Supervisors and Managers Training. Risk Management. Self-Study Guide


Copyright

All rights reserved world-wide under International and Pan-American copyright agreements. No part of this document can be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise.

How to Use This Guide

This Self-Study Guide is designed and laid out in a way that will guide student learning much in the same way that an instructor would. This workbook is comprised of modules called Sessions. Each Session focuses on a major concept in the course. In each Session, we have included short-answer and (in some instances) multiple choice questions which relate directly to the Session material. Throughout the guide, you can take the opportunity to internalise what you have learned by completing the self-reflection exercises entitled Making Connections.

Table of Contents

Session One: Course Overview
    Learning Objectives
Session Two: Understanding Risk
    Defining Risk and Risk Management
    The Benefits of Risk Management
    Establishing Your Risk Management Context
    Making Connections
    Key Models
Session Three: Risk Management Activities
    The Key Activities of Risk Management
    Making Connections
Session Four: Assessing Risk
    A Risk Assessment Process
    Making Connections
    Evaluation Method
    Case Study: General Motors
    Making Connections
Session Five: Responding to Risks
    Risk Responses
    Case Study: GM Risk Responses
Session Six: Resourcing Controls
    Identifying and Evaluating Controls
    Case Study: GM Risk Controls
Session Seven: Reaction Planning
    The Worst-Case Scenario
    Case Study: GM Reaction Plan
Session Eight: Reporting and Monitoring
    A Reporting Hierarchy
    Items to Report
    Making Connections
Session Nine: Reviewing and Evaluating the Framework
    A Review Checklist
    Back at Work
    Making Connections
Session 10: A Personal Action Plan
    Starting Point
    Short-Term Goals and Rewards
    Long-Term Goals
Summary
Recommended Reading List

Session One: Course Overview

Risk management has long been a key part of project management, but in recent years, it has become an increasingly important part of organisational best practices. Corporations have realised that effective risk management can not only reduce the negative impact of crises; it can provide real benefits and cost savings. In this course you will learn a risk management framework that is flexible enough for any organisation. You can apply it to a single project, a department, or use it as a basis for an enterprise-wide risk management programme.

Learning Objectives

By the end of this course, you will be able to:
- Define risk and risk management
- Describe the COSO ERM cube and ISO
- Establish their risk management context
- Describe the 7 R's and 4 T's that form the framework of risk management activities
- Design and complete a basic risk assessment
- Determine the appropriate response to risks and create a plan for those responses
- Describe the key components of reporting, monitoring, and evaluation of a risk management programme

You will be performing several exercises throughout the course in order to help you produce an effective risk management programme in your organisation.

Consider your own experiences with risk management. Why did you decide to take this course? Take a moment to write down your personal objectives:

Session Two: Understanding Risk

In order to develop a risk management plan in your organisation, you must have a solid foundation of the concepts and terms used in this course. In this session you will be introduced to the foundational ideas informing the study of risk management. The information presented here is essential to your learning experience.

Defining Risk and Risk Management

What is Risk?

The ISO guide about risk management defines risk as "the effect of uncertainty on objectives." Risks are typically related to one of four areas:
- The organisation's long-term strategy (three years, five years, and beyond)
- The way that an organisation manages change (for example, during mergers and restructuring)
- The day-to-day operations of the organisation
- The general financial health of an organisation

Risk can be positive, negative, or neutral; it is simply a deviation from the norm. Risk is often defined as an event or a consequence.

Examples of Risks

Some risks associated with business include:
- Interruptions of the business cycle or business processes arising from government regulation, economic conditions, social conditions, weather systems, natural disasters, and other sources
- Unforeseen changes in existing strategic partnerships, key business relationships, and vendor/supply sources
- Changing labour market conditions affecting labour force availability and costs
- Issues arising from integrations of computer systems, communications networks, accounting systems, and other systems
- Access to information may be prevented by government or legal restrictions, privacy concerns, or other frameworks that are put in place
- Security conditions might arise that affect operations

Types of Risks

There are two general types of risk.

Quantitative risks are those that can clearly be quantified. They have an impact on time, people, money, or other resources. An example could be lost revenue, lost production, or delayed time.

