
Practical aspects of determining and applying a risk ...



147 Key Issues Applied Corporate Governance

By Tim Timchur acis, Director, ActivePro Consulting Pty Ltd

Practical aspects of determining and applying a risk appetite for SMEs

• Important to determine appetite for risk before determining what risk management strategies are appropriate
• Different risk appetites will apply to different areas of operations within the same organisation
• Essential that risk appetites are re-evaluated continually because organisations and environments change

Picture this. As the new chief executive of a small to medium enterprise (SME), you have been asked by the board to implement an enterprise risk management (ERM) system for the organisation.

You are reasonably aware of the processes involved in ERM, and understand that before commencing any risk assessments there are some key issues to of these is to determine and then articulate the risk appetite. However, there is surprisingly little available in the literature to assist you in how to do article aims to provide some assistance in how an SME may go about determining its risk appetite, to use as it applies the discipline of ERM to its organisation. The information provided here has been developed following real-life projects to implement ERM in industries including health care, professional services and manufacturing.

There is no attempt to suggest that solutions presented here follow best practice. Examples of ways of addressing the issues are offered which may be modified to suit a particular

is risk appetite?

Risk appetite has been defined as the level of risk that an organisation is willing to accept¹, the amount of risk an entity is willing to accept in pursuit of value², or The amount of risk which is judged to be tolerable and justifiable.³

Where does risk appetite fit in?

For the purposes of this article, we will assume that management has adopted the current international standard for risk An understanding of risk appetite is required during risk evaluation, a component of risk assessment.

Residual risk ratings are compared with the risk appetite to determine if the risk requires

process for implementation

Following our example of a new implementation of an ERM project for an SME, six phases are provided as an outline for the project. See Table

Governance

Good practice suggests that any implementation of an ERM project would start with a comprehensive system of governance to ensure that objectives are met within project constraints. Typically a risk committee will be formed to provide oversight of the ERM function and to ensure an appropriate level of reporting to the

Risk management framework

A risk management framework should be developed with reference to the standard which describes how the business will implement ERM.

A risk appetite statement provides guidance as to when treatment of risks is required to bring their risk rating within that of the

Table 2: Sample consequence table

| | loss | Personal safety | Business disruption | Reputation impact |
|---|---|---|---|---|
| Insignificant | <$10,000 | No injuries requiring time off work | Virtually no disruption to business activities | No impact to reputation |
| Minor | $10,000 - $50,000 | No injuries requiring medical treatment | Slight disruption to business activities | No impact to reputation |
| Moderate | $50,000 - $250,000 | Medical treatment required | Significant disruption to business activities (> 2 days) | Reputation damaged press coverage likely |
| Major | $250,000 - $1,000,000 | Serious injury including hospitalisation | Major disruption to business activities (> 1 week) | Reputation damaged press coverage extends to newspapers and evening news |
| Catastrophic | >$1,000,000 | Death | Closure of offices, large number of staff losses | Investigation by government offices |

148 Keeping good companies April 2011

A risk management policy is a key component of this framework, describing the tables of likelihood and consequence, and combining these in a risk rating matrix.

A 5 x 5 matrix is recommended for SMEs, to provide a sufficient level of detail without being overly complicated. Examples are as set out in Tables 2 to practice would also see the risk ratings of low, moderate, high and extreme linked to a specifically determined management action and a defined level of accountability for managing the

Planning

A risk management plan may be used to document the project of implementing enterprise risk management for the organisation. It may include project objectives, scope, resources, expected benefits, costs, and timeframe, and be supported by a business case, budget and benefits realisation

Setting up a system

A system will be required to track risks, including their identification, analysis and evaluation, as well as treatment plans and risk reports.

A typical SME solution would be a spreadsheet-based solution, but consideration should be given to specific applications designed for risk management. Opportunities to integrate this information with other corporate systems should be investigated, including integration with enterprise reporting systems, dashboards, corporate intranets and applications for accounting, human relations, internal audit and incident

Table 1: Phases in the implementation of an ERM project

| Phases | Notes | Deliverables |
|---|---|---|
| 1 Governance | Identify accountability for ERM and communicate with stakeholders | Risk committee charter |
| 2 Framework | Describe the application of risk management principles to your business | Risk appetite statement; Risk management policy |
| 3 Plan | Project plan for the implementation of ERM | Business case; Risk management project plan; Budget |
| 4 System | Spreadsheets; Software application; Integration | Application documentation; Data integration map |
| 5 Management | Risk assessment; Risk treatment; Risk reporting | Risk register; Risk treatment plans; Risk reports |
| 6 Continuous improvement | Embed a risk culture; Ongoing review of risk documents and processes | Business process review |

Table 3: Sample likelihood table

| Rating | Description | Occurrence | Frequency |
|---|---|---|---|
| Rare | Not expected to occur | Once | Less than once every 5 years |
| Unlikely | Only expected to occur in exceptional circumstances | Once | 2 - 5 years |
| Moderate | Might occur at some time | Once | 1 - 2 years |
| Likely | Will probably occur at least once | Once | 1 year |
| Almost certain | Is expected to occur in most situations | Multiple | 1 year |

Table 4: Sample risk matrix

| Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Almost certain | Moderate | High | High | Extreme | Extreme |
| Likely | Moderate | Moderate | High | High | Extreme |
| Moderate | Low | Moderate | Moderate | High | High |
| Unlikely | Low | Low | Moderate | High | High |
| Rare | Low | Low | Moderate | Moderate | High |

Example

This strategic planning framework has been developed from experience at a global manufacturing business, an Australian not-for-profit organisation, and a small professional services process commences with the strategic plan, from which business unit managers can develop their more detailed business plans. Operational plans are developed from the business plans, and include operational as well as strategic activities.

For this example, operational plans follow a 100-day planning process, and are supported by project plans as each level of the planning process, risks are captured, aggregated and reported upwards, until the strategic risks supporting the strategic plan are linked to and populated by the lower level risks. At the same time, project and operational KPIs feed the business unit KPIs, in turn being summarised at the strategic level.

Figure 1: Sample strategic planning framework

| | Risk management | Planning | Reporting | |
|---|---|---|---|---|
| Enterprise | Strategic risks | Strategic plan | Strategic KPIs | 5 years |
| Business unit | Business unit risks | Business plans | Business unit KPIs | 1 year |
| Business unit | Operational risks | Operational plans | Operational KPIs | 100 days |
| Project | Project risks | Project plans | Project KPIs | Project life |

5.

