1 If you were conducting interviews of the Akawini management team so that you could draw objective conclusions the review described in the chapter, what questions would you ask 2 What would you expect to see in the first year risk management transformation plan What would be the typical tasks 3 You have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business What performance measures would you recommend they use so that they can monitor progress and performance 4 What improvements would you make 5 Does this represent an effective risk management program If not, what is missing What represents the key success factors of the program Answer the bolded underlines questions above Below is material related to the question CHAPTER 29 Transforming Risk Management at AkawiniCopper GRANT PURDY Associate Director, Broadleaf Capital International This case study describes how the approach to managing risk can be transformed and enhanced in a company The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern, United Minerals has a rudimentary approach to risk management (RM) that must be improved if the new owners are to realize the level of return claimed in the business case that was used to justify the acquisition owns a single mine and concentrate plant approximately 50 kilometers from the coast It ships the concentrate using trucks to a nearby port for export The company earns revenue of $774 million a year from the sale of concentrate and employs a total of 1,500 people at the mine site and port THE ACQUISITION AND DUE DILIGENCE United Minerals and implemented a framework for managing risk based on ISO 31000 (ISO 2009) In particular, this has enabled it to properly integrate the risk management process into its approach to making decisions on major projects and investment decisions and also the way it develops, plans, and executes projects During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value The team found, for example, that A process for formal risk assessment was applied only to what as business risks This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee There was a different process applied for safety risks that actually did not consider as generated a risk rating using a matrix system only for hazards No systematic process for assessing and treating risks was used in support of major decisions In particular, project management did not include any form of explicit risk management process The Akawini risk manager mostly dealt with insurance matters and asked the company's external audit provider to offer a facilitator for the annual risk review The annual internal audit plan did not seem to be based on the outcomes of the risk assessment and did not focus on assuring many of the critical controls The risk criteria systems used for both business risks and safety risks covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company's objectives Both systems used the term probability to estimate and did not consider the frequency or return period for consequences In both systems, risks were analyzed incorrectly by combining the likelihood of an event with what was described as the plausible case consequences This produced many extreme risks, which were then being discounted by managers as implausible Once risk registers were created on spreadsheets, they were kept on separate personal computers and were rarely considered until the next yearly review Any risk treatment actions decided on were not followed up or closed out Critical controls were not identified and were not assigned to individuals for ongoing monitoring and periodic review There was no coherent process that defined and captured learnings from successes and failures The risk management team signaled its concerns to the acquisition team, and the need for improvement of Akawini Copper's approach to risk management to bring it into line with ISO 31000 2009 Then, the United Minerals framework was placed on the transformation plan and given a high priority THE TRANSFORMATION PROCESS Once the acquisition had been completed, the risk management team followed the stepwise process inExhibit 29 1to transform the approach to risk management atAkawini Exhibit 29 1 Risk Management Transformation Process Steps The starting point was a structured analysis of Akawini's current approach to managing risks, to identify where changes had to be made and then to assign a priority to particular tasks This was conducted in two parts 1 A full desk based review of Akawini's risk management documentation 2 A complementary set of interviews with Akawini management The second activity was particularly important because it was the experience of the United Mineral risk management team that it was vital to observe and reviewhow risk management takes place in practice This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems It was also important to test out Akawini management's perceptions of the current approach to risk management to see if it was currently viewed as effective and if managers perceived it as likely to satisfy their future needs The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw objective conclusions on The suitability of the current approach to manage risk associated with an organization of the size and complexity of Akawini, its risk profile1and its risk attitude2 The drivers of that attitude, based on what were recognized as the key success factors and growth objectives for the organization The perceived usefulness of the current risk management process and its degree of integration into key decision making processes The strengths and limitations of the other risk type specific approaches to risk management that coexisted in the company3specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct, and of its risks and informing it whether the risks were within its risk criteria4 The level of understanding of senior management about aspects of the risk management culture An outline of the perceived risk profile of Akawini and whether this varied from that reported to the board in the past Questions asked included What is your definition of risk How, in your view, do risk and its management relate to the company's objectives What is the purpose of risk assessment How often should risk assessment take place What triggers it in your area As a practical matter, how do you gain assurance that the critical controls that part of the company relies on in place, are effective, and work when required What Improvements would you make Does this represent an effective Risk Management program If it does not what is missing to make it an effective risk management program What are key success factors of the program The risk management team