Qualitative risks are those that cannot easily be clearly quantified. This may be because you do not have sufficient historical data to determine the likelihood of the risk and/or its impact is not understood well enough for a qualitative impact to be associated with it. For example: Your organisation is opening an oil rig in a new area. You have no concrete data for this particular type of machinery in poor weather, but you do know that other facilities in the area have their production affected in varying amounts each year because of weather.

You should always strive to make all qualitative risks quantitative, if possible, by collecting and analysing data.

What is Risk Management?

Risk management is defined as a set of principles and processes that help minimise the negative impacts of risks and maximise the positive impacts. Risk management should identify risks, assess them, determine a suitable response, and implement that response. In order for risk management to be successful, it must be integrated into the culture and the day-to-day activities of the organisation.

Your risk management process should be PACED:
- Proportionate to the size of your organisation
- Aligned to your organisation's mission
- Complete
- Embedded into the culture of the organisation and its day-to-day activities
- Dynamic and responsive

Exercise: Risk Management in Your Life

Can you provide examples of risk management processes and plans that you already use in your everyday life? Think of your personal property and assets. Here are a few examples of risk management processes and plans that you may have created (or obtained for yourself), or you may be a participant in.
- House insurance
- Disaster recovery plans
- Succession planning

The Benefits of Risk Management

How are these plans beneficial to you as an individual or to your organisation? They allow you to be compliant with regulations and laws. They also allow you to make better decisions. Some other benefits include:
- Reduced operating and legal costs
- More accurate reporting
- Improved image in the community, marketplace, and/or industry
- Competitive advantage

Exercise: Additional Benefits

Can you think of any additional benefits to developing a risk management plan?

Establishing Your Risk Management Context

Each organisation is unique, and it is crucial that you identify the context in which your risk management framework must operate. When you are developing a Risk Management Plan for your business, consider the following:
- The regulatory or legal environment you operate in with respect to both internal practices (e.g. labour laws and regulations, liability claims, etc.) and how you relate to your customers and vendors.
- Communication methods you will use to notify and communicate with your stakeholders, as a range of techniques may be required to suit different stakeholder groups.
- The size of the organisation in terms of the number of divisions, revenue of business lines, size of markets, and budgets of functional groups.
- Labour relations in the organisation.
- The structure of the organisation, which can affect risk analysis, planning, and implementation.
- The culture of the organisation with respect to risk tolerance. Is your organisation a conservative family business or an edgy risk-taker?

Making Connections

Identifying Your Risk Management Context

Can you identify the context in which your organisation's risk management framework must operate? Describe and analyse three different factors (business environment, structure, or culture) that could potentially influence your risk management process.

Factor 1:

Factor 2:

Factor 3:

Key Models

There are two key models which can be used to construct a risk management plan.
- The COSO ERM Cube
- ISO Standard and Guide 73

Model 1 - COSO ERM Cube

In 2004, the Committee of Sponsoring Organisations of the Treadway Commission (COSO) published a risk management standard known as the COSO ERM (Enterprise Risk Management) cube. It was designed to match up to Sarbanes-Oxley regulatory requirements for organisations in the United States, and is therefore quite popular.

The COSO ERM Cube lays out four categories of risk management objectives:
- Compliance
- Operational
- Reporting
- Strategic

This is followed by eight rows of components that are needed to achieve those objectives.
- Control Activities
- Event Identification
- Information and Communication
- Internal Environment
- Monitoring
- Objective Setting
- Risk Assessment
- Risk Response

The third dimension illustrates an organisation's various business units:
- Subsidiary
- Business Unit
- Division
- Entity Level

Source: Enterprise Risk Management Integrated Framework, Executive Summary (September 2004), Committee of Sponsoring Organisations of the Treadway Commission

Model 2 - ISO Standard and Guide 73

In 2009, the International Organisation for Standardisation published a guide and a standard for risk management. ISO Guide 73 defines generic risk management terms to provide a consistent foundation for frameworks and processes. ISO Standard provides best practice principles about risk management. Because this is an international standard, much broader based, and very recent, this is the standard that we will focus on during this course.

Exercise: Key Models

Using two sentences, restate the most important aspect of each of these key models.

