Risk Management Plan - Case Study Example

Risk Management Plan Name: Tutor: Course: Date: Table of Contents Table of Contents 2 Stakeholder Analysis 5 Stakeholder 5 What the stakeholder wants from the business 5 What the business wants from the stakeholders 5 Employees 5 Good working conditions/environment and fair wages 5 Honesty, diligence, best efforts, engagement and attendance 5 Management 5 Secured revenue with acceptable operating costs, future innovation with low risk of failure 5 Consistency, coherence and attainable strategies 5 Shareholders 5 Liquidity and return on the investment 5 Long-term commitment and investment capital 5 Customers 5 Innovative products 5 Long-term relationship 5 Suppliers 5 Fair pricing and long-term order with timely payments 5 Innovation and responsive services 5 Regulators 5 Feedback and conformance to regulations 5 Consistency and responsiveness of regulations 5 Government 5 Contribution to national economy and compliance to the law 5 Suitable infrastructure, representations of locals and simple taxation 5 Scope of Risk Management 6 The scope includes the definition of basic assumptions for the bank’s internal and external environment alongside the activities and objectives of the risk management process. They are independent to the methods, management process and implementation tools. 6 SWOT Analysis 8 Context of the risk of the organization 9 Inner contexts; organizational structures are largely functional which are rigid and may discourage bottom-up flow of information. Resources like best employees can be lost to the competition. Culture guides behavior and influences the reputation of the bank. Power relations define the power distance between the junior employee and the CEO. Risk perception depends on the how the bank rates the impact and likelihood of the risk (Dorfman, 2007). Strategy of marketing and operations whether being a leader or follower and motivation affects how employees take commitment to their tasks or daily activities. 9 Outer contexts; Politics dictate the operational environment of the bank like offering license and rules to operate. Economic risks of the bank when they hold more stock for speculation purposes creating temporary inflation. The market is dynamic and subject to innovation and creative products. Social and cultural issues depend on the banks capability to be inclusive and diverse on employment. Legal issues affects how the bank pays employees, awards contracts and receives gifts and technological aspect is how the bank utilizes technology like internet and mobile banking (Gorrod, 2004). Environment influences sustainability and relationship to local communities and mitigating externalities. 9 Risk Management Plan 10 Risk Management Objectives and Critical Success factors 10 Identification and Documentation of Risks 10 Probability 11 Risk Impact 12 Risk Score 12 Analysis and Evaluation of Risks 14 Risk Treatment plan and Schedule 16 Schedule 17 Risk Action Plan 17 Implementation 19 Monitoring and Evaluation 19 WHS Acts, Regulations and Codes of Practice 20 Reference list 22 Stakeholder Analysis Stakeholder What the stakeholder wants from the business What the business wants from the stakeholders Employees Good working conditions/environment and fair wages Personal career growth Honesty, diligence, best efforts, engagement and attendance Management Secured revenue with acceptable operating costs, future innovation with low risk of failure Consistency, coherence and attainable strategies Investment that is appropriate Shareholders Liquidity and return on the investment Stable earnings Long-term commitment and investment capital Customers Innovative products Consistency and reliability of service Long-term relationship Continued appreciation of services Suppliers Fair pricing and long-term order with timely payments Innovation and responsive services Quality and volume with integrity of delivery Regulators Feedback and conformance to regulations Consistency and responsiveness of regulations Government Contribution to national economy and compliance to the law Suitable infrastructure, representations of locals and simple taxation Scope of Risk Management The scope includes the definition of basic assumptions for the bank’s internal and external environment alongside the activities and objectives of the risk management process. They are independent to the methods, management process and implementation tools. The banking core processes are issuance and receipt of cash deposits, issuance of loan products and safe keeping of cash and other valuables. The valuable assets are its people, reputation and structures. The competitive areas are innovative and creative products (Abrams, 2001). The risk management controls and initiatives includes; securing banking halls from robbers, control measures to deter theft from employees, mitigating against fire and securing the reputation of the bank. The external environment includes; the banking business, local market in Australia, rival banks and regulators like the central bank. The social and cultural issues associated with borrowing and making deposits. Effect of suppliers and customers on the reputation and performance of the bank is also considered. The internal environment includes; the business drivers like competitive advances, attractiveness of banking products and market indicators. The strengths, weakness, opportunities and threats of the business are undertaken. Internal stakeholders like