Pamulang University
Wiyanto, S.Pd., M.M.
NIDN 0421038903
Risk Management & Insurance
Module
UNPAM
MANAGEMENT STUDY PROGRAM, FACULTY OF ECONOMICS, UNIVERSITAS PAMULANG
For Internal Use Only
SCIENTIFIC APPROACH
OBSERVING
QUESTIONING
COLLECTING DATA
THE 3-IN-1 CONCEPT
CAN YOU ANSWER THE QUESTION BELOW?
1 + 4 = 5
2 + 5 = 12
3 + 6 = 21
5 + 8 = ……..?
REMEMBER: 98% OF PEOPLE ANSWER THIS TEST WRONGLY,
IF YOU ANSWER CORRECTLY
CAN YOU ANSWER THE QUESTION BELOW? (answers marked)
1 + 4 = 5   √
2 + 5 = 12  X
3 + 6 = 21  X
5 + 8 = 13
COURSE OUTLINE
Session 1: Definition of Risk Management & Insurance
Session 2: ISO 31000 on Risk Management
Session 3: Governance Aspects of Risk Management
Session 4: Risk Management Mandate and Commitment
Session 5: Risk Management Framework
Session 6: Risk Management Methods
Session 7: Main Types of Risk Faced by a Business
Midterm Examination (UTS)
Session 8: Definition, Function and Planning of Insurance
Session 9: Types of Insurance
Session 10: Benefits of Insurance
Session 11: Planning an Insurance Programme
Session 12: Calculating Life Insurance Premiums
Session 13: Definition of Unit-Linked Life Insurance
Session 14: Benefits and Drawbacks of Unit-Linked Insurance
Risk Management and Insurance
SESSION ONE
Risk is the uncertainty of the occurrence of an event that can cause a loss.
DEFINITION OF RISK MANAGEMENT
Risk management is a structured approach/methodology for managing the uncertainty associated with threats; a series of human activities including: risk assessment, development of strategies to manage it, and risk mitigation using empowerment/management
STAGES OF MANAGING RISK
IDENTIFY THE RISK
ANALYSE THE RISK
WHEN A RISK OCCURS, WHAT IS DONE?
TRANSFER
ACCEPT
AVOID
INSURANCE
DEFINITION OF RISK MANAGEMENT
A COMBINATION OF TWO WORDS: MANAGEMENT AND RISK
RISK MANAGEMENT IS THE IMPLEMENTATION OF MANAGEMENT THEORY IN THE MATTER OF RISK:
PLANNING
ORGANIZING
ACTUATING
CONTROLLING
The possibility of an event occurring that brings
WHY RISK MANAGEMENT?
Public demand for improved Good Governance
Changes in the ENVIRONMENT
Objectives of Risk Management
a) Protect the company from significant risks that could hinder the achievement of company objectives.
b) Provide a consistent risk management framework for the risks present in the company's business processes and functions.
c) Encourage management to act proactively in reducing the risk of loss, making risk management a source of competitive advantage and of company performance.
d) Encourage every member of the company to act prudently in facing company risks, as an effort to maximise company value.
e) Build the ability to socialise an understanding of risk and the importance of managing risk.
f) Improve company performance by providing information on risk levels, set out in a risk map, that is useful to management in developing strategy and continuously improving the risk management process, and
Main Functions of Risk Management
Finding potential losses: identifying all the risks the organisation will face.
Evaluating potential losses: recognising and dealing with the frequency of losses and the severity or seriousness of losses.
Determining how risks are to be handled
DEFINITION OF INSURANCE
Insurance or coverage is an agreement between two or more parties, by which the insurer binds itself to the insured, in return for receiving an insurance premium, to compensate the insured for a loss, damage or loss of expected profit, or for legal liability to third parties that the insured may suffer arising from an uncertain event, or to provide a payment based on the death or life of a person who
Risk Management and Insurance
SESSION TWO
The Eleven Principles of Risk Management according to ISO 31000
1) Risk management creates value (creates value),
2) Risk management is an integral part of organisational processes (an integral part of organizational processes),
3) Risk management is part of decision making (part of decision making),
4) Risk management explicitly addresses uncertainty (explicitly addresses uncertainty),
5) Risk management is systematic, structured and timely (systematic, structured and timely),
6) Risk management is based on the best available information (based on the best available information),
7) Risk management is tailored (tailored),
8) Risk management takes human and cultural factors into account (takes human and cultural factors into account),
9) Risk management is transparent and inclusive (transparent and inclusive),
10) Risk management is dynamic, iterative and responsive to change (dynamic, iterative and responsive to change),
11) Risk management facilitates continual improvement and development
ISO 31000 (Nov. 2009)
What is it? What's new? How to implement?
Please interrupt, thank you
Proposed AGENDA - OK?
• Risk is "effect of uncertainty on objectives"
• Discussion of "Adopt 31000" - BHP Billiton and KISS
• Overview of 31000: introduction, scope, principles, framework, process
• How to "sell" ERM to senior management?
• The role of risk appetite, risk tolerance and the ubiquitous risk matrix/map/profile to deal with existing silos
• How will ERM help improve existing risk management?
• Next steps? How to measure success?
• Monitor, communications and consultation, and risk ownership
• Role of CRO? (Ans: minimal)
Risk - "effect of uncertainty on objectives" (ISO 31000)
• NOTE 1 An effect is a deviation from the expected - positive and/or negative (with respect to achieving objectives).
• NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process).
• NOTE 3 Risk is often characterized (i.e. named, e.g. credit risk) by reference to potential events (2.17) and consequences (2.18), or a combination of these.
• NOTE 4 Risk is often expressed in terms of a combination of the
There are two ways a risk can have an effect on objectives:
1. the effect of a risk when and if it should occur, or
2. the very existence of a risk whether it happens or not.
(2.) is the acceptance, or not, of being in risky situations - a friend of mine says he cannot sleep at night if his money is invested in stocks, even knowing they provide better returns. So he invests in government bonds. It is the uncertainty that he cannot stand. Related to risk appetite.
(1.) is the traditional risk, and where risk management seeks to increase the good and decrease the bad consequences (as translated into objectives).
The "uncertainty", or ambiguity, is the essence of risk, and can be part of:
a. the risk identification (source, associated event(s) and consequence(s));
b. the event effect or consequence as estimated by analysis methods;
c. the probability itself (in addition to uncertainty of identification (a), event (b) and effect (d)) [probability of a probability drives mathematicians mad];
d. the objectives themselves and the link between consequences and
(Aside) ISO definitions are nested - rigorous substitution rule
(2.18) Consequence - outcome of an event (2.17) affecting objectives
and since Event - occurrence or change of a particular set of circumstances, then
(2.18) Consequence - outcome of an occurrence or change of a particular set of circumstances affecting objectives
(2.26) Control - measure that is modifying risk (2.1)
(2.26) Control - measure that is modifying effect of uncertainty on objectives
Discussion of "YES Adopt 31000" - BHP Billiton and KISS
• Survey question - which framework is right?
• Answer - ISO 31000 should be adopted immediately, and existing COSO, PMI and other frameworks and processes integrated with 31000 in the short term and, in the longer term, modified to better reflect, not so much 31000, as the "ERM risk framework" in the organization.
• The rationale is that ISO incorporates these other approaches [with gaps], is principle- and performance-based, and is simple enough and flexible enough to be used by any organization.
The COSO ERM Framework - only negative risk! (a common problem)
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
BHP Billiton RISK MANAGEMENT POLICY
Risk is inherent in our business. The identification and management of risk is central to delivering on the Corporate Objective.
• By understanding and managing risk we provide greater certainty and confidence for our shareholders, employees, customers and suppliers, and for the communities in which we operate.
• Successful risk management can be a source of competitive advantage.
• Risks faced by the Group shall be managed on an enterprise-wide basis.
• Risk Management will be embedded into our critical business activities, functions and processes. Risk understanding and our tolerance for risk will be key considerations in our decision making.
• Risk controls will be designed and implemented to reasonably assure the achievement of our Corporate Objective. The effectiveness of these controls will be systematically reviewed and, where necessary, improved.
• Risk management performance will be monitored, reviewed and reported. Oversight of the effectiveness of our risk management processes will provide assurance to executive management, the Board and shareholders.
• The effective management of risk is vital to the continued growth and success of our Group.
• signed Chip Goodyear, Chief Executive Officer (see web site for all the BHP good stuff)
Done by 3 people (lead Grant Purdy) in 4 years for all 200,000 employees, with 80,000 risk owners identified. Over 12,000 risk assessments on file (open), and then the risk management department was eliminated.
Framework Implementation
Commit and Mandate:
• Policy Statement
• Standards
• Guidelines
• RM Plan and RM Process
• Assurance Plan
Communicate & Train:
• Stakeholder analysis
• Training needs analysis
• Communication strategy
• Training strategy
• Roles and Reporting
Structure & Accountability:
• Board RM Committee
• Executive RM Group
• RM Working Group
• Facilitator for Risk Management
• RM Champions
• Risk and Control Owners
Review & Improve:
• Control assurance
• RM Plan progress
• RM Maturity Evaluation
• RM KPIs
• Benchmarking
• Governance reporting
Management Information System:
- Risk Registers - Treatment Plans - Assurance Plan - Reporting templates
Process for Managing Risk: Establish context; Identify risks, Analyse risks, Evaluate risks (Risk assessment); Treat risks
ISO Overview - 3 main clauses
Principles for managing risk (Clause 3):
a) Creates value
b) Integral part of organizational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organization
Framework for managing risk (Clause 4):
4.2 Mandate and commitment
4.3 Design of framework for managing risk
4.4 Implementing risk management
4.5 Monitoring and review of the framework
4.6 Continual improvement of the framework
Process for managing risk (Clause 5)
How to "sell" ERM to senior management? Up to the organization, not you.
When implemented and maintained in accordance with this International Standard, the management of risk enables an organization to, for example:
• increase the likelihood of achieving objectives;
• encourage proactive management;
• be aware of the need to identify and treat risk throughout the organization;
• improve the identification of opportunities and threats;
• comply with relevant legal and regulatory requirements and international norms;
• improve mandatory and voluntary reporting;
• improve governance;
• improve stakeholder confidence and trust;
• establish a reliable basis for decision making and planning;
• improve controls;
• effectively allocate and use resources for risk treatment;
• improve operational effectiveness and efficiency;
• enhance health and safety performance, as well as environmental protection;
• improve loss prevention and incident management;
• minimize losses;
• improve organizational learning; and
The role of risk appetite & risk attitude
Risk appetite - "amount and type of risk that an organization is willing to pursue or retain"
Risk attitude - "organization's approach to assess and eventually pursue, retain, take or turn away from risk"
• Vague term that is still evolving; can be bottom-up (from typical decisions) or top-down from the basics of survival and comfort of the board and senior management
• In conceptual terms:
  - Identify all risks (events and consequences) [high level]
  - Estimate plausible worst-case and best-case scenarios - may be expressed as a risk profile
  - Examine the robustness of the organization with respect to plausible cases
  - Balance opportunities and threats against the organization's capabilities/resources and select a risk appetite or risk attitude
  - Risk Tolerance is the practical step between risk appetite and risk criteria (risk evaluation) (also deals with silos):
    • for specific consequence categories (reputation, credit, compliance, country, etc.)
    • for predetermined categories of likelihood
    • find equivalent effects on objectives
    • done by senior management (workshops)
Likelihood Scale for Tolerance (Simple Rating Scale)
(Hydro One, Harvard Business School case study 9-109-001)
1. Remote - 5% probability that the event will occur in the next 36 months
2. Unlikely - 25% probability that the event will occur in the next 36 months
3. Even Odds - 50% probability that the event will occur in the next 36 months
4. Very Likely - 75% probability that the event will occur in the next 36 months
Hydro One Risk Tolerances for 3 Silos (Fraser, 2009)
[Table: business objective against a consequence rating scale where 5 = worst case; surviving column labels: Financial (net income shortfall), Leaders and Public.]
Standard sort of Risk Matrix
Be careful, extremely careful, with risk matrices: they work well at the understanding/communications level, BUT
Likelihood (rows): Very Likely (>.45); Likely (.45 - .19); Medium (.19 - .05); Unlikely (.05 - .011); Remote (< .011)
Consequences (columns): Minor; Moderate; Major; Severe; Catastrophic
Risk levels: High, Medium, Low
Risk levels plotted in structured workshop with
Example of use of Risk Matrix to set priorities - What might be wrong with this?
[Matrix plot: initiatives 1. Refurbish, 2. Vegetation Mgmt, 3. IT Upgrade placed on likelihood/consequence axes with ratings Medium, High and Low; consequence axes by KPI: Tx/Dx Reliability, Unsupplied Energy, Unavailability, Worst Served Cust.]
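The likelihood bands on the matrix above, and the warning to be careful with such matrices, worked through as an added example (not code from the presentation): it bands a probability and a loss estimate into a matrix cell, assigns a level, and then checks a small constructed register for pairs the matrix ranks in the opposite order to their expected loss. The consequence thresholds, the cell-to-level rule and the sample risks are assumptions made for the example.

```python
"""Risk-matrix scoring with the likelihood bands quoted on the slide, plus a
rank-reversal check that illustrates why the slide says to be careful with
risk matrices. Added example; not code from the presentation."""
from dataclasses import dataclass
from itertools import permutations

# Likelihood bands as labelled on the slide (">.45", ".45-.19", ".19-.05",
# ".05-.011", "<.011"). The slide does not say which band owns a shared
# boundary, so the lower bound is treated as exclusive here (assumption).
# Index 5 = Very Likely down to 1 = Remote.
LIKELIHOOD_BANDS = [
    ("Very Likely", 0.45),
    ("Likely", 0.19),
    ("Medium", 0.05),
    ("Unlikely", 0.011),
]

# The slide names the consequence columns but gives no thresholds; these
# loss floors (in currency units) are constructed for the example.
CONSEQUENCE_BANDS = [
    ("Catastrophic", 10_000_000),
    ("Severe", 1_000_000),
    ("Major", 100_000),
    ("Moderate", 10_000),
]

LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}


def likelihood_band(p: float) -> tuple[str, int]:
    """Map a probability of occurrence to (band label, index 1..5)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must lie in [0, 1]")
    for offset, (label, lower) in enumerate(LIKELIHOOD_BANDS):
        if p > lower:
            return label, 5 - offset
    return "Remote", 1


def consequence_band(loss: float) -> tuple[str, int]:
    """Map an estimated loss-if-it-occurs to (band label, index 1..5)."""
    if loss < 0:
        raise ValueError("loss must be non-negative")
    for offset, (label, floor) in enumerate(CONSEQUENCE_BANDS):
        if loss >= floor:
            return label, 5 - offset
    return "Minor", 1


def risk_level(p: float, loss: float) -> str:
    """Cell-to-level rule (assumed): product of the two indices,
    15 and above -> High, 6..14 -> Medium, otherwise Low."""
    score = likelihood_band(p)[1] * consequence_band(loss)[1]
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance of occurring within the matrix's time window
    loss: float         # estimated loss if it does occur


def expected_loss(risk: Risk) -> float:
    return risk.probability * risk.loss


def rank_reversals(risks: list[Risk]) -> list[tuple[str, str]]:
    """Pairs (a, b) where the matrix rates a strictly above b although b's
    expected loss is higher. The coarse bands hide where inside a band a
    value sits, so such pairs can exist even with a sensible cell rule."""
    found = []
    for a, b in permutations(risks, 2):
        a_rank = LEVEL_RANK[risk_level(a.probability, a.loss)]
        b_rank = LEVEL_RANK[risk_level(b.probability, b.loss)]
        if a_rank > b_rank and expected_loss(a) < expected_loss(b):
            found.append((a.name, b.name))
    return found


# Constructed sample register (not the slide's example).
REGISTER = [
    Risk("Web service outage from an unpatched dependency", 0.20, 11_000),
    Risk("Recurring phishing losses, small each time", 0.99, 9_999),
    Risk("Multi-day ransomware outage in production", 0.012, 9_900_000),
    Risk("Lost laptop with encrypted disk", 0.30, 2_000),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name}: {likelihood_band(r.probability)[0]} x "
              f"{consequence_band(r.loss)[0]} -> {risk_level(r.probability, r.loss)}, "
              f"expected loss {expected_loss(r):,.0f}")
    for a, b in rank_reversals(REGISTER):
        print(f"matrix ranks '{a}' above '{b}' despite lower expected loss")
```

With the constructed register the matrix rates the 11,000-loss risk at 0.20 probability as Medium and the 9,999-loss risk at 0.99 probability as Low, although the second carries more than four times the expected loss: the band edges, not the underlying numbers, decided the ranking.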
Basic and overarching in 31000 - Integration
ISO 31000 "recommends that organizations develop, implement and continuously improve a framework whose purpose is to integrate the process for managing risk (RMP) into the organization's overall governance, strategy and planning, management, reporting processes, policies, values and culture."
Overarching in 31000 - Integration (continued)
4.3.4 Integration into organizational processes
• Risk management (RM) should be embedded in all the organization's practices and processes in a way that it is relevant, effective and efficient.
• The risk management process should become part of, and not separate from, those organizational processes.
Overarching in 31000 - Integration (continued)
"2.7 risk owner - person or entity with the accountability and authority to manage a risk"
• Every risk (effect of uncertainty on objectives) is owned
• Risk owners are listed in the risk register
• Ownership has its privileges - get to monitor: risk, risk controls (may be the responsibility of others), cost of controls, effectiveness of controls, value of RMP (risk management process); and continuously improve all
Ironically, 48.7% of respondents describe the sophistication of their risk oversight processes as immature to minimally mature. Forty-seven percent do not have their business functions establishing or updating assessments of risk exposures on any formal basis. Almost 70% noted that management does not report the entity's top risk
"risk management framework - set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk
NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities
NOTE 3 The risk management framework is embedded within the organization's overall strategic and operational
7 components to the ERM Framework
1. Mandate and commitment to the framework (step 1)
   a. Agreement in principle to proceed
   b. Gap analysis
   c. Context for framework
   d. Design of framework
   e. Implementation plan
2. Risk management policy
   a. Policies for the framework, its processes and procedures
   b. Policies for risk management decisions:
      i. Risk Appetite
      ii. Risk Criteria
      iii. Internal Risk Reporting
3. Integration into the Organization
4. Risk Management Process
5. Communications and Reporting
6. Accountability
   a. Risk ownership and risk register
   b. Managers' performance evaluation
7. Monitoring, Review and Continuous improvement
   a. Responsibility for maintaining and improving framework
The risk management process: Establish the context; Identify risks; Analyse risks; Evaluate risks; Treat risks - with "Communicate and consult" and "Monitor and review" running alongside every step.
Risk Assessment
• Identify the risks
• Analyze the risks (Note: when numerical estimates of likelihood and consequences are not available, subjective risk matrix methods may be used)
• Evaluate the risks against Risk Criteria
• Result of Evaluation is to (or not to) Accept Risk - "informed decision to take a particular risk"
Risk Treatment - "process to modify risk"
"NOTE 1 Risk treatment can involve:
- avoiding the risk
- increasing risk in order to pursue an opportunity;
- removing the risk source
- changing the likelihood
- changing the consequences
- sharing the risk with another party or parties [including risk financing]
- retaining the risk by informed decision
NOTE 3 Risk treatment can create new risks or modify existing risks."
Risk Treatment is often a cycle of: Control options, Assessment of Residual Risk, Accept?, Treat risk?, Control options, and so on.
"communication and consultation" - "continual and iterative processes that an organization conducts to provide, share or obtain information, and to engage in dialogue with stakeholders regarding the management of risk
• NOTE 1 The information can relate to the existence, nature, form, likelihood, significance, evaluation, acceptability and treatment aspects
• NOTE 2 Consultation is a two-way process of informed communication between an organization and its stakeholders on an issue prior to making a decision or determining a direction on that issue. Consultation is:
  - a process which impacts on a decision through influence rather than power; and
Example risk register for a specific Strategic Objective - illustration only (courtesy of the Food Company)
Objective xx "Ready-to-Heat": Aggressively grow and build the ready-to-heat business by expanding the product line (15% NSV growth & maintain shares above 30%) and broaden the availability of the product.
Register columns: Risks (uncertainties re Obj); Control Activities; Action Plan; Owner; Priority; Risk Profile.
Risks listed: increase of aggressive competition from Rice Master and Fast Rice; aggressive year for growth target for the segment & brand; achieve new product growth targets.
Control activities listed: accelerate innovation; conduct competitor analysis session.
Owner: Joe. Priority: yes. Risk profile: High.
How the register is built:
1. Identify initiatives and their associated descriptions with measurable objectives
2. Prioritize order of the key initiatives based on their contribution to achieving the overall financial and strategic objectives within the OP
3. Document the individual in charge of the given initiative
4. List of risks that could hinder the ability to meet the initiative's objectives
5. List of planned activities that will modify the risks - match the treatment strategies to risk through the reference numbers
6. Management Team evaluates the probability of success in achieving this initiative's overall objectives
7. Document the immediate next steps for effective initiative
Bow-Tie Risk Treatment Tool (© Broadleaf Capital International, 2006) - columns:
2. Causes; 3. Impacts; 4. Existing Controls - Preventative (Existing Preventative Controls, Control Owner); 5. Existing Controls - Reactive, Post Event (Existing Reactive Controls, Control Owner); Task (future controls), Task Owner, Due Date; 6. Risk Control Effectiveness; 7. Consequence rating; 8. Likelihood rating; 9. Risk Rating; 10. Comments; 11. Risk Owner
1. Companies that are considered "strong" demonstrate an enterprise-wide view of risks, but are still focused on loss control. These companies have control processes for major risks, thus giving them advantages due to lower expected losses in adverse times, as such companies can consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Strong ERM firms are unlikely to experience unexpected losses outside of tolerance levels. Risk and risk management are usually important considerations in such firms' corporate judgment.
Companies that are considered "excellent" possess all of the characteristics of those scored "strong" and will also demonstrate risk/reward optimization. Such companies have very well-developed capabilities to consistently identify, measure, and manage risk exposures and losses in predetermined tolerance guidelines. Risk and risk management are always important considerations in such firms' corporate judgment. It is highly unlikely that these firms will experience
How to measure success?
–
Risk Maturity?
Risk Maturity Score
–
Fraser Valley Health
Level of ERM Maturity
Elements of ERM
1
Initial
2
Repeatable
3
Defined
4
Managed
5
Optimized
Organization Philosophy &
Culture
Leadership Commitment
RM Capabilities
RM Process
Organization Philosophy & Culture
responding to crises and tends to be reactive rather than proactive.People tend to be risk averse. Risks are identified primarily at operational and project levels. RM concepts are intuitively understood and practised on ad hoc basis. A cautious approach is taken to RM overall.
RM is done proactively to anticipate risks and develop mitigation plans. Emerging risks are considered. Focus is on opportunities, not just risk avoidance. Risk implications are considered in all major decisions.
Risks are consistently managed. Staff are encouraged to be innovative. The organization fosters a culture of continuous learning and
participation. Staff are highly committed to organization success.
RM is done at every level in the
organization, and is strongly integrated with management practices. Individual and organization expectations for RM are synchronized.
2. Roles and
responsibilities
for managing risk
Roles and
responsibilities are not documented and are unclear. No individual accountability for managing risk. RM is viewed as a
department rather than a process.
Responsibilities for managing risk have been established (job descriptions, terms of reference, etc.), but are not understood or consistently
followed. Risk is managed intuitively, on an ad hoc basis.
Roles and
responsibilities for RM are clear, well communicated and understood throughout the organization.
RM is embedded in individual behaviour. Individuals are empowered to manage risks. Responsibility for RM is an integral part of goal setting and performance planning.
Individual accountability for RM is firmly embedded in organization culture. Roles and
Organization Philosophy & Culture cont’d
ethics and values
No ethics policy or guidelines in place. Policy statements are issued on ad hoc basis. No clear statements of shared values or principles, or attention to legal or political
considerations.
Organization has an ethics and values statement. RM philosophy is reflected in written code of ethics and values. Philosophy is attuned to legal and political
considerations. Policies are
communicated across the organization but applied
inconsistently.
Ethics and values principles and legal/political considerations are well understood by staff, and applied consistently throughout the organization. RM approach is closely aligned with ethics and values.
Ethics and values help managers take a balanced approach to RM, and reconcile competing external forces. Ethics and values surveys consider risk, and are carried out regularly. Improvements are made.
Ethics, values and sensitivity to legal/political considerations are consistently reflected in organization practices and RM approach. Atmosphere of mutual trust exists at all levels of
organization. Few infractions or incidents occur.
4. Valuing risk
management
behaviour
High level of scepticism exists within organization. Mixed messages are given to staff. RM is not considered in assessing and rewarding
performance. Staff contribution to managing risk is not recognized or valued.
People are consulted and given
opportunity to participate in RM. Staff contribution to managing risk is recognized on ad hoc basis. Performance in managing risks is considered in recognition and rewards programs.
The working
environment supports a proactive approach to managing risks. Information on risk is shared openly. Strong sense of teamwork exists across the organization.
Recognition and rewards programs encourage staff to manage risks and take advantage of opportunities. Management is committed to continuous RM learning. Sanctions in place for knowingly ignoring risks. Staff development is a major organization priority.
Leadership Commitment to Risk Management
5. Leadership
RM is the concern of managers, and is dealt with on an ad hoc basis. RM concepts are ill defined and not well understood. No leadership engagement.RM initiatives are supported by senior management on ad hoc basis. Risks are managed by operational
managers. No Board engagement.
Senior management regularly engaged in formal RM process. Minimal Board engagement.
Senior management oversee and champion the
organization’s RM
framework, and lead by example. Some Board engagement.
Board and senior management commitment for RM clearly articulated, and strongly embedded at all levels of the organization.
6. Risk
management
framework &
policy
The organization has no formal RM framework or policy.
Some RM policies for specific areas have been formally documented to address specific risks.
Organization RM framework in place.
Organization RM framework and policy. These are well communicated and followed.
Board approved RM framework and policy are well communicated, followed and compliance is monitored.
7. Roles and
responsibilities of
senior
management
Unclear roles and responsibilities for RM. The audit function is seen as responsible for identifying risks.
Specialists are responsible for managing risks. Managers identify and respond to risks on an ad hoc basis.
Senior management assume responsibility for RM practices. Collectively, they identify and assess key organization risks, and develop mitigation plans.
Senior management roles and
responsibilities for RM are well documented in accountability agreements or governance
documents. They are consistently applied and monitored.
Risk Management Capabilities
RM is not perceived to be a formal competency. RM concepts are not well understood.
RM competencies have been identified, and skills gap established by some managers. Little or no formal training has been done.
Training in RM is high priority. Skills gap is being addressed. Training is being sourced.
There is “cross
-fertilization” between
specialists and managers.
RM competency development is integral part of individual learning plans, and
organization development programs. Staff at all levels are being trained, and skills gaps addressed.
Ongoing commitment to ensure continuous renewal of RM competencies. The organization is well known and respected for its RM training program.
9. Risk
management
techniques
Limited RM tools and techniques are available.
Managers tend to use their own individual approach for risk analysis. Available RM techniques have limited focus in specialised areas (e.g., finance, OH&S, IT project management).
Managers have access to various RM techniques that integrate financial and non-financial information for risk analysis. Tools are used with specialist support.
Wide range of RM tools/techniques available to all staff who understand how to use them, as well as their benefits and limitations.
Knowledge transfer occurs between specialists and managers.
RM tools and techniques are integrated with other management decision support tools. Strong interface with IS. Periodic review and update of tools and techniques.
10. Specialist
support
No specialist support for RM.
Specialists are used by management to carry out basic risk analysis on an ad hoc basis.
Specialists are known throughout the organisation and often called upon by managers to provide RM analysis and advice on specific issues.
The expert advisory role of specialists is valued by all levels of management. Specialist support viewed as a key enabler in initiating change.
Specialists advise on broad range of issues, on an integrated basis, through multi-disciplinary teams. Externally
Risk Management Process
identification &
assessment
No formal process to identify and assess risks.
Risks are identified for specific areas, and assessed by managers on an ad hoc basis. No formal process in place. No attempt to aggregate risks across the organization.
Formal risk assessment process and tools available to managers. Tools are used with specialist support. Risks are identified across the organisation to provide aggregate view.
Formal process and tools available to managers who understand their benefits/limitations, and know how to apply them. More sophisticated tools available with specialist support. Risk categories provide aggregate view for better understanding.
Risk assessment process and tools are integrated with other management decision support tools. Strong interface with organization management
information systems.
12. Risk
tolerance
Risk tolerance is not defined.
Risk tolerance is not defined. Specific risk levels are accepted or rejected intuitively.
Risk tolerance is somewhat defined for the organization and used by management.
Common
understanding and application of specific risk tolerance levels.
Risk tolerance levels established at all levels of the organization guide decision making.
13. Risk documentation
Level 1: No formal risk documentation is done.
Level 2: No formal process in place. Risk documentation that does occur is ad hoc and inconsistent.
Level 3: Formal documentation of risks in some areas, i.e., risk register, RM plans.
Level 4: Formal documentation of risks at all levels of the organisation. Risk registers and RM plans are regularly monitored and updated.
Level 5: Formal
Monitoring & Review
14. Performance measurement
Level 1: No formal performance measurement system in place.
Level 2: Performance measurement at departmental level involves monitoring of risks. Some risk indicators have been developed but not consistently applied.
Level 3: Organization-wide performance measurement system includes monitoring of risk indicators.
Level 4: Risk indicators are interpreted in relation to other corporate performance measures. Regular monitoring and review by Executive.
Level 5: Strategic and operational risk indicators and performance measures are closely linked. Regular monitoring and review by Executive and the Board.
15. Review of the risk management practices
Level 1: No measurement framework in place to assess RM practices.
Level 2: Evaluation of RM practices occurs in specific areas. This is typically done by internal audit.
Level 3: Performance indicators to assess progress in implementing organization RM framework, and the effectiveness of RM practices, have been developed.
Level 4: Information is regularly collected to monitor outcomes achieved as a result of RM framework and practices. Benchmarks established against which to assess progress.
Level 5: Performance against indicators is
Reporting & Control
16.
Level 1: No formal RM plans exist.
Level 2: Formal RM plans in place to address and report on specific risks. However, RM plans are not developed on a consistent basis throughout the organization.
Level 3: RM is discussed as a part of the strategic and business planning processes. Plans include an overview of key risks and mitigation.
Level 4: Organization-wide RM plan in place that includes comprehensive analysis of organization risks and mitigation. Plan is regularly reported against, reviewed and updated by senior management.
Level 5: Organization RM plan is viewed as integral to organization success. The plan is regularly reviewed and updated by senior management, and reported to the Board.
17. Controls
Level 1: Existing controls are not linked to corporate objectives or risk appetites. No criteria in place to evaluate controls effectiveness.
Level 2: Controls are used on an ad hoc basis to respond to new risks. Limited cost/benefit analysis of controls. Controls effectiveness is not monitored on a regular basis.
Level 3: Controls reflect corporate objectives and risk appetites. Cost/benefit analysis of controls is regularly conducted. Controls compliance and effectiveness are monitored at high level.
Level 4: Risk significance, as well as the cost/benefit of mitigation options, is considered prior to implementing controls. Compliance with, and effectiveness of, controls is regularly monitored and reported throughout the organization.
Level 5: The organization’s
Integration with Other Management Systems
18. Linkage to strategic and operational planning
Level 1: RM is not linked with organization planning processes.
Level 2: Risks are considered in development of business and operational plans on ad hoc and inconsistent basis.
Level 3: Formal consideration of risks is integral part of strategic and operational planning.
Level 4: Formal RM process integral to strategic and operational planning. Risks are prioritized, and cost/benefit of mitigation options are assessed.
Level 5: RM process is fully embedded in organization planning at all levels. A variety of modelling techniques used to quantify risks.
19. Linkage to management information system
Level 1: Limited management information to support RM.
Level 2: Management information exists to varying degrees to support RM at departmental level.
Level 3: Management information exists for organisation as a whole but with limited “drill-down” capability.
Level 4: Organization-wide performance management system in place. Information is used on ongoing basis to support RM.
Level 5: Sophisticated decision support tools available on-line to support RM at all levels of the organization.
20. Linkage to internal communication and feedback on risks
Level 1: No formal internal communication channels for risk issues.
Level 2: Ad hoc communication on risk issues at departmental level. Managers tend to work independently with some interaction.
Level 3: Communication on risk issues follows normal reporting channels. Some sharing of information across the organization.
Level 4: Risk information is shared across the organization. A pro-active effort made to communicate information on RM best practices and lessons learned.
Level 5: RM best practices and lessons learned are regularly communicated to the organization via newsletter, web page, orientation, etc.
21. Linkage to communication with external stakeholders
Level 1: No formal communication with external stakeholders on risk issues.
Level 2: Communication with stakeholders is ad hoc. Risk information is communicated on a “need to know” basis.
Level 3: Formal process to communicate with stakeholders on risk issues.
Level 4: Regular reporting to stakeholders on performance and risks. Stakeholder feedback obtained and considered in risk mitigation.
Roles in ERM – One scheme
Giving assurance that the control systems are effective
Giving assurance that risks are correctly evaluated
Managing risks on Management’s behalf
Accountability for risks and controls
Giving assurance on the Risk Management processes