Model 1 - COSO ERM Cube

Model 2 - ISO Standard and Guide 73

Session Three: Risk Management Activities

There are several activities that must be performed as you manage risks. These activities proceed from identifying and evaluating the risk, to planning your reaction, monitoring performance, and finally to reviewing your risk management framework. This session provides an overview of these activities. You will be referring to this process later on in the course.

The Key Activities of Risk Management

This graphic shows the seven R's and four T's that traditionally represent the key activities of risk management:
- Recognise and identify risks
- Rank and evaluate risks
- Respond to significant risks: Tolerate, Treat, Transfer, or Terminate
- Resource controls
- Plan your reaction
- Report and monitor performance
- Review the risk management framework

Making Connections

Seven R's and Four T's

After studying the graphic on the previous page, select one activity and elaborate on why you think it is included as a key activity of risk management.

Session Four: Assessing Risk

Identifying potential risks for your business or organisation is the essential element in the risk assessment process. As well, evaluating the probability of a particular risk is another aspect included in this process. In this session you will learn and practically apply the components of a risk assessment process to your own experiences.

A Risk Assessment Process

Types of Processes

The first step in risk management is to recognise and identify risks. Remember, your risk assessment process should be proportionate to your organisation. If you have a large, complex organisation, you will need a formal, complex risk identification process. If you have a small organisation, a short, informal process may suffice. Either way, you need to spend time recognising and identifying risks.

Templates

You should have (or create) a template to track and record all relevant information. The template will vary in complexity according to your organisation's needs, but basic information should include:
- A risk identifier, such as a number or code
- A description of risk
  o Classification (usually based on organisation's business or operating units, but should be customised for each organisation)
  o Why is it a risk?
  o Is this a hazard, opportunity, or uncertainty?
  o Tangible impact (people, time, money, etc.)
  o Non-tangible impact (reputation, morale, objectives, etc.)
  o Data gathered or studies completed
- A timeline
  o When might the risk occur?
  o How long could it last?
  o Could it reoccur?
  o What signals or alarms will we see?

- The scope of risk.
  o What could happen as a result of this risk?
  o What is the likelihood of the overall risk and each consequence?
  o What data do we have about the consequences of this risk?
  o What other risks could occur from this risk?
- An impact rating and likelihood: A rating of the impact of the particular risk (low, medium, or high), and the likelihood of the risk (likely, neutral, not likely)
- Any previous experience with this risk
- The risk attitude: A description of the organisational tolerance for the risk
- Existing risk systems.
  o Existing controls and estimated effectiveness
  o Monitoring procedures
  o Improvement recommendations and information
- Related policy or procedural information

Sample Template

This example of a risk identification template is based on the General Motors Case Study found at the end of this session.

Risk: New technologies such as hybrid vehicles
Description: The marketplace is beginning to ask for hybrid vehicles but these products are not included in our lineup.
Area: Legal / Regulatory / Marketplace / Financial / Operating / Other (describe)
Possible Tangible Effects (such as money, time, and resources): Loss of market share, reduced profit
Possible Intangible Effects (such as morale and reputation): Could affect GM's reputation as a cutting-edge auto manufacturer and industry leader
Impact: Low / Medium / High
Likelihood: Unlikely / Neutral / Likely
When might this occur? Rival automakers have their product launch scheduled for Q3 next year.
How long could it last? These vehicles will likely be slow to catch on but will quickly rise in popularity.
What other risks could result? If we are required to start manufacturing these new vehicles, we will face significant challenges in worker knowledge, manufacturing equipment, and product sourcing.

Identifying Risks

How do you identify risks? There are a number of ways:
- Using real or hypothetical case studies
- Drawing on personal and organisational experience
- Looking at similar projects and learning from their experience
- Consulting experts
- Mind mapping or brainstorming techniques
- Considering points of failure
- Extrapolating from past incident reports or complaints
- Interviewing and/or surveying stakeholder groups
- Using systems analysis techniques like flow charting
- Operational modeling
- Formal auditing or inspections
- Conducting new studies or consulting previous studies
- Work breakdown structure analysis
- Formal analyses such as:
  o SWOT: Stands for Strength, Weakness, Opportunities, and Threats. A good system to create a broad picture of any situation.
  o PESTLE: Stands for Political, Economic, Social, Technological, Legal, and Environmental. Used to assess the current market conditions and create a strategic plan.
  o HAZOP: Stands for HAZard and OPerability study. Provides a structure and system to examine a process or operation to identify risks.
  o FMEA: Stands for Failure Mode and Effects Analysis. A system that analyses system failures and their effects.

