
RESOLVING CHALLENGES to

Implementing RISK MANAGEMENT

Kevin W Knight, CPRM; HonFAIRM; FIRM (UK)


President,
Australasian Institute of Risk Management

Chairman
ISO Working Group - Risk Management Terminology
Member
Standards Australia / Standards New Zealand
Joint Technical Committee OB/7 - Risk Management
E-mail: kknight@bigpond.net.au
THE CHANGING APPROACH
TO MANAGEMENT

Increased pressure on CEO accountability.


Board pressures on Corporate
Governance.
Board interest in Risk Management.
Risk Management emergence as a
discipline.
UNDERSTANDING CORPORATE
GOVERNANCE
Corporate Governance is all about the
relationship between:
The Organisation;
Its Objectives;
Risk Management; and
Control.
CORPORATE GOVERNANCE
About stewardship of public as well as
private sector organisations.
The manner in which an organisation is
managed and governed in order to achieve
its strategic and operational objectives.
Sound control environment.
There is no legal definition of the term
Corporate Governance in any
legislation so far.
CORPORATE GOVERNANCE
The way in which an organisation is
governed and controlled in order to achieve
its objectives. The control environment
makes an organisation reliable in achieving
these objectives within an acceptable
degree of risk.
It is the glue which holds the organisation
together in pursuit of its objectives while
risk management provides the resilience.
GENERAL COMPONENTS OF
CORPORATE GOVERNANCE
Strategic Planning.
Risk Management.
Quality Assurance.
Performance Measurement and
Analysis.
Annual Reports.
RISK MANAGEMENT AS DEFINED
IN AS/NZS 4360:1999
THE CULTURE, PROCESSES AND
STRUCTURES THAT ARE DIRECTED
TOWARDS THE EFFECTIVE MANAGEMENT
OF POTENTIAL OPPORTUNITIES
AND ADVERSE EFFECTS.

[Figure: risk management process diagram. Boxes: 1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk. Side bars: Communicate & Consult; Monitor & Review. Surrounding labels: Culture, Communication, Opportunities, Risks, Structure, Direction, Processes.]
THE RISK MANAGEMENT PROCESS
ESTABLISH THE CONTEXT
IDENTIFY RISKS
ANALYSE RISKS
EVALUATE RISKS
TREAT RISKS
[Figure labels: ASSESS RISKS (bracket); side bars COMMUNICATE & CONSULT and MONITOR & REVIEW.]
ESTABLISH THE CONTEXT
The Strategic Context
The Organisational Context
The Risk Management Context
Develop Criteria
Decide the Structure
IDENTIFY RISKS
What can happen? How can it happen?
ANALYSE RISKS
Determine existing controls
Determine Likelihood
Determine Consequence
Estimate Level of Risk
EVALUATE RISKS
Compare against criteria
Set risk priorities
Accept Risks? (Yes / No)
TREAT RISKS
Identify treatment options
Evaluate treatment options
Select treatment options
Prepare treatment plans
Implement plan
[Figure labels: ASSESS RISKS (bracket); side bars COMMUNICATE & CONSULT and MONITOR & REVIEW.]
TAKING A RISK: IT ISN'T ALL
BAD
Taking risks is a normal unavoidable
everyday necessity.
Taking controlled, informed risks is a
sensible and everyday essential part of life.
Taking uninformed, uncontrolled risks is
patently dumb.
We take risks not to avoid harm, but to
achieve benefits and gains.
Risk taking is positive, not implicitly
negative.
RM IS EVERYBODY'S BUSINESS
RM is not just the responsibility of
management.
For RM to be effective it must be
implemented by every person in the
organisation.
RM must become an integral part of
the organisational culture.
The risk makers and risk takers must be
the risk managers.
MANAGING RISK
Managing risk means forward thinking.
Managing risk means responsible thinking.
Managing risk means balanced thinking.
RM provides a framework to facilitate
more effective decision making.
RM is all about maximising opportunity
by managing risk.
RISK MANAGEMENT IS
NOT
Just accounting controls.
Another name for insurance.
About creating risk averse management.
A label to hide inadequate analysis
when something goes wrong.
A green light to careless enthusiasts.
Opening the door to risky
management.
KEY CHALLENGES TO IMPLEMENTING
RISK MANAGEMENT BY IMPORTANCE
Board/CEO support
Responsibility/accountability
Management buy-in
Risk measurement
Common risk language
Linked to corporate strategy
Adding value
Risk reporting
Link and impact to good corporate governance
Link to control self assessment
Technology
KEY CHALLENGES TO IMPLEMENTING
RISK MANAGEMENT BY DIFFICULTY
Linked to corporate strategy
Link and impact to good corporate governance
Risk measurement
Adding value
Responsibility/accountability
Board/CEO support
Link to control self assessment
Common risk language
Risk reporting
Management buy-in
Technology
THE KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Board/CEO support
Responsibility/accountability
Risk measurement
Link to corporate strategy
Link and impact to good corporate governance
Adding value
Common risk language
Management buy-in
Link to control self assessment
Risk reporting
Technology
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Board/CEO support
The need to demonstrate the tangible
benefits of risk management and to receive
key stakeholder support for this area of
management practice.
The Board must see risk management as a
cost reducer or avoider rather than a
cost addition.
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Responsibility/accountability
The need to integrate assurance activities
with risk management and compliance.
The involvement of other functional skills
in the process.
Where does risk management fit within an
organisation?
The role of a CRO.
RISK MANAGEMENT
CULTURE
Risk Culture

