Clinic 3: Risk Management for Responsible Managers

‘In practice’ exercises — Cover sheet

Last name:...... First name(s):......

Clinic date: ...... Date submitted: ......

Presenter: ......

Academic misconduct

Cheating and plagiarism (i.e. taking and using as one's own the thoughts, writings or other work of someone else, with the intent to deceive) constitute academic misconduct. Such actions are a major violation of AFMA academic values and will be dealt with severely. Refer to AFMA’s Academic Misconduct Policy in the Student Handbook.

Plagiarism and/or cheating occur when:

  • material substantially written by someone else (either another student, a previous student, the author of a publication, or some other person) is presented as one's own work
  • paragraphs or sentences written by someone else are not enclosed in quotation marks and accompanied by a full reference to the source
  • the work of someone else is paraphrased, and is not appropriately attributed and referenced.

Declaration

I declare that this assessment is my individual work. I have not worked collaboratively, nor have I copied from any other student’s work or from any other source except where due acknowledgment is made explicitly in the text, nor has any part been written for me by another person.

Place an ‘X’ in the box to indicate you agree to the above terms and conditions. Any electronic responses to this submission will be sent to your email address provided on registration.

Agreement: Enter X Date: DD/MM/YYYY

Chapter 2: What risks need to be managed? [p 3-13]

1) What does risk mean to you?

2) What definition does your firm use?

3) For the benefit of the assessor, please briefly describe the nature of your firm’s business, and your role within it, here:

4) Identify two (2) risks you regularly take on in your current role.

Step 1: Communicate and consult AFSL risks [pp 3-21 to 3-22]

1) Describe the processes and procedures in place in your organisation for communicating AFSL risks and for consulting with key stakeholders on these risks. Provide two (2) examples of this communication and consultation.

2) Suggest one (1) way in which you could improve your current processes and procedures for communicating AFSL risks and for consulting with key stakeholders on these risks.

Step 2: Establish an AFSL risk management culture [pp 3-23 to 3-25]

1) Review your organisational chart. Does your organisation have a separate risk management function? Describe the reporting lines relevant to the risk management function.

2) Does your organisation have a risk advisory committee? If so, who sits on that committee and how often does it meet?

3) Do you participate in any risk advisory committee meetings? If so, broadly describe the typical issues discussed at these meetings.

4) Do you receive copies of risk advisory committee meeting minutes?

5) Describe any risk management functions you perform.

6) Do you meet with any risk manager(s) on a regular/irregular basis? If so, broadly describe typical issues discussed at these meetings.

7) Describe any individual key performance indicators in your role that are related to risk.

8) Is the allocation of responsibilities for the risk management function clear and understood by your organisation’s directors, employees and representatives? How would you measure their comprehension?

9) Describe the ‘tone at the top’ in your organisation. What steps does your organisation take to reinforce it/remind people of its importance?

10) How do you/could you influence the ‘tone at the top’?

11) How is the ‘tone at the top’ communicated to the organisation as a whole?

12) Suggest one (1) way in which the ‘tone at the top’ could be better communicated. Give reasons for your answer.

Stages in the development of a risk management culture [pp 3-28 to 3-29]

Read your organisation’s risk management policies and procedures documentation.

1) Are these documents available on your organisation’s intranet? If not, why not?

2) Are they referred to in your organisation’s induction processes and procedures for new staff? If not, why not?

Step 3: Identify AFSL risks [p 3-30]

Market risk [p 3-32]

Identify and describe two (2) market risks that your organisation regularly faces.

For APRA-regulated entities:

Who reports on market risk within your firm, and how?

Credit risk [p 3-33]

Identify and describe two (2) credit risks that your organisation regularly faces.

For APRA-regulated entities:

Who reports on credit risk within your firm, and how?

Liquidity risk [p 3-34]

Identify and describe two (2) liquidity risks that your organisation regularly faces.

For APRA-regulated entities:

Who reports on liquidity risk within your firm, and how?

Legal and compliance risk [p 3-36]

Identify and describe two (2) operational risks that your organisation regularly faces.

For APRA-regulated entities:

Who reports on operational risk within your firm, and how?

Selecting risk owners [p 3-35]

Using the following table identify the risk owner for each of the market, credit, liquidity and operational risks you have identified in the preceding discussion.

Risk / Risk owner/title
1. Market risk one:
2. Market risk two:
3. Credit risk one:
4. Credit risk two:
5. Liquidity risk one:
6. Liquidity risk two:
7. Operational risk one:
8. Operational risk two:

Content of the risk register [p 3-38 to 3-40]

Review your organisation’s risk register.

Note: Some organisations may not maintain a risk register. Instead they may have some other way of recording risks and the results of their risk analysis and evaluation in relation to a specific activity/risk. If this applies to your organisation, your answers below should be based on the documents/processes relevant to your organisation.

1) Who is responsible for maintaining and updating the risk register?

2) Describe the processes in place for updating the register.

3) How frequently is the register reviewed and updated? List at least four (4) of your organisation’s review triggers.

4) Describe any restrictions on access to the risk register. Comment on whether you believe they are appropriate.

5) Check whether each of the risks you have identified above is included. If not, find out why they have not been included.