Making Connections

Risk Assessment at Your Work

Compare the risk identification strategies that are listed on the previous page to the strategies of your own organisation. Which do you do? Which do you not do? Which should you do?

A final note: Information gathering should always be a group activity. Gather hard data whenever possible.

Evaluation Method

Once risks have been identified, you can evaluate them by choosing their rank based on their severity and likelihood. One common method is a 3 x 3 matrix.

                 Severity
Likelihood       Low                        Medium     High
Likely                                                 Focus efforts here FIRST
Neutral
Not Likely       Focus efforts here LAST

This tool can be customised and even expanded to include additional levels of severity and likelihood.

Exercise: A Severe Risk

Have you ever experienced a situation when you had to manage a severe risk? What techniques did you use to defuse the potential risk? (If you have not had to manage a severe risk, can you imagine an example of a severe risk for a business or organisation in your industry?)

Case Study: General Motors

This case study focuses on the company General Motors (GM). Your goal is to perform a risk assessment of GM's new approach. You will first identify three risks and then evaluate them.

Background Information

General Motors (GM) has long been the world's number one manufacturer of cars and trucks. Their brand line has included Buick, Cadillac, GMC, Chevrolet, Pontiac, and Saab. Their business model includes overseas operations such as Vauxhall and Opel, Hughes Electronics, Allison Transmission, and GM Locomotive. They also have stakes in other brands, including Isuzu, Subaru, Suzuki, Fiat, and Daewoo. After years of a downward spiral in their market share, GM finally achieved two straight years of increase in In 2003, GM planned to continue this gain by launching 30 new gas-powered vehicles.

(The questions are on the following pages.)

General Motors Case Study

Use the background information to identify three risks to GM's approach and complete a risk assessment template for each. Present as much information as possible throughout your analysis. Be creative and identify research that they might want to complete if this were a real situation.

Risk One:
Description:
Area: Legal / Regulatory / Marketplace / Financial / Operating / Other: (describe)
Possible Tangible Effects (such as money, time, and resources):
Possible Intangible Effects (such as morale and reputation):
Impact: Low / Medium / High
Likelihood: Unlikely / Neutral / Likely
When might this occur?
How long could it last?
What other risks could result?

Risk Two:
Description:
Area: Legal / Regulatory / Marketplace / Financial / Operating / Other: (describe)
Possible Tangible Effects (such as money, time, and resources):
Possible Intangible Effects (such as morale and reputation):
Impact: Low / Medium / High
Likelihood: Unlikely / Neutral / Likely
When might this occur?
How long could it last?
What other risks could result?

Risk Three:
Description:
Area: Legal / Regulatory / Marketplace / Financial / Operating / Other: (describe)
Possible Tangible Effects (such as money, time, and resources):
Possible Intangible Effects (such as morale and reputation):
Impact: Low / Medium / High
Likelihood: Unlikely / Neutral / Likely
When might this occur?
How long could it last?
What other risks could result?

Plot the risks

Now that you have identified and analysed the risks, evaluate their severity and likelihood by plotting them on the evaluation grid.

                 Severity
Likelihood       Low        Medium     High
Likely
Neutral
Not Likely

Case Study Responses: Possible Risks

Some possible risks that GM might encounter include:
- Volatile financial markets
- Change in emissions standards
- New technologies such as hybrid and electric vehicles
- New automakers in the market
- Changing currency rates
- New hazard standards (such as a reduction in asbestos use)
- Labour strikes and work stoppages
- Political instability in overseas manufacturing areas
- Fuel shortages and price changes
- Increased pressure to produce may result in quality decrease
- More new products increases the possibilities of defects and problems

Making Connections

Managing Risk

Reflect on your own experiences. In your current job, are you responsible for identifying risks? How might the risk identification process and risk plot help you to manage potential problems that you might encounter at work?

Session Five: Responding to Risks

After you have performed a risk assessment, the next step in risk management is choosing a plan of action. Considering these activities as you develop a risk management plan will be helpful when it comes time to deal with an immediate threat. In this session, you will learn the ways that your risk management team can proceed after a risk has been identified.