members consolidated their findings and compared them with the elements of the existing United Minerals risk management framework and the requirements of ISO 31000 They particularly mapped what they found by comparing it with the principles for effective risk management in Clause 3 and the attributes in Annex A of the Standard GAINING SENIOR MANAGEMENT OWNERSHIP FOR TRANSFORMATION For effective management, it was regarded as critical that senior management at Akawini appreciated and could comment on and contribute to the findings and conclusion of the review so that this would lead to ownership of the transformation plan The risk management team therefore presented its findings and recommendations at a meeting with senior managers that covered Fundamentals of risk and best practice risk management Overall findings and assessment of the benchmarking review Suggested improvements and enhancement strategies Draft enhancement plan The risk management team elicited feedback and acceptance of the conditions it found and prompted a discussion the desired situation In this way the team helped managers identify what needed to change The diagram of the desiredframework architecture given inFigure 29 2was used to demonstrate the strengths and weaknesses in the current approach Exhibit 29 2 Desired Framework Architecture Indicates that the element is present and effective, means that it is not present or is ineffective To demonstrate the desired outcomes, the risk management team explained that the primary purpose of risk management in United Minerals was to act in a dynamic fashion to support decisions and that the company framework had been designed to ensure that Assumptions and preconceptions were properly challenged before decisions could be made Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved Early warnings were provided if key controls were not in place or were not fully effective, so that preemptive action could be taken The organization learned in a systematic way from its successes and failures, at a fundamental level so that learnings would lead to lasting changes To help the organization as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its standards These were, in outline 1 The risk management process will be integrated into all key decision making processes 2 The risk management process will be integrated into strategic, business, and project planning processes 3 Key controls will be identified and allocated to owners for monitoring 4 After every major decision, event, or change or at the conclusion of all plans, the organization will learn lessons from successes and failures using root cause analysis 5 The same, consistent methodology will be used for analyzing risks and for evaluating control effectiveness 6 The significance of risks will be evaluated using one set of risk criteria 7 Viable options for treating risks will always be considered, and those options will be implemented where there is a net benefit to the business 8 Accountability for managing risk will be allocated in a manner that is fully consistent with the management of the business and with the delegations of authority system 9 Only one database system will be used to hold and manage all forms of risk management information 10 Sites will plan how they will implement these standards and will report on the progress with this implementation and the effectiveness of risk management as part of the company's governance processes THE TRANSFORMATION PLAN The Akawini management team was then encouraged to discuss and compare options and to suggest major actions for the enhancement plan The actions were allocated to members of the management team, and completion dates were agreed These agreements were recorded and became the risk management plan that described the transformation process for managing risk at the sites The management team was also asked to commit on a review and reporting process for the transformation plan QUESTIONS 1 If you were conducting interviews of the Akawini management team so that you could draw objective conclusions for the review described in the chapter, what questions would you ask 2 What would you expect to see in the first year risk management transformation plan What would be the typical tasks 3 You have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business What performance measures would you recommend they use so that they can monitor progress and performance NOTES 1A risk profile is a description of a set of risks In this case, it is that which represents the major risks the company faces 2The term risk attitude (defined as the organization's approach to assess and eventually pursue, retain, take, or turn away from risk) is used in ISO 31000 rather than the term riskappetite for two reasonsit is a wider term (risk appetite is defined in ISOGuide73 as the amount and type of risk that an organization is willing to pursue or retain) and also translates better into some other languages, a necessary consideration in the drafting of ISO31000 3These are the outcome tests for effective risk management given in Annex A of ISO 31000 4Risk criteria provide both the means to determine and express the magnitude of risk, and to judge its significance against predetermined levels of concern They comprise internal procedural rules selected by the organization for analyzing and then evaluating the significance of risk, and are also used when selecting between potential risk treatments REFERENCE 1 ISO 2009 International Standard ISO 31000 2009, Risk ManagementPrinciples and Guidelines Geneva, Switzerland International Organization for Standardization ABOUT THE CONTRIBUTOR Grant Purdy is Associate Director, Broadleaf Capital International He has specialized in the practical application of risk management for more than 38 years, working across a wide range of industries and in more than 25 countries He works with many types of organizations, helping them develop and enhance ways to manage risk in support of the decisions they make This involves mentoring, training, and giving advice, predominantly to senior managers and boards Grant is an accomplished trainer and speaker and has had more than 100 papers, books, and articles published He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for more than 12 years and was its chair for seven He is coauthor of the 2004 version of AS NZS 4360 and also of AS NZS 5050, a standard for managing disruption related risk, and has also written many other risk management handbooks and guides He was the nominated expert for Australia on the working group that prepared ISO 31000 and Guide 73 and subsequently head of delegation for Australia on ISO PC 262, RiskManagement

