1.0 Introduction
1.1 Company Information
Please provide company information
1.2 Purpose
The Enterprise Risk Management (ERM) Manual defines the risk management practices of XXX. It describes the ERM practices used to monitor, control, and track the material risks to which XXX is exposed in its operations, and sets out the individual and functional responsibilities required to achieve the objectives of the ERM program. Its purpose is to ensure that enterprise-wide risks that have been identified, measured, and deemed to require a response are treated using the most effective and efficient methods. It also provides a framework for XXX to identify opportunities and to consider the implications of ignoring them. XXX managers tasked with decision-making across Departments must consider the associated risks, and XXX's decision-making process is structured so that risks are avoided where required. While functions within XXX differ in their risk exposure, a common and practical risk taxonomy supported by risk categories informs the appropriate use of risk data. As XXX changes in size, nature of operations and complexity over time, the ERM Manual should evolve so that all significant new, emerging and increased risks are appropriately considered and addressed as part of the ongoing review and assessment process.
2.0 REFERENCES
The following International Standard has been used as a reference document for the development of this ERM Manual:
ISO 31000:2018, Risk management — Guidelines
3.0 TERMS & DEFINITIONS
Term | Definition |
--- | --- |
Risk | Effect of uncertainty on objectives. |
Risk Management | Coordinated activities to direct and control an organization with regard to risk (ISO 31000:2018). |
Risk Management Philosophy | An entity's Risk Management Philosophy is a set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. |
Stakeholder | A person or organization that can affect, be affected by, or perceive themselves to be affected by a decision or activity. |
Event | An incident or occurrence from internal or external sources that affects the achievement of objectives. It can have negative impacts, positive impacts, or both. A risk is the possibility that an event will occur that would adversely affect the achievement of objectives; an opportunity is the possibility that an event will occur and positively affect the achievement of objectives. |
Consequence | Outcome of an event affecting objectives (ISO 31000:2018). |
Control | Measure that maintains and/or modifies risk. |
Likelihood | Chance of something happening. |
Risk Source | Element which alone or in combination has the potential to give rise to risk. |
Risk Universe | A consolidation and segregation of the main and sub-categories of risks affecting an organization, typically segregated into Environmental, Process and Information for Decision-Making risks. |
Risk Appetite | The degree of risk, on a broad-based level, that the organization is willing to accept or take in pursuit of its objectives. |
Risk Tolerance | The level of risk that the organization is willing to accept in various risk areas. This can be measured in terms of both quantitative and qualitative dimensions. |
Risk Mitigation | The technique used to treat a risk and reduce it to an acceptable level for the organization. It involves prioritizing, evaluating, and implementing the appropriate risk-reducing controls recommended by the risk assessment process, and is a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. |
Risk Profile | A visual representation, accompanied by explanations, of either the key risks or the entire portfolio of risks facing an organization, typically depicted in a heat map. |
4.0 Principles
The Enterprise Risk Management Framework is guided by the following principles:
a) Integrated
Risk management constitutes an essential component of every organizational activity whether managed services, hard services or soft services.
b) Structured and comprehensive
An organized and thorough method of risk management fosters uniform and comparable results.
c) Customized
Risk assessments will be conducted on all new activities and projects (as appropriate) before commencement to ensure alignment with risk appetite, and strategic and organizational objectives.
d) Inclusive
Engaging stakeholders in a suitable and timely manner allows their insights, perspectives, and expertise to be incorporated, leading to heightened awareness and well-informed risk management practices.
e) Dynamic
As the external and internal context of an organization evolves, risks may arise, evolve, or diminish. Risk management aims to foresee, identify, acknowledge, and address these shifts and occurrences promptly and suitably.
f) Best available information
Risk management relies on past and present data, alongside future projections, while acknowledging the inherent limitations and uncertainties. It emphasizes the importance of providing timely, transparent, and accessible information to pertinent stakeholders.
g) Human and cultural factors
Human behaviour and cultural norms exert a considerable influence on every facet of risk management across all levels and phases.
h) Continual improvement
Risk management is continually improved through learning and experience.
5.0 ERM Framework
5.1 General
The objective of the risk management framework is to aid XXX in embedding risk management within key activities and functions. The efficacy of risk management hinges on its incorporation into organizational governance, notably in decision-making processes, and therefore requires backing from stakeholders, especially top management. Framework development involves integrating, designing, implementing, assessing, and enhancing risk management throughout XXX. XXX must assess its current risk management practices and processes, identify any deficiencies, and rectify them within the framework. The components of the framework and their interactions should be tailored to suit the organization's requirements.
XXX's ERM Framework is customized to XXX's operating environment and aligned with ISO 31000:2018, the risk management guidelines published by the International Organization for Standardization. The purpose of ISO 31000:2018 is to provide principles and generic guidelines on risk management. It seeks to provide a universally recognized standard for practitioners and companies employing risk management processes, replacing the myriad of existing principles, standards and methodologies that differ between and among industries.
As part of its legal and regulatory compliance requirements, XXX implements this ERM Framework. To ensure its effective and sustainable implementation, XXX shall ensure that the following components are aligned with each other: the ERM process; ERM objectives and Group objectives; and key risk indicators (KRIs) and key performance indicators (KPIs). Specific accountabilities and responsibilities shall be established, and the necessary resources shall be allocated to set the process in motion.
5.2 Leadership and Commitment
The Framework is anchored on the leadership and commitment of top management to implement the ERM Program across XXX. It is envisioned to be dynamic and shall be continuously improved to be responsive to the needs of XXX and to attain its desired state. Senior management and relevant oversight bodies should ensure the integration of risk management across all organizational activities, demonstrating leadership and dedication by:
- Customizing and implementing all elements of the framework.
- Issuing a statement or policy that outlines a risk management approach, plan, or strategy.
- Allocating necessary resources for risk management.
- Designating authority, responsibility, and accountability at suitable levels within the XXX.
This will enable the XXX to:
- Align risk management with its objectives, strategy, and culture.
- Fulfill obligations and voluntary commitments.
- Determine acceptable levels and types of risk through the development of risk criteria, ensuring transparent communication with the organization and stakeholders.
- Articulate the value of risk management to both the organization and stakeholders.
- Facilitate systematic risk monitoring.
- Ensure ongoing appropriateness of the risk management framework to the organization’s context.
Senior management holds responsibility for risk management, while oversight bodies are tasked with supervising risk management processes. Oversight bodies typically:
- Ensure adequate consideration of risks in setting organizational objectives.
- Understand the risks associated with organizational objectives.
- Verify the implementation and effectiveness of risk management systems.
- Assess the appropriateness of risks concerning organizational objectives.
- Ensure proper communication of information regarding risks and their management.
5.3 Integration
Everyone is a Risk Manager. This vision can only be achieved once the risk management mindset has been integrated and embedded into XXX's organizational purpose, governance, leadership and commitment, strategy, objectives and operations. Integrating risk management in XXX is a dynamic and iterative process, customized to address XXX's needs and culture. The integration of risk management hinges on a thorough comprehension of organizational structures and context, which vary with XXX's mission, objectives, and complexity. Risk management permeates every aspect of the organizational framework, with every individual bearing responsibility for its management.
Governance steers the trajectory of XXX, encompassing its external and internal relationships as well as the regulations, procedures, and practices necessary for fulfilling its mission. Management structures translate the directives of governance into strategies and associated objectives aimed at achieving sustainable performance and long-term viability. Establishing accountability and oversight roles for risk management within XXX is an essential component of its governance.
Risk management should be seamlessly integrated with the organizational purpose, governance, leadership, commitment, strategy, objectives, and operations, rather than existing as a separate activity.
5.4 Design
5.4.1 Understanding the organization and its context.
When developing the risk management framework, senior management should thoroughly analyze and comprehend both the external and internal contexts of XXX. Designing XXX's ERM Framework requires a thorough understanding of both the internal and external environments in which it operates. The external environment includes, but is not limited to, the cultural, technological, legal, financial, and regulatory environment, XXX's relationships with stakeholders, and industry and international trends. The internal context includes company culture and values, policies and procedures, guidelines, organizational structure, and other parameters that are internally driven.
Exploring the organization’s external context may involve, among other considerations:
- Social, cultural, political, legal, regulatory, financial, technological, economic, and environmental factors, whether at international, national, regional, or local levels.
- Key drivers and trends impacting the XXX’s objectives.
- Relationships with external stakeholders, including their perceptions, values, needs, and expectations.
- Contractual agreements and commitments.
- The intricacies of networks and dependencies.
Analyzing the XXX’s internal context may encompass, but is not restricted to:
- Vision, mission, and values.
- Governance structures, organizational hierarchy, roles, and responsibilities.
- Strategies, objectives, and policies.
- Organizational culture.
- Adopted standards, guidelines, and models.
- Capabilities, including resources and knowledge such as capital, time, personnel, intellectual property, processes, systems, and technologies.
- Data, information systems, and information flow.
- Relationships with internal stakeholders, considering their perspectives and values.
- Contractual obligations and commitments.
- Interdependencies and interconnectedness within the XXX.
5.4.2 Articulating Risk Management Commitment
Senior management and oversight bodies, where applicable, should exemplify and articulate their ongoing commitment to risk management through a policy statement or other media that clearly convey XXX's objectives and commitment to risk management. This commitment should encompass, but not be limited to:
- Clarifying the XXX’s rationale for managing risk and its connections to objectives and other policies.
- Emphasizing the importance of integrating risk management into the organizational culture.
- Spearheading the incorporation of risk management into core business activities and decision-making processes.
- Defining authorities, responsibilities, and accountabilities.
- Allocating necessary resources.
- Addressing how conflicting objectives are managed.
- Incorporating measurement and reporting into the XXX’s performance metrics.
- Facilitating regular review and enhancement.
The commitment to risk management should be effectively communicated internally within the XXX and, as appropriate, to stakeholders.
Oversight Structure
The ERM oversight structure of XXX is illustrated in the diagram below:
5.4.3 Assigning organizational roles, authorities, responsibilities and accountabilities
Senior management and oversight bodies, where applicable, are responsible for ensuring that the necessary authorities, responsibilities, and accountabilities for key roles in risk management are assigned and communicated across all levels of XXX. They should emphasize the fundamental nature of risk management as a responsibility and identify individuals who hold the authority and accountability as risk owners to effectively manage risk.
The following describes the key roles and responsibilities of XXX‘s ERM stakeholders.
1. Board of Directors
- Provide effective oversight of XXX's risk management process.
- Understand the most significant risks affecting XXX and be informed of the mitigating actions taken by senior management for key risks.
- Monitor the priority risks of XXX through quarterly reports raised by the Risk Committee, make decisions in their regard, and provide direction to the Risk Committee on risk mitigation and response plans.
- Review and approve the ERM policy, risk appetite, risk infrastructure, and XXX Risk Strategy.
- Approve XXX's ERM Manual and framework.
- Maintain management commitment to improving ERM performance.
- Issue directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.
2. Risk Committee
- Review the ERM policy, risk appetite, risk infrastructure, and risk documentation such as risk tolerances, impact and likelihood scales, and risk rating boundaries.
- Monitor XXX's ERM maturity against the XXX ERM strategy.
- Assume overall responsibility and accountability for ERM.
- Endorse XXX's ERM Manual and framework.
- Ensure that ERM objectives, plans, and procedures are developed to implement the policy.
- Make the necessary resources available to meet ERM objectives and targets.
- Approve XXX’s risk register.
- Maintain an awareness and understanding of XXX’s risk appetite, the principal risks to achieving XXX’s strategic objectives, and the actions being taken to maintain overall risk levels within the stated risk appetite.
- Recommend directives for risk treatment to maintain risk levels within defined tolerance thresholds, and approve risk treatment expenditures.
3. Risk Officer
- Develop, implement, and administer the ERM manual.
- Develop and maintain ERM policies, processes, procedures, standard tools, and information systems.
- Develop and deliver ERM training.
- Ensure that all activities are carried out consistently with the ERM Policy.
- Ensure that appropriate processes and capabilities are in place to identify, assess, measure, manage, monitor, and report risks.
- Assist management in bringing risks back within established risk tolerance thresholds in the event of a breach. Determine the consequences of such a breach and take corrective action.
- Assist management with resource allocation decisions so that they are based on the best available, correct and complete information.
- Establish ERM communication at all levels. Gather data and develop risk reports for the Risk Committee, and management as required.
- Analyze ERM performance reports; aggregate and prioritize risks; validate assumptions and methodologies; report risks; and ensure that information presented for decision-making and reporting is complete and correct.
- Deploy and maintain tools that assist in estimating the likelihood and impact of risk events.
- Facilitate the identification, measurement, monitoring, and reporting of risks through risk identification and assessment workshops.
- Own and manage XXX’s risk register.
4. Risk Champion
- Coordinating with the Risk Officer for periodic risk assessment which involves identifying, analyzing, describing and estimating the impact of identified and emerging risks.
- Planning, designing, and implementing an overall risk management process for the respective department, all of which is performed in conjunction with the Risk Officer.
- Monitoring controls, mitigation plans, and risk treatment plans.
- Periodically reporting on risk mitigation activities for all identified risks to the Risk Management Department, ensuring accountability for risk management and providing status updates on action plans.
- Monitor and report on the risk indicators to ensure that XXX has not exceeded the approved risk appetite.
5. Process owners
The process owner is the ultimate owner of the identified risks in their area. Process owners are therefore responsible for managing those risks and for implementing risk mitigation plans and controls, subject to monitoring and reporting by the risk champions. Process owners are also responsible for providing the risk champions with the risks identified in their respective areas.
6. Internal Audit Function
The Internal Audit function in XXX is responsible for monitoring compliance with ERM policies and procedures, evaluating the effectiveness of current ERM processes, including the effectiveness of controls and other risk treatment actions, and providing recommendations for improvement.
5.4.4 Allocating resources
Senior management and oversight bodies, when applicable, are tasked with ensuring the allocation of suitable resources for risk management, encompassing but not limited to:
- Personnel with the requisite skills, experience, and competence.
- Organizational processes, methodologies, and tools employed for risk management.
- Documented processes and procedures.
- Information and knowledge management systems.
- Professional development and training requirements.
Senior management should assess the capabilities and limitations of current resources.
5.4.5 Establishing communication and consultation.
Senior management should devise an approved approach to communication and consultation that supports the framework and enables the efficient implementation of risk management. Communication entails disseminating information to specific audiences, while consultation entails participants offering input with the expectation that it will influence decisions or other activities.
Methods and content for communication and consultation should align with stakeholders’ expectations, where applicable. Both communication and consultation should be timely, ensuring that pertinent information is gathered, organized, synthesized, and disseminated as necessary, and that feedback is received and used to make enhancements.
5.5 Implementation
Senior Management should execute the risk management framework by:
- Formulating a suitable plan inclusive of time and resources.
- Identifying the where, when, and how various types of decisions are made across the XXX, along with the responsible parties.
- Adjusting relevant decision-making processes as needed.
- Ensuring that the XXX’s risk management arrangements are comprehended and put into practice.
Successful implementation of the framework hinges on stakeholder engagement and awareness. This enables XXX to explicitly address uncertainty in decision-making, while also ensuring the incorporation of any emerging uncertainty as it arises.
When appropriately designed and implemented, the risk management framework guarantees that the risk management process is integrated into all organizational activities, including decision-making, and that changes in both external and internal contexts are adequately addressed.
The Facility Manager leads the implementation of the XXX ERM Program, determines the appropriate timing and strategy for implementation, and develops the implementation plan to ensure that risk management is applied at all levels and functions and that decision-making and target-setting are aligned with the outcomes of the risk management process.
Line management at each level shall:
- Be accountable for the management of risks that are significant to the fulfilment of business objectives.
- Set appropriate goals, objectives, targets and performance indicators for all operations to ensure that risks are effectively managed under the ERM Framework.
- Allocate adequate financial and human resources for risk management, consistent with corporate priorities; and
- Ensure, through selection, education, and training, that employees at all levels within their group have the competence and responsibility to carry out the ERM process.
5.6 Evaluation
The implementation of the ERM Program shall be assessed by the Internal Audit team during the internal audit. Internal Audit applies defined criteria to determine the level of XXX's maturity in implementing the ERM Program. The criteria are grouped into components that are critical to the successful implementation of the program, namely governance and organization, risk management strategy, reporting and communication structure, tools and technology, and XXX's culture and capability. To assess the efficacy of the risk management framework, senior management should:
- Regularly gauge the performance of the risk management framework against its intended purpose, implementation strategies, indicators, and anticipated outcomes.
- Ascertain whether the framework continues to be appropriate in aiding the organization to accomplish its objectives.
5.7 Improvement
5.7.1 Adapting
Senior Management should continually monitor and adapt the risk management framework to address external and internal changes so as to improve its value.
5.7.2 Continually improving.
Senior management will continually enhance the appropriateness, sufficiency, and efficiency of the risk management framework and its integration into the risk management process. Upon identifying pertinent gaps or opportunities for improvement, senior management should devise plans and allocate responsibilities for their execution. Once implemented, these enhancements should contribute to the improvement of risk management practices. The ERM Framework, Process and Plan shall be reviewed and improved periodically, taking into consideration the internal and external environment at each period. The results of the Internal Audit assessment shall also be used to determine gaps between the current and desired state of ERM maturity. Decisions shall be made on how the risk management program can be improved. The Manual shall be updated to reflect enhancements made to the program, and changes shall be communicated to all stakeholders concerned.
6 Process
6.1 General
The ERM Process is customized to XXX's operating environment and is aligned with ISO 31000:2018. The risk management process can be applied to decisions at all levels within XXX. At each stage of the risk management process, tools and techniques suited to XXX's objectives, resources and capabilities shall be employed. Risk management involves the identification and treatment of risks that affect XXX's strategies, regulatory objectives and operations. The risk management process should be integrated with management and decision-making and embedded in the organization's structure, operations, and processes. It is applicable at the strategic, operational, programmatic and project levels. The risk management process can be applied many times within an organization, tailored to the objectives and the external and internal contexts in which it is employed. Throughout the risk management process, the dynamic and variable aspects of human behaviour and culture should be considered. While the risk management process is typically depicted as sequential, it operates as an iterative cycle.
6.2 Communication and consultation
The following actions are to be considered in ensuring clear lines of communication and consultation in relation to emerging XXX risks:
- All internal and relevant external stakeholders, relevant to the risk context, are to be consulted in the identification and assessment of XXX risks.
- Communication protocols to ensure staff are aware of operational and strategic risks to the XXX are to be established and implemented.
- Consultation is to be made with all relevant XXX staff in the identification of the context and risks environments, the inherent risks to the operations of the XXX, the assessment of the risk rating and the determination of risk treatments.
- XXX strategic and operational risks are to be reviewed as part of XXX governance processes on a regular basis during relevant meetings of the risk committee.
- Risk management reviews are to be scheduled as a regular meeting agenda item at governance meetings.
The objective of communication and consultation is to aid relevant stakeholders in comprehending risk, the rationale behind decision-making, and the necessity for specific actions. Communication endeavors to foster awareness and understanding of risk, while consultation involves soliciting feedback and information to support decision-making. Effective coordination between the two should facilitate the exchange of information that is factual, timely, relevant, accurate, and understandable, while also respecting the confidentiality, integrity of information, and privacy rights of individuals. Communication and consultation with appropriate external and internal stakeholders should occur throughout all stages of the risk management process. Their aims include:
- Bringing together diverse areas of expertise for each phase of the risk management process.
- Ensuring that various perspectives are appropriately considered when defining risk criteria and evaluating risks.
- Providing adequate information to facilitate risk oversight and decision-making.
- Fostering a sense of inclusivity and ownership among those impacted by risk.
6.3 Scope, context and criteria
6.3.1 General
Establishing the scope, context, and criteria aims to tailor the risk management process, facilitating effective risk assessment and suitable risk treatment. This involves defining the process’s scope and comprehending both external and internal contexts.
6.3.2 Defining the scope.
XXX defines the scope of its risk management activities. The scope of risk management covers every level of management activity and all strategic planning and decision-making processes within XXX, in support of the achievement of its strategies and objectives. When planning the approach, factors to consider include:
- Objectives and decisions requiring attention.
- Anticipated outcomes resulting from the process steps.
- Timeframes, locations, specific inclusions, and exclusions.
- Suitable risk assessment methodologies and tools.
- Necessary resources, delineation of responsibilities, and record-keeping.
- Interconnections with other projects, processes, and activities.
6.3.3 External and internal context
The context of the risk management process varies according to the needs of the organization and the circumstances in which the process is applied. Establishing the context may involve defining the scope and objectives of the activity, the relationships that will be affected, the liabilities and obligations connected with the activity, and the resources required. The context must be properly established; otherwise, the results of the assessment could be inaccurate or inadequate. XXX reviews its risk appetite (the amount and type of risk it may or may not take in relation to its objectives) annually, during the annual strategic planning exercise. The XXX Executive shall establish and document the internal and external contexts and environments to ensure a broad spectrum of risk assessment and coverage over XXX operations.
External contexts include the following:
- Legal and regulatory requirements
- Social, cultural, political, financial, technological, and economic environments
- Local, regional and state-wide context
- Key business drivers and trends which may impact operations and resources
- Relationships and perception of external partners and stakeholders, including the general public.
Internal contexts include the following:
- Funding and resources
- Organizational culture, structure and lines of authority
- Internal policies and procedural requirements
- Employee capabilities – knowledge, skills and experience
- Information systems and decision-making processes.
6.3.4 Defining risk criteria.
The Risk Committee should define the extent and nature of risk XXX is willing to accept in relation to its objectives and establish criteria for assessing risk significance and guiding decision-making. These risk criteria should be harmonized with the risk management framework and tailored to the specific purpose and scope of the activity in question. They should reflect the organization's values, objectives and resources, and be consistent with its risk management policies and statements. They should also consider the organization's obligations and stakeholder perspectives. Although risk criteria should be determined at the outset of the risk assessment process, they are subject to change and should be regularly reviewed and adjusted where necessary. When establishing risk criteria, the following factors should be considered:
- The nature and variety of uncertainties that can affect outcomes and objectives (both tangible and intangible).
- Definition and measurement of both positive and negative consequences and likelihood.
- Time-related considerations.
- Consistency in measurement application.
- Determination of risk level.
- Incorporation of combinations and sequences of multiple risks.
- Organizational capacity.
6.4 Risk Assessment
6.4.1 General
Risk assessment is the overall process of risk identification, risk analysis and risk evaluation. Its output feeds risk treatment, whose aim is to choose and execute strategies for managing risk. Risk treatment involves an iterative cycle of:
- Developing and choosing risk treatment strategies.
- Planning and executing risk treatment measures.
- Evaluating the efficacy of the treatment.
- Determining whether the residual risk is acceptable.
- If deemed unacceptable, implementing additional treatment measures.
6.4.2 Risk identification
Risk identification is the process of finding, recognizing and describing risk. The first part of Risk Assessment is Risk Identification, which is the identification of events, consequences or changes in circumstances that could affect objectives, strategies, processes or operations. This aims to generate a comprehensive list of risks that might create, enhance, prevent, degrade, accelerate, delay, or otherwise affect the achievement of objectives. Comprehensive identification is critical because a risk that is not identified at this stage will not be included in further analysis. This step essentially aims to answer the question: What circumstances or events might affect the achievement of the objectives?
XXX adopts the ISO definition of Risk which is “the effect of uncertainty on objectives.” The effect may be positive, negative, or a deviation from the expected. Also, a risk is often described by an event, a change in circumstances or a consequence.
The organization should use Risk Identification techniques that are suited to its culture and capability. To facilitate enterprise risk identification, the risks are classified as follows:
- Strategic Risks – These risks arise when there are forces in the external environment that could either put the organization out of business, or significantly change the fundamentals that drive its overall objectives and strategies.
- Operations Risks – These risks arise when operations are inefficient or ineffective in executing the organization’s business model, satisfying customers and achieving the organization’s quality, cost and time performance objectives.
- Compliance Risks – These risks arise when there is noncompliance with prescribed organization policies, procedures or laws and regulations that result in penalties, fines, etc.
- Financial Risks – These risks arise when cash flows and financial exposures are not managed cost-effectively to maximize cash availability, to reduce uncertainty from currency, interest rate, credit and other financial risks, or to move funds quickly and without loss of value to wherever they are needed most.
The XXX Executive is to take the following actions to effectively identify risks associated with major projects, programs and change initiatives:
- Consider all sources of potential risk, potential impacts and changes in the regulatory environment. The risk categories identified below are to be used to ensure that all risk areas have been considered in the risk identification process. These categories outline the sources of risk:
- Risk categories: Human Resources; Reputation; Business Continuity; Corruption & Fraud; Financial; Data and Information Management; Stakeholder (Community & Political); Service/Product Delivery; Work Health & Safety; Security & Property; Legal & Legislative; Environment; Technology.
- Determine potential causes of risks without consideration of current controls, to establish the inherent risks associated with XXX functions/processes. Risk identification should include risks regardless of whether the risk source is under the control of XXX or of external parties.
- Consider the cumulative effects of multiple risks on XXX functions/operations.
- Consider, record and assess a wide range of potential consequences.
- Consult a broad range of employees/stakeholders in determining the inherent risks to XXX.
6.4.3 Risk analysis
The Risk committee is to take the following actions in performing risk analysis associated with major projects, programs and change initiatives. Each identified risk shall be analyzed to ensure an in-depth understanding of the risk, including:
- Sources and causes of the risk.
- Positive and negative consequences of the risk occurring.
- Likelihood of the risk occurring without controls being applied.
- Factors that may impact, encourage, and limit the risk eventuating as described.
- Interdependence of risks on each other, including multiplicity effects.
Process Risk Assessment is carried out by the Risk Assessment Team for all key processes as well as support processes. The Risk Assessment Team shall hold a brainstorming session to identify all risks having a negative impact on the quality of the product/service and on business reputation.
Risk Assessment is carried out based on the Risk Assessment Matrix guidelines applied in 6.4.4, in which Severity and Probability are each scored on a scale of 1 to 5.
Some Techniques for Risk Assessment & Management include:
- Interviews
- Benchmarking
- SWOT analysis
- Risk questionnaires and risk surveys
- Using technology
6.4.4 Risk evaluation
The Risk committee is to take the following actions in performing risk evaluation:
- Identify the existing practices and procedures that minimize the risk and assess their strengths and weaknesses. A control is a process designed to provide reasonable assurance regarding the achievement of objectives; controls may also arise as outcomes of previous risk treatment activities. Types of controls include:
- Segregation of duties.
- Documentation trails.
- Physical security over assets.
- Checks and reconciliations.
- Authority for approvals.
- Risk Assessment details are entered in the Process Risk Assessment Format by the Risk Assessment Team.
- For each risk element, Severity is assigned on a scale of 1 to 5, based on the consequences identified in terms of Quality of Product/Service and Business Reputation.
- Probability is assigned on a scale of 1 to 5, based on the likelihood of the risk occurring, as per the Risk Assessment Matrix guidelines.
- Calculate the overall risk level (Severity multiplied by Probability) and classify it as Low, Medium or High as per the Risk Matrix Guidelines.
- Develop mitigation steps to reduce the probability that a risk (High, Medium or Low) will materialize.
- Develop contingency plans for High risks.
- All mitigation steps are listed in the Process Risk Analysis Record and implemented by the responsible Department.
- Evaluate how far the contingency and mitigation strategies have reduced Probability and Impact, and reassign effective (residual) ratings to the risks.
- Residual risk analysis and monitoring of the effectiveness of mitigation steps is carried out by the Risk Assessment Team after all mitigation steps have been implemented, and is recorded in the Process Risk Analysis Format.
- Monitoring of the effectiveness of the implemented controls/mitigation steps is carried out by the team at least once a year, and the risk assessment records are updated accordingly.
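The scoring procedure above (Severity 1 to 5 multiplied by Probability 1 to 5, classified as Low/Medium/High, re-rated after mitigation, with contingency plans for High risks and escalation of high-level risks) can be kept consistent across a register by scripting it. The following is an added example, not part of the ERM Manual or of any XXX tooling. The manual defers the Low/Medium/High band boundaries to its Risk Matrix Guidelines, which are not reproduced here, so the thresholds in the code (Low up to 4, Medium 5 to 12, High 15 and above) are an assumption, as are the `Risk` fields, the helper names and the sample register entries.

```python
"""Risk register scoring for the 5x5 Severity x Probability matrix (6.4.4).

Added example. Band thresholds, field names and sample data are assumptions,
not values taken from the ERM Manual.
"""
from dataclasses import dataclass, field
from typing import Optional

# ASSUMED band boundaries; the manual's Risk Matrix Guidelines are not
# reproduced in the text, so these stand in for them.
LOW_MAX = 4       # product 1..4   -> Low
MEDIUM_MAX = 12   # product 5..12  -> Medium
                  # product 15..25 -> High


def risk_level(score: int) -> str:
    """Map a Severity x Probability product (1..25) to Low / Medium / High."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1..25")
    if score <= LOW_MAX:
        return "Low"
    if score <= MEDIUM_MAX:
        return "Medium"
    return "High"


def _check_scale(name: str, value: int) -> None:
    """Severity and Probability are each scored on an integer 1..5 scale."""
    if not isinstance(value, int) or value not in range(1, 6):
        raise ValueError(f"{name} must be an integer 1..5, got {value!r}")


@dataclass
class Risk:
    risk_id: str
    description: str
    severity: int                 # inherent severity, 1..5
    probability: int              # inherent probability, before controls, 1..5
    mitigations: list = field(default_factory=list)
    residual_severity: Optional[int] = None      # re-rated after mitigation
    residual_probability: Optional[int] = None
    contingency_plan: Optional[str] = None

    def __post_init__(self) -> None:
        _check_scale("severity", self.severity)
        _check_scale("probability", self.probability)
        for name in ("residual_severity", "residual_probability"):
            value = getattr(self, name)
            if value is not None:
                _check_scale(name, value)

    def inherent_score(self) -> int:
        return self.severity * self.probability

    def residual_score(self) -> int:
        """Use the re-rated values where given, otherwise the inherent ones."""
        sev = self.severity if self.residual_severity is None else self.residual_severity
        prob = self.probability if self.residual_probability is None else self.residual_probability
        return sev * prob


def evaluate(risk: Risk) -> dict:
    """Score one risk and list the record-keeping gaps the manual's rules imply."""
    inherent, residual = risk.inherent_score(), risk.residual_score()
    inherent_level, residual_level = risk_level(inherent), risk_level(residual)
    findings = []
    # Mitigation re-rating is meant to lower probability/impact; flag the reverse.
    if residual > inherent:
        findings.append("residual score exceeds inherent score; re-check mitigation ratings")
    # 6.5.3: a treatment plan is required for medium and high risks.
    if inherent_level != "Low" and not risk.mitigations:
        findings.append("treatment plan required but no mitigation steps recorded")
    # 6.4.4: contingency plans are developed for High risks.
    if inherent_level == "High" and not risk.contingency_plan:
        findings.append("High risk without a contingency plan")
    return {
        "risk_id": risk.risk_id,
        "inherent_score": inherent,
        "inherent_level": inherent_level,
        "residual_score": residual,
        "residual_level": residual_level,
        "escalate": inherent_level == "High",   # 6.5.3: escalate high-level risks
        "findings": findings,
    }


def evaluate_register(register) -> list:
    return [evaluate(r) for r in register]


# Constructed sample register (illustrative entries, not from the manual).
SAMPLE_REGISTER = [
    Risk("R-01", "Loss of customer data through a misconfigured file share",
         severity=5, probability=4,
         mitigations=["Access review", "Share permission hardening"],
         residual_severity=5, residual_probability=1,
         contingency_plan="Breach notification runbook"),
    Risk("R-02", "Supplier invoice fraud via unverified bank detail changes",
         severity=4, probability=3,
         mitigations=["Call-back verification of bank detail changes"],
         residual_probability=1),
    Risk("R-03", "Key staff departure in the finance team",
         severity=3, probability=1),
    Risk("R-04", "Ransomware outbreak across the production environment",
         severity=5, probability=3),
]

if __name__ == "__main__":
    for row in evaluate_register(SAMPLE_REGISTER):
        print(row)
```

The `findings` list is what the Risk Assessment Team would review at the annual check: a High inherent risk with no contingency plan, or a Medium/High risk with no mitigation steps recorded, is a gap in the Process Risk Analysis Record rather than a scoring result.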
6.5 Risk treatment
6.5.1 General
Risk Evaluation might show that certain risks need to be modified. In such case, Risk Owners shall develop strategies and implement actions that will treat or modify these risks. The objective of risk treatment is to choose and execute strategies for managing risk. Risk treatment encompasses a cyclical procedure that includes:
- Developing and choosing risk management strategies.
- Planning and executing risk management strategies.
- Evaluating the efficacy of those strategies.
- Determining if the residual risk is tolerable.
- If deemed unacceptable, pursuing additional risk management measures.
6.5.2 Selection of risk treatment options
Choosing the most suitable risk treatment option(s) entails weighing the potential benefits in achieving objectives against the costs, efforts, or drawbacks of implementation. Risk treatment options may not always be mutually exclusive or universally appropriate.
Options for managing risk may include one or more of the following:
- Avoiding the risk by opting not to initiate or continue the activity associated with the risk.
- Embracing or escalating the risk to pursue an opportunity.
- Eliminating the source of the risk.
- Altering the likelihood or consequences of the risk.
- Distributing the risk through contracts or insurance.
- Retaining the risk through informed decision-making.
The rationale for risk treatment should extend beyond purely economic factors and consider all organizational obligations, voluntary commitments, and stakeholder perspectives. Selection of risk treatment options should align with XXX’s objectives, risk criteria, and available resources. When choosing risk treatment options, XXX considers stakeholder values, perceptions, and potential involvement, as well as the most suitable methods for communication and consultation. While certain risk treatments may be equally effective, they may vary in acceptability among different stakeholders. Despite careful design and implementation, risk treatments may not always yield anticipated outcomes and could lead to unintended consequences. Therefore, monitoring and review must be integral to the implementation of risk treatment to ensure effectiveness. Additionally, risk treatment may introduce new risks that require management. If no viable treatment options are available or if existing options do not sufficiently mitigate the risk, the risk should be documented and continually reviewed. Decision-makers and stakeholders should be informed about the nature and extent of residual risk following treatment. Remaining risk should be documented and subjected to ongoing monitoring, review, and, if necessary, further treatment.
6.5.3 Preparing and implementing risk treatment plans.
When determining appropriate risk treatments/mitigation actions in respect of identified risks the risk committee is to ensure a Risk Treatment Plan (typically in the form of the Strategic Plan, Business Plan and Regulatory Plan) is defined and implemented for all medium, high and extreme risks. Risk mitigation strategies may include:
- Avoiding the risk by deciding not to commence or continue a particular activity.
- Taking or increasing the risk in order to pursue an opportunity.
- Removing the source of the risk.
- Changing the likelihood through control management.
- Changing the consequences through control management.
- Sharing or transferring the risk (e.g. through contracts or insurance).
- Retaining the risk by informed decision and acceptance.
Select the best option in terms of feasibility and cost-effectiveness. Risk treatment is a cyclical process and after implementation of a treatment option, it should be monitored and reviewed regularly for effectiveness and modified if necessary.
Escalate any issues or events which pose a high or extreme level of risk to the risk champions. In determining what type of issues/events need to be escalated, managers and employees should have regard to the following:
- Incidents which have occurred, or are likely to occur very shortly, that have the potential to attract media coverage and/or adversely impact the management of XXX, for example failure to meet a statutory deadline, or a major disruption such as industrial action or a major accident/incident.
- Failure of a stakeholder relationship which will seriously impact a major or high-profile project, for example, a lead agency withdraws or threatens to withdraw its involvement or support for the initiative.
- Significant budget shortfall or cost blowout of a project.
- Failure to meet critical timeframes for completion of major or sensitive projects.
- Breaches of probity.
- Identification of a serious breach under the Code of Conduct or significant fraud.
6.6 Monitoring and review
Risk priorities do not always stay fixed but alter with changing circumstances. Risk mitigation strategies, such as Risk Treatment Action Plans and Risk Registers need to be regularly reviewed and maintained as new risks emerge, old ones disappear, and existing risks change. The Risk Committee is to undertake a brief review of all Risk Treatment Action Plans monthly. Any significant issues should be addressed and recorded in the minutes of the meeting. A medium-level compliance review of selected Business process, major projects and change initiatives is to be undertaken through the internal audit plan. A comprehensive review of the Risk Register is to be performed annually by the risk committee and a new Risk Register or an updated version of the previous year’s Risk Register needs to be compiled and tabled at the Risk Committee. Review and Monitoring must also be done at each stage of the risk management process. Responsibilities for review and monitoring as well as frequency and scope, should be determined. The results of review and monitoring must be recorded and reported internally and externally as appropriate. XXX has a template for risk assessment. It contains information that is essential in monitoring and reviewing the risk. The template is scalable and can be modified to reflect the complexity of risk assessment required by the given situation.
6.7 Recording and reporting
Documentation and reporting of the risk management process and its results should be conducted through suitable channels. Recording and reporting serve the following purposes:
- Disseminating risk management activities and outcomes throughout the organization.
- Offering information to aid decision-making.
- Enhancing risk management endeavours.
- Facilitating engagement with stakeholders, including those responsible and accountable for risk management activities.
Decisions regarding the creation, retention, and management of documented information should consider, among other factors, their intended use, sensitivity, and the external and internal context. Reporting plays a crucial role in the organization’s governance, aiming to enrich dialogue with stakeholders and aid top management and oversight bodies in fulfilling their duties. Considerations for reporting encompass, but are not restricted to:
- Identifying diverse stakeholders and their unique information needs and preferences.
- Evaluating the cost, frequency, and timeliness of reporting.
- Selecting appropriate reporting methods.
- Assessing the relevance of information to organizational objectives and decision-making processes.