Risk Responses

There are generally four ways that you can respond to risks. The best risk response plans usually provide a few options, ranked in order of preference.
- Tolerate: Accept that the risk exists. Tolerate the possible consequences.
- Treat: Perform an action to mitigate the risk. For example, if you know that the bank may not approve you for as much money as you need, you may want to look for other sources of funding.
- Transfer: Transfer the responsibility or the consequences of the risk to a third party. This is often done through a guarantee or insurance.
- Terminate: Stop the activity that causes the risk.

Key Considerations

Keep the following points in mind when choosing a mitigation strategy.
- Any strategy should do as much as possible to ensure normal business practices are not interrupted or are delayed as little as possible.
- In any larger company a risk materialising will almost certainly require media engagement to make announcements, clarify details, and provide on-going information to stakeholders and the general public. They will want to be informed about what your organisation is doing to manage the risk. Managing the media should be part of your risk management plan.
- Direct communication with stakeholders is critical. It should be either general but informative, or very specific to the impact the risk has on them.
- If there is any chance that people may be injured or worse, you should include medical support in your planning. This can mean having an emergency response team standing by or simply providing emergency support numbers to your staff.
- Depending on the risk, you may be required by law to obtain insurance against it occurring. If this is not the case, but insurance is available, you should perform a cost/benefit analysis to determine if insurance should be part of your risk mitigation strategy.

Example of responses to the General Motors hybrid risk described in the case study:

Risk One (Emergence of Hybrids)
- Tolerate: Do nothing and continue with existing plan
- Treat: Add hybrids to lineup
- Transfer: Outsource production of new hybrids to another company
- Terminate:

Case Study: GM Risk Responses

In the previous session, you identified and evaluated three risks that General Motors might encounter with their new business approach. For this exercise, we would like you to outline one or more strategies for mitigating the previously identified risks.

Risk 1:
- Tolerate:
- Treat:
- Transfer:
- Terminate:

Session Six: Resourcing Controls

Once a risk has been identified as a potential reality, your risk control plan must be put into action. There are several possible actions which can be implemented in order to manage the situation. In this session we will describe possible controls that can be used to mitigate the risk. You will then be presented with a series of risk evaluation questions you can ask as you manage a situation.

Identifying and Evaluating Controls

Once a risk has been identified, and you have chosen to treat it, it's time to look at controls that can be put into place to mitigate the risk. Possible controls can include:
- Re-allocating existing people or equipment
- Additional people
- New equipment
- Skills and training
- New information

Your evaluation should answer the following questions:
- Does the control meet laws and regulations?
- How well does each control mitigate the risk?
- What is the cost of the control vs. the implementation benefit?
- What is the sustainability of the control?
- What changes might have to be made to this control?
- What other effects will this control have?

Case Study: GM Risk Controls

Choose two risks you identified in the General Motors Case Study from Session 4. What controls could you use to mitigate each risk? For example, with the emerging hybrid marketplace (risk), one control could be a team formed to monitor marketplace changes and trends, or a facility to build the vehicles.

Risk:
Control:

Risk:
Control:

Risk:
Control:

Session Seven: Reaction Planning

As part of the risk management process, it is critical to build a contingency plan for each major risk that has been identified. This session outlines the particular details that should be considered in your risk reaction. Knowing what to do if the risk occurs will add to a complete management plan.

The Worst-Case Scenario

You should build a contingency plan for each major risk that has been identified. What will you do if the risk does occur? Your risk reaction plan should include the following considerations:
- When:
  o How will we know when the risk will happen?
  o What will alarms look like?
  o When should we start acting?
- Who:
  o Who has responsibility for this risk?
  o What other resources might they need?
  o Who else should be informed?
- What:
  o What will happen when the risk occurs?
  o What will we do when the risk happens? (Depending on the risk, this plan could be very detailed or very simple. A step-by-step, timed plan may be necessary.)
  o What consequences could the risk have?
  o What other risks might this event create?
- Where:
  o Where is the risk going to happen?

Case Study: GM Reaction Plan

Choose one risk that you identified in the General Motors case study in Session 4. Create a reaction plan for that risk.