6) Explain how the register fits into your organisation’s framework for managing risk.

7) Does the register indicate whether action has been taken or is it part of a contingency plan? Give two (2) examples.

8) Comment on whether the risks are adequately identified (e.g. whether it is clear they relate to a particular project). Suggest one (1) way in which the identification of risks could be improved.

9) Has each risk been allocated an owner? If not, why not?

10) Check whether the risk owners you have identified above correspond to the risk owners included in the register for the particular risk. If not, why not?

11) Have costs been identified for each risk as a ‘risk allowance’?

12) Suggest one (1) way you would improve your organisation’s risk register.

13) Find out whether your organisation’s Board reviews the risk register and, if so, how often.

Step 4: Analyse AFSL risks [pp 3-44 to 3-45]

Using the ratings in the above tables, now analyse the likelihood and consequence of each of the risks that you identified earlier in your responses to the ‘In practice’ exercises for Step 3. Use the table below to record your findings.

Risk / Likelihood / Consequence
1. Market risk one:
2. Market risk two:
3. Credit risk one:
4. Credit risk two:
5. Liquidity risk one:
6. Liquidity risk two:
7. Operational risk one:
8. Operational risk two:

Now plot your findings on the heat map below.

[Heat map grid: Consequence on the vertical axis (Low to High), Likelihood on the horizontal axis (Low to High)]

Step 5: Evaluate AFSL risks [pp 3-50 to 3-51]

Evaluate the risks you have identified and analysed so far and prioritise the risk rating. You should then determine what action needs to be taken, for example:

  • involvement of Board
  • involvement of senior management
  • involvement of business unit
  • do nothing
  • elimination
  • management controls
  • administrative controls.

Use the table below to record your findings about your organisation.

Risk / Level of risk / Priorities for treatment / What action should be taken
1. Market risk one:
2. Market risk two:
3. Credit risk one:
4. Credit risk two:
5. Liquidity risk one:
6. Liquidity risk two:
7. Operational risk one:
8. Operational risk two:

Step 6: Treat AFSL risks [p 3-54]

Select the most organisationally significant risk you have identified so far in your responses to the ‘In practice’ exercises. Describe two (2) strategies your organisation uses to reduce the likelihood of this risk. Comment on whether you believe these strategies are adequate.

Key issues for assessing and minimising risk treatment/control options [pp 3-53 to 3-58]

1) You should determine what treatment or control should be applied to each risk you have identified in your responses to the ‘In practice’ exercises for Step 3 (i.e. accept, avoid, reduce, transfer, retain) using the table below.

Risk / Treatment/control
1. Market risk one:
2. Market risk two:
3. Credit risk one:
4. Credit risk two:
5. Liquidity risk one:
6. Liquidity risk two:
7. Operational risk one:
8. Operational risk two:

2) Using the most significant risk you have identified for your organisation, provide a detailed explanation of your decision. Your explanation should consider the:

  • key issues for assessing and minimising risk treatment/control options
  • key issues for preparing a treatment plan
  • steps involved in implementing a treatment plan.

Risk recovery plan [pp 3-60 to 3-61]

1) Review your treatment plan for each of the risks you have identified in your responses to the ‘In practice’ exercises for Step 3 and re-rate the likelihood and consequence of each risk.

Use the table below to record your findings about your organisation.

Risk / Revised likelihood/consequence / Any change?
1. Market risk one:
2. Market risk two:
3. Credit risk one:
4. Credit risk two:
5. Liquidity risk one:
6. Liquidity risk two:
7. Operational risk one:
8. Operational risk two:

2) Do you think the answers you have provided above have sufficient factual bases?

Step 7: Monitor and review [p 3-61]

1) Does your organisation have a business continuity plan? If not, should it? Give two (2) reasons for your answer.

2) If applicable, does the business continuity plan meet the above requirements? If not, should it? Give two (2) reasons for your answer.

3) If applicable, suggest one (1) way in which the business continuity plan could be improved.

Monitoring and reviewing risks [p 3-62]

1) Describe the risk monitoring and reviewing processes in your organisation.

2) Does your organisation have an internal audit function? If yes, who is involved and briefly describe their responsibilities.

3) Does your organisation have external auditors to test its risk systems? If yes, briefly describe what is involved.

4) How are staff members made aware of the results of an internal/external audit?

5) Are you involved in regular line management risk-related reviews with your staff? Describe what is involved in these reviews and their impact on the organisation’s overall risk management processes.

Monitor risks [p 3-63]

1) How does your organisation document measures of success of its risk management system? Comment on whether you believe these are adequate.

2) Suggest one (1) way in which the measurement of success in your organisation could be improved.

Review risks [p 3-64]

Using the above as a guide, develop a brief process for monitoring and reviewing the most significant risk you have identified for your organisation.

Review effectiveness of process [p 3-65]

Does your organisation undertake a regular review of its risk management measures, processes and procedures? Describe what is involved in such a review.

Record the risk management process [p 3-65]

1) What methods does your organisation use to create and maintain risk management records?

2) How easy is it to access and retrieve useful information regarding risk management?

Clinic 3 ‘IN PRACTICE’ EXERCISES — fourth edition