INTERNAL AUDIT, RISK AND CONTROLS SERVICES Tasmanian Audit Office Risk Management : Managing Risk In Uncertain Times A

Overview - Managing Risk In Uncertain Times. The Global Financial Crisis: reflecting on possible causes and impacts to date. Implications for risk management? Global survey results:

sherise

Presentation Transcript


    2. Overview - Managing Risk In Uncertain Times

    3. Global Financial Crisis Reflecting on outcomes

    4. Global Financial Crisis Reflecting on outcomes (Australia)

    5. The Global Financial Crisis - the causes?

    6. The last few years have seen some things go horribly wrong. Poor risk culture has been blamed as one of the causes for the GFC. Risk culture failed; Platinum Branded Companies and Regulators; due diligence of management decisions and actions; complicit regulations; complexity of communication.

    7. Beyond box ticking: A new era for risk governance. Intro: Shareholders are examining whether risk oversight has been sufficiently rigorous. Wide range of industries; Asia/Aust, Nth America & West Europe. Respondents were C-level executives or Board level execs.

    8. Key themes of the survey

    9. 1. Building a risk culture. Key findings:
        1. Risk is not the responsibility of somebody in isolation. It's everybody's responsibility.
        2. Boards tend to live in a partial assurance vacuum. Management knows risks but only tells board what they want. Managers rarely report candidly because of the disincentive of doing so. Set tone at the top. 63% believe risk culture should come from executive management leadership.
        3. Only 32% believe their organisations are effective at instilling awareness of risk through the organisation. 34% believe the least effective area is with lines of business; next on the list was the IT dept at 13%.
        4. CRO Marsh UK: talk in terms people understand, everyday language, not how the risk function communicates amongst themselves. Business ownership: a key feature of the best organisations. Key front line business managers are responsible / accountable. They care.

    10. 1. Building a risk culture. Ten risk indicators of successful risk management from the current economic crisis. Only four of the indicators relate to risk management techniques. 6 of the 10 indicators are cultural and point to the right culture being fundamental to the success of any risk management function.

    11. 2. Gaps in corporate risk expertise and resourcing constraints. Key findings:
        1. Stats change based on size and location but generally believe CEOs and CFOs understand risk. Only 55% believe chairman effective, 46% that audit committees effective.
        2. Only 30% believe boards effective at having discussion on this topic.
        3. Audit committees have taken on risk by default, but do they have the skills? The risk reward ratio is not right to get the right talent.
        4. Less than half have / looking to recruit CRO an

    12. 2. Gaps in corporate risk expertise and resourcing constraints. Companies recognise the need to strengthen risk management but a lack of financial resources is impeding investment. But when companies are making investments, it is on process rather than expertise, technology or data. A focus on process improvement alone is unlikely to address underlying risk deficiencies. Past 12 months: 43% say biggest barrier in past has been poor data quality and availability. Going forward they say lack of financial resource & shortage of available expertise is ranked second for past and future. 30% say focus on processes - will not meet expectations of risk function. Some major changes: Lloyds TSB created 70 more roles in risk function despite their thousands of job cuts. But many businesses still remain in survival mode, and investing in process is relatively easy and less costly as opposed to cajoling, educating exec management.

    13. 3. The importance of communication. Key findings: The survey findings suggested that more needs to be done about the timeliness of risk information (just over 36% thought that risk info was timely and up to date). Risk professionals have a key role in education and communication within the business to help people see risk management as a performance driver. Reports need to be relevant and have purpose, not too much detail. Respondents indicated limited confidence in the effectiveness of risk reporting: is it tailored to the audience? Does it enable an aggregate view of risk? Must not neglect judgement: management know the business; don't rely overly on sophisticated systems and overly long reports.

    14. 4. More than just compliance. Key findings:
        1. 75% of risk management's time spent on controls and monitoring and compliance.
        2. If you turn risk management into a tick the box approach, then you will miss the inter relationships between the various types of risk. Less than half of respondents believe the risk function in their company effectively supports the improvement of shareholder value.

    15. Beyond Box-ticking: Take away observations. What are the key messages from the survey responses? Businesses now know that risk management and risk governance is not about box ticking. Risk governance is perceived to have direct impact on bottom line, BUT few believe they can afford to overhaul current risk practices. The answer may be that Finance departments need to re-allocate budgets to enable a change.

    16. KPMG's enterprise risk management framework has five elements which enable discrete assessment of maturity for each element. What have we observed? KPMG ERM framework. This model is consistent with the concepts in the COSO ERM model and AS/NZS 4360 and outlines 5 key areas:
        1. RISK GOVERNANCE: Considers the organisation's approach and attitude to risk management. Need to consider: the environment you operate in; risk strategy (extent of alignment with business strategy); policy & communication (is there a common language to communicate risk within the business?); building a structure (what are the processes and tools used to support RM, centralised or decentralised?); enabling people (how are the people engaged and mobilised?).
        2. RISK ASSESSMENT: Setting context (extent of alignment with business strategy?); process (how are risks identified, assessed and treated?); sustainability (extent of embedding risk management activities).
        3. QUANTIFICATION & AGGREGATION: Processes that support the measurement criteria ("if it's not measured it's not done"). How risks are analysed and quantified within the business.
        4. MONITORING & REPORTING: Monitoring (processes to monitor risks in light of tolerance levels). Reporting (escalation and reporting processes: is risk information going to the right people/forums at the right time and in the most appropriate form?).
        5. CONTROL OPTIMISATION: Risk management activity (risk treatment: how is the organisation responding to the risk? How controllable is the risk? Proactive response/monitor? What does this do to the risk profile?). Business performance (how does risk information enhance business strategy? Is it used as a feeder to business planning/strategy?).

    17. What have we observed - Nationally. ERM framework industry benchmarking data. Some industries are more advanced than others: banks have embraced RM concepts and have been embedding risk management into day to day practices, used quantifying and measurement techniques (e.g. Value at Risk), assisted by regulatory bodies. Also those businesses with a focus on risk / reward investment planning and prioritising safety conscious behaviour (e.g. mining). Many industries are in their infancy, e.g. retail & media: still use risk management as a bolt on rather than as a means to optimise business outcomes & returns; prepare risk registers and report but are yet to move beyond this reactive approach; these have tended to be industries with a strong cost and margin culture largely depending on consumer confidence or day to day sustainability. Businesses are starting to get risk management into the business planning processes. Will a more mature ERM framework secure a competitive advantage?

    18. What have we observed - Locally. Generally there is no quick fix: risk management is a journey. No one size fits all: each organisation should determine the desired level of maturity. Requires senior management commitment (culture). Challenges of bringing changes to existing practices and cultures should not be underestimated (change management & culture). Risks should be considered from multiple perspectives: Board focus - gross risk; Management focus - net risk; risk controllability. To remain an effective tool for top level governance, don't identify too many risks. Leverage risk information inputs for: strategic business planning, resource allocation, financing, assurance activities.

    19. Relevant recent KPMG Risk Management Publications: "Beyond box-ticking: A new era for risk governance"; "The business case for a risk executive: Leading efforts to avoid surprises, manoeuvre through challenges and add value"; "Placing value of Enterprise Risk Management"; "The convergence challenge: Global survey into the integration of governance, risk & compliance". (Publications available via email on request.)

    20. Presenter's contact details. Name: Alastair McDougall; Position: Director; Phone: 03 6230 4000; Email: amcdougall@kpmg.com.au
