Assignment 1

Question 1:
Risk is the effect of uncertainty on objectives. This effect is a deviation from the expected,
whether positive and/or negative.
Risk is often characterized by reference to potential events and consequences, or a
combination of both and is expressed in terms of a combination of the consequences of an
event and the associated likelihood of occurrence.
Risk management is the set of coordinated activities to direct and control an organization with
regard to risk. It can be applied to an entire organization, as well as to specific functions,
projects, and activities.
It is crucial to establish the context as an activity at the start of the risk management
process.
Implementing a risk management process in any organization has many benefits, for example:
• increasing the likelihood of achieving objectives
• improving the identification of opportunities and threats
• improving stakeholders’ confidence and trust
• improving governance
• improving controls
• improving operational effectiveness and efficiency
• complying with legal and regulatory requirements
• helping to allocate and use resources for risk treatment.

Question 2:
A risk management framework is a set of components that provide the foundations and
organizational arrangements for designing, implementing, monitoring, reviewing and
continually improving risk management throughout the organization.
The foundations include the policy, objective, mandate, and commitment to manage risk.
The organizational arrangements include plans, relationships, accountabilities, resources,
processes, and activities.
Risk management is not a stand-alone discipline; it needs to be integrated within the existing
business processes to maximize its benefits, for example:

1-Alignment between the internal audit function and the risk management process is
critical. In a risk-based approach to internal audit planning, the risk
management outputs are used as an input to the internal audit function, which in turn
identifies and assesses operational risks and assures that specific risk controls are being
designed and operated effectively.
2-Identifying the risks during the business planning process allows realistic delivery
timelines to be set for the strategies/activities or the choice of removing a strategy/activity
if the risk is too high or unmanageable.
3-Individual performance plans should include all risk responsibilities whether general or
specific.
4-The risk management processes should be integrated as closely as possible into the
existing strategic planning and operational processes.
5-Risk management should be incorporated within projects. All projects should include
a project risk management register, either separately or within the organization’s general risk
register.

Question 3:
When developing a risk management framework, some of the key questions that need to be
answered are:

1-How advanced should a risk management framework be?

No single risk framework will be appropriate for all organisations. Every organisation’s board and
executives should decide on the appropriate level of risk management sophistication that they want
to achieve.

The desired level of risk maturity may change over time to reflect changes in the organisation’s
complexity, size and risk appetite.

To determine the appropriate level of risk management maturity some factors should be considered:

a-External factors:

Political, economic, social, technological, legal, and environmental factors.

b-Internal factors:

Strategies, objectives, capabilities, processes, structure, system, and culture.


2-How effective are current risk management practices?

To determine the effectiveness of the current risk management practices it is necessary to consider
the hard (processes and structures) and soft (culture and people) aspects of risk management.

Two questions must be answered:

a-Are the current risk management practices and framework fit for purpose given the context of the
organization?

b-Are they operating as anticipated?

Organisation-wide risk management aims to look at all risks across the company or entity. It
differs depending on the background of the practitioner, the size and nature of the company and the
time at which it was adopted.

Some of the key attributes of the organisation-wide risk management framework include the
support of the board/executives, a dedicated risk management coordinator, consideration of
operational and strategic risks, integration of risk management within the operational and
management processes, clear accountabilities and time frames, risk reporting to stakeholders and
regular reviews of risks and risk management processes.

It is a holistic approach to managing the response to critical risks across the organisation to support
business strategy and plans.

The scope of organisation-wide risk management is to use a common risk language, risk assessment
techniques and response strategies across all of the organisation’s functions, such as:

• occupational health and safety
• loss control and internal audit
• legal and regulatory compliance risk
• clinical healthcare risk
• strategic risk.

When determining the organisation’s desired risk management maturity, the objective should be to
maximize the value created through the risk management framework and practices.

Value = Benefits - Costs

Improving risk management maturity requires resources and balanced enhancement, and it
always takes time.

3- What is the most effective and efficient way of closing the gap?

a-Developing a plan.

b-Avoiding the common pitfalls.


