaluate residual risk.]
THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK (B.F. Hough, 1985)
[Figure: level of risk (risk value) on the vertical axis against cost of reducing risk ($) on the horizontal axis. As cost rises the curve passes through bands labelled SATISFACTORY, MOST COST EFFECTIVE, ACCEPTED PRACTICE, BEST ACHIEVABLE and ABSOLUTE MINIMUM.]
[Figure: overall level of risk against cumulative cost of risk reduction measures, divided into IMPLEMENT, USE JUDGEMENT and UNECONOMIC zones.]
Risk Treatment • reduce – likelihood – consequences • business continuity management • sharing in full or in part (this creates a new risk) • avoid (but not because of aversion) • retain residual (but not by default)
REDUCE LIKELIHOOD Risk prevention • compliance programmes • inspection & process controls • security devices, alarms and processes • preventive maintenance • training & education.
REDUCE CONSEQUENCES Risk reduction • medical & first aid procedures • off site data & information storage • fraud control planning • fire suppression.
Business Continuity Management • emergency evacuation plans • off site data & information storage • business contingency plans • business relocation plans • business resumption plans • review, reassess and revise plans.
SHARING RISK Contractual transfer of legal responsibility • sub contracting of hazardous processes • exclusion clauses • outsourcing • partnerships & joint ventures
Insurance
AVOID Reduce probability of loss to zero • cease activity • closure of facility • sell business.
RETAIN RESIDUAL RISKS Losses funded from general operating expenses • vital to record all incidents • ensure retention is not due to failure to identify.
Treatment Options • Consider • opportunities created by risk • cost of implementation vs benefits • extent of risk reduction vs benefits • criteria of acceptability • rare but severe risks • risk perception and communication.
In general: costs of managing risk commensurate with benefits; adverse impacts As Low As Reasonably Achievable
Treatment Plans Document how options are implemented • responsibilities • schedules • expected outcomes • budgeting • performance measures • review processes
[Figure: the risk management process diagram repeated, with MONITOR & REVIEW highlighted.]
AS/NZS 4360:2004 Extending The Process • The role of assurance activity, not just as a risk control, but as part of ‘Monitor and Review’ should be developed. • This should go further than just audit. Other interested stakeholders can also benefit from the risk process, such as quality assurance, safety & environment management. The latest update is facilitating linkages between different stakeholders.
MONITOR & REVIEW • RM is a journey not a destination • What may be of minor significance today may be the disaster of tomorrow • Review is an integral part of the risk management process
AS/NZS 4360:2004 Role Of Assurance Activity
Recording the Risk Management Process • demonstrates process conducted properly • provides a record of risks • provides decision makers with plan for approval and implementation • provides accountability tool • facilitates monitoring and review • provides an audit trail • enables sharing and communication of information.
Establishing Effective Risk Management • Board & Management commitment • Risk management planning • Culture change • Accountability & authority • Customise to organisational paradigm • Ensure adequate resources • Board monitoring and review of risk management effectiveness
POLICY DEVELOPMENT • NO MORE THAN ONE PAGE • MUST BE SIMPLE, ACHIEVABLE, UNDERSTANDABLE & AUDITABLE • THE RISK MAKERS AND THE RISK TAKERS MUST BE THE RISK MANAGERS • SERVES AS A PLATFORM FOR ORGANISATIONAL GUIDELINES
RISK MANAGEMENT FRAMEWORK Risk Management Processes The framework will be implemented by each business unit in accordance with the policy by: • Maintaining documented business risk profiles using analytical techniques to identify, evaluate, and manage risks in compliance with AS/NZS 4360:2004 • Communication of risk management issues, where appropriate, to all relevant stakeholders
RISK MANAGEMENT FRAMEWORK Risk Management Structure & Responsibility The Board approves the corporate risk management policy and framework. The Board Risk Management Committee reviews the effectiveness of the policy.
All managers and staff are accountable for managing risk. The Risk Management “Champion” is responsible for facilitating the risk management program and reporting to the Board Risk Management Committee.
“STRATEGIC MANAGEMENT OF RISK” “Managing risk is a way of confidently taking the right risks and then managing the outcomes for success”
Risk Management and the Strategic Planning Cycle
[Figure: Opportunities and Risks feed a cycle of processes: Future State / End Vision; SWOT, Opportunities and Risks; Strategy & Tactics Planning; Review & Change; Execution / Integration (manage tactics, manage tasks, manage risks); Monitor Performance; Intelligence (performance, capability, external environment); Strategic Learning, Strategic Alignment and Strategic Intelligence.]
The Operational Risk Management Cycle
[Figure: an annual cycle marked Jan, May and Sep. Activities around the cycle: strategic planning; budget and business planning; conduct risk profiling and review performance; determine risk treatment actions (May); implement and monitor treatment actions.]
RISK MANAGEMENT BENEFITS • Fewer surprises • Exploitation of opportunities • Improved planning, performance and effectiveness • Economy and efficiency • Improved stakeholder relationships • Improved information for decision making • Enhanced reputation • Director protection • Accountability, assurance and governance • Personal wellbeing.
RISK MANAGEMENT OUTCOMES RM leads to • more informed decision making • business continuity planning • minimising disruptions • better utilisation of resources • strengthening of the culture of continuous improvement • best practice • a quality organisation
YOU DO NOT HAVE TO DO IT!! SURVIVAL IS NOT COMPULSORY
The greatest risk of all is to take no risk at all!
The Journey Continues A journey … a race, in pursuit of performance, building value
AS/NZS 4360:2004 and its accompanying Handbook provide generic guidance on how to embed risk management, and introduce the concept of “positive” risk to help you on the way.
[Figure: the numbered process diagram, with COMMUNICATE & CONSULT and MONITOR & REVIEW alongside it: Structure, Direction; 1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk; Processes; Opportunities; Risks.]