Chapter 7 Flashcards
, our approach reflects our status as a regulated utility providing essential services and operating as part of the critical national infrastructure for the UK.
Severn Trent Water,
covers all types of risk including operational, financial, legal and regulatory.
ERM process
is integrated through a framework that is divided into three core pillars
Sustainability and responsibility at Tim Hortons
three core pillars:
individuals, communities and the planet
includes a structure and supporting processes for effective sustainability and responsibility governance and accountability, and is reviewed regularly.
Sustainability and responsibility policy
- governs sustainability and responsibility through the nominating and corporate governance committee of the board.
Board
Oversight activities include:
review of policy development; sustainability and responsibility strategies, including mitigation of risks; and organizational sustainability and responsibility commitments, goals and external reporting
resides within the Tim Hortons executive group.
Management accountability for sustainability and responsibility
Within the core department, ____ is managed actively and ______ is embedded into all departmental processes.
RISK
Risk Management
has overall responsibility for the risk management framework.
Corporate Committee
Risk Management Framework consists of three management levels at which risks are managed:
At the local level
At the committee level
Risks escalated by the corporate committee,
risk is managed and risk registers maintained by policy and operational teams and by project and programme teams across the department.
At the local level
risk is managed by the corporate committee. The committee maintains its own risk register and manages red-rated operational risks within the corporate area.
At the committee level
investment committee, governance board and department-wide operational, delivery and strategic risks are managed by the executive board.
Risks escalated by the corporate committee
- covers a very wide range of topics, and risk management is an integral part of the successful corporate governance of every organization.
Corporate Governance
For instance, companies listed on the ________ have to be guided by the UK Corporate Governance Code (2016) published by the Financial Reporting Council.
London Stock Exchange
_________ is to facilitate accountability and responsibility for effective and efficient performance and ethical behaviour.
purpose of corporate governance
There are two main approaches to the enforcement of corporate governance standards. Some countries treat corporate governance requirements as
‘comply or explain’.
should be viewed as obligations placed on the board of an organization.
Corporate Governance Requirements
Reports on corporate governance standards, concerns and activities should be received at every board meeting, and these papers will often be presented by the company secretary. Such committees may include:
risk management committee;
audit committee;
disclosures committee;
nominations committee;
remuneration committee.
is ‘the system by which organizations are directed and controlled’.
Corporate Governance
is therefore concerned with systems, procedures, controls, accountabilities and decision making at the highest level and throughout an organization.
Corporate Governance
is concerned with the way that senior management fulfil their responsibilities and authority.
Corporate Governance
is concerned with the need for openness, integrity and accountability in decision making, and this is relevant to all organizations regardless of size or whether in the public or private sector.
Corporate Governance
is an international organization helping governments tackle the economic, social and governance challenges of a globalized economy.
The Organization for Economic Cooperation and Development (OECD)
is based on the evidence that good governance promotes success of organizations and society.
The approach in BS 13500
goes beyond the avoidance or mitigation of problems.
scope of the code
has produced guidance on corporate governance, and the focus of that guidance is on the effectiveness of the board.
London Stock Exchange (LSE)
is about the effective management of the organization and the appropriate responsibilities and the role of the senior managers and board members within the organization.
corporate governance
are centred on the board of the organization.
Governance activities
The corporate governance framework has two main components:
1) the responsibilities, obligations and rewards of board members; and
2) the fulfilment of stakeholder expectations, rights, participation and dialogue.
The importance of board member responsibilities, obligations and rewards are emphasized and include arrangements for:
determining membership of the board;
accountability of board members;
delegation of authority from the board;
remuneration of board members.
- The responsibilities of board members must be fulfilled in five important areas:
strategic thinking, planning and implementation;
corporate social responsibility;
effective management of risks;
audit and risk assurance;
full and accurate disclosure
OECD principles and the LSE corporate governance framework provide the overall requirements and framework within which corporate governance must be delivered.
OECD principles and the LSE corporate governance framework
play an important role in corporate governance.
Non-executive directors
will be a non-executive group and represents the third line of defence.
audit committee
has resulted in banks and other financial institutions reviewing their own corporate governance standards.
global financial crisis
is the largest financial services institution listed on the national stock exchange and is among the 30 most profitable financial services organizations in the world.
Bank
robust corporate governance arrangements are usually mandatory.