Embedding risk management in the organisation involves struggles in many areas,
including:

• ensuring the integration of business planning with risk management
• better definitions of risk
• improving identification of risk
• linking the internal audit with the risk management
• improving quality and content of risk register
• embedding operational risk management
• identifying controls
• allocating accountability
• improving risk reporting and management
• project risk management

Question 4:

a-Documenting an organisation’s risk management framework and recording each step of the risk
management process is important for several reasons:

• demonstrating to stakeholders that the process has been conducted properly
• providing evidence of a systematic approach to risk identification and analysis
• enabling decisions or processes to be reviewed
• providing a record of risks and developing the organisation’s knowledge database
• providing decision makers with a risk management plan for approval and subsequent
implementation
• providing an accountability mechanism and tool
• facilitating ongoing monitoring, review, and continuous improvement
• providing an audit trail
• sharing and communicating information

b-What needs to be documented:

• Objectives and rationale for managing risks
• Accountabilities and responsibilities for managing and overseeing risks
• Processes and methods to be used for managing risks
• Commitment to the periodic review and verification of the risk management framework and
its continuous improvement
• The way in which the risk management performance will be measured and reported
• Resources available for managing risks
• Organisation’s risk appetite translated into risk-rating criteria
• Links between risk management and organisation’s strategic and operational objectives
• Links between risk management and other processes and activities
• Scope and application of risk management within the organisation
• Requirements for recording and documenting the risk management processes (e.g.,
communications plan, stakeholder analysis, risk register, risk profile and risk reporting).

Question 5:
A risk management strategy typically documents factors such as:

• objectives and rationale for managing risk
• the organisation’s overall appetite/tolerance for risks
• the organisation’s strategic objectives and strategies deployed to achieve these objectives
• key risks associated with these strategies within a one- to three-year time frame
• the organisation’s high-level approach to managing these risks
• a plan for progressive enhancement of the organisation’s risk management practices and
competencies, including key risk management initiatives.

While formulating a risk management strategy, the following questions must be answered:

1-What are the organisation’s key objectives and strategies?

2-What are the risks associated with these?

3-How is the organisation assessing, measuring, and monitoring these risks?

4-Are the risk management processes working effectively?

There is no prescribed format for how a risk management strategy should be documented. Some
organisations disclose it in their annual reports, some choose to have a separate document in
addition to a risk management policy and procedure document, and some incorporate their strategy
within their business plan.

Risk management policy:

It should clearly state the organisation’s objectives and commitment to risk management. It typically
specifies:

• accountabilities and responsibilities for managing risk
• commitment to the periodic review and verification of the risk management policy and framework
and its continual improvement
• links between this policy and the organisation’s objectives
• the organisation’s risk appetite
• the organisation’s rationale for managing risks
• processes and methods to be used for managing risks
• resources available to assist those responsible for managing risks
• the way risk management performance is measured and reported

Question 6:

Conducting effective risk management depends on having an appropriate risk
management governance structure and well-defined roles and responsibilities.

Risk management is not merely about having a well-defined process but also about facilitating the
behavioural change necessary for risk management to be embedded in all organisational activities.

Management should:

• articulate and endorse the risk management policy
• communicate the benefit of risk management to all stakeholders
• define risk management performance indicators that are aligned with the organisation’s
performance
• ensure alignment of risk management objectives with the objectives and strategies of the
organisation
• ensure legal and regulatory compliance
• ensure that the necessary resources are allocated to risk management

Key factors to consider when developing a risk management governance structure:

1. current organisational structure and authorities
2. the current level of understanding, appreciation, and commitment to risk management by
key individuals
3. the current level of change readiness within the organisation
4. key types of risks faced by the organisation and functions currently managing the key risks
5. the existence of logical risk champions within the organisation

Question 7:

Roles and responsibilities for risk management:

The roles and accountabilities of each of the key parties to whom risk management duties have been
delegated are as follows:

1-Board:

a-Approving the organisation’s risk management documentation including the strategic risk profile, risk
appetite and tolerance, risk management policy and risk management procedure.

b-Setting the standard and expectations of the organisation with respect to conduct and behaviour
and ensuring that effective risk management is enforced through an effective performance
management system.

c-Monitoring the management of high and significant risks, and the effectiveness of associated
controls through the review and discussion of risk management reports.

d-Satisfying itself that risks with lower ratings are effectively managed, with appropriate controls in
place and an effective reporting structure.

e-Approving major decisions affecting the organisation’s risk profile or exposure.

2-Chief Executive Officer (and Secretary):

a- Participating in the review and update of the strategic risk profile.
b- Reviewing key risk information, identifying key risk trends, and assessing the impact for the
organisation as a whole.
c- Monitoring the management of high and significant risks and the effectiveness of associated
controls through the review and discussion of regular risk management reports.
d- Ensuring that adequate processes are being followed for lower-level risks.
e- Setting the tone and promoting a strong risk management culture by providing firm and
visible support for risk management.

3-Audit/Risk committee:
a. Is accountable to the board and meets and reports to the board advising of its activities,
findings, and recommendations, including risk management policies.
b. Its primary objective is to assist the board in discharging its responsibilities to exercise due
care, diligence, and skill in relation to any business operation and to give advice on any
financial or regulatory matter.
c. Assists the board in fulfilling its responsibilities related to compliance by the organisation
with legal and contractual obligations.

