Waqas Yousafzai, Policy and Government Relations Advisor with the Mongolian Wool and Cashmere Collaborative Council presents to Mongolian SMEs on the topic of Risk Management, Enterprise Risk Management, Risk Identification, Risk Mitigation, Risk Analysis, Risk Monitoring and some best practices.
Waqas uses examples from his background as a member of the Board of Directors of two Canadian NGOs and years of experience with government agencies. The examples provided to participants focused on the audience - i.e fibre sector SME managers and executives as well as power plant managers.
Presented at the Darkhan Polytechnical Institute and at the government offices of Erdenet Aimag. Program funded by the Government of Canada through the World University Service of Canada's Mongolia office.
Time: 3hrs
Translation services: Enkhmaa B-E. (WUSC-Mongolia)
Presenter: Waqas Yousafzai
1. Introduction to Organizational
Risk Management
Waqas I. Yousafzai
Вакас И. Юзафзэй
Policy and Government Relations Advisor
The Uniterra program receives funding from
the Government of Canada, provided through
Global Affairs Canada.
2. Risk 101: DefinitionsUnderstanding Risk
- What do you think when someone
says ‘Risk’
- What does someone saying “that is
risky” mean to you?
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
3. Risk 101: DefinitionsWhat is Risk?
Risk is the “effect of uncertainty on
objectives”
- ISO 31000 Definition
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
4. Hazard is defined as anything that has the potential to
cause harm, ill health, injury, damage to property,
products or the environment, production losses or an
increase in liabilities
Risk is the combination of the likelihood of a
hazardous event occurring and the subsequent
consequences of the event
Risk = likelihood x consequence
Risk 101: DefinitionsHazard vs. Risk
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
5. Risk 101: DefinitionsRisk Explained
• Risks are an expression of uncertainty
• Risks are events that may occur, and if they occur, have
harmful or negative effects on the achievement of results
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
6. Risk 101: Definitions
For Business:
• Risks are closely related to the
results and should consequently
be analysed against the results
framework of the organization
• Risk analyses strengthen the
basis for choosing realistic
objectives and level of ambitions
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
7. 7
Risk Management
Risk management includes an assessment/evaluation of
the risks and its related components. There are four
components :
- Risk Assessment/Risk Evaluation
- Risk Communication
- Risk Perception
- Risk Management
Objective is to minimize risk because it can never be fully
eliminated
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
8. 8
Definition of Enterprise Risk Management (ERM)
1. It is a strategic discipline that
supports the achievement of
an organization’s objectives
2. It addresses the full spectrum
of risks and manages the
combined impact as an
interrelated risk portfolio.
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
9. 9
Benefits of Enterprise Risk Management
Reduces surprises
o Improve control of adverse events
and take action
Exploitation of opportunities
o Seek opportunities
Improved planning, performance,
effectiveness and utilization of
resources.
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
10. 10
Benefits of Enterprise Risk Management
Positive effect on ‘Reputation’
o Attracts-investors, employees, improved quality
Documentation for
actions and enquiries
o liability coverage
Accountability,
assurance and
governance
o Maintain integrity and
confidence
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
11. 11
Four ‘types’ of Risks
Trends in Risk:
• Measured and maintained by organization
• Oversight by Executive management
• Oversight by Board of Directors through an Audit
committee
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
16. 16
Risk 101
RISK can be measured at any level
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
17. 17
Risk Attitude
Risk Avoiding Risk SeekingRisk
Optimizing
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
18. 18
Risk Appetite and Tolerance
Risk Appetite: Amount and type of risk that an organization
is willing to pursue or retain.
Risk Tolerance: Organization’s or stakeholder’s readiness to
bear the risk after risk treatment in order to achieve its
objectives.
Organizational Risk Appetite comes from Executive
Management
Tries to answer: How much risk is acceptable? What is
tolerable?
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
19. 19
Risk and Assumptions
• A lot of risk comes from untested assumptions.
• Assumptions are:
• Necessary conditions that allow for a succesful cause-
and-effect relationship between the different levels of
results.
• Critical success factors.
• Formulated after the objectives, to ensure results are
anchored in reality
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
20. 20
Example of Assumptions
Outcome
Company increases its net
revenues and increases its
shares of sector profits by
10% from 2014-2017
Output
Sales of wool products
increase by 30% from
2014 to 2017.
Assumption
Machinery,
Electricity, and other
inputs are
operational and
function without fail
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
21. 21
Risk Identification
Risk identification:
• Done in all phases of a company or value chain
• Requires several contributers from different areas of business
• is expressed as negative statements in relation to achievement of
the desired result or final outcomes
• May include perception of conflict of interest regarding sharing
information on risks (i.e maybe perceived as ’weakness’)
• Always document your risk identification, analysis and mitigation
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
22. 22
Risk Categories
There are no specific number of categories that risk can fall into.
Examples include:
1) Governance Risk (Institutional, management, transparency,
accountability)
2) Strategic Risk
3) Compliance Risk
4) Operational/Technical Risk
5) Regulatory Risk (compliance, corruption, procurement)
6) Financial Risk
7) Reputational Risk
8) Systemic Risk
9) Environmental Risk
10) Partner Risk
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
23. Examples of Human Risk
• Death
• Owner
• Employee
• Illness
• Short term
• Long term
• Indefinite
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
Source: Participant Risk Management, Small Business Administration (US)
24. • Theft and fraud
• Product and inventory theft
• Time sheet/Employee fraud
• Accounting and cash fraud
• Low morale, dissatisfaction
• Failure to perform
• Sabotage of systems,
equipment or customers
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
Source: Participant Risk Management, Small Business Administration (US)
25. Examples of Operational Risks
• Equipment breakdowns
• New equipment integration
• Worn older equipment
• Damage to vehicles,
machiners, building, etc.