employees and management. The culture and structure of the organizational also poses a risk (Roehrig, 2006). Others are limitation of capital, systems and processes, goals, strategies and objectives that are not achieved. The risk criteria is impact and likelihood and rules determining the risk level SWOT Analysis Strengths: Good financial results each successive year Higher employee cohesion and great teamwork High quality banking products Balance sheet without debts or high risk stocks Dedicated management with clear organizational structures Superior banking technology Opportunities: Low taxation from the government allows the bank to growth the balance sheet Increase employment and rise in incomes among the youth releasing more money into deposits Reduced lending rates attracts more people into taking the loan products or soft credit Increased level of inclusion Weaknesses: Ensuring consistency and quality of products is a challenge High rate of intranet breakdown and interruptions of the banking software Poor funding to infrastructure and weak connection to corporate responsibility Threats: Uncontrolled expansion likely to backfire once local competitors innovate their products Increased cases of crime likely to scare depositors Context of the risk of the organization Inner contexts; organizational structures are largely functional which are rigid and may discourage bottom-up flow of information. Resources like best employees can be lost to the competition. Culture guides behavior and influences the reputation of the bank. Power relations define the power distance between the junior employee and the CEO. Risk perception depends on the how the bank rates the impact and likelihood of the risk (Dorfman, 2007). Strategy of marketing and operations whether being a leader or follower and motivation affects how employees take commitment to their tasks or daily activities. Outer contexts; Politics dictate the operational environment of the bank like offering license and rules to operate. Economic risks of the bank when they hold more stock for speculation purposes creating temporary inflation. The market is dynamic and subject to innovation and creative products. Social and cultural issues depend on the banks capability to be inclusive and diverse on employment. Legal issues affects how the bank pays employees, awards contracts and receives gifts and technological aspect is how the bank utilizes technology like internet and mobile banking (Gorrod, 2004). Environment influences sustainability and relationship to local communities and mitigating externalities. Risk Management Plan Risk Management Objectives and Critical Success factors The organization requiring risk management plan is the HSBC bank Australia. The bank has an employee base of 600 including the middle level and technical personnel. It also has a reputation of being the best bank in employee compensation, training and development, and in customer service. The bank has broad financial base and is able to meet its marketing obligations and recruit the best talent that it can retain (Morgan & Henrion, 2002). The risk management objectives of the HSBC bank are; 1. To provide the company with 98% uptime in connectivity in all its ATMs at all branches throughout the day 2. To reduce the impact of power losses interfering with teller points and ATMs transactions by 5% in 2 weeks 3. To lower the impact of employee turnover in the technical department and systems administration by 10% in one week 4. To reduce the probability of bank robberies by 0.4 in the financial year of 2014 Identification and Documentation of Risks The risks identified by the bank in 2014 are; 1. Downtime of ATMs in some branches creating long queues and constant customer calls to call centers 2. Frequent power losses with interruption lasting more than 5 hours 3. High turnover of key-man employees working in the technical sections 4. Constant bank robberies The basis of identifying these risks were based on 1) impact of the risk on banking operations, 2) the probability of occurrence, 3) the time horizon in which the consequences will happen if at all the risk is not mitigated. The identified risks will be assessed to engender the show the range of potential operational outcomes (ISO/DIS 31000 2009). They will be qualified to establish the risks that will be placed on top, responses and those that can be ignored. The methods used are qualitative analysis of the probability and the impact of occurrence of the risks identified above (Alexander & Sheedy, 2005). The bank employees will assist in identifying the risks and escalating them once they occur or about to happen. Probability The table below will define the probability of occurrence Probability range Expression of occurrence Probability Value Numeric score 91-99% Very likely 95% 5 61-90% Probably 76% 4 41-60% May occur half of the time 51% 3 11-40% Unlikely 26% 2 1-10% Very unlikely 5% 1 Risk Impact The table below will show the risk impact terms and categories. Positive risks consider the opposite of impact description. Impact Description Example Expression Impact value Numeric score Huge financial and reputational losses $10 million bank robbery Cost impact ≥40% Critical Cost of Damage 10 Mild financial and reputational losses 10 hour power loss Cost impact≥20% Serious Cost of Damage 8 Moderate financial and reputational losses 2 hours ATM downtime Cost impact≥10% Moderate Cost of Damage 5 Minor financial and reputational losses 1 