This document is intended to provide guidance on implementing an effective Enterprise Risk Management (ERM) program for ACI Global Pty Ltd for ongoing Business Continuity. The basic principles outlined in these documents and the methodology and process adopted will need to be modified and appropriately scaled to reflect changes to ACI Global as it grows in size and complexity. This will include consideration of the range of products and services on offer, geographic coverage, business strategies and technology.
As ACI Global grows in size and complexity the ERM program should evolve to ensure that all significant new, emerging and increased risks are appropriately considered and addressed as part of the on-going review and assessment process. When establishing an appropriate and effective enterprise risk management process, ACI Global, its personnel and agencies should give consideration to the guiding principles outlined in Appendix A.
Risk is an event or activity that may have an impact on ACI Global’s ability to effectively execute its strategies and achieve its objectives or which may cause a significant opportunity to be missed.
Risk Management is an on-going process, involving ACI Global’s Owners, management and other personnel. It is a systematic approach to setting the best course of action to manage uncertainty by identifying, analysing, assessing, responding to, monitoring and communicating risk issues/events that may have an impact on an organisation successfully achieving their business objectives.
Assurance is a process that provides a level of confidence that objectives will be achieved within an acceptable level of risk.
Potential Exposure, or maximum foreseeable loss, is an estimate of the amount of damage that would be expected to occur in the event that all loss protections failed.
Risk Appetite is the degree of risk, on a broad-based level, that ACI GLOBAL is willing to accept or take in pursuit of its objectives.
Risk Tolerance is the level of risk that ACI GLOBAL is willing to accept in various risk areas. This can be measured in terms of both quantitative and qualitative dimensions.
Risk Officer (if one is appointed) is normally identified as the person responsible to coordinate and oversee management of the ERM process and approve reports to the Owners.
Enterprise Risk Management is defined as:
". . . a process, effected by an entity’s Owner, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the ongoing achievement of the entity’s objectives."
In summary, ERM:
ERM involves a pro-active holistic enterprise-wide view of all risks and their associated risk appetite and tolerances to ensure that they are fully aligned with ACI Global’s objectives and strategies and reflects the quality, competencies and capacity of people, technology and asset backing of the business. ERM also helps identify the interdependency and interaction of risks across the organisation and provides the tools to rationalise risk management activities.
The purpose of ERM is to create, protect, and enhance ACI Global’s viability as a sustainable business by managing the uncertainties that could influence achieving its objectives. Implementing an effective ERM achieves the following key objectives:
Oversight: All critical risks have been identified and are being managed and monitored under a holistic approach consistent with the Owner’s approved risk appetite statement as reflected within ACI Global’s Business Review and Interested Parties Review processes.
Ownership and Responsibility: The ownership of risk is assigned to management individuals who are responsible for identifying, evaluating, mitigating and reporting risk exposures.
Assurance: The Owner, management and members have reasonable assurance that risk is being appropriately managed within defined levels to bring value to the organisation.
ACI GLOBAL which successfully implements ERM should expect the following benefits:
By being informed, the Owner and senior management can be proactive in responding to the significant risks and opportunities that ACI GLOBAL experiences as a learning services provider. ERM helps identify strategically significant high priority risk issues for the Owners’ attention. Through a comprehensive risk identification and assessment process, ACI GLOBAL can identify who owns the risk and how best to respond to the risk. This ensures that the most appropriate and optimum level of resources is assigned to areas of greatest risk. Enterprise risk management helps identify opportunities as well as identifying risks. To be effective and not create additional overhead, ERM should be integrated into existing processes within ACI GLOBAL that support such activities as strategic planning, business-planning, conformance monitoring, performance measurement and process reassessment. Building ERM into existing processes increases awareness and sensitivity to risk and helps create a culture where risk is proactively assessed and managed at every level.
The key roles and responsibilities of the Owner and Management are summarised below.
Key ERM Roles and Responsibilities
The Owner governs the risk profile of ACI GLOBAL
Management takes action to manage the risks to an acceptable level
ERM is an on-going and cyclical process. The Owner and senior management set the tone for enterprise risk management in ACI GLOBAL. This includes establishing ACI Global’s risk appetite and how risks will be identified, measured and managed.
There are five primary steps in the ERM process. It is also important to ensure that ERM process and risks are re-evaluated and updated on an on-going basis to reflect new information and experiences so that all significant risks are appropriately identified and addressed and that any material opportunities are not overlooked.
