
Risk management and Investigation


Presentation Transcript


  1. Risk management and Investigation Peter Roberts peroberts@csu.edu.au

  2. Session Overview 1 What is risk management? 2 How to do risk management 3 How CSU staff can use risk management

  3. What is Risk Management Contents • The notion of risk • Defining risk management • The objectives of risk management • Organisational responsibilities and obligations in risk management

  4. What is risk? • Common language understanding • Formal ‘The chance of something happening that will have an impact upon objectives’ • Represents a rational response to dealing with an unknowable future • Can be measured in terms of likelihood and consequence

  5. Risk management Definition ‘The culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects’ • Treadway, COSO and Cadbury • Australian/New Zealand Risk Management Standard 4360:1999.

  6. Risk Management Objective ‘To enable business operations to be conducted within an environment of acceptable loss’ Process ‘The systematic application of management policies, procedures and practices to the tasks of establishing the context, identifying, analysing, evaluating, treating, monitoring and communicating risk’ The ‘Why?’ of risk management

  7. Professional/Organisational overview Professional reasons • common language • rationality, consistency Organisational reasons • legal, ethical, business responsibilities • safety, fraud control, insurance, disaster recovery

  8. Professional reasons for risk management • Standard 4360:1999 imposes a common language on key terms which is universally accepted in public and private enterprise • encourages people to think rationally • promotes consistency in decisions • assists in defending key decisions

  9. Organisational reasons for risk management • Organisational Legal Obligations • contracted • legislated • Other Organisational Responsibilities • ethical • self-regulated agreements

  10. Organisational Legal Obligations • Contractual • employment agreements • Legislated • OH&S & EEO • environmental • Myriad of other regulatory statutes • Use words like ‘reasonable’

  11. Corporate Ethical Responsibilities Includes a range of socially based expectations, including: • fairness • internal self regulation • industry self regulation • maintaining industry standards

  12. The result Risk management provides a proactive contribution to: • contracted, legislated and ethical compliance • increased revenue • reduced costs • positive ethical climate within the organisation

  13. The ‘how’ of risk management

  14. Australian /New Zealand Risk Management Standard 4360:1999 1) establish the context 2) identify risks 3) analyse risks 4) evaluate and prioritise risks 5) treat (or recommend treatments) for risks • Consult and communicate at each stage • Monitor and Evaluate at each Stage and loop back to earlier stages if necessary

  15. Establishing the context • strategic context • organisational context • risk management context

  16. Establishing the context (cont) • Start with objectives • ‘The chance of something happening that will have an impact upon objectives’

  17. Establishing the context (cont) To define the objective, consider: • what do we do? • how do we do it? • who are our customers/stakeholders? • what do they want? • what does all this mean to us?

  18. Establishing the context (cont) Three key elements: 1 what is/are our objectives? 2 what activities need to be completed to achieve the objectives? 3 what resources are available for use to perform the activities which will lead to the successful achievement of the objectives?

  19. Establishing the context (cont) • Develop risk evaluation criteria based upon policy, goals, objectives, stakeholder interests • operational • technical • financial • legal • social humanitarian

  20. Identifying risks/threats Link all customers/stakeholders to: • objectives • activities • resources

  21. Identifying risks/threats (cont) • Identify what can happen to threaten the process or system being analysed and how that threat may occur • Then list all those risks/threats

  22. Assessing risks/threats • Quantitatively • historical data • statistical information on incidents • surveys • Qualitatively • determine likelihood • determine consequence

  23. Assessing risks - rating the impact • Disastrous - achieving the objective may not be attainable. May be forced to discontinue or transfer function • Critical - Will produce difficulties beyond the capacity of existing resources. May require additional resources or funding to restore/achieve minimum function • Serious - Will produce difficulties to function that can be readily absorbed by current resources • Minor - Anything less than above

  24. Assessing risks - rating likelihood • Definite - almost certain to occur • Probable - distinct possibility of occurring in the time given • Possible - likely to occur over an extended period of time • Remote - more likely not to occur • Improbable - very unlikely to occur

  25. Presenting the risks • Can use a matrix - one provided in papers • Can develop different kinds of ratings for different circumstances • Can apply numerical values to the ratings - this helps when prioritising a large number of risks • Can use a risk register
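Slides 23 to 25 describe a qualitative assessment: rate each risk's impact (Minor to Disastrous) and likelihood (Improbable to Definite), optionally attach numbers to the ratings, lay them out in a matrix, and keep the results in a risk register. The following is an added example of that method in Python; it is not code from the presentation or from CSU. The rating names come from the slides, but the numeric weights, the priority bands (Low/Medium/High/Extreme), and the sample register entries are constructed assumptions chosen to illustrate the mechanics.

```python
"""Qualitative risk register: likelihood x impact scoring, matrix and prioritised list.

Added illustration, not the presentation's own material. Rating labels follow
the slides; numeric weights, priority bands and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List

# Impact ratings from slide 23 and likelihood ratings from slide 24,
# each mapped to an assumed integer weight (the slides do not fix the numbers).
IMPACT_SCALE = {"Minor": 1, "Serious": 2, "Critical": 3, "Disastrous": 4}
LIKELIHOOD_SCALE = {"Improbable": 1, "Remote": 2, "Possible": 3, "Probable": 4, "Definite": 5}

# Priority bands over the product score (1..20). Thresholds are an assumption;
# an organisation would set these from its own risk evaluation criteria (slide 19).
PRIORITY_BANDS = [(12, "Extreme"), (8, "High"), (4, "Medium"), (1, "Low")]


@dataclass
class Risk:
    risk_id: str
    objective: str    # the objective the risk threatens (slide 16: start with objectives)
    threat: str       # what can happen and how it may occur (slide 21)
    likelihood: str   # one of LIKELIHOOD_SCALE
    impact: str       # one of IMPACT_SCALE

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed vocabulary so the register stays consistent.
        if self.likelihood not in LIKELIHOOD_SCALE:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT_SCALE:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    def score(self) -> int:
        """Numeric value used for prioritising many risks (slide 25)."""
        return LIKELIHOOD_SCALE[self.likelihood] * IMPACT_SCALE[self.impact]

    def priority(self) -> str:
        return priority_for(self.score())


def priority_for(score: int) -> str:
    """Map a product score onto the assumed priority bands."""
    for threshold, label in PRIORITY_BANDS:
        if score >= threshold:
            return label
    return "Low"


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by id so the ordering is deterministic."""
    return sorted(register, key=lambda r: (-r.score(), r.risk_id))


def risk_matrix() -> List[List[str]]:
    """Likelihood (rows, most likely at the top) x impact (columns) grid of priority labels."""
    rows = [["Likelihood \\ Impact"] + list(IMPACT_SCALE)]
    for lk in reversed(list(LIKELIHOOD_SCALE)):
        rows.append([lk] + [priority_for(LIKELIHOOD_SCALE[lk] * IMPACT_SCALE[im])
                            for im in IMPACT_SCALE])
    return rows


def format_register(register: List[Risk]) -> str:
    """Render the register as the prioritised table a reviewer would read."""
    lines = ["ID   Score  Priority  Objective / Threat"]
    for r in prioritise(register):
        lines.append(f"{r.risk_id:<4} {r.score():>5}  {r.priority():<8}  {r.objective}: {r.threat}")
    return "\n".join(lines)


# Constructed sample register; the entries are illustrative, not from the slides.
SAMPLE_REGISTER = [
    Risk("R1", "Keep student records available",
         "Server room flooding destroys the only copy", "Remote", "Disastrous"),
    Risk("R2", "Keep student records confidential",
         "Staff share passwords for the records system", "Probable", "Critical"),
    Risk("R3", "Deliver lectures on schedule",
         "Projector bulb fails mid-lecture", "Probable", "Minor"),
    Risk("R4", "Process exam marks accurately",
         "Spreadsheet formula error in mark aggregation", "Possible", "Serious"),
]

if __name__ == "__main__":
    for row in risk_matrix():
        print(" | ".join(f"{cell:<10}" for cell in row))
    print()
    print(format_register(SAMPLE_REGISTER))
```

Run as a script it prints the matrix followed by the register sorted by score, so the shared-password risk (Probable x Critical, score 12) comes out above the flood (Remote x Disastrous, score 8). The multiplicative score is only one choice; slide 25 notes that different rating schemes suit different circumstances, and the bands should be derived from the evaluation criteria set when establishing the context rather than copied from this example.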

  26. Treating risks • Identify treatment options • Evaluate treatment options • Recommend treatment options • Prepare treatment plan • Implement treatment plan

  27. Developing/implementing a risk management program Appendix B of the Standard • Step 1- Support of senior management • Step 2 - Develop organisational policy • Step 3 - Communicate policy • Step 4 - Manage risks organisationally • Step 5 - Manage risks at work unit level • Step 6 - Monitor and review

  28. Who should be involved • horizontal spread - as many different functions as necessary • vertical spread - as many levels of the organisation as possible • skill spread • external stakeholders • consultants?

  29. Revisit key elements of Standard 1) establish the context 2) identify risks 3) analyse risks 4) evaluate and prioritise risks 5) treat (or recommend treatments) for risks • Consult and communicate at each stage • Monitor and Evaluate at each Stage and loop back to earlier stages if necessary

  30. Establishing CSU context Three key elements: 1 what is/are our objectives? 2 what activities need to be completed to achieve the objectives? 3 what resources are available for use to perform the activities which will lead to the successful achievement of the objectives?

  31. CSU context (cont) Develop risk evaluation criteria based upon policy, goals, objectives, stakeholder interests • amount lost • damage to reputation of organisation • threat to health, safety, security These criteria feed into the risk assessment process

  32. Identifying risks • Identify what can happen to threaten the process or system being analysed and how that risk may occur • Then list all those risks

  33. Assessing risks • Quantitatively • historical data, internal audit reports • files • statistical information on incidents • Qualitatively • determine likelihood • determine consequence

  34. Treating risks • Identify treatment options • Evaluate treatment options (cost, effectiveness) • Recommend treatment options • Prepare treatment plan • Implement treatment plan

  35. Other governance processes • Cross linkage with other governance processes. Each of these organisational policies needs to be integrated with the others, e.g. • Corporate planning • Physical security • Computer security • Internal audit • Organisational ethics • Anti-corruption activity

  36. Any comments?