hour interrupted connectivity Cost impact≥5% Minor Cost of Damage 3 Negligible financial and reputational losses Customer complaint on long queues Cost impact≤5% Negligible Cost of Damage 1 Risk Score Risk score is determined by computing probability and the impact. The product of the two gives the risk score and enables the prioritization process to take place. The values determined range from 1(very low exposure) to 50 (very high exposure). The risk exposure ranking does not show specific break points but the risk exposure of less than 20 is ordinarily considered as low risk. The values between 20 and 39 indicate moderate risk and exposure values between 40 and 50 are considered as high risks (Crockford, N 2006). The definitions of High (H), Moderate (M) and Low (L) are; High Risk: Likely to cause huge financial and reputational loses to the bank. It requires a high priority management and additional action to control acceptable risk. The bank will conduct in-depth response plans for the risk. Moderate Risk: Causes moderate financial and reputational losses. Management attention and special action is required to control the acceptable risk. The bank will also perform response planning. Low Risk: No potential or little financial and reputational losses. Actions within the scope of banking operations and normal business continuity management should control acceptable risk. No response plans will be required but the bank will monitor and manage as they come. The risk score table is as shown below Impact Probability Negligible (1) Minor (3) Moderate (5) Serious (8) Critical (10) Very likely (5) 5 15 25 40 50 Likely (4) 4 12 20 32 40 50% chance (3) 3 9 15 24 30 Unlikely (2) 2 6 10 16 20 Very unlikely (1) 1 3 5 8 10 The risk falling in the RED zone and YELLOW Zone requires immediate risk response planning which involves a risk contingency plan and risk mitigation strategy (Roehrig, 2006). Analysis and Evaluation of Risks The table above allows us to assess and evaluate the level of risk which is tabulated below. Risk Likelihood(H,M,L) Level of risk (H,M,L) Score Mitigation Responsibility Bank heist H (5) H (10) 50 Critical Involve armed security officers to escort cash on transit and at the strong rooms Bank Manager Loss of key-man employee to competition M(3) M(8) 24 Moderate Have alternative methods of hiring or increasing compensation to retain the individual HR Manager Power outages H(4) H(10) 40 Critical Use Backup generators and solar panels Technical officer Low internet connectivity H(3) M(8) 24 Moderate Operate with superior gadgets on LAN and Ethernet Operations manager Long queues H(2) L(3) 6 Minor Increase teller speeds and create more counters Banking hall executive Fish bone Diagram The fish bone diagram above ordinarily shows that the position of the branch office of the bank, operations/tasks, people/employees, equipment and controls must be adequately catered for in the bank. The set priorities require that the location of the bank be in spacious offices, reasonably pleasant building and not in a run-down area vulnerable to crime and depression. Controls include regular branch managers meeting to provide updates in fire drills, notification on crime and high turnover (Gorrod, 2004). The diagram asserts that it is critical to consider the aspects of control, equipment, people, site and tasks to mitigate the effects of risks. Risk Treatment plan and Schedule Every major risk especially the ones appearing in Red and Yellow zones are assigned to responsible team member in the bank for monitoring purposes. This will enable the risk not to “fall through the cracks”. One of the following approaches for each major risk will be selected to address it: 1. Avoid – Eliminating the cause thus eliminating the threat 2. Mitigate – Identify ways to reduce the impact of the risk or the probability 3. Accept – There is nothing to be undertaken 4. Transfer – outsource or buy insurance hence making another party responsible for the risk. The probability of occurrence or reduction of impact for each risk that will be mitigated will assist the banking operations team to identify ways of preventing the risk from occurring. This may constitute erecting fire extinguishers, conducting safety drills on periodical basis, adding more teller points and buying a super generator. Every major risk that is accepted or that is to be mitigated demands a course of action on the basis of event outline where the risk materializes so as to minimize its impact (Dorfman, 2007). The risks are evaluated in terms of risk score with the highest place first and the lowest placed last. The options are identified on the basis of suitability, evaluated and selected. For instance, the identified option for a bank heist is transfer of the risk while regular power outages are mitigated. The evaluation is based on the fact that substantial loss is experienced which can only be compensated by a third party (ISO/DIS 31000 2009). Risk Responsibility Treatment Bank heist Bank Manager Transfer the risk by taking insurance for any potential loss of cash on transit or at the bank Loss of key-man employee to competition HR Manager Mitigate by having alternative methods of hiring or increasing compensation to retain the individual Power outages Technical officer Mitigate by using Backup generators and solar panels Low internet connectivity Operations manager Mitigate by operating with superior gadgets on LAN and Ethernet Long queues Banking operations Avoid