Risk:
When:
Who:
What:
Where:

Session Eight: Reporting and Monitoring

When your organisation establishes its risk management framework, there are several components that must be established. Developing a reporting and monitoring system can prevent risks from reoccurring or worsening. In this session we will review topics that must be considered in observing the nature of a particular risk.

A Reporting Hierarchy

A reporting hierarchy should be established. Your reporting structure will differ depending on the complexity of your risk management programme. Some common setups include:
- A part-time risk manager
- A risk management committee
- A full-time risk management champion
- A risk management team
- A risk management department with an internal audit team

Your organisation will need to develop a checklist of items that will need to be reported on and monitored on a regular basis. This checklist should include:
- What data is to be gathered
- What form it is to be presented in
- Templates to be used
- When data should be gathered and reported
- Who is responsible for measuring, reporting, and monitoring

Items to Report

Items that will need to be reported on include:
- Changes to risks
- Near misses and incidents
- Changes that will affect the risk management programme, such as legislative changes, industry developments, and changes in supporting elements of risk planning

Depending on your organisation, you may also need to provide reporting according to external guidelines, such as Sarbanes-Oxley or Turnbull.

Items that should be monitored include:
- Effectiveness of risk controls
- Cost of controls vs. benefit achieved
- Laws and legislation
- Industry climate
- Alignment of risk management plan with corporate goals

Making Connections

Risk Management Structure

What type of risk management structure would you consider to be most suitable for your organisation?

Reporting and Monitoring

Propose possible measuring, reporting, and monitoring techniques that your organisation would require.

Session Nine: Reviewing and Evaluating the Framework

The previous sessions have reviewed the most important points to consider as you develop a risk management plan for your organisation. We believe, however, that the risk management process must be continually updated to reflect any changes in the organisational environment. This session will prepare you for the practical application of your risk management skills in your workplace.

A Review Checklist

A plan for periodic review and evaluation of the risk management framework is a critical element of any risk management programme. Typically a thorough review is performed annually. Here are several examples of activities that should be performed in the review process:
- Analysis of risk response measures and whether they achieved the desired result, and did so efficiently
- Review of reporting and monitoring procedures
- Knowledge gap analysis for risk assessments (Were people able to find the information they needed?)
- Compliance check with appropriate regulations and organisations
- Opinions of key external and internal stakeholders
- Self-certification
- Risk disclosure exercise, to identify future risks
- Repeat of risk assessment
- Lessons learned
- Recommendations and implementation plan

Remember, the review should be proportionate to your organisation. If your organisation is small, an afternoon meeting to review your risk management programme may be sufficient. For larger organisations, the review process may take weeks or even months and require outside assistance.

Back at Work

As you finish this course, you must now consider how you will implement a unique risk management plan that meets the needs of your organisation. We have included the following exercises to help you begin to organise your ideas and questions you may have.

Making Connections

Return to Work Plan

Can you propose three objectives or goals for developing your risk management plan, to which you could refer when you return to work?

Possible Problems

What problems can you anticipate that may influence your ability to develop a risk management plan when you return to work?

Risk Management Improvements

Has your organisation made any previous efforts to establish a risk management plan? Do you have any comments or suggestions of how current risk management activities could be performed differently?

Session 10: A Personal Action Plan

You have participated in this course and have learned a lot about risk management. How will you use the things you have learned in the future? Now is the time to take action. In this session, you will be asked questions to help you plan your short-term and long-term goals. By reflecting on where you currently are and where you want to be, you can solidify, in your mind, what you want your future to hold.

Starting Point

I know where I'm starting from. I know I am already good at these things, and I can do them more often:

I can learn this, I am learning this, and I am doing what I can at this stage as well. I have already learned:

Short-Term Goals and Rewards

I will start with small steps, especially in areas that are difficult for me. My short-term goals for improvement are:

I promise to congratulate and reward myself every time I do something, no matter how small, to maintain and improve my skills. My rewards will be:

Long-Term Goals

I'm setting myself up for success by choosing long-range goals to work for gradually. My long-term goals for success are as follows:

Summary

Congratulations! You have completed the course "Risk Management." In this course, we started with a focus on risk: its definition, benefits and context in your workplace. We looked at the key risk management activities, such as identifying and evaluating risks. We then explored risk responses, resourcing controls, reaction planning, and reporting and monitoring. After this, we looked at how to review and evaluate a risk management framework.