The Answer is in the image, click to view ...

Answered step by step

Verified Expert Solution

Link Copied!

Question

1 Approved Answer

Posted on Jun 19, 2024

1.If you were conducting interviews of the Akawini management team so that you could draw objective conclusions the review described in the chapter, what questions

1.If you were conducting interviews of the Akawini management team so that you could draw objective conclusions the review described in the chapter, what questions would you ask?

2.What would you expect to see in the first year risk management transformation plan? What would be the typical tasks?

3.You have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business. What performance measures would you recommend they use so that they can monitor progress and performance?

4.What improvements would you make?

5.Does this represent an effective risk management program?If not, what is missing?

What represents the key success factors of the program?

Answer the bolded underlines questions above. Below is material related to the question

CHAPTER 29 Transforming Risk Management at AkawiniCopper

GRANT PURDY

Associate Director, Broadleaf Capital International

This case study describes how the approach to managing risk can be transformed and enhanced in a company. The case study is based on a hypothetical mining company, Akawini Copper, that has recently been acquired by an international concern, United Minerals. has a rudimentary approach to risk management (RM) that must be improved if the new owners are to realize the level of return claimed in the business case that was used to justify the acquisition. owns a single mine and concentrate plant approximately 50 kilometers from the coast. It ships the concentrate using trucks to a nearby port for export. The company earns revenue of $774 million a year from the sale of concentrate and employs a total of 1,500 people at the mine site and port.

THE ACQUISITION AND DUE DILIGENCE

United Minerals and implemented a framework for managing risk based on ISO 31000 (ISO 2009). In particular, this has enabled it to properly integrate the risk management process into its approach to making decisions on major projects and investment decisions and also the way it develops, plans, and executes projects.

During due diligence prior to the acquisition, the risk management team for United Minerals reviewed the current approach to risk management at Akawini and, from a cursory examination of documents, was able to determine that the approach was very limited and was unlikely to yield much real value. The team found, for example, that:

A process for formal risk assessment was applied only to what as "business risks." This occurred only once a year as part of a risk review that updated the current risk register so that it could be reported to an Audit Committee.
There was a different process applied for safety risks that actually did not consider as generated a risk rating using a matrix system only for hazards.
No systematic process for assessing and treating risks was used in support of major decisions. In particular, project management did not include any form of explicit risk management process.
The Akawini risk manager mostly dealt with insurance matters and asked the company's external audit provider to offer a facilitator for the annual risk review.
The annual internal audit plan did not seem to be based on the outcomes of the risk assessment and did not focus on assuring many of the critical controls.
The risk criteria systems used for both "business risks" and "safety risks" covered only detrimental consequences and seemed to be based on five levels of consequences and consequence types that were not associated in any meaningful way with the company's objectives.
Both systems used the termprobabilityto estimate and did not consider the frequency or return period for consequences.
In both systems, risks were analyzed incorrectly by combining the likelihood of an event with what was described as "the plausible -case consequences." This produced many "extreme" risks, which were then being discounted by managers as implausible.
Once risk registers were created on spreadsheets, they were kept on separate personal computers and were rarely considered until the next yearly review. Any risk treatment actions decided on were not followed up or closed out.
Critical controls were not identified and were not assigned to individuals for ongoing monitoring and periodic review.
There was no coherent process that defined and captured learnings from successes and failures.