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
Source: Participant Risk Management, Small Business Administration (US)
26. • IT/Computer system downtime
• Lack of backup or recovery system
• Updates and repairs
• Power and connectivity (physical damage and
outdated systems)
• Lack of administrative controls
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
Source: Participant Risk Management, Small Business Administration (US)
27. Examples of Other Internal Risk
• Physical plant repairs
• Breaks in lines or utilities
• Routine maintenance time
• Incidents
• Work related injuries
• Damage to others’
property by employees
• Damage to your property
by othersSource: Participant Risk Management, Small Business Administration (US)
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
28. Example of Financial Risks
• Cash flow changes
• Unexpected costs
• Loss of credit lines
• Expenses to establish lines of credit
Source: Participant Risk Management, Small Business Administration (US)
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
29. Examples of External Risks: Competition
and Market Risks
• Loss of clients or customers
• Loss of employees
• Decrease in sales prices/fluctuating markets
• Increases in vendor costs
• Oil or gasoline price increases
• Fixed cost changes (e.g., rent)
Source: Participant Risk Management, Small Business Administration (US)
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
30. Examples of External Risks: Business
Environment Risks
• Laws
• Weather
• Natural Disaster
• Community
Source: Participant Risk Management, Small Business Administration (US)
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
31. SME/Micro Enterprises’ Unique Risks
• Family obligations, illnesses or deaths
• Events of disaster that affect the home
• Community involvement
• Complacency
Source: Participant Risk Management, Small Business Administration (US)
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
32. 32
Risk Assessment
• Risk assessment is a forward-looking exercise
• Make sure to distinguish probability and consequence
• The aim is not to avoid all risks
• High risk is often acceptable in contexts where expected
impact and benefits are higher than the potential risk.
33. 33
Risk Identification and Analysis
Best Practice is to incorporate the risk identification, analysis, and
mitigation process as part of the annual work and strategic planning
process.
Increasingly donor agencies,
banks and credit agencies,
auditors, and partner
organizations are asking for
risk assessments.
It is important to utilize
‘outside the box’ thinking
Вакас И. Юзафзэй | Waqas I. Yousafzai
Policy and Government Relations Advisor
34. 34
The Uniterra program receives funding from the Government
of Canada, provided through Global Affairs Canada.
-- Lunch Break --
https://www.facebook.com/WUSCofMongolia
Notes de l'éditeur
The human component of your business is a source of risk. Think about these possible human risks to your business:
Illness and death. A business owner may be ill for a day or be unable to work for months. The same situation could happen to an employee. The death of a person involved in a business poses a risk to continued operations.
Theft and fraud. Most businesses want to have an honest working environment, yet theft by employees and employee fraud are major risks businesses face. Timecard fraud is a risk. Diverting funds to fictitious accounts are accounting risks.
Low morale and employee dissatisfaction. Unhappy employees can cost money through negligence or through willful acts. For example, an employee who forgets to reorder inventory is a risk to sales because back orders lead to cancellations.
Older equipment may run slower or require more maintenance than new equipment. New equipment may require adjustments to work with older equipment.
Worn parts may cause damage or cause company vehicles to break down. What would a broken-down delivery van cost a business for one day?
Downtime from physical damage or outdated systems may slow business profits. Most businesses rely on a computer system to process credit cards. These systems are risks to continued business when they are not working, especially if no backup plan exists. Lack of administrative controls may lead to downtime, in addition to fraud and theft.
Another source of risk might be the physical plant of your business. Phone lines and other utilities are risks to a business. The appearance of a building such as its walls, windows, and doors may require maintenance to continue to draw customers.
Injuries and damages may be caused by your business or your business may receive damage. For example, a storm may cause damage to a business or a business may cause damage by selling a faulty product. Either way, injuries and damages come with a cost.
Cash flow is the lifeline of a business. When unexpected costs affect the ability of a business to meet monthly expenses or when credit lines are lost, a business may fail. A plan to maintain cash flow is crucial.
Even new financing has its own cost-associated risks. The risks can include the following:
Appraisal costs
Closing costs
Costs for points to buy down rates
Deposits placed on hold as collateral
Are you prepared?
Market changes will cause businesses to change. Competitors advertise sales, wholesale costs go up and down, and oil and gasoline prices affect your costs and those of your vendor.
Employees may leave to go to a competitor’s shop, taking loyal customers with them.
Rent increases may be caused by increased demand for space. For example, getting a lease when construction on new space is not completed can start at a lower rent, but when the lease renews and there is a demand for your space, rent may go up.
Your environment is more than the space you rent or buy. What happens around your business affects it. Here are some examples of environmental changes:
Federal, state, county, and city laws and ordinances can and will change.
Weather and natural disasters can shut down a business for a short period or close it.
Structural changes in the community may be the result of progress or may be due to empty stores and offices in a declining market.
Your community may change as the needs, age groups, spending habits, and incomes of the population change.
Personal conflicts are external risks that can be stumbling blocks to both business owners and employees. Families and homes do not cease to exist at the start of a work day. Children become ill. Medical emergencies, or worse, will happen. Broken heating systems and plumbing repairs will be required at home.
For a small business owner, involvement in the community creates visibility. However, the visibility comes with a cost, namely time. Employees and their children are involved in outside activities as well. We don’t usually think of outside activities as a risk, but consider how you would handle this situation: your most reliable manager wants to attend an out-of-town playoff game with her child on the busiest day of the month.
Even complacency is a risk. Complacency comes from being comfortable. Your business may be successful and has been for a while. You may be comfortable with the hours you are working, but you may miss opportunities for growth because you do not want to expend the extra effort. Now, multiply the effect of complacency because complacency also happens to employees.