To give you practice with the material presented in this course, we used a case study based on the risks that a car manufacturer, General Motors, might encounter in the attempt to increase its market share.

Developing a risk management plan is essential for organisations and businesses of all sizes, within any industry. We encourage you to practically apply these risk management techniques in your workplace.

Recommended Reading List

If you are looking for further information on this subject, a recommended reading list is included below.

"A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO " The Institute of Risk Management

Committee of Sponsoring Organisations of the Treadway Commission. "Enterprise Risk Management - Integrated Framework (Executive Summary)." Committee of Sponsoring Organisations of the Treadway Commission. September

Crouhy, Michel, Dan Galai, and Robert Mark. The Essentials of Risk Management. 2005: McGraw-Hill, n.d.

Hampton, John. Fundamentals of Enterprise Risk Management. AMACOM,

International Organisation for Standardisation. ISO 31000:

International Organisation for Standardisation. ISO Guide 73:

Project Management Institute. A Guide to the Project Management Body of Knowledge, Fourth Edition. Project Management Institute, 2009.


More information

Implement industrial relations strategies

Implement industrial relations strategies Implement industrial relations strategies Overview The management team can choose from a variety of methods to ensure effective implementation of industrial relations strategies. Such methods include,

More information

Governance to the power of four. KPMG s 4D governance solutions: Pioneering support, new standards

Governance to the power of four. KPMG s 4D governance solutions: Pioneering support, new standards Governance to the power of four KPMG s 4D governance solutions: Pioneering support, new standards November 2016 All set for the governance of tomorrow The managers of companies in the middle of the last

More information

Chapter 2: The Project Management and Information Technology Context

Chapter 2: The Project Management and Information Technology Context Chapter 2: The Project Management and Information Technology Context TRUE/FALSE 1. Many of the theories and concepts of project management are difficult to understand. F PTS: 1 REF: 44 2. If project managers

More information

Cost Optimization for Cloud-Based Engineering Simulation Using ANSYS Enterprise Cloud

Cost Optimization for Cloud-Based Engineering Simulation Using ANSYS Enterprise Cloud Application Brief Cost Optimization for Cloud-Based Engineering Simulation Using ANSYS Enterprise Cloud Most users of engineering simulation are constrained by computing resources to some degree. They

More information

LADY MANNERS SCHOOL CAREER, EMPLOYABILITY AND ENTERPRISE POLICY

LADY MANNERS SCHOOL CAREER, EMPLOYABILITY AND ENTERPRISE POLICY LADY MANNERS SCHOOL CAREER, EMPLOYABILITY AND ENTERPRISE POLICY Final - Governors 17 November 2016 AIMS STATEMENT At Lady Manners School we strive to attain the highest standards in our work, have respect

More information

The anglo american Safety way. Safety Management System Standards

The anglo american Safety way. Safety Management System Standards The anglo american Safety way Safety Management System Standards 2 The Anglo American Safety Way CONTENTS Introduction 04 Anglo American Safety Framework 05 Safety in anglo american 06 Monitoring and review

More information

Enterprise Risk Management. Applying enterprise risk management to environmental, social and governance-related risks.

Enterprise Risk Management. Applying enterprise risk management to environmental, social and governance-related risks. Enterprise Risk Management Applying enterprise risk management to environmental, social and governance-related Executive Summary PRELIMINARY DRAFT January 2018 This document was developed by the Committee

More information

ASA ANNUAL CONFERENCE 2014 WASHINGTON, DC THE 8D DISCIPLINE TO EFFECTIVE PROBLEM SOLVING

ASA ANNUAL CONFERENCE 2014 WASHINGTON, DC THE 8D DISCIPLINE TO EFFECTIVE PROBLEM SOLVING 1 ASA ANNUAL CONFERENCE 2014 WASHINGTON, DC THE 8D DISCIPLINE TO EFFECTIVE PROBLEM SOLVING G. RINGGER CONSULTING, INC. Celebrating 30 years in the aerospace/aviation industry! Providing Engineering, Quality

More information