Risk

Report
Risk Management in the
Public Service
Caleb Sunguti
Kenya School of Government
1
Risk – Legal Definition
Definition:
1 a) possibility of loss or injury;
b) liability for loss or injury if it occurs
2 a) the chance of loss to the subject
matter of an insurance contract uncertainty with regard to loss;
b) a person or thing that is a specified
hazard to an insurer
What is risk?
• A chance of something happening that when it
occurs, will impact on your goals & objectives.
• An event that may or may not happen but if it
does, it causes unpleasant outcomes for our
projects.
• Risks are threats to the success of the
Organization!
3
Types of risks
•
•
•
•
•
Knowledge risk -deficient knowledge is applied
Relationship risk –failure to collaborate effectively
Process-engagement risk – failure to operate effectively
Strategic risk, e.g. risks arising from policy decisions
Opportunity risk, e.g. the risk of missing opportunities to
improve on delivery of the Ministry/ department’s
objectives
• Risks arising from pilot projects, e.g. risk of not learning
from pilots
• Reputation risk, e.g. risk of damage to the Ministry/
department’s credibility and reputation
Types of risks…ctd
• Financial risk, e.g. risks arising from spending on
capital projects
• Operational risk, e.g. risks associated with delivery
of public services
• Project risk e.g. risks of introducing new systems
• Compliance risk, e.g. the risk of failing to meet
government standards/laws and regulations
• Risks arising from new ways of working, e.g.
Concessioning or Public Private Partnerships.
• Risks facing the public which fall within your
Ministry/ department’s area of responsibility.
Types of Risks
• Operational
• Hazard
• Physical
• Strategic
• Capital / resource allocation
• Industry / competitors
• Technological
• Databases
• Security
• Confidential information
• Stakeholder
• Legal
• Compliance
• Regulatory
• Financial
• Capital markets
• Credit risks
• Taxes
• Human capital
• Retention
• Training
• Reputational
Sources of Risk
•
•
•
•
•
•
•
•
•
•
•
•
•
Unreasonable timelines
Requirements change
Budget overruns
Legal risks
Untested technology
Unknown suppliers
Unusual deliverables
Interpersonal dynamics
Failure/deficiency of input
Unforeseen problems
Lack of options for contingencies
Unrelated party actions
Acts of God
Risk management
• Is the process of measuring or assessing risk and developing
strategies to manage it.
• Strategies include transferring the risk to another party,
avoiding the risk, reducing the negative effect of the risk, and
accepting some or all of the consequences of a particular
risk.
• Risks with the greatest loss and the greatest probability of
occurring are handled first, and risks with lower probability of
occurrence and lower loss are handled later.
• The leader’s challenge is to balance between risks with a
high probability of occurrence but lower loss versus those
with high loss but lower probability of occurrence.
8
Risk Management
• Identification, assessment, evaluation and
mitigation of risks and their associated outcomes
• Cost/benefit analysis
• Between various risk alternatives
• Analysis
• The identification and assessment of the risk as to
likelihood and potential outcomes
• The costs associated with the potential outcome
• The costs associated with various alternatives and
mitigating against potential risks
Why manage risk?
• Managing risk comes with creation of
immediate value from the identification
and reduction of risks that reduce
productivity.
• It also helps to solve resource allocation
problems by allocating resources on
more profitable activities that effectively
benefits from them.
10
Why Risk Lesson is Important?
•
Compliance with applicable laws and regulations.
Accomplishment of the entity’s mission.
Relevant and reliable risk reporting.
Effective and efficient operations.
•
Safeguarding of assets.
•
•
•
11
Justification to Public service in Kenya
•
•
•
•
•
•
Improvement on public service delivery
Achievement of V2030 flagship projects
Maximum benefits from devolved funds
Motivation of public sector employees
Proper management of public debt
Proper management of public sector
contracts.
• Good governance in government
12
Purpose of risk management
• To provide support on Risk management to your
department
• To develop and implement risk management
policies, guidelines and frameworks;
• To provide risk management technical support to
your institution;
• To facilitate implementation of risk management
best practice in the work place;
• To facilitate risk management knowledge
sharing; and
• To provide fraud prevention support to your
institution.
13
An Integrated Risk Management Framework
• The Integrated Risk Management Framework
provides guidance to adopt a more holistic
approach to managing risk.
• The application of the Framework is expected
to enable employees and organizations to
better understand the nature of risk, and to
manage it more systematically.
14
Enterprise RM Definition
• ERM “is a structured, consistent and
continuous process across the whole
organization for identifying, assessing, deciding
on responses to and reporting on opportunities
and threats that affect the achievements of its
objectives.”
• Public sector adopts ERM by developing and
implementing a RM Policy.
Issues in ERM Implementation
• Different corporate cultures require different ERM approaches
• Who is going to be the ERM champion within the organization
• Among senior executives
• Among departments / functions
• How to embed a risk management culture and responsibilities
throughout the organization.
Keys to Success in ERM
• Senior management commitment and sponsorship
• Embed a “risk management culture” in the corporation at the
operational level
• Provide for accountability, both specific and widespread
• Clearly defined responsibilities for coordination and maintenance
• Adequate communication
A Paradigm Shift
Traditional
• Risks managed in
•
silos
• Concentrates on
•
physical hazards and
financial risks
•
• Insurance orientation
• Ad hoc / one-off
•
projects
Emerging
Centralized mgt., with
exec-level coordination
Integrated consideration
of all risks, firm-wide
Opportunities for hedging,
diversification
Continuous and
embedded
The Hierarchy of Risks
Public Reforms
Performance
Contracting Secretariat
Ministry of
Finance
Leading Government Agencies
Strategic Operational Compliance Environmental
Risk Issues Risk Issues Risk Issues
Risk Issues
Political risk
Thematic Areas
Finance Risk Procurement Risk
HR Risk
19
Effects of these risks include:
• Poor public service delivery, insecurity, low food
production, poor physical infrastructure, high costs of
doing business, environmental degradation, reduced
productivity, loss of public funds, low cost
effectiveness, reduced public trust and confidence,
reduction in Foreign Direct Investments (FDIs), low
reputation in the international community and low
credit rating among donors.
