Eeste Begin Farm
BarnOwl would like to extend a big thank you to the organisers of the Cape Winelands Risk and Audit Forum for inviting Jonathan Crisp, Director at BarnOwl GRC and Audit solutions, to present on the practical implementation of risk appetite and tolerance. The venue was set in the majestic mountains of Worcester and, as always, we received such a warm reception. Thank you.
Jonathan briefly ran through the various definitions of risk appetite and risk tolerance, which are a bit vague, to say the least, and somewhat contradictory. The aim of my presentation, however, was to demonstrate the practical implementation of risk appetite / tolerance using BarnOwl, with less focus on theoretical definitions.
In my opinion, the most important outcome is for the various risk owners (corporate, divisional, regional, business unit, process) to see risks ranked appropriately, taking into account at what level of the organisation they are reporting. For example, at a corporate level, the exco / board / council would not want to see a low-level (immaterial) 5×5 risk in ‘Timbuctoo’ filter its way up into the top 10 strategic risk register, even though it is a critical risk for the business unit owner in ‘Timbuctoo’. In other words, risks must be ranked by their importance relative to one another, taking into account the materiality of the business units.
Whilst it is pretty simple to rank risks when they are rated quantitatively, it is not as simple when risks are rated qualitatively. BarnOwl provides the ability to rate risks both qualitatively and quantitatively according to risk impact criteria (a risk model) specific to each business unit. In addition, different quantitative risk impact scales can be defined per business unit and per category of risk. This is useful because you can set different risk tolerance levels depending on whether it is a risk you wish to take (an opportunity) or a risk you would like to avoid.
So here are a few ways that you can report on risks in BarnOwl:
- Simple qualitative risk heat map plotting all selected risks (without weighting) based on their impact and likelihood rating.
- Weighted qualitative risk heat map taking into account the relative importance of business units, ensuring that strategic / business risks are plotted higher than risks from ‘business activity’ units / ‘process-based’ units.
- Only selecting strategic and business unit risks and excluding the lower-level risks captured at ‘business activity’ units and / or ‘process’ units. Often audit concerns itself with process-based risks and controls. These process-based risks are captured at a lower level in the organisational structure and can be linked to a parent risk/s (business and / or strategic risk) at a higher level in the organisational structure. Any rating change to a process-based risk (child risk) triggers a reassessment of the business (parent) risk, ensuring that business risks are rated appropriately.
- Quantitative risk aggregation reported and ranked against aggregated risk thresholds per business unit.
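As an added illustration of the weighted ranking, the child-to-parent reassessment and the per-unit thresholds described in the list above (a constructed example, not BarnOwl's own code or algorithm; the unit weights, thresholds and the max-based rollup rule are assumptions):

```python
from dataclasses import dataclass, field
# Illustrative model only, not BarnOwl's algorithm; weights, thresholds and rollup rule are assumed.
@dataclass
class Risk:
    name: str
    unit: str
    impact: int                                    # qualitative 1..5 rating
    likelihood: int                                # qualitative 1..5 rating
    children: list = field(default_factory=list)   # linked process-level (child) risks

# Assumed materiality weight per business unit (1.0 = corporate level).
UNIT_WEIGHT = {"corporate": 1.0, "finance_division": 0.6, "timbuctoo_branch": 0.1}
# Assumed aggregated weighted-score threshold per business unit.
UNIT_THRESHOLD = {"corporate": 20.0, "finance_division": 6.0, "timbuctoo_branch": 5.0}

def raw_score(r: Risk) -> int:
    """Unweighted 5x5 heat-map score: impact x likelihood (1..25)."""
    return r.impact * r.likelihood

def effective_rating(r: Risk) -> tuple:
    """Assumed rollup: a parent is reassessed to the max of its own and its children's ratings."""
    impact, likelihood = r.impact, r.likelihood
    for child in r.children:
        ci, cl = effective_rating(child)
        impact, likelihood = max(impact, ci), max(likelihood, cl)
    return impact, likelihood

def weighted_score(r: Risk) -> float:
    """Heat-map score after rollup, scaled by the owning unit's materiality weight."""
    impact, likelihood = effective_rating(r)
    return impact * likelihood * UNIT_WEIGHT[r.unit]

def rank(risks: list) -> list:
    """Corporate-level view: highest weighted score first."""
    return sorted(risks, key=weighted_score, reverse=True)

def unit_breaches(risks: list) -> dict:
    """Sum weighted scores per unit and return the units that exceed their threshold."""
    totals = {}
    for r in risks:
        totals[r.unit] = totals.get(r.unit, 0.0) + weighted_score(r)
    return {u: t for u, t in totals.items() if t > UNIT_THRESHOLD[u]}

# Constructed sample: a locally critical 5x5 branch risk, a moderate corporate risk,
# and a business risk whose rating is lifted by a linked process-level child risk.
TIMBUCTOO = Risk("Branch generator failure", "timbuctoo_branch", 5, 5)
CORPORATE = Risk("Credit rating downgrade", "corporate", 3, 4)
PROCESS = Risk("Late supplier reconciliations", "finance_division", 4, 3)
BUSINESS = Risk("Supplier concentration", "finance_division", 2, 2, [PROCESS])
SAMPLE = [TIMBUCTOO, CORPORATE, BUSINESS]
```

Unweighted, the ‘Timbuctoo’ risk (25) outranks the corporate risk (12); weighted by materiality it drops to the bottom, while the child process risk lifts its parent from 2×2 to 4×3.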
Business Intelligence module:
In addition, the BarnOwl Business Intelligence module provides graphical dashboards showing the correlation between qualitative and quantitative risk ratings, as well as risk rating correlations based on control effectiveness ratings, the number of audit findings per risk, the materiality of loss events / incidents per risk, etc.
Once again, thank you very much, Cape Winelands, for inviting me to present and for your warm hospitality.
Written by: Jonathan Crisp
Director – BarnOwl GRC and Audit software
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.