Government Agencies
corporate governance and risk management are designed to assist the organization to achieve its objectives, including commercial or marketplace objectives.
Commercial Organizations
is often seen by government agencies as establishing a framework of control that supports innovation, integrity and accountability and encourages good management throughout the organization.
Corporate Governance
activities within a government department, agency or authority will be the principles of public life, often referred to as the Nolan principles.
corporate governance
Nolan principles of public life
- Selflessness
- Integrity
- Objectivity
- Accountability
- Openness
- Honesty
- Leadership
- sets out policy on the identification and management of risks that it faces in the delivery of its objectives.
The risk policy of the Welsh Assembly Government (WAG)
has overall responsibility for the organization in terms of setting strategy and ensuring satisfactory governance.
BOARD
is the responsibility of the executive management, and top management.
Management of the organization
are members of the same board, this is referred to as a unitary board.
executive and non-executive directors
, and is referred to as the supervisory board.
non-executive directors
into separate committees is sometimes referred to as a two-tier board structure.
non-executive and executive directors
to be in place in charities and public-sector organizations.
two-tier board structure
- A good organizational structure supports the effective management of risk.
Governance structure
suggests that the term ‘interested party’ is preferred, but stakeholder is an acceptable alternative.
ISO Guide 83
defines a stakeholder as a ‘person or group concerned with, affected by, or perceiving themselves to be affected by an organization’.
ISO Guide 73
There will be a wide range of stakeholders in a typical organization that can be summarized as CSFSRS, as follows:
customers; staff; financiers; suppliers; regulators; society.
is a technique to ensure that an organization has the most effective and efficient processes and operations.
Business process re-engineering (BPR)
are the high-level collections of activities that are fundamentally important to the organization.
Core processes
Data for shareholders
- General
- Financial data
- Corporate governance and CSR
- Shareholder information
- Relevant news
- A clear statement of strategy and vision. Corporate profile and principal markets.
General
- Annual report and financial statements. Archived financial information for the past three years.
Financial data
- Information related to compliance with the Combined Code. Information on the company CSR policies.
Corporate governance and CSR
- Shareholder analysis by size and constituent. Information on directors’ share dealings.
Shareholder information
- Access to all news releases and presentations. Developments that might affect the share value.
Relevant news
to implement and maintain procedures that promote ethical business conduct
Rank policy
has a fraud and unethical business conduct whistleblowing policy which sets out the ways in which employees can voice their concerns about suspected fraud, corruption or unethical business conduct.
Rank
During the period under review two frauds came to light within the
Grosvenor retail casino business.
deliver stakeholder expectations and are related to the internal and external context of the organization.
Core processes
- can be defined as an event with the potential to impact the fulfilment of a stakeholder expectation.
Risk
classification of core processes as strategic, tactical and operational is acknowledged in
British Standard BS 31100.
set the future direction of the business;
Strategic perspectives
are concerned with turning strategy into action by achieving change;
Tactical perspectives
- are related to the day-to-day operations.
Operational perspectives
are assumed to underpin the other types of core processes.
Compliance processes
is also one of the fundamental requirements of the business process re-engineering (BPR) approach.
analysis of stakeholder expectations
can be one of the most robust ways of identifying risks.
Analysis of stakeholder expectations
can be a very time-consuming exercise when undertaken thoroughly.
BPR
- need to be the most robust processes in the organization,
Strategic core processes
of an organization may be very different from those who are concerned with the organization’s operations.
Tactical stakeholders
- are generally large organizations with a very diverse range of stakeholders.
Pharmaceutical companies
- involves employee representatives who sit on the supervisory board, board of directors or similar structures in companies.
Board-level employee representation
- also differs from other types of indirect participation such as works councils.
Board-level representation
- may be considered to be the type of risk that will disrupt normal everyday activities.
Operational risk
- is closely related to infrastructure risks described in the FIRM risk scorecard classification system
Operational risk
- are usually hazard risks, and historically this has been an area of strong application of risk transfer by way of insurance.
Operational risks
- now has a more extensive application and a more specific definition, especially in financial institutions.
Operational risk
are required to have sufficient capital reserves available to meet the actual and potential financial losses and obligations faced by the organization.
Financial institutions
assessment of capital requirements.
Economic Capital
that set out recommendations on banking laws and regulations,
Basel II is the second of the Basel Accords
is to create an international standard.
The purpose of Basel II (2004)
have long been concerned with market risk and credit risk.
