Description
Follow the ISO 31000 framework to develop an ERM report including a risk policy and a risk appetite statement in light of the risks identified in project 1. You have to use this report to analyze, assess and mitigate those risks. The report should have: 1) risk mitigation, 2) risk tolerance and risk category, 3) risk policy and RACI matrix.
Executive Master in Information Systems
EMIS607 – Enterprise Risk Management
Enterprise Risk Management
Dr. Mayada Alrige
Setting up Enterprise Risk Governance
Agenda
1. Consider ERM Frameworks (ISO 31000)
2. Store, quantify and assess Risks
3. Develop Risk Appetite Statement
4. Develop a sound risk policy
5. Organize ERM properly
6. Project 2 Details
Consider ERM Frameworks Thoughtfully
ISO 31000
• The ERM process cycle according to ISO 31000 is one of the most widespread, accepted, and currently most up-to-date standards.
• At first, management needs to establish the context. This means that a risk management strategy and a risk management organization are defined.
• It includes the establishment of a governance structure and the definition of roles and responsibilities.
• Next, risks are assessed in three main steps: risk identification, risk analysis and risk mitigation.
https://pecb.com/whitepaper/iso-31000-risk-management–principles-andguidelines
ISO 31000 Risks Assessment Steps
• Firstly, risk identification takes place. Risks are identified by source, for a certain timeframe, and for each of the different risk categories. The outcome is a qualitative assessment of the risks.
• The second step, risk analysis, aims at generating a better understanding of each risk. Different positive and negative risk scenarios are defined. Their likelihood and potential impacts are assessed. According to the framework, risk identification and analysis can be quantitative, semi-quantitative, qualitative, or a combination of these.
• ISO 31000 suggests assessing all risks by comparing the risk analysis with established risk criteria. This step helps to decide about the significance of every risk (IRM 2018). For example, a sensitivity analysis can be used to prioritise the quantified risk scenarios. The previous process steps allow aggregating and evaluating risk exposure (probability of occurrence * impact).
• This step leads to the final risk mitigation. It defines the risk mitigation measures for each single key risk. The whole process of risk management needs to be continuously monitored and reviewed. Therefore, management can ensure that risk mitigation measures are effectively implemented. In parallel, a major focus lies on an effective communication and consultation process. It is stated that risk communication is an effective instrument for the development of a positive risk culture (Romeike 2018, pp. 36–38).
ISO 31000 General Goals
• Simplified language. The principles of risk management are stated in simple, practical, and more accessible terms. Terms and definitions were reduced from twenty-nine to eight.
• Companies often have a minimum set of principles, frameworks, and processes for risk management in place.
• Focus on value creation and protection. To achieve this goal, the standard contains eight principles. These principles serve as the basis to improve the company’s risk management framework and process. ISO 31000:2018 outlines that risk management can create value if risk management is an integral part of a company’s activities and decisions.
• Flexible standard. This makes it useful for a large number of companies, regardless of their size and industry.
COSO ERM
• Firstly, the risk that the strategy is not aligned with an entity’s mission, vision, and core values is crucial to consider in strategic decisions.
• A failure in the alignment of the strategy increases the risk that the company may not realize its goals about mission and vision. This may be true even though the strategy is executed successfully. As a result, ERM should deal with the risk of a strategy not being aligned with the company’s mission and vision (COSO 2017).
• Secondly, ERM must consider the implications that are caused by the selected strategy. Each alternative strategy has its own risk profile. Thus, the board and the management need to decide if the selected strategy is in line with the company’s risk appetite. In addition, management needs to reason how the chosen strategy supports the company in achieving its goals (COSO 2017).
The five components of the strategy-setting process in (COSO 2017)
• Governance and culture. Governance reinforces the importance of ERM and creates oversight responsibilities. Also, governance sets the company’s tone. Culture refers to ethical values, desired behaviors, and the understanding of risk in the company.
• Strategy and objective-setting. The strategic planning process involves ERM, strategy, and objective-setting. The basis for identifying, assessing, and responding to risk is the creation of a company’s risk appetite aligned with the strategy.
• Performance. Risks that could hinder the achievement of strategy and business goals have to be identified and evaluated first. Then, these risks are prioritized by severity taking into account the company’s risk appetite. Subsequently, appropriate risk mitigation measures are selected. A portfolio view of the risk exposure should be produced by ERM and is communicated to key risk stakeholders.
• Review and revision. A company can assess how well the ERM components are working as time goes by. This can be done with a review of the company’s performance. Further, it can determine required revisions in the light of substantial changes.
• Information, communication, and reporting. ERM demands an iterative process of collecting and sharing meaningful information. Internal and external sources flow across the entire company and may be relevant for decision-makers.
Examples of Strategic Risks
• Competitive risk.
• Give an example of a strategic risk that your firm has identified (and possibly tackled).
ISO 31000:2018 and COSO ERM 2017
Following ISO 31000:2018 to initiate the ERM process
Store Key Risk Scenarios in a Database
• Now, the following information is available for the next step in the ERM process:
• Very pessimistic, pessimistic, optimistic, and very optimistic scenarios were developed for each risk.
• Be aware that for some risks, the optimistic and very optimistic scenarios do not exist (no upside potential).
• All scenarios were described by means of plausible cause-effect stories.
• We took care to develop scenarios that are as precise and complete as possible and do not allow any room for interpretation.
• In practice, risks are unfortunately often described on a too summarized and too aggregated level.
• We assigned all risk scenarios a probability of occurrence.
• The probability of occurrence must be defined consistently. It corresponds to the “holding period” of the risks and is often one quarter or one year in many industrial companies.
• The best available measure would be internal company value.
• For example, we recommend analysing the impact of risks on the EBIT.
• This allows us to capture risk impacts beyond one year. Often, strategic risks have a long-term financial impact on the company.
• Short-term performance measures cannot capture these effects. This information on all quantified risk scenarios must be accessible and stored.
• Simple software applications such as MS Excel may do the trick at this point.
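Added example (not from the lecture slides or the SANS workshop material): a minimal scenario store in Python that keeps the scenarios of each risk with their probabilities and EBIT impacts, computes the expected exposure (probability of occurrence * impact) per risk, ranks the risks for a risk map on expected values, and checks the aggregated exposure against a quantitative appetite limit stated as a share of planned EBIT; it also serves the Project 2 quantification and storage steps. The risk titles are the three from the SANS workshop; all probabilities, impacts, owners, the holding period and the appetite limit are constructed assumptions.

```python
"""Risk scenario store, expected-exposure ranking and a quantitative appetite check."""
from dataclasses import dataclass, field

# Constructed illustration values: every probability refers to the same holding period.
HOLDING_PERIOD = "1 year"
PLANNED_EBIT = 40_000  # planned EBIT for the holding period (kSAR, constructed)


@dataclass
class Scenario:
    label: str          # very pessimistic / pessimistic / optimistic / very optimistic
    probability: float  # probability of occurrence within HOLDING_PERIOD
    ebit_impact: float  # deviation from planned EBIT if the scenario occurs (negative = loss)


@dataclass
class Risk:
    risk_id: str
    title: str
    category: str       # strategic / operational / financial (scope defined in the risk policy)
    owner: str          # risk owner (constructed assignment) from roles and responsibilities
    scenarios: list = field(default_factory=list)

    def expected_exposure(self) -> float:
        """Sum of probability * impact over all scenarios (the lecture's risk exposure).
        Assumption: a risk's scenarios are mutually exclusive and the remaining
        probability is the base case with zero deviation, which contributes nothing."""
        return sum(s.probability * s.ebit_impact for s in self.scenarios)

    def worst_case(self) -> float:
        return min(s.ebit_impact for s in self.scenarios)

    def has_upside(self) -> bool:
        """False for pure downside risks with no optimistic scenarios."""
        return any(s.ebit_impact > 0 for s in self.scenarios)


def validate(risk: Risk) -> list:
    """Consistency checks a risk should pass before it is stored in the database."""
    problems = []
    if not risk.scenarios:
        problems.append(f"{risk.risk_id}: no scenarios described")
    if any(not 0 <= s.probability <= 1 for s in risk.scenarios):
        problems.append(f"{risk.risk_id}: probability outside [0, 1]")
    if sum(s.probability for s in risk.scenarios) > 1:
        problems.append(f"{risk.risk_id}: scenario probabilities sum to more than 1")
    return problems


def rank_by_exposure(risks: list) -> list:
    """Most harmful expected exposure first, i.e. a risk-map ordering on expected values."""
    return sorted(risks, key=lambda r: r.expected_exposure())


def appetite_check(risks: list, max_expected_ebit_loss_pct: float) -> tuple:
    """Aggregate the expected exposure of all key risks (plain summation, no correlations)
    and compare it with an appetite limit expressed as a share of planned EBIT."""
    aggregate = sum(r.expected_exposure() for r in risks)
    limit = -max_expected_ebit_loss_pct / 100 * PLANNED_EBIT
    return aggregate, aggregate >= limit


# The three risks named in the SANS workshop; scenario figures are constructed.
RISK_DB = [
    Risk("01", "Lack or absence of engaging new technologies in air traffic management",
         "strategic", "CTO",
         [Scenario("very pessimistic", 0.05, -6_000), Scenario("pessimistic", 0.15, -2_000),
          Scenario("optimistic", 0.10, 500), Scenario("very optimistic", 0.02, 1_500)]),
    Risk("02", "Old setup and absence of periodic maintenance", "operational", "COO",
         [Scenario("very pessimistic", 0.10, -4_000), Scenario("pessimistic", 0.30, -1_000)]),
    Risk("03", "Inappropriate/absence of IT disaster recovery", "operational", "CTO",
         [Scenario("very pessimistic", 0.02, -20_000), Scenario("pessimistic", 0.08, -3_000)]),
]

if __name__ == "__main__":
    for risk in rank_by_exposure(RISK_DB):
        print(risk.risk_id, risk.category, round(risk.expected_exposure()),
              risk.worst_case(), "upside" if risk.has_upside() else "downside only")
    print("aggregate, within appetite:", appetite_check(RISK_DB, 5.0))
```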
How About Interdependencies?
• Does it tell us anything about the correlations between individual risks?
• We need historical data. Assuming we have identified 50 individual risk scenarios, we would have to estimate 1125 correlations ((50*50–50)/2).
• Not practical. Why?
• Historical correlations do not have good predictive power for the future.
• Calculating historical correlations with insufficient or outdated data often leads to false accuracy.
Develop Useful Risk Appetite Statements
• The art of ERM is keeping risk exposure within a risk appetite limit.
• Practical experience shows that risk appetite is often incorrectly defined.
• Often, it is not used for decision-making.
• Besides, we observe in many companies a rather low level of maturity of risk appetite dialogues.
• The development of risk appetite statements seems to be very difficult in practice.
• Some companies phrase risk appetite in a few words. For example, they express it as “generally low”. Others consider quantitative measures, in relation to EBIT, enterprise value, or cash flow.
• To develop useful risk appetite statements, which measure is better to use? Why is that?
Risk Appetite Statements
Develop Useful Risk Appetite Statements
• According to a recent study of the Lucerne School of Business and SwissERM, only 25% of Swiss non-financial companies have documented risk appetite statements.
• Every fifth Swiss company does not state risk appetite at all.
• For the remaining 55 percent, risk appetite is only poorly documented.
• Results of a recent study by EY (Ernst & Young 2015, p. 8) show similar results for the financial industry.
• Although the definition of risk appetite is one of the CRO’s top priorities according to the study, only a bit more than 40% state that they have successfully transferred risk appetite to business activities.
The Reasons (1)
• We often assume that risk appetite can somehow be calculated and derived from the ERM process.
• Risk appetite is a matter of judgment based on each company’s specific circumstances and objectives.
• Risk appetite statements are often used to communicate corporate values to stakeholders. Instead, they should serve internal decision-making.
Example
• For example, companies state in published risk policies or in annual reports that personal harm risk is not accepted. This equals a zero-risk appetite.
• From the point of view of the stakeholders, this reads admirably and often matches their own values.
• Yet, such qualitative, general phrases hardly guide the company’s day-to-day actions. What does this mean, for example, for a hospital not to accept any risks that might harm people?
Critique the following Appetite Statement
• Hospital XYZ “allows zero tolerance for harm to patients”.
The Reasons (2)
Quantitative or Qualitative Risk Appetite?
• Quantitative risk appetite creates potentially unpleasant transparency, accountability, and vulnerability. This may conflict with management’s interests. For example, if the current risk exposure exceeds the risk appetite, this leads to unpleasant situations. It requires justifications by management. A later change of the risk appetite to bear the current risk exposure reduces the credibility of the entire ERM programme.
• Qualitative risk appetite statements at the executive level are often not actionable. An example is the following: “Risks that threaten our company’s solvency should be avoided”.
Read this story about a Swiss travel company
• “The ERM committee of a Swiss travel company, consisting of five members (CEO, head of division A, head of division B, risk manager, CFO) has been tasked with the definition of risk appetite statements. A half-day meeting is scheduled to submit a proposal to the board of directors. The risk manager has clarified for which strategic goals she needs to define risk appetite statements. Besides, the risk manager has thoroughly analyzed existing statements. She browsed through policies, guidelines, and documents to collect all risk appetite statements. She summarised her findings in a list. The company applies internal company valuation as a risk-based decision-making tool. It assesses risk-reward contributions of future investments and projects. Key risks for the travel company are incorporated into the company valuation model (discounted cash flow method). All key risks are allocated to the individual line items (i.e. sales, costs). Using a Monte Carlo simulation, key risks and their impact on company value can be simulated. These missing risk appetite statements refer to the aggregated impact of several risks on strategic goals. The executive board tasked the risk manager to develop these two missing risk appetite statements.”
Example
Criteria to Assess Risk Appetite Statements
• Up-to-dateness. Are the risk appetite statements in line with the current company goals? Do they match the current business model?
• Consistency. Are individual company goals and risk appetite statements compatible with each other? Let us think of a company pursuing an aggressive growth strategy. At the same time, it phrases a risk appetite statement that investment risks should be kept to a minimum. Does this make sense? No. Also, it is useless to define the same risk appetite statements for all investments, independent of the expected return (and risk) of each investment.
• Adherence. Are the individual risk appetite statements adhered to? Do they impact decisions correctly? It is pointless to add risk appetite statements in a policy that is not even considered for decisions (e.g. outdated or unknown policy).
• Appropriateness. Are the individual risk appetite statements realistically defined? Does it make sense to define them so narrowly or broadly under given strategic objectives?
• Specificity. Some companies use very general descriptions of risk appetite statements.
Critique the following Appetite Statement
• Company XYZ: “we accept a quite high risk appetite to please our stakeholders”.
Risk Policy
Risk Policy as the Basis for Dealing with Risk
• The risk policy forms the basis for implementing ERM in coordination with corporate policy. It is an agreement of the management that explicitly defines how a company deals with uncertainty on objectives.
• A risk policy is closely linked to corporate culture. This is demonstrated by the fact that a risk policy determines how and to what extent risk awareness is to be increased in the company.
• The risk policy further defines the ultimate purpose of ERM. Information on the ERM process is an important part of every risk policy.
• We need information on assessing, quantifying, mitigating, and reporting key risks.
• In addition, risk policies show us how ERM effectiveness is monitored.
• In summary, a risk policy defines the basic understanding of ERM. It guides companies on how to plan, implement, assess, and improve ERM.
Risk Policy Characteristics
• One major aspect of an adequate risk policy is its connection between corporate strategy and ERM.
• A risk policy provides only rough implementation guidelines and contains the main goals of ERM.
• Risk policies can vary greatly from company to company.
• A risk policy is connected to corporate strategy and ERM.
• A risk policy is a strategic paper that outlines how ERM can support the achievement of strategic goals.
Risk Policy & ERM
• A risk policy defines the basic understanding of ERM.
• Information on the ERM process is an important part of every risk policy.
• It guides companies on how to plan, implement, assess, and improve ERM.
• It forms the basis for implementing ERM in coordination with corporate policy.
A risk policy:
• is closely linked to corporate culture;
• determines how and to what extent risk awareness is to be increased in the company;
• is an integral part of internal training and communication in the area of risk culture;
• outlines the attitude of a company towards uncertainties and how risk awareness of employees must be fostered;
• defines the ultimate purpose of ERM;
• contains information on assessing, quantifying, mitigating, and reporting key risks;
• shows us how ERM effectiveness is monitored;
• reveals whether ERM is geared towards a “regulatory risk approach” or a value-creating ERM.
Risk Policy Structure
• Definition of the purpose of a risk policy;
• Precise formulation of the ultimate goals of ERM;
• Description of how ERM is linked to corporate strategy and goal-setting, including sub-strategies;
• Precise definitions of management responsibilities for ERM;
• Clear definitions of ERM and risk;
• Definition of the scope of ERM;
• The risk policy also defines what risks companies need to bear;
• Brief explanation of the ERM process steps;
• Definition of risk appetite statements;
• Definition of roles and responsibilities;
• Description of relevant mitigation measure options;
• The description of a financial rating strategy is optional;
• Development of a glossary in the appendix that defines all relevant terms and abbreviations.
A risk policy could be structured as follows:
• Definition of the purpose of a risk policy. Why is a risk policy important? What is the ultimate goal of a risk policy?
• Precise formulation of the ultimate goals of ERM. For example, we can improve decision quality by providing rational risk information.
• Description of how ERM is linked to corporate strategy and goal-setting, including sub-strategies.
• Precise definitions of management responsibilities for ERM. The ultimate responsibility for ERM resides with the board.
• Clear definitions of ERM and risk. ERM is the process of assessing, quantifying and reporting key risks to support decision-making. It is designed to add value to the company. Risk is defined as the deviation from expectation. Reasons for defining risk are, for example, the following practical phenomena. Management often perceives risks as controllable. This obviously contradicts our basic definition of risk. We defined risks as the unexpected deviation of a future event. In practice, we also observe that risk is often defined as a possibility of loss.
• Definition of the scope of ERM. All risk categories are relevant. We need to define proper risk categories such as strategic, operational, and financial risks.
• Brief explanation of the ERM process steps. What about risk identification, risk assessment techniques, risk reporting, risk disclosures, monitoring, and benchmarking?
• Definition of risk appetite statements. The risk policy should define clear, quantified risk limits for specific individual risks or business goals. For example, an individual customer should not account for more than 20% of total revenues. Alternatively, the equity ratio should be kept at least at 40%.
• Definition of roles and responsibilities. We need risk owners, risk managers and subject matter experts. We also have to clarify the role of the management, the board, and the internal audit.
• Description of relevant mitigation measure options. The risk policy defines basic procedures and principles for mitigating risks. For example, non-strategic risks are to be insured. Strategic risks are to be accepted. Currency risks are to be hedged by call or put options.
• The description of a rating strategy is optional. Loans granted by a bank must be backed by equity corresponding to the risks of lending. Therefore, lending policies (specifically interest rate conditions) are increasingly aligned with the rating of individual companies. Companies that fall into a low rating category must expect higher financing costs. The risk policy, and thus the design and objectives of an ERM, can have a decisive impact on the financial rating. For example, ERM can support achieving stable cash flows.
• Development of a glossary in the appendix that defines all relevant terms and abbreviations.
Limitations of Risk Policies
• It is important that risk policies are communicated to all relevant ERM stakeholders;
• The document itself does not protect against fraud, corruption, and other illegal behavior;
• Risk policies cannot address or translate intercultural risk components;
• Once a risk policy has been approved, its validity is very limited in time;
• A risk policy must not deteriorate into a pure marketing tool.
• Find any risk policy and identify the necessary components (if available) in its structure.
Organize ERM Properly
• Does a Best-Practice ERM Organization Exist?
[Figure: ERM organization options, e.g. a hospital risk manager]
• What is the current ERM organizational structure within your firm?
Roles and Responsibilities
• ERM is effectively implemented by management.
• It defines risk appetite statements appropriately.
• It reviews the business portfolio with regard to risk and reward.
• It takes into consideration the risk appetite statements.
• It understands the key risks, and these key risks are managed appropriately.
PROJECT 2
• Description: In the process of ERM, it is important to implement it effectively. Follow the ISO 31000 framework to develop an ERM report including a risk policy and a risk appetite statement in light of the risks identified in project 1. You have to use this report to analyze, assess and mitigate those risks. In addition, offer your executive recommendation.
• Identify risks
• Quantify risks in a risk map based on historical data (expected values).
• Store the key and non-key risks in a database
• Develop Risk Appetite Statement
• Develop a sound risk policy
• Guidelines:
1) Submit the report and slides on Blackboard.
2) Your presentation should not take more than 25 minutes.
End of Chapter
Thank You
FACILITATORS:
SHOROOQ & AMANI
SANS’s Restricted Document
ENTERPRISE RISK
MANAGEMENT
SANS RISK
IDENTIFICATION
WORKSHOP
PARTICIPANTS
Doaa alahmadi, as CTO
Dr. Mayada Alrige, as COO
EMIS 607 Class, as IT Experts
“Have no fear of perfection
– you’ll never reach it”.
—Salvador Dali
Agenda
01 Company Overview
02 Purpose
03 Goals
04 Company-wide Risks: Risk Factors, Identification Techniques, Risk Scenarios
05 SANS IT Risks: Risk Factors, Identification Techniques, Risk Scenarios
06 Risk Impact & Ranking
01 Company Overview
Saudi Air Navigation Services (SANS)
➔ SANS is the air navigation services provider and an
independent company owned by the government of
Saudi Arabia. It covers services for the entire Saudi
airspace and provides the air traffic management, air
navigation systems including the procurement,
operations and maintenance of all air navigation
systems kingdom wide, as well as the aeronautical
information management.
Saudi Air Navigation Services (SANS)
Mission: To provide safe, reliable and cost-efficient services through investing in people, technology and strategic partnership.
Vision: To become a regional ANSP leader by providing world class services.
02 Purpose
A risk identification workshop is a great
way to involve the team in identifying
the potential risks that could affect the
organization.
03 Goals
➔ Identify the generic risks that can affect the business.
➔ Risk quantifying & ranking.
➔ Preparation to present the risk assessment & mitigation plans.
04 Enterprise-wide Risk
Risk Identification Technique
Enterprise-wide risk:
01 Lack or absence of Engaging New Technologies in Air Traffic Management
Risk Type: Strategic Risks
Area: Technology Risks
Best- and Worst-Case Scenarios
01 Lack or absence of Engaging New Technologies in Air Traffic Management
Best Case Scenarios
➔ We will still be using the traditional ways without any operational or financial impact.
Worst Case Scenarios
➔ Cybersecurity attacks.
➔ Extra efforts for maintenance and operational challenges.
➔ Airports or GACA will start implementing virtual towers for air traffic management.
05 SANS IT Risks
Risk Identification Techniques (we’ll use)
➔ Brainstorming: identify extreme and potential risks that are not considered in daily operations.
➔ Scenario Planning: a powerful tool for finding opportunities as well as for risk identification.
➔ Expert Interviews: quite often recommended as one of the best tools and techniques.
SANS IT risks:
02 Old setup and absence of periodic maintenance.
03 Inappropriate/absence of IT disaster recovery.
Risk Type: Operational Risks
Best- and Worst-Case Scenarios
02 Old setup and absence of periodic maintenance.
Best Case Scenarios
➔ Minor IT operational effects caused by absence of maintenance.
Worst Case Scenarios
➔ Cybersecurity attacks.
➔ Huge increase in users’ IT issues.
➔ Systems will stop fully or partially functioning.
Best- and Worst-Case Scenarios
03 Inappropriate/absence of IT disaster recovery.
Best Case Scenarios
➔ No disasters will occur, so we will not need any DR.
Worst Case Scenarios
➔ Loss of critical systems / applications.
➔ Loss of customers’ / employees’ data.
➔ IT services not available.
➔ Financial loss.
06 Risk Impact & Ranking
Risk / Impact / Priority (impact and priority to be filled in by the participants):
01 Lack or absence of Engaging New Technologies in Air Traffic Management
02 Old setup and absence of periodic maintenance.
03 Inappropriate/absence of IT disaster recovery.
We appreciate your participation in the risk impact and priority identification:
https://forms.office.com/r/efMpxde7Hp
THANK YOU