Risk Management. Embedding Good Practice. Aidan Horan Governance IPA

Transcription

1 Risk Management Embedding Good Practice Aidan Horan Governance IPA Institute of Public Administration Lansdowne Road Dublin 4 Ireland Ph

2 Observations Risk Appetite Risk Maturity Questions Agenda

3 Observations The essence of risk is uncertainty Environment with much greater uncertainty and complexity Risk is a tool not a rule - To help navigate the uncertainty - To assist with stating our intent - To assist dialogue and create narrative - To demonstrate how we engage in reasoned and reasonable risk taking

4 IPA 4

5 Governance Processes, Procedures and Attitudes according to which organisation directed and controlled Conformance / Compliance Performance Risk Control Focus Assurance activity Opportunity Performance Focus Strategy activity Q Where is the emphasis in your organisation?

6 Context Risk and Governance A sound system of internal control provides assurance that an organisation will not be hindered in achieving its objectives or in the orderly and legitimate conduct of its business, by circumstances which may be reasonably foreseen.

7 Code of Practice (August 2016) The Board s role is to provide leadership and direction of the State body within a framework of prudent and effective controls which enables risk to be assessed and managed ( page )

8 International Framework: Good Governance in the Public Sector ( July 2014) Good Governance requires risk to be embedded into an entity s culture integral to activities and continuous process. It is about being risk aware rather than risk averse

9 Risk Appetite COSO definition: the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity s risk management philosophy, and in turn influences the entity s culture and operating style. 9

10 Risk Appetite Statements Some organizations use specific risk appetite and tolerance statements based on certain categories of risk eg compliance, reputation, technology. Other organizations approach risk statements with overall organizational statements, such as: Take risk that the organization can manage in order to optimize returns; Balance risk and reward against the impact and cost of managing risks for the organization; Accept potential loss of x percent in earnings for a 50 percent Avoid risks that negatively impact the brand. Q ---- But do these statements help?

11 Some influencers on the organisations Risk Appetite The vision, mission and mandate The risk appetite of its leadership board and chief executive The organisational culture The sector and core activities The definition of success and high performance

12 Risk Appetite Risk appetite is defined as the amount of risk the organisation is prepared to accept or retain in the pursuit of its core priority objectives. It is an expression of the philosophy and ethos of an organisation Risk appetite will be chiefly qualitative in nature, but may include some high-level quantitative values or limits.

13 Risk appetite a discussion paper from Central Bank Setting a risk appetite is not about elimination of all risks; rather it is about embracing risks in areas in which management has the appropriate skills, knowledge and experience to take advantage of the opportunities presented, whilst limiting risks in other areas Risk appetite and strategic planning occur and evolve in parallel. 13

14 Risk Appetite 14

15 5 Optimised Mature World Class Intelligent Risk Maturity - Terminology Levels Model A Model B Model C Model D 1 Ad Hoc Immature Learner Tribal 2 Preliminary Early Starter Developer Siloed 3 Defined Progressive Contender Top down 4 Integrated Semi-Mature Performer Systematic

16 Evidence / Criteria for each level Level l: Ad hoc Undocumented; in a state of dynamic change. Depends on individual heroics rather than well-defined processes. Level 2: Preliminary. Risk is defined in different ways and managed in silos. Process discipline is unlikely to be rigorous. Level 3: Defined. A common risk assessment/response framework is in place. An organization wide view of risk is provided to executive leadership. Action plans are implemented in response to high priority risks. IPA 16

17 Evidence / Criteria for each level Level 4: Integrated. Risk management activities are coordinated across business areas. Common risk management tools and processes are used where appropriate, with enterprise wide risk monitoring, measurement, and reporting. Alternative responses are analyzed with scenario planning. Process metrics are in place. Level 5; Optimized. Risk discussion is embedded in strategic planning, capital allocation, and other processes and in daily decision-making. An early warning system is in place to notify the board and management of risks above established thresholds. IPA 17

18 Risk Management Embedding Good Practice Aidan Horan Governance IPA Institute of Public Administration Lansdowne Road Dublin 4 Ireland Ph