Module 2 – Assessing Risk & Risk Management

Uploaded by esophagusbunny, 20 Nov 2013

School Board Audit Committee Training

Module 2: Assessing Risk and Risk Management

Session objectives

After completing this session you will:

- Understand the Audit Committee's responsibilities related to risk management
- Identify and assess the various types of risks: Governance; Service Delivery / Operational; Stakeholder Satisfaction / Public Perception; Human Resources; Financial; Legal & Compliance; Information Management; Technology
- Assess risk against likelihood and significance
- Understand standard risk management techniques
- Understand the assessment of risk within the School Board Audit Universe

Risk terminology

Definition of risk (source: COSO):

Risk is defined as "anything of variable uncertainty and significance that interferes with the achievement of organizational strategies and objectives".

Audit Committee duties related to Risk Management [Ontario Regulation 361/10, s. 9(6)]

- To inquire about significant risks
- To review the School Board's policies for risk assessment and risk management, and to assess the steps taken to manage such risks (e.g. internal controls, the adequacy of insurance)
- To perform other activities related to the oversight of the School Board's risk management issues or financial matters, as requested
- To initiate and oversee investigations, as appropriate


Risk categories

Collectively, Ontario's 72 District School Boards (DSBs) are responsible for the education of over two million students. School boards face a wide range of risks that must be managed in order to achieve the educational outcomes demanded by stakeholders.

These risks may be categorized to facilitate the risk identification and management process. The categories used in this module are: Governance; Service Delivery / Operational; Stakeholder Satisfaction / Public Perception; Human Resources; Financial; Legal & Compliance; Information Management; Technology.

It is the responsibility of the Audit Committee to oversee the process used to assess risk and to be comfortable that significant risks are identified and emerging risks considered.

An integrated approach to risk management is critical.

Risk type: Governance

The risk that the organization structure, accountabilities or responsibilities are not designed, communicated or implemented to meet the organization's objectives, and the risk that culture and management commitment do not support the formal structures.

Example of a governance risk that could potentially impact a DSB:

- Accountability and oversight: The risk that ineffective or undefined lines of authority may cause managers or employees to do things they should not do, or to fail to do things they should.

Risk type: Service Delivery / Operational

The risk that ineffective and/or inefficient operations, or interruptions to service delivery, will impact the school board's ability to meet its goals and objectives.

Examples of operational risks that could potentially impact a DSB:

- Outcome achievement: The risk that academic outcomes will not be achieved due to an inability to effectively deliver the academic curriculum to the student population.
- Student experience: The risk of failing to deliver quality programs that allow students to develop the skills of lifelong learning.
- Personal security: The risk of failing to provide a safe and secure environment for students, educators, parents and other members of the school community.

Risk type: Stakeholder Satisfaction / Public Perception

The risk that the school board will not meet the expectations of the public, the Ministry of Education and other external stakeholders, and that the school board's actions will affect its public image.

Example of a stakeholder satisfaction / public perception risk that could potentially impact a DSB:

- Stakeholder engagement: The risk that stakeholders are not sufficiently engaged or do not provide the oversight required to monitor and assess the organization.

Risk type: Human Resources

The risk that insufficient, inappropriate or unqualified staff are hired or retained, and that the turnover of qualified staff is high.

Examples of potential people risks in the context of a DSB include:

- Recruiting and retention: The risk of failing to attract and retain personnel with the requisite knowledge, skills and experience to allow the DSB to effectively achieve its educational outcomes and business objectives.
- Attendance management: The risk of impacting curriculum delivery and incurring additional teaching costs due to unplanned or excessive educator absences.
- Succession planning: The risk of the DSB failing to appropriately anticipate and plan for the succession and renewal of key personnel, resulting in an inability to perform critical functions or the loss of organizational knowledge capital.

Risk type: Financial

The risk of financial loss caused by theft, incorrect financial reporting, fraud and/or the inability to meet budget requirements. Examples of financial risks facing a DSB include:

- Budgeting and forecasting: The risk that unrealistic, irrelevant or unreliable budget and planning information, or inadequate knowledge of Ministry funding, may lead to inappropriate financial conclusions and operational decisions.
- Accounting and financial reporting: The risk that transactions are not properly processed, reviewed, reported and disclosed, resulting in errors or omissions in financial reporting.
- Cash handling: The risk that cash is misappropriated, is not accounted for, or is not adequately safeguarded.
- Fraud: The risk of fraudulent activities (such as the misappropriation of assets) perpetrated by management, administrative employees, teachers or students, causing loss.

Risk type: Legal & Compliance

The risk that the school board will not be in compliance with legislation, regulations, contracts, guidelines and policy direction.

Examples of legal & compliance risks in the context of a DSB include:

- Compliance risk: The risk of the organization failing to comply with Ministry requirements or guidelines, resulting in corrective action and/or negative publicity.
- Legal risk: The risk of the organization failing to meet or adhere to legal obligations and/or violating statutory requirements.

Risk type: Information Management

The risk that school board information is incomplete, out-of-date, irrelevant or inappropriately disclosed. Examples include:

- IM/IT strategy: The risk of a DSB failing to develop and implement an effective information management and technology strategy that meets the needs and requirements of multiple stakeholders.

Risk type: Technology

The risk that IT does not align with the business and does not support the availability, access, integrity, relevance and security of data.

Examples include:

- IT reliability and availability: The risk of information technology systems, business applications and telecommunications systems being unavailable to support operations.
- Data privacy, quality and integrity: The risk that inadequate controls are in place to ensure the privacy, quality, integrity and accuracy of a DSB's electronic information.
- IT security: The risk of failing to appropriately secure a DSB's networks, systems and applications.

Discussion: Risk Categories

Identify other examples of risks affecting a DSB under the following categories:

- Governance
- Service Delivery / Operational
- Stakeholder Satisfaction / Public Perception
- Human Resources
- Financial
- Legal & Compliance
- Information Management
- Technology

How would these risks impact the Board?

What can be done to prevent these risks from impacting the organization?

Assessing risk: likelihood and significance

Risk has two dimensions: likelihood and significance.

- Likelihood: The probability that the risk will occur and impact the organization.
- Significance: The potential impact that the risk will have (should it occur) on the organization.

Significance can be rated using various criteria. For the purposes of the DSB risk assessments the following criteria are used:

- Reputational: How would the occurrence of the risk impact the school's, the DSB's or the Ministry's reputation?
- Financial: What would be the financial impact or consequences of the occurrence of the risk?

Assessing risk: likelihood and significance

[Risk map figure: significance of risk plotted against likelihood of occurrence, with the "High Damage" / "High Likelihood" corner marked.]

Exercise: Assessing Risk

In your groups, identify 8-10 risks that might prevent the workmen from meeting their objective (having lunch on top of the tall building).

Using a flipchart, draw a risk map and map the risks to the appropriate quadrant.

Exercise: Assessing Risk

[Figure: significance vs. likelihood map (Low to High on each axis) on which the following risks from the exercise are plotted: losing balance, strong wind, building falling down, small birds hitting workmen, dropping lunch, losing hard hat.]

Assessing risk: inherent vs. residual

Risk can be assessed on two levels, inherent and residual.

- Inherent risk is the assessed level of risk in the absence of internal controls.
- Residual risk is the assessed level of risk once internal controls are taken into account.

Internal controls can reduce both the likelihood and the significance of a risk.

Why should we assess risks?

Executing an organizational risk assessment is the first step in determining the focus of the internal audit function. It is completed to:

- Understand the risks within the environment in which the DSB operates
- Assess the potential likelihood and significance of the impact of these risks on the various processes undertaken by the DSB
- Identify the DSB's higher-risk processes

How is risk assessed?

As part of the risk assessment process, the population of risks the DSB faces needs to be identified in order to understand how and where they could impact the organization.

Using the risk categories as a guide, relevant sub-risks in each category can be identified and assessed for applicability.

As risks impact the organization in different areas, a top-down process view of the organization is required.

This top-down process view of the organization is referred to as the process universe.

District School Board Audit Universe (template)

[Figure: blank audit universe grid for London District Catholic School Board, for the period September 1, 2009 to August 31, 2010. It lists the board's processes by area (Instruction and Schools, Business Services, Facilities, Human Resources, Information Tech & Comm., Transportation), each with columns LK, FI, RI and % to be rated H / M / L, plus an Entity Level Risk Ranking and a Low / Medium / High colour legend. The completed version with ratings appears below under Risk Assessment Results.]
Executing a risk assessment

Define Process Universe
- Objective: To identify the DSB's major instructional and supporting activities.
- Activities: Conducted interviews, reviewed documentation and validated with stakeholders.
- Deliverable: DSB Process Universe.

Create Risk Framework
- Objective: To create a framework for assessing significant real and potential risks facing the DSB across business processes.
- Activities: Leveraged internal and external risk knowledge based on discussions, research and prior experiences.
- Deliverable: DSB Risk Framework.

Assess Process Risk
- Objective: To assess the inherent risk of each process contained in the DSB's Process Universe in order to focus internal control documentation.
- Activities: Assessed process risk based on likelihood, financial impact and reputational consequences.
- Deliverable: Risk-ranked DSB Process Universe.

Risk Assessment Results: District School Board Audit Universe

London District Catholic School Board, for the period September 1, 2009 to August 31, 2010

Entity Level Risk Ranking: Medium

Process Level Risk Rating (processes grouped by area as laid out on the slide):

Instruction and Schools
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Plan and develop programs | H | L | M | 52.00% |
| Plan and provide support services | L | M | L | 42.12% |
| Enrolment | H | M | L | 68.50% |
| Attendance | H | M | M | 72.60% |
| Managing instructional day | L | M | M | 48.96% |
| Monitoring & Reporting outcomes | M | L | M | 59.96% |
| Special Education | L | H | H | 66.50% |
| Special Education - High Needs | H | M | M | 74.34% |
| Coordinate Student organizations & athletics | L | L | L | 38.00% |
| Professional Development | L | H | M | 59.67% |
| Management of Suspensions & Expulsions | M | M | L | 57.13% |

Business Services
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Budget planning, development & control | M | H | H | 89.67% |
| Management reporting and analysis | M | M | M | 65.84% |
| Ministry reporting | M | L | L | 35.33% |
| Grant and non-grant revenue management | M | M | M | 53.72% |
| Fundraising | H | L | H | 72.40% |
| Treasury | H | M | M | 65.00% |
| Facility Procurement | L | H | M | 60.28% |
| Procurement & A/P | M | M | H | 77.17% |
| Purchasing Cards | H | M | L | 68.00% |
| Expense Reporting | L | H | H | 67.00% |
| Risk Management | L | L | L | 26.83% |
| Payroll | M | H | L | 66.83% |

Facilities
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Facility requirement forecasting / capital planning | L | M | M | 49.84% |
| EDC by-law process | L | L | M | 44.59% |
| Manage facility operations | M | H | L | 59.45% |
| Repairs & Maintenance | H | H | H | 86.17% |
| Custodial services | L | M | M | 49.84% |
| Construction monitoring & management | L | L | L | 33.75% |
| ODA Compliance | L | M | H | 60.17% |

Human Resources
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Recruiting and retention | M | M | L | 37.17% |
| Hiring | M | M | M | 65.45% |
| Teacher staffing | H | H | M | 88.50% |
| Non-teacher staffing allocation | H | L | L | 36.00% |
| Attendance support | M | H | H | 78.00% |
| Compensation & benefits | M | L | L | 39.17% |
| Termination & retirement | M | M | M | 57.46% |
| Manage labour relations | H | L | H | 72.83% |
| Health & Safety | L | M | M | 51.62% |
| Supply Teachers | H | M | L | 68.50% |

Information Tech & Comm.
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Develop IT strategy | L | L | L | 24.83% |
| Develop & deploy applications | L | M | L | 43.28% |
| Network and application access management | M | L | H | 56.28% |
| Manage IT security | H | M | M | 76.95% |
| Data management | M | L | M | 56.57% |
| Records Management | L | L | M | 41.17% |
| Back up | L | L | M | 49.67% |
| Manage communication system | L | M | L | 34.95% |
| Deploy non-IT resources | L | M | L | 33.17% |

Transportation
| Process | LK | FI | RI | % |
| --- | --- | --- | --- | --- |
| Define parameters for transportation service | L | H | L | 50.33% |
| Monitor consortium relationship | M | M | M | 57.34% |
| Manage service delivery | L | M | H | 58.17% |
| Transportation to Provincial school | L | L | H | 49.83% |

Legend:
- LK: the likelihood (probability) of the risk occurring, based on the risk assessment findings after considering mitigating factors
- FI: the financial impact to the school board should a risk materialize
- RI: the reputational impact to the school board should a risk materialize
- %: process risk assessment percentage based on the combined assessment of likelihood and impact
- Colour legend: Low Risk / Medium Risk / High Risk (the colour coding is not preserved in the extracted text)

What to do with the Risk Assessment Results?

Internal Audit should focus efforts and resources on the areas of highest perceived risk.

Process reviews of higher-risk areas should be performed to:

- Identify and evaluate the internal controls currently in place within the DSB's processes
- Find and remediate existing internal control gaps
- Promote the achievement of the DSB's objectives by strengthening processes and controls
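The deck rates each process on a three-point scale for likelihood (LK), financial impact (FI) and reputational impact (RI), combines the ratings into a percentage, and distinguishes inherent from residual risk. The Python below is an added example, not part of the training material or of the board's assessment tool: it shows one way to turn such ratings into a risk-map quadrant and a ranked list, and how attaching internal controls moves a process from its inherent to its residual position. The LK/FI/RI letters for the five processes are copied from the audit-universe results above; everything else is an assumption made for this example: the rule that significance is the worse of FI and RI, the percentage formula (likelihood x significance over the maximum of 9), the cut-off for "high" on the map, and the controls and how many scale steps each removes. It does not reproduce the slide's percentages, and cannot: the slide assigns different percentages to processes with identical letters (two M/M/M rows score 65.84% and 53.72%), so the deck's figure draws on more detail than the letters alone. Note also that the slide's legend defines LK as assessed "after considering mitigating factors", so the published table is closer to a residual view than the inherent view the framework step describes; the example keeps the two apart.

```python
"""Risk-map scoring for a process universe: inherent vs. residual risk.

Added example, not from the training deck. The scale, the percentage
formula, the quadrant cut-off and the controls are assumptions chosen
for illustration and do not reproduce the slide's percentages.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Three-point scale used by the deck's LK / FI / RI columns.
SCALE = {"L": 1, "M": 2, "H": 3}


@dataclass(frozen=True)
class Control:
    """An internal control and how many scale steps it removes (assumed values)."""
    name: str
    likelihood_steps: int = 0
    significance_steps: int = 0


@dataclass
class ProcessRisk:
    process: str
    likelihood: str                                   # LK, inherent (before controls)
    financial: str                                    # FI
    reputational: str                                 # RI
    controls: List[Control] = field(default_factory=list)


def clamp(level: int) -> int:
    """Keep a level on the 1..3 scale after controls are subtracted."""
    return max(1, min(3, level))


def significance(fi: str, ri: str) -> int:
    # Assumption: significance is the worse of the financial and reputational impacts.
    return max(SCALE[fi], SCALE[ri])


def inherent(r: ProcessRisk) -> Tuple[int, int]:
    """(likelihood, significance) with no controls taken into account."""
    return SCALE[r.likelihood], significance(r.financial, r.reputational)


def residual(r: ProcessRisk) -> Tuple[int, int]:
    """(likelihood, significance) once each control's reduction is applied."""
    lk, sig = inherent(r)
    lk -= sum(c.likelihood_steps for c in r.controls)
    sig -= sum(c.significance_steps for c in r.controls)
    return clamp(lk), clamp(sig)


def score(lk: int, sig: int) -> float:
    """Combined score as a percentage of the maximum (3 x 3 = 9). Assumed formula."""
    return round(100.0 * lk * sig / 9, 2)


def quadrant(lk: int, sig: int) -> str:
    """Place a risk on the 2x2 map; M (2) and above counts as 'high' (assumed cut-off)."""
    side = lambda v: "high" if v >= 2 else "low"
    return f"{side(lk)} likelihood / {side(sig)} significance"


def rank(risks: List[ProcessRisk]) -> List[Tuple[str, float, float]]:
    """Return (process, inherent %, residual %) rows, highest residual first."""
    rows = [(r.process, score(*inherent(r)), score(*residual(r))) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


# LK/FI/RI letters below are copied from the deck's audit-universe slide;
# the controls attached to them are constructed for this example.
PATCHING = Control("Patch and vulnerability management", likelihood_steps=1)
BACKUPS = Control("Tested off-site backups", significance_steps=1)
SEGREGATION = Control("Access reviews and segregation of duties", likelihood_steps=1)

UNIVERSE = [
    ProcessRisk("Repairs & Maintenance", "H", "H", "H"),
    ProcessRisk("Manage IT security", "H", "M", "M", [PATCHING, BACKUPS]),
    ProcessRisk("Network and application access management", "M", "L", "H", [SEGREGATION]),
    ProcessRisk("Budget planning, development & control", "M", "H", "H"),
    ProcessRisk("Risk Management", "L", "L", "L"),
]

if __name__ == "__main__":
    for process, inh, res in rank(UNIVERSE):
        print(f"{process:45s} inherent {inh:6.2f}%  residual {res:6.2f}%")
    lk, sig = residual(UNIVERSE[1])
    print("Manage IT security after controls:", quadrant(lk, sig))
```

Running the script prints the five processes ordered by residual score, with "Manage IT security" dropping from the high/high quadrant to high likelihood / low significance once its two assumed controls are applied, while processes with no controls listed keep identical inherent and residual scores. Adding a control changes only the residual column; the inherent column is what the framework step asks for, and the two should be recorded separately so that the ranking is not quietly re-based on controls that have not yet been tested.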

Risk Management Techniques

- Avoidance: Eliminate a service or an activity the organization considers too risky.
- Prevention or modification: Reduce the likelihood of a risk (and related losses) occurring by changing the activity so that internal controls reduce the probability of the risk occurring.
- Mitigation: Accept the risk but lessen the impact of losses, should they occur, through existing or additional internal controls.
- Retention: Accept the risk (and its consequences) as is. Some risk is inherent in the activities of any operation.
- Transfer (sharing): Transfer either the risk itself or the financial consequences of a loss to another party.

Leading risk management practices

- Applying risk management to manage transformation issues
- Aligning strategic planning with risk management
- Focusing on the integration of risk management with existing business processes and initiatives
- Integrating dispersed risk management roles through a clear governance structure
- Developing key risk indicators to link risk management with performance measurement
- Performing controls reviews and audits to assess financial risks and controls
- Performing operational reviews
- Performing information technology risk assessments and reviews
- Instilling an "ethical", open culture by promoting risk management and strengthening the link to incident reporting

Not every risk management technique relies on an internal control.

Discussion: Risk

1. In groups, select a business process within the organization that your group members are familiar with.
2. Identify the most important risks impacting this area.
3. If these risks were not managed, assess the likelihood of the risk occurring and its significance to the organization.