The risk management team signaled its concerns to the acquisition team, and the need for improvement of Akawini Copper's approach to risk management to bring it into line with ISO 31000:2009. Then, the United Minerals framework was placed on the transformation plan and given a high priority.

THE TRANSFORMATION PROCESS

Once the acquisition had been completed, the risk management team followed the stepwise process inExhibit 29.1to transform the approach to risk management atAkawini.

Exhibit 29.1Risk Management Transformation Process Steps

The starting point was a structured analysis of Akawini's current approach to managing risks, to identify where changes had to be made and then to assign a priority to particular tasks. This was conducted in two parts:

1.A full desk-based review of Akawini's risk management documentation

2.A complementary set of interviews with Akawini management

The second activity was particularly important because it was the experience of the United Mineral risk management team that it was vital to observe and reviewhow risk management takes place in practice. This was particularly true if there might be any discontinuity of practice across Akawini or inconsistent processes and systems. It was also important to test out Akawini management's perceptions of the current approach to risk management to see if it was currently viewed as effective and if managers perceived it as likely to satisfy their future needs.

The risk management team conducted a series of structured interviews with senior management from Akawini so that the team could draw objective conclusions on:

The suitability of the current approach to manage risk associated with an organization of the size and complexity of Akawini, its risk profile1and its risk attitude2
The drivers of that attitude, based on what were recognized as the key success factors and growth objectives for the organization
The perceived usefulness of the current risk management process and its degree of integration into key decision-making processes
The strengths and limitations of the other risk-type specific approaches to risk management that coexisted in the company3specifically, whether the tools and methods currently being used were capable of providing Akawini with a current, correct, and of its risks and informing it whether the risks were within its risk criteria4
The level of understanding of senior management about aspects of the risk management culture
An outline of the perceived risk profile of Akawini and whether this varied from that reported to the board in the past

Questions asked included:

What is your definition of risk? How, in your view, do risk and its management relate to the company's objectives?
What is the purpose of risk assessment? How often should risk assessment take place? What triggers it in your area?
As a practical matter, how do you gain assurance that the critical controls that part of the company relies on in place, are effective, and work when required?
What Improvements would you make?
Does this represent an effective Risk Management program? If it does not what is missing to make it an effective risk management program?
What are key success factors of the program?

The risk management team members consolidated their findings and compared them with the elements of the existing United Minerals risk management framework and the requirements of ISO 31000. They particularly mapped what they found by comparing it with the principles for effective risk management in Clause 3 and the attributes in Annex A of the Standard.

GAINING SENIOR MANAGEMENT OWNERSHIP FOR TRANSFORMATION

For effective management, it was regarded as critical that senior management at Akawini appreciated and could comment on and contribute to the findings and conclusion of the review so that this would lead to ownership of the transformation plan. The risk management team therefore presented its findings and recommendations at a meeting with senior managers that covered:

Fundamentals of risk and best practice risk management
Overall findings and assessment of the benchmarking review
Suggested improvements and enhancement strategies
Draft enhancement plan

The risk management team elicited feedback and acceptance of the conditions it found and prompted a discussion the desired situation. In this way the team helped managers identify what needed to change. The diagram of the desiredframework architecture given inFigure 29.2was used to demonstrate the strengths and weaknesses in the current approach.

Exhibit 29.2Desired Framework Architecture

Indicates that the element is present and effective, means that it is not present or is ineffective.