the long queues by introducing internet and mobile banking as options Schedule Risk Action Plan Risk Action Time Frame Bank heist Transfer the risk by taking insurance for any potential loss of cash on transit or at the bank 2 months Loss of key-man employee to competition Mitigate by having alternative methods of hiring or increasing compensation to retain the individual 2 weeks Power outages Mitigate by using Backup generators and solar panels One day Low internet connectivity Mitigate by operating with superior gadgets on LAN and Ethernet One day Long queues Avoid the long queues by introducing internet and mobile banking as options One hour Implementation Description Duration Responsibility Trainings Quarterly Operations Briefings Weekly Operations Mock drills Biannually Manager Negotiations with third parties Yearly Manager Communication and escalation Every time there is a major risk Regional Manager Monitoring and Evaluation The optimal procedure for monitoring and evaluation is through third party audits and independent inspections. This will involve outsourcing the services of HR consultants, structural and electrical engineers, fire inspectors, auditors and architects. They will assess and evaluate the current state of buildings, appliances, people and equipment to obtain their current performance and their shortcomings (Borodzicz, 2005). For instance, if a building housing the bank is about to collapse or has a leakage, it is a risk to people and property. It should be escalated and prompt action taken. The level of risk on banking operations will be tracked, monitored and reported at all times when activities are taking place. The operations team will maintain a “Top 10 Risk List” that will be reported as a component for the banking operations status reporting process. All the operational change requests shall be analyzed for their potential impact on the operations of the bank. The senior management of HSBC will be notified of essential changes to risk status as an element of the Executive Operations Status Report (Nederpelt, 2012). The bank operations will also maintain a risk log and reviewed an agenda that stands in operations team meetings. WHS Acts, Regulations and Codes of Practice The risks identification and treatment should conform to the laid down procedures. For instance, in Australia, the New work safety and health (WHS) laws started on 1 January 2012 in many territories and states to harmonize safety and occupational health (OH&S) laws throughout Australia. WHS legislation constitutes regulations, a model WHS Act, enforcement policy, Codes of Practice and a national compliance (Abrams, 2001). The present safety & occupational health (OH&S) laws is not significantly different from model WHS Act, but it is easier for workers and businesses to be compliant with their requirements throughout the various territories and states. Each territory and state is responsible for enforcing and regulating WHS laws. The national body in charge of creating safety, workers’ compensation policy and work health is Safe Work Australia. The following territories and states currently use harmonized WHS legislation and not the previous OH&S laws: 1. New South Wales 2. Australian Capital Territory 3. Queensland 4. South Australia 5. The Commonwealth of Australia 6. Northern Territory In the start of 2013, the remaining states were anticipated to be moved to the new model WHS Act. OH&S Acts: Territories and states that are yet to implement new WHS laws are responsible for enforcing and making their own OH&S Act. These laws outline the roles of different groups of people with different responsibilities in workplace safety and health. OH&S, Codes of Practice and WHS Regulations require that codes of practice or specific regulations are needed to control some workplace hazards that can cause disease or so much injury. These codes and regulations explain the duties of specific groups of people in risk control (Abrams, 2001). Regulations and codes are different given that regulations are legally enforceable while Codes of Practice offer advice on the means of meeting regulatory requirements. Codes can be used in courts as evidence that legal requirements have not been or have been met but they are not legally enforceable. Reference list Abrams, H K 2001, A Short History of Occupational Health, Journal of Public Health Policy, 22 (1): 34–80.  Alexander, C & Sheedy, E 2005, The Professional Risk Managers' Handbook: A Comprehensive Guide to Current Theory and Best Practices. PRMIA Publications. Borodzicz, E 2005, Risk, Crisis and Security Management. New York: Wiley. Crockford, N 2006, An Introduction to Risk Management (2 ed.). Cambridge, UK: Woodhead- Faulkner. p. 18. Dorfman, M S 2007, Introduction to Risk Management and Insurance (9 ed.). Englewood Cliffs, N.J: Prentice Hall. Gorrod, M 2004, Risk Management Systems : Technology Trends (Finance and Capital Markets). Basingstoke: Palgrave Macmillan. ISO/DIS 31000 2009, Risk management — Principles and guidelines on implementation. International Organization for Standardization. Morgan, G & Henrion, M 2002, Uncertainty: A Guide to Dealing with Uncertainty in Quantitative Risk and Policy Analysis. Cambridge University Press. Nederpelt, P 2012, Object-oriented Quality and Risk Management (OQRM). A practical and generic method to manage quality and risk. MicroData. Roehrig, P 2006, Bet On Governance To Manage Outsourcing Risk, Business Trends Quarterly. Sydney. Read More