This means that all our business behaviours relating to
our individual performance encompass informed
decisions to do or not to do things based on a
reasonable analysis of foreseeable risks, opportunities
and their associated impacts on the corporate objectives.

Opportunities Risks
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Risk measurement
The need for organisation specific scales to
estimate how often specified events may
occur and the magnitude of their
consequences.
The transition of measurement from
qualitative perspectives to quantitative
approximations.
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Link to corporate strategy
The need for tailored integration with
business strategy.
Managing risk is a way of confidently taking
the right risks and then managing the
outcomes for success.
Organisational strategic goals are set for
all the right reasons, but generally not
connected to operational capabilities.
CHANGING TO A CULTURE OF
MANAGING STRATEGIC AS
WELL AS OPERATIONAL RISKS
Risk: Chance, unpredictability, opportunity.
Managed by: Predicting, analysing, caring, preparing,
preventing,
Understood through: Communicating
Leading to: Confidence, Performance, Value

CONTEXT OF STRATEGIC & CORPORATE RISKS
[Figure: two parallel columns. Left column: Strategic, Business Plans, Business Objectives, Corporate Risks. Right column: Core Business, Operations, Business Processes, Corporate Risks.]
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT

Link and impact of changes to
good corporate governance.
The ability of the AS/NZS 4360:1999 Risk
Management Standard to be proactive
in enabling Directors to meet their
corporate governance responsibilities.
[Figure: Risk Management's Role in Corporate Governance. Labels: Accountability; Supervision; Governance; Strategic Management; Management; Executive Management; Decision & Control; Operational Management. Annotations: "Potential greater future role of risk management" and "Traditional and current risk management application".]


STRATEGIC MANAGEMENT OF
RISK

Managing risk is a way of confidently
taking the right risks
and then managing the outcomes for success

Opportunities Risks
STRATEGIC PLANNING
[Figure: strategic planning cycle. Labels: Future State/End Vision; SWOT, Opportunities and Risks; Strategy & Tactics; Planning; Execution/Integration; Review & Change; Processes; Strategic Learning; Strategic Alignment; Strategic Intelligence; Monitor Performance; Performance Capability; Manage Tactics; Manage Tasks; Manage Risks; External Environment.]
STRATEGIC PLANNING
VERSUS
OPERATIONAL REALITY
Organisational strategic goals are set for all the
right reasons, but generally not connected to
operational capabilities
Unless strategic objectives are modified by a realistic
evaluation of capabilities, and then linked, the only
outcome will be consistent frustration and
underperformance
It is no use running harder if you do not know where
you are going.
ACHIEVING OUTCOMES -
THE PROBLEMS WITH STRATEGIC
PLANNING