To demonstrate the desired outcomes, the risk management team explained that the primary purpose of risk management in United Minerals was to act in a dynamic fashion to support decisions and that the company framework had been designed to ensure that:

Assumptions and preconceptions were properly challenged before decisions could be made.
Appropriate actions were then taken to reduce the uncertainty that objectives would be achieved.
Early warnings were provided if key controls were not in place or were not fully effective, so that preemptive action could be taken.
The organization learned in a systematic way from its successes and failures, at a fundamental level so that learnings would lead to lasting changes.

To help the organization as a whole improve its ability to manage risk, the company had adopted 10 performance requirements that it called its "standards." These were, in outline:

1.The risk management process will be integrated into all key decision making processes.

2.The risk management process will be integrated into strategic, business, and project planning processes.

3.Key controls will be identified and allocated to owners for monitoring.

4.After every major decision, event, or change or at the conclusion of all plans, the organization will learn lessons from successes and failures using root cause analysis.

5.The same, consistent methodology will be used for analyzing risks and for evaluating control effectiveness.

6.The significance of risks will be evaluated using one set of risk criteria.

7.Viable options for treating risks will always be considered, and those options will be implemented where there is a net benefit to the business.

8.Accountability for managing risk will be allocated in a manner that is fully consistent with the management of the business and with the delegations of authority system.

9.Only one database system will be used to hold and manage all forms of risk management information.

10.Sites will plan how they will implement these standards and will report on the progress with this implementation and the effectiveness of risk management as part of the company's governance processes.

THE TRANSFORMATION PLAN

The Akawini management team was then encouraged to discuss and compare options and to suggest major actions for the enhancement plan. The actions were allocated to members of the management team, and completion dates were agreed. These agreements were recorded and became the risk management plan that described the transformation process for managing risk at the sites. The management team was also asked to commit on a review and reporting process for the transformation plan.

QUESTIONS

1.If you were conducting interviews of the Akawini management team so that you could draw objective conclusions for the review described in the chapter, what questions would you ask?

2.What would you expect to see in the first year risk management transformation plan? What would be the typical tasks?

NOTES

1A risk profile is a description of a set of risks. In this case, it is that which represents the major risks the company faces.2The termrisk attitude(defined as the organization's approach to assess and eventually pursue, retain, take, or turn away from risk) is used in ISO 31000 rather than the termriskappetitefor two reasonsit is a wider term (risk appetite is defined in ISOGuide73 as the amount and type of risk that an organization is willing to pursue or retain) and also translates better into some other languages, a necessary consideration in the drafting of ISO31000.3These are the outcome tests for effective risk management given in Annex A of ISO 31000.4Risk criteria provide both the means to determine and express the magnitude of risk, and to judge its significance against predetermined levels of concern. They comprise internal procedural rules selected by the organization for analyzing and then evaluating the significance of risk, and are also used when selecting between potential risk treatments.

REFERENCE

1.ISO. 2009. International Standard ISO 31000:2009, "Risk ManagementPrinciples and Guidelines." Geneva, Switzerland: International Organization for Standardization.

ABOUT THE CONTRIBUTOR

Grant Purdyis Associate Director, Broadleaf Capital International. He has specialized in the practical application of risk management for more than 38 years, working across a wide range of industries and in more than 25 countries. He works with many types of organizations, helping them develop and enhance ways to manage risk in support of the decisions they make. This involves mentoring, training, and giving advice, predominantly to senior managers and boards. Grant is an accomplished trainer and speaker and has had more than 100 papers, books, and articles published. He has been a member of the Standards Australia and Standards New Zealand Joint Technical Committee on Risk Management for more than 12 years and was its chair for seven. He is coauthor of the 2004 version of AS/NZS 4360 and also of AS/NZS 5050, a standard for managing disruption-related risk, and has also written many other risk management handbooks and guides. He was the nominated expert for Australia on the working group that prepared ISO 31000 and Guide 73 and subsequently head of delegation for Australia on ISO PC 262, RiskManagement.