Banks
- was initially defined as being any form of risk that was not market risk or credit risk.
Operational risk
definition includes legal risk, but excludes strategic and reputational risk.
Basel II
is a term that has a variety of meanings and that certain financial institutions use a different term or a broader definition.
Operational Risk
Basel II definition identifies four types of risk categories:
people, process, system and external risks.
include failure to comply with procedures and lack of segregation of duties.
People risks
include process failures and inadequate controls.
Process risks
include failure of applications systems to meet user requirements and the absence of built-in control measures.
System risks
include action by regulators (change of regulation, but excluding enforcement or disciplinary action), unsatisfactory performance by service providers and fraud, both internal and external.
External Risks
is the risk that the value of investments may decline over a period
Market risk
is the risk that there will be a failure by a customer/client to repay the principal and/or interest on a loan.
Credit risk
is also important for insurance companies;
Underwriting risk
is at a crucial point in its development.
Operational risk management
As economies and financial conditions change over time, so does the
operational risk exposure.
is responsible for establishing the operational risk strategy.
Board
is responsible for implementing the operational risk strategy.
Senior management
attempts to protect the international financial system
Basel II
aims to ensure that capital allocation is more risk sensitive.
Basel II
Losses due to fraud, misappropriation or circumvention of regulations by an internal party. Unauthorized activity; theft and fraud.
Internal fraud
Losses due to fraud, misappropriation or circumvention of the regulations by a third party. Systems security; theft and fraud.
External fraud
Losses arising from injury or noncompliance with the employment legislation.
Employees
Losses arising from failure to meet professional obligations to clients. Disclosure and fiduciary
Clients
Losses arising from loss or damage to physical assets. Disasters and other events
Physical assets
Losses arising from disruption of business or system failures.
Systems
Losses from failed transaction processing or process management.
Processes
calculates the value of operational risk capital using a single indicator
Basic indicator approach:
calculates the value for operational risk, using a broad financial indicator,
Standardized approach:
uses the internal loss data and a combination of qualitative and quantitative methods to calculate the operational risk capital.
Advanced approach
are often larger, and include the loss of a customer.
Indirect costs
refers to not-for-profit organizations, including charities, membership and voluntary bodies.
third sector
the questions related to operational risk may well be: ‘What is the value of my assets, how do I protect them and to what extent and value (or limit of indemnity) do I need to purchase insurance?’
nonfinancial institution
the questions are more likely to be: ‘What are the capital requirements attached to my assets?’ and ‘Can I afford to keep that amount of (non-productive) capital in reserve, or do I need to purchase insurance and to what value or limit of indemnity?’
financial sector
is a requirement of Basel II, and financial institutions therefore have to undertake this work.
Calculation of operational risk exposure
are driven by increasing regulatory demands and other corporate governance pressures.
Financial institutions
has undertaken an evaluation of the causes of the global financial crisis.
The US-based Risk and Insurance Managers Society (RIMS)
concluded that the global financial crisis was not a failure of ERM, but was caused by the following failures
RIMS
– Failure to recruit, develop and retain suitable talent.
People risk:
– A failure in processes or failure of their associated controls
Process risk
Failure to invest and successfully implement, appropriate technology.
Technology risk
Financial loss, data loss, business disruption or damage to reputation from failure of IT systems.
Cyber risk
– Failure of products, processes or services to meet customer and regulator expectations
Customer outcome risk
which is about delivering the project on time, within budget and to quality,
Project risk management,
should be seen as an extension of conventional project planning
Project risk management
is often defined in terms of uncertainty or deviation from the expected/required outcomes.
Risk
should also be looking for opportunities that may arise when certain developments within the project are more favourable than expected.
project manager
should take account of these positive developments and ensure that the structure for managing risks in projects is sufficiently flexible for the opportunities
Project risk management
is a type of control management.
Project risk management
is a well-developed discipline, with risk control and (especially) event management as the risk management activities that are most important.
Project risk management
is the relationship between specification and performance
Quality
There are risks associated with failure to obtain necessary permissions and approvals
(compliance risks).
There are risks to the project that can prevent it being delivered on time and within budget
(hazard risks).
There are risks to the project concerning the specification, performance and quality of the final outcome
(control risks).