Redefining process - including an over attention to
planning and strategic analysis - rarely achieves
material outcomes because:
they rarely reflect organisational capabilities
a strategic review is like an audit - it results in the
adoption of defensive positions and damage control
approaches.
THE OPERATIONAL RISK MANAGEMENT CYCLE
[Figure: annual cycle marked Jan, May and Sep. Stages shown: Conduct risk profiling; Strategic planning; Budget and business planning; Determine risk treatment actions; Implement and monitor treatment actions; Review performance.]
AN INTEGRATED MANAGEMENT SYSTEM TO ENSURE
PROGRESS IN STRATEGY IMPLEMENTATION
Business Strategies/Plans
Underpinned by:
AS/NZS ISO 14000: Environmental management
AS/NZS ISO 9000: Quality management
AS/NZS 4360: Risk management
AS 4390: Records management
AS 3806: Compliance program
AS 4269: Complaint handling
Review Effectiveness: Board Review; Management Review; Individual Team performance (review & reward); External audit; Risk management
Action: Change management; Continuous improvement; Service development; Systems development; Risk management
Measurement: Audit; Client feedback; Benchmarking; Management information; Risk management
Implementation: People; Information Technology; Process & Infrastructure; Policies & Procedures; Change & Project management; Risk management
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Adding value
The need to establish processes to link
strategic risk management with value
creation/competitive advantage.
These outcomes need not be financial, but
must be agreed.
If you do not know where you are going,
any road will take you there.
Evaluate & Prioritise Risks
[Figure: risk matrix. Vertical axis FREQUENCY/LIKELIHOOD: Rare, Unlikely, Moderate, Likely, Almost Certain. Horizontal axis SEVERITY/IMPACT/CONSEQUENCES, from 0: Insignificant, Minor, Major, Critical, Extreme. Regions: Acceptable or Tolerable Level of Risk; Reduce Likelihood; Reduce Consequences; Reduce; Avoid Risks.]
EVALUATE & PRIORITISE RISKS
[Figure, shown on two consecutive slides: risk matrix. Vertical axis FREQUENCY/LIKELIHOOD, from 0 to 1: Not Possible, Unlikely, Possible, Likely, Almost certain, Certain. Horizontal axis SEVERITY/IMPACT/CONSEQUENCES: 0, $1,000, $100,000, $1m, $100m, labelled Mild, Moderate, Severe, Disastrous, Total. Regions: Tolerable Level of Risk; Reduce Likelihood; Reduce Consequences; Reduce; Avoid Risks.]
[Figure: THE TRADE-OFF BETWEEN LEVEL OF RISK AND COST OF REDUCING RISK (B.F. Hough 1985). Vertical axis: LEVEL OF RISK (RISK VALUE). Horizontal axis: COST OF REDUCING RISK ($). Bracketed bands: SATISFACTORY; MOST COST EFFECTIVE; ACCEPTED PRACTICE; BEST ACHIEVABLE; ABSOLUTE MINIMUM.]
[Figure: LEVEL OF RISK / Risk magnitude, in three regions.]
Intolerable Region: Risk cannot be justified except in extraordinary circumstances.
As Low As Reasonably Practicable: Tolerable only if risk reduction is impracticable or if its cost is greatly disproportionate to the improvement gained. Tolerable if cost of reduction would exceed the improvements gained.
Broadly acceptable region: Necessary to maintain assurance that the risk remains at this level.
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Common risk language
The need for consistent points of
reference for communications and
reporting, and for the application of risk
management methods.
We all manage risk consciously or
unconsciously - but rarely systematically.
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT
Management buy-in
Reducing resistance to change; buy-in
from operations will facilitate acceptance
of responsibilities and proactive
participation.

