RISK REGISTERS - Internal Audit Agency
Transcription
RISK REGISTERS - Internal Audit Agency
Internal Audit Agency 3RD Annual Internal Audit Forum Theme: Risk Management in the Public Sector: The Role of Internal Auditing Outline of Presentation: y Introduction y Risk Register y Why Develop a Risk Register? y Risk Register Template y Risk Measurement y y Likelihood Measurement Impact/ Consequence Measurement y Combined Effect of Likelihood and Impact y Conclusion 2 Introduction: y For effective management of risk, each step of the RM Process should be supported with appropriate tools and the output well documented. y A system for reporting risk helps to ensure the consistency, completeness, and timeliness of risk control decisions. y Database management systems are the most effective way to document and communicate risk information. y The primary database for documenting risk is the Risk Register. 3 The Risk Register y The Risk Register is a management tool that enables an organization to understand its comprehensive risk profile. y It is simply a repository for all risk information. y The Risk Register records details of all the risks identified for an organization, a budget centre or project. 4 The Risk Register (ctd) The RR is described as “a log of risks of all kinds that threaten an organization’s success in achieving its declared aims and objectives. It is a dynamic living document, which is populated through the organization’s risk assessment and evaluation process. This enables risk to be quantified and ranked. It provides a structure for collating information about risks that helps both in analysis of risks and in decisions about whether or how those risks should be treated.” – [The Risk Register Working Group of the UK NHS (2002) ] 5 The Risk Register (ctd) y The RR is the hub of the internal control system, given that it contains the objectives, risks and controls for the organization or operation. y Risks associated with activities and strategies are identified then graded in terms of likelihood of occurrence and seriousness of impact. y It is an important component of an organization’s risk management framework. y The Risk Register can be put together by members of the organizations, but must be owned and agreed by the Senior Management Team or the ARIC. 6 Why develop a Risk Register? y Analysis contained in a risk register can be used to document and improve workplace practices. y Can be used to notify senior managers of emerging risk exposures that warrant immediate attention. y encourage a high level of ownership of, and commitment to, the organization’s processes and activities when all staff are involved in the process of compiling a risk register y Gives assurance to Management on the status of risks they face. 7 The Risk Register Template y The Risk Register is a template to work through the risk management process. y Working from left to right across the template, one is prompted to consider all elements of the risk management process. y The risk register template consists of some headings in a table that reflects the nature of the risk that is to be addressed. y These headings are shown in the following table: (Click) 8 The Risk Register Template y The advantage of using a single template as a record of risk analysis, evaluation, treatment and monitoring actions is the clear presentation of the logic which supports the decision making process. y The completed risk register should be brief and to the point, so it quickly conveys the essential information. y It should be updated on a regular basis. 9 RISK MEASUREMENT As a guide, a brief description of the objectives and scope of the activities to be included in the Risk Register are as follows: i) Likehood Rankings: Likelihood Likelihood rankings should be calibrated, Rankings where necessary to ensure compliance with applicable regulations, safety standards and other tolerances that have been agreed with key activity sponsors. 1 Low Probability less than 5% (Has not/unlikely to occur) 2 Medium Probability less than 25% (Any history of occurrence?) 3 High Probability of over 25% (has occurred recently) 10 RISK MEASUREMENT Impact Rankings Impact rankings should be calibrated to reflect the severity of consequence, should a risk crystallize. Low impact on the organization’s strategy 1 Minor or operational activities. Low stakeholder concern Moderate impact on the organization’s 2 Moderate strategy or operational activities. Moderate stakeholder concern High impact on the organization’s strategy 3 Significant or operational activities. Significant stakeholder concern 11 Grade: Combined effect of Likelihood/Impact Likelihood High (3) B. Medium (2) C. Low (1) A. 1. Minor 2. Moderate 3. Significant M H H L M H L L M Consequence/ Impact Rating A guide of actions to Manage Risks (E.g.) An Example of a Risk Register is: (RR) 12 Conclusion: y Using the Risk Register to document risk provides a clear understanding of the risk management process and helps in the identification of inherent risk as well as appropriate strategies to mitigate these risks. 13 THANK YOU 14