4-Executive and Management:

a. Are responsible for the oversight of the risk management framework and reviewing risk
management policies and procedures on an annual basis.
b. Establishing policies and reviewing the effectiveness of the organisation’s approach to risk
management including the status of major business risks.

The typical composition of the risk management committee would be:

Core members:

• CEO
• Risk manager
• Chief financial officer
• Operations manager
• Internal Auditor
• Occupational Health and Safety Officer

Optional members:

• Human Resource Manager
• IT Manager
• Legal Counsel
• Other Functional Specialists

5-Chief risk officer/risk manager:

• Develop, enhance and implement appropriate risk management policies, procedures and
systems.
• Coordinate and monitor the implementation of risk management initiatives within an
organisation.
• Work with risk owners to ensure that the risk management processes are implemented in
accordance with the agreed risk management policy and strategy.
• Collate and review all risk registers for consistency and completeness.
• Provide advice and tools to staff, management, the executive, and Board on risk
management issues within the organisation, including facilitating workshops in risk
identification.
• Promote understanding of and support for risk management, including delivery of risk
management training.
• Oversee and update organisation-wide risk profiles with inputs from risk owners.
• Ensure that relevant risk information is reported and escalated or cascaded, as the case may
be, in a timely manner that supports organisational requirements.
• Attend risk committee or audit committees where risk management issues are discussed.
• Ensure that there is clarity about roles and responsibilities to progress risk management
throughout the organisation.

6-Risk owners:

They are typically line managers or functional specialists who are responsible for designing,
implementing and/or monitoring risk treatments.

They may be responsible for:

• Managing the risks for which they have accountability
• Reviewing the risks on a regular basis
• Identifying where current control deficiencies may exist
• Updating information about the risk
• Escalating the risk where the risk is increasing in likelihood or consequence
• Providing information about the risk when requested.

7-Staff and contractors:

• They are responsible for applying the risk management processes to their respective roles.
• They should focus on identifying risks and reporting them to relevant risk owners.
• They should manage the risks where relevant and appropriate.

Question 8:

Developing a risk management framework involves identifying the appropriate tools and technology
that will help the organisation capture, analyse, and communicate risk-related information.

1-Identifying the requirements:

The key questions to ask are:

• What risk information or data do you need to capture?
• How do you capture this risk information?
• Who are your end users and what do they need?

The requirements generally involve:

• Capturing risk data
• Monitoring and recording risk information
• Analysing and reporting the risk performance
• Communicating the risk management information to the stakeholders.

2-Developing appropriate tools and technology:

This depends on:

• The scale and the scope of the risk management framework
• The stakeholders involved.

Choosing the appropriate tools will provide comprehensive, relevant, timely and accurate risk
information. This will facilitate better and more informed decision making.

3-Capturing risk information:

Tools should capture risk information from various sources across the organisation, including:

• Leadership team
• Business unit managers
• Selected staff
• Other stakeholders

The captured risk information should include:

• Actual losses, potential losses and near miss events.
• Business risk profile, including new and changed exposure to key risks.
• Significant control weaknesses.
• Progress on action plans to deal with significant risks or control weaknesses.

4-Monitoring and recording risk information:

Risk reports include information about:

• Extreme risks
• The total risk profiles
• Reasons for risk rating movements
• Risk treatment actions
• Assurance coverage of key risks
• Risk management strategy
• New and emerging risk issues
• Detailed risk register

5-Capability to analyse and report risk performance:

To effectively analyse and report risk performance, one will need tools and technology that:

• Analyse risk based on quantitative or qualitative parameters
    o Qualitative risk analysis will require tools that are capable of classifying risks
      according to categories, impact, and likelihood.
    o Quantitative risk analysis will require tools capable of calculating and/or simulating
      the value of risk.
• Facilitate ranking or prioritisation of risks
• Facilitate trend analysis
• Aggregate risk information at various levels as required by different levels of
staff/management.

6-Communicating risk management information:

The communication tools should:

• Provide easy reporting of and access to risk information for all relevant stakeholders
• Archive lessons learned from implementing the risk management framework
• Store risk management policies, procedures, and other documents
• Trace users’ actions to determine reach and utilisation
• Provide an audit trail to ensure integrity of information
• Enable escalation of risk-related issues and incidents

7-Selecting the risk management software:

The key areas to consider when assessing an organisation’s need for risk management software are:

• Cost
• Functionality
• Accessibility
• Scalability