The risk makers and the risk takers MUST
be the risk managers.
Umbrella of Risk
1 Management of specific business risks
2 Insurable risks
3 Disaster risks & incidents (BCP)
4 Policies & strategies for mana... risks
[Figure: umbrella diagram with numbered panels.]
Board of Directors
Approves policy
Approves risk limits
Approves risk tolerance
Provides oversight

Risk Management Committee
Monitor - Coordinate - Teach
Measure - Benchmark
Report to Board
Enforce

Executive Management
Establishes policy
Establishes risk limits
Establishes risk tolerances
Reports to Board
Enforces

Line Managers
Identify risk
Propose risk limits
Control
Report
RISK MANAGEMENT POLICY
Risk Management Processes
The policy will be implemented by each business unit:
Maintaining documented business risk profiles using
analytical techniques to identify, evaluate, and manage
risks in compliance with AS/NZS 4360.
Communication of risk management issues, where
appropriate, to all relevant stakeholders.

The culture, processes and structures which
are directed towards the effective management of
potential opportunities and adverse effects.
[Figure: risk management process diagram (1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk; Communicate & Consult; Monitor & Review), with the label Processes.]
RISK MANAGEMENT POLICY
Risk Management Structure & Responsibility
The Board approves the corporate risk management policy
and strategy.
The Board Risk Management Committee reviews the
effectiveness of the policy.
All managers and staff are responsible for managing risk.
The Risk Management Champion is responsible for
facilitating the risk management program and reporting to
the Board Risk Management Committee.
The culture, processes and structures which
are directed towards the effective management of
potential opportunities and adverse effects.

Structure Direction
KEY CHALLENGES TO
IMPLEMENTING RISK MANAGEMENT

Link to control self assessment


The need to integrate and compare top down
strategic risk management processes to
bottom up control/self assessments.
What existing controls are in place, how
effectively are they managed and enforced?
Do they support or impair the organisation's
ability to manage risk?
KEY CHALLENGES TO IMPLEMENTING
RISK MANAGEMENT
Risk reporting
The need to design appropriate reports to
assist and facilitate management and to
make decisions with due regard for risk
management principles.
Obtain appropriate risk tools that assist in
identifying and reporting risks.
Ensure data is capable of readily being
used as management information.
KEY CHALLENGES TO IMPLEMENTING
RISK MANAGEMENT
Technology
The need for consistent methods for
warehousing and reporting risk
management data captured across the
organisation.
Methods should have a design/develop or
purchase, or a paper based decision
process embedded as a part of their
implementation.
RISK MANAGEMENT
BENEFITS
More effective strategic planning.
Better cost control.
Increased knowledge & understanding of
your personal and corporate exposure to risk.
More systematic & thorough method of
decision making.
Greater transparency in decision making.
Prevention rather than reaction to risk.
Better preparedness for external review.
YOU DO NOT HAVE
TO DO IT!!

SURVIVAL IS NOT
COMPULSORY
Rather than have the carpet
pulled out from under you

Visit
www.riskbusiness.com
to learn how to dance on a
moving surface.
The greatest risk of
all
is to take no risk at
all!
A journey . A race In pursuit of performance Building Value

