Desktop version

Home arrow Management

BUILDING THE RISK PROFILE

One of the first steps often taken by many organizations in developing enterprise risk management is to identify the risks that the organization faces, although ISO 31000 recommends that the risk framework is established prior to this step and that the context is established prior to risk identification. For BCLC's first risk identification exercise, the context was provided by the consultancy team in the form of a risk dictionary or universe. The idea behind the risk universe concept is that all potential risks can be identified and classified into definitive categories, which can then be used as a generic tool to identify risk within and across organizations in a consistent manner.

The universe used for the initial BCLC risk assessment contained 70 generic descriptions of risks, which were adapted after consultation to fit the BCLC environment more accurately. The resulting 2003 BCLC risk universe included 59 potential risks divided into external and internal categories with strategic, operations, technology, financial, and organizational health subcategories, and can be seen in Exhibit 10.4. Each risk was given both a two- or three-word title and a short high-level description.

Some risk practitioners consider that the development and use of a risk universe or defined classification system is essential in any enterprise risk management program (Society of Actuaries 2009, 2010). However, to be effective there must be clear rules to support consistent classification, and each set of risks must consist of like items that are relevant to management decision making.

Exhibit 10.4 The 2003 BCLC Risk Universe

External Risks

Competitor Legal Economic, Political & Technological Catastrophic Loss Regulatory Societal Change Innovation Financial Markets Player Demands & Industry Satisfaction

Internal Risks

Strategic

Environmental Scan

External Relations

Business Portfolio

Performance Measurement

Mergers & Acquisitions Alignment

Organizational Structure Business Model

Culture

Governance

Strategic Alliance

Operations

Capacity

Fraud

Communication

Extended Enterprise

Vendor Management

Health & Safety

Change Management Environmental

Compliance

Customer Satisfaction

Brand Name

Reputation

Pricing

Product Development

Safeguarding of Assets

Business Interruption

Supply Chain

Product/Service Failure

Knowledge Management

Project Planning

Performance Gap

Gaming Integrity

Organizational Health

Recruitment

Training & Development

Employee Satisfaction

Ethics & Values Accountability & Responsibility Leadership

Retention, Recruitment, & Succession Planning

Technology

Access, Security, & Tech. Integrity

Information Availability

Technology Infrastructure

Financial

Credit

Market

Liquidity

Budget & Planning Valuation

Capital Acquisition & Management

Financial & Management Reporting

One common issue is that the list of risk statements may contain a mix of risk events, root causes, and outcomes, leading to imprecision and confusion, which may make assessing the level of risk or determining appropriate treatment more difficult. Another issue is that risk statements may be expressed in very generic terms that may not easily apply to the organization in question, or may make contributors feel that the risk assessment exercise is academic and not directly related to their day-to-day experiences.

The 2003 BCCL risk dictionary exhibited both of these issues, as can be shown in Exhibit 10.5.

Exhibit 10.5 Analysis of Sample Statements from the 2003 BCLC Risk Dictionary

Example

Statement Type

Issue

Catastrophic loss risk – A major disaster threatens BCLC's ability to sustain its operations and minimize financial losses.

Outcome

The outcome could arise from a variety of different circumstances, making risk response problematic.

Governance risk – BCLC does not have the appropriate governance practices in place.

Cause

It is unclear why practices might be a cause for concern, making assessing the level of risk difficult.

Health and safety risk – Failure to provide a safe working environment for its workers exposes the organization to compensation liabilities, loss of business reputation, and other costs.

Risk

This is a clear problem and outcome statement but is expressed generically, which may mean that there is a poor fit to the organization.

The intention behind the development of the risk dictionary was to provide common categorizations for specific risks identified across BCLC, and it was used effectively at a business unit level both to stimulate conversation and to identify specific risks, which were then translated to draft risk registers. At the enterprise level, the high-level statements were used for evaluation, and specific risk statements were not created.

The BCLC risk dictionary was reviewed, updated, and expanded in 2007 following the risk assessment exercise conducted by the Enterprise Risk Manager and the ERMAC team. One hundred and nine risk statements were captured in the categories of external, process, strategic, information, human capital, integrity, technical, and financial.

Through 2007 and 2008, the risk dictionary was used as the basis for assessments at an enterprise level, and the prioritized enterprise risks were then used to structure project risk assessments and also increasingly to support risk assessments in business cases.

In late 2008, as part of the ongoing development of corporate performance management, BCLC completed an exercise to implement the balanced scorecard methodology. This approach greatly assisted the risk management program in taking a fresh look into the corporate risk profile, and all of the risks were aligned to the new balanced goals. As a result, the risk dictionary was retired, with new guidance issued in 2009 recommending that all risk assessments start not from a predetermined list, but instead by looking at the objectives of the enterprise and, where relevant, the specific initiative.

The BCLC risk register generally includes around 100 risks across the nine divisions. As spreadsheets are currently used to manage the risk information, a decision was made to remove green (low) risks where it is determined that the risk level is stable and provided that there are sufficient monitoring processes embedded into mainstream management. Each quarter, a small number of new risks are identified and an equally small number are retired as circumstances change, awareness increases, and treatment plans come to fruition.

BCLC pays particular emphasis to the construction of clear descriptions for each risk, with the following guidance provided to all employees:

It is of particular importance that all risks are clearly expressed. BCLC has adopted a "CCC" approach where all risk statements should include not only the potential change but also the most significant consequence and cause. Risk statements should start with wording equivalent to "The risk of/that" or "The opportunity to" and be expressed as a possibility (using "may" or "might"). Descriptions should be limited in length and specialized jargon or acronyms should be avoided where possible, so that anyone reading the risk statement can easily understand the risk.

Care should be taken in order to avoid alarmist language. When recording particularly sensitive risks, advice should be sought from either Risk Advisory Services or the Legal Services team.

BCLC Risk Management Guidelines, 2013

On a regular basis, the Enterprise Risk Manager assesses the full set of risks and develops thematic risk maps, cascading from organizational goals and relating to key corporate strategies (the template schematic is shown in Exhibit 10.6). These maps have been used as a key input to risk review workshops and are incorporated into quarterly reporting processes. The advantage to this fluid approach is that the maps are easily modified as organizational focus has evolved; however, at present production is reliant on the insight and capacity of the Enterprise Risk Manager. BCLC is currently exploring purchasing a specialist ERM

Thematic Risk Map Schematic

Exhibit 10.6 Thematic Risk Map Schematic

software support solution to more efficiently manage the program. Automated risk interdependency mapping is a function that the administrators hope to be able to purchase.

 
< Prev   CONTENTS   Next >

Related topics