There are risks that can enhance the delivery of the project, such as earlier than expected availability of materials
(opportunity risks).
accept uncertainty attached to each risk.
low-exposure/low-uncertainty risks,
adapt activities and procedures and introduce controls, including (when appropriate) insurance.
high-exposure/low-uncertainty risks
, the organization will adopt appropriate contingency plans and
low-risk/high-uncertainty risks
wish to avoid the uncertainty attached to the risk.
high-exposure/high-uncertainty risks
plots the possible time delay that could result against the potential for cost increases associated with that event
Matrix
should be populated and updated regularly throughout the duration of the project.
risk register or risk matrix
can often be a cost-effective way of maintaining your risk register
risk management software tool
must therefore be continually updated and reports generated at regular and frequent intervals.
risk register
should provide clear visibility on the risks faced, enable prioritization of the activity and facilitate decision making.
Management reports
has become one of the best-developed and respected branches of risk management.
Project risk management
as applied to project management is similar to the standard risk management process
risk management process
is often added as the fourth output from a project that has to be successfully delivered.
compliance
is also used by some organizations as an alternative fourth output from a project.
Sustainability
- collection of projects of this sort is referred to as a programme
Programme
may be for additional time to complete a task, or additional costs that may arise to ensure that the final project deliverable operates to the required specification
Contingency
is a process that enables the analysis and management of the risks associated with a project
Project risk analysis and management
approach represents a continuous set of activities that can be started at almost any stage in the lifecycle of a project.
PRAM
There are five points in a project where particular benefit can be achieved from using the PRAM model:
Feasibility
Sanction
Tendering
Post-tender
During implementation:
at this stage the project is most flexible, enabling changes to be made that can reduce the risks at a relatively low cost.
Feasibility:
: the client can view the risk exposure associated with the project and check that all steps
Sanction
: the contractor can ensure that all risks have been identified
Tendering
: the client can ensure that all risks have been identified by the contractor
Post-tender
the likelihood of completing the project to cost and timescale will increase
During implementation:
has two key characteristics:
Built-in risk management
- is a set of interconnected processes and resources that starts with the sourcing of raw materials
Supply chain
- is normally undertaken because it is assumed that costs can be reduced and risks transferred.
Outsourcing of operations
means that the organization will not only have to focus on its own risks but should also look at the risks associated with other links in the supply chain.
Outsourcing
are interrelated. Supply chain considerations are becoming more common, as well as much more complex.
Supply chain management and risk management
- also extend to simple outsourcing decisions, such as the appointment of cleaners and caterers.
Supply chain issues
can extend to strategic partnerships, joint ventures, support services
Scope of the supply chain
- are those items that are delivered to you
Upstream supplies
- refers to the goods that you deliver onwards.
Downstream supply chain
- also allows the organization to have some management control over the operation of a supplier
Setting up joint ventures
arrangements may also be an appropriate way of responding to competitor
Joint-venture
- may also be a successful way of responding to technology changes
Joint ventures
can ensure continuity of supply chains and also, if correctly executed, deliver competitive advantage.
Joint-venture operations
will be available, including taking over the supplier or setting up a new organization jointly with your supplier as a separate joint-venture organization.
Tactical options
are a mechanism whereby an organization can exploit benefits but with a lower risk exposure.
Joint ventures
is likely to include penalty clauses for failure to perform, but contracts that also include provisions for rewarding exceptional performance provide a greater sense of co-operation.
contract
can also give rise to supply chain exposures.
Outsourcing of non-core operations
is usually considered to be a mechanism for having non-core activities undertaken by a contractor.
Outsourcing of operations
is often undertaken to save costs, but it may also be undertaken so that the work is fulfilled by a specialist company.
Outsourcing
can cut costs by reducing overheads and having a professional perform the operation
Outsourcing
The benefits of outsourcing can be divided into two types.
Direct Benefits and Indirect Benefits
- is clearly an important component when setting up supply chain contracts or deciding to outsource certain activities.
Risk management
- also enables organizations to focus on their own core operations and competencies
Outsourcing
- arrangements should be introduced only when they offer a cost
Outsourcing
- decisions based on a belief that risks are being completely transferred to a third party may prove to be incorrect
Outsourcing
may be available for incidents that occur at the supplier premises. Events such as poor quality of components, late delivery or the bankruptcy of the supplier are generally not insurable.
Insurance
Damage to reputation may still be suffered if the outsource manufacturing activity produces substandard goods or is exposed as operating unethical business practices
Damage to reputation