The End
[Figure: risk management process diagram, repeated. Boxes: 1. Strategic Ct; 2. Identify Threats; 3. Analyze; 4. Assess; 5. Assess/; 7. Manage the Risk. Side bars: Communicate & Consult; Monitor & Review. Surrounding labels: Opportunities, Risks, Processes, Culture, Communication, Structure, Direction.]
References:
AS/NZS4360:1999 - Risk Management; Standards Australia/Standards New Zealand, ISBN 0 7337 2647 X
SAA HB141-1999 Risk Financing Guidelines; Standards Australia, ISBN 0 7337 2814 6
SAA HB142-1999 A Basic Introduction to Managing Risk using the Australian and New Zealand Risk Management Standard AS/NZS4360:1999; Standards Australia, ISBN 0 7337 2794 8
SAA/NZS HB143-1999 Guidelines for Managing Risk in the Australian and New Zealand Public Sector; Standards Australia/Standards New Zealand, ISBN 0 7337 2815 4
SAA/NZS HB203:2000 Environmental risk management - Principles and process; Standards Australia/Standards New Zealand, ISBN 0 7337 3540 1
SAA/NZS HB228:2001 Guidelines for managing risk in healthcare; Standards Australia, ISBN 0 7337 3419 7
SAA HB 231:2000 Information Security Risk Management Guidelines; Standards Australia.
SAA HB240-2000 Guidelines for Managing Risk in Outsourcing using the AS/NZS 4360 Process; Standards Australia, ISBN 0 7337 2815 4
SAA HB250-2000 Organisational experiences in implementing risk management practices; Standards Australia, ISBN 0 7337 3562 2
CAN/CSA-Q850-1997 - Risk Management: Guideline for Decision-Makers; Canadian Standards Association, ISSN 0317-5669
JIS Q 2001:2001 Guidelines for development and implementation of risk management system; Japanese Standards Association, July 2001
99/402 000DC - Draft Guide to the Management of Business Related Project Risks; British Standards Institute
Financial Management Standard 1997 (Queensland): Subordinate Legislation 1997 No 141; Government Printer, Queensland
Financial Reporting of Risk - Proposals for a Statement of Business Risk; Institute of Chartered Accountants in England & Wales, 1998
Guidance for Directors - Governance Processes for Control (December 1995); Guidance for Directors - The Millennium Bug (February 1998); Learning about Risk: Choices, Connections and Competencies (July 1998); Canadian Institute of Chartered Accountants
Non-stop service (Continuity Management Guidelines for Public Sector Agencies); Emergency Management Australia 1997, ISBN 0 642 28329 X
Emergency Risk Management - Applications Guide; Emergency Management Australia 2000.
Professional Associations
The Association of Risk and Insurance Managers of Australasia
PO Box 93
BOX HILL Vic 3128
Internet address: http://www.arima.com.au
E-mail address: admin@arima.com.au

The Australasian Institute of Risk Management


PO Box 93
BOX HILL, Vic 3128
Internet address: http://www.airm.org.au
E-mail address: admin@airm.org.au

Risk Engineering Society


The Institute of Engineers, Australia
11 National Circuit
Barton ACT 2600
Web Sites
Standards Australia: - www.riskbusiness.com
Australian National Audit Office: - www.anao.gov.au
Emergency Management Australia: - www.ema.gov.au
New South Wales Audit Office: - http://www.audit.nsw.gov.au/perfaud-rep/RiskManagement-June2002/Risk-Contents.html
Queensland Audit Office Report No. 7 1998- 99: -
http://www.qao.qld.gov.au/publications/view_publication.asp?Pub_ID=66
Queensland Audit Office Report No. 1 2001- 02: -
http://www.qao.qld.gov.au/publications/view_publication.asp?Pub_ID=98
UK Auditor General: - http://www.nao.gov.uk/publications/nao_reports/9900864.pdf
UK Cabinet Office: - http://www.strategy.gov.uk/2002/risk/risk/home.html
Further education & professional development
Australasian Risk Management Unit, Monash University, Melbourne.
flexlearn@buseco.monash.edu.au
Queensland University of Technology, Brisbane. Terry Farr at: t.farr@qut.edu.au
Regency TAFE, Adelaide. Michael Barron at: michael.barron@regency.tafe.sa.edu.au
University of NSW, Sydney. Professor Jean Cross at: j.cross@unsw.edu.au
University of Technology, Sydney. Hugh Morris at: hugh.morris@uts.edu.au