• These effects carry with them a multiplier effect of
high poverty levels, unemployment, low food
production and slow economic growth.
20
Typical effects of unmanaged risks on
Organizations
•
•
•
•
•
•
They cost more than we thought they would!
They take longer than we thought they would!
They don’t deliver what we expected them to deliver!
They don’t produce the effects we desired!
Reputation is weakened
Our customers aren’t delighted!
Steps in the
Risk Management Process
•
•
•
•
•
•
•
Determine the corporation’s objectives
Identify the risk exposures
Quantify the exposures
Assess the impact
Examine alternative risk management tools
Select appropriate risk management approach
Implement and monitor program
Risk Management Process
C
O
M
M
U
N
I
C
A
T
E
ESTABLISH THE CONTEXT
A
N
D
EVALUATE RISK
C
O
N
S
U
L
T
M
O
N
I
T
O
R
IDENTIFY RISK
ANALYSE RISK
A
N
D
Accept
Risk
No
TREAT RISK
Yes
R
E
V
I
E
W
1. Establish the context
•
•
•
•
•
Planning the remainder of the process,
Mapping out the scope of the exercise,
The identity and objectives of the institution,
The basis upon which risks will be evaluated,
Defining a framework for the process, and agenda for
identification and analysis of risk involved in the
process.
24
2. Identification of potential risks
After establishing the context, the next step is to identify
potential risks
 Risks are about events that, when triggered, cause
problems; hence risk identification can start with the
source of problems, or with the problem itself.
25
How do you Identify RISKS?
Lessons
Learned
Intelligent
Tools
Questionnaires
Intuition
Experts
Personal
Experience
Assumptions
Logs
Interviews
Records
Checklists
slide 26 of 18
Brainstorming
26
Office tool for Risk Management : Risk
Register
The main output of the risk identification process is a list of
identified risks and other information needed to begin
creating a risk register.
A risk register is:
• A document that contains the results of various risk
management processes and that is often displayed in a table
or spreadsheet format.
• A tool for documenting potential risk events and related
information.
Risk events refer to specific, uncertain events that may
occur to the detriment or enhancement of the project.
27
Sample Risk Register
No.
Rank
1
1
2
2
3
3
Risk
Description
Category
Root
Cause
Triggers
Potential
Responses
Risk
Owner
Probability
Impact
Status
28
3. Assessment
• Risks must be assessed as to their potential severity of loss
and the probability of occurrence
• These quantities can be either simple to measure, in the case of
the value of a lost building, or impossible to know for sure in the
case of the probability of an unlikely event occurring
• It is critical to make the best educated guesses possible in order
to properly prioritize the implementation of the risk management
plan.
• Risk assessment is used to identify, measure, and prioritize
risks so that the greatest effort is used to address the auditable
areas of greatest significance. Risk assessment is one means
of allocating resources to meet the auditing needs of the
organization.
29
4. Risk analysis
• Risk analysis involves estimating the
probability of each factor affecting a
programme and then determining the range
of possible outcomes.
30
4. Risk analysis framework
Step A
Define and
categorize the
risks to be
ranked.
Step C
Describe the
risks in terms of
the attributes in
risk summary
sheets
Step E
Describe the
Analysts
issues identified
and the
resulting
rankings.
Experts
Step B
Identify the risk
attributes that
should be
considered
Step D
Perform the risk
rankings.
Lay
people
31
5. Potential risk treatments
1.
Once risks have been identified and assessed, all techniques to
manage the risk fall into one or more of these four major
categories: (The 4 T's)
 Tolerate (retention)
 Treat ( mitigation)
 Terminate (elimination)
 Transfer (buying insurance)
2. Ideal use of these strategies may not be possible. Some of them
may involve trade-offs that are not acceptable to the
organization or person making the risk management decisions
32
Ways of dealing with RISK?
Reduce its
Transfer it
likelihood
Tolerate
& Watch it
Mitigate its
effect
Budget
for it
Ignore it
Avoid it
slide 33 of 18
Eliminate it
Treat, transfer, terminate, take the risk!
33
6. Create the plan
 Decide on the combination of methods to be used for
each risk
 Each risk management decision should be recorded
and approved by the appropriate level of
management
 For example, a risk concerning the image of the
organization should have top management decision
behind it whereas IT management would have the
authority to decide on computer virus risks
34
The risk management plan should propose
applicable and effective security controls for
managing the risks
For example, an observed high risk of
computer viruses could be mitigated by
acquiring and implementing anti virus
software
A good risk management plan should contain
a schedule for control, implementation and
responsible persons for those actions
35
• Risk analysis results and management plans should be
updated periodically. There are two primary reasons
for this:
 To evaluate whether the previously selected security
controls are still applicable and effective, and
 To evaluate the possible risk level changes in the
business environment. For example, information risks
are a good example of rapidly changing business
environment.
36
Current State
• Findings from various surveys
• An acknowledged need to improve risk management
• A recognition that a holistic approach is appropriate and preferable
• ERM can improve overall capital management and thus enhance
corporate value and competitiveness
• A variety of approaches to improving risk management
• There are still problems to overcome
Conclusion
• “The revolutionary idea that defines the
boundary between modern times and the past is
the mastery of risk”
- Peter Bernstein, Against the Gods

similar documents