Enterprise Risk Management Cycle
The process requires the involvement from all levels in ACI GLOBAL and requires a willingness to understand the risk facing ACI GLOBAL, assist with the creation of appropriate responses to risks, and maintain them within the risk appetite and tolerances established by the Owner and senior management.
Identification of risks should occur on an on-going basis for existing processes and on an ad hoc basis as required for new learning product introductions, training projects or changes contemplated to existing learning products and processes.
There are several techniques that may be used to help identify risks including self-assessment of interested parties, questionnaires, surveys, workshops and interviews.
ACI Global conducts a rigorous review of all its interested parties on an annual basis or on the renewal of contracts. The following schematic reflects ACI Global’s on-going re-evaluation of its key risks.
Risk Identification Process
To help with risk identification, risks should be considered within main risk categories. ACI GLOBAL has two clear risk areas: Organisational and Operational / Learning Services.
Organisational risk relates to the business plan and can be further classified as: strategic, professional, financial and compliance risks.
Operational / Learning Services risk covers actions like: facilitation, assessment establishment, Facilitation and Mentoring job acceptance protocol, terms of learning services engagement with the learner and conformance to applicable standards ISO 21001:2018, ISO 26000:2010, ISO 29993:2017, ISO 17024:2012, ISO 27001:2013, ISO 31000:2018 and ISO 22301:2012.
Main Risk Categories
Risk assessment includes consideration of the likelihood of a risk occurrence and the impact of a risk on the achievement of ACI Global’s objectives within a specified timeframe.
The likelihood of occurrence is often based on the probability or frequency (number of times) the risk might occur over a specified timeframe such as once a quarter, daily, twice a year, etc. A higher probability or frequency of the event occurring will result in higher risk weightings. An event that is expected to occur sooner rather than later will also result in a higher likelihood. The impact of occurrence is often stated as a dollar value of loss or percent of impact on earnings or capital, but can also be described in qualitative terms (e.g. reputation, service quality, regulatory compliance, etc.) that could result if the risk event occurred. The magnitude or severity of a risk is based on the product of its likelihood and impact.
For the purpose of planning the following Risk Weightings will be used:
RISK WEIGHTINGS
Severity | Weighting | Explanation
1 | Insignificant or Minor | Low-Medium Financial Loss – a cause for concern if it arises too frequently
2 | Moderate | High Financial Loss – may need to seek outside assistance to resolve / recover
3 | Major / Catastrophic | Huge Financial Loss – without protection afforded by insurance would definitely pose a threat to the financial viability of the business
Frequency | Weighting | Explanation
1 | Likely | Has a high probability of occurring.
2 | Possible | Can occur at some time in the future.
3 | Rare | May happen but only in exceptional circumstances.
For each identified risk ACI GLOBAL should establish an appropriate “response” option in order to optimise risk management. These generally range from accept to avoid. Four possible response options are identified below:
Accept ACI GLOBAL decides to accept, manage and monitor the level of risk and take no action to reduce the risk.
Mitigate ACI GLOBAL is willing to accept some risk by implementing control processes to manage the risk within established tolerances.
Transfer ACI GLOBAL chooses to transfer the risk to a third party (e.g. obtaining insurance).
Avoid ACI GLOBAL feels the risk is unacceptable and will specifically avoid the risk (e.g. cease selling a learning/training product or providing learning services within a specific market).
Generally, if the magnitude or severity of the risk under consideration is high or moderate, the risk response needs to be strong (mitigate, transfer or avoid). Each risk and related response should be assigned to the manager who is responsible for the area affected by the risk. As part of the response process, management should determine and document what actions (prevention or detection) are necessary to manage the risk.
Risks and risk response activities should be monitored by the responsible manager to ensure that significant risks remain within acceptable risk levels, that emerging risks and gaps are identified and that risk response and control activities are adequate and appropriate. Internal and external audit play an important oversight role in confirming that management is monitoring and managing risks in accordance with established levels. Indicators that fall outside of acceptable risk levels should be escalated with appropriate action plans to bring the risk back within established risk levels. Those risks that still remain above acceptable risk levels should be considered by the Owner for approval of any necessary resolution strategies. This activity will form the basis for reporting to the Owner and will be recorded within ACI Global’s Business Review process; on-going monitoring by management will also be recorded.
It is also helpful to “quantify” the aggregate exposure of significant risks (or specified subset of risks) in terms of potential impact on finances. While this is often subjective and may be difficult to determine, it does help indicate any material change in risk levels from one period to another and could identify potential risks that may not otherwise be fully noted.
The ACI Global Business Review Process of ERM helps to confirm that the level of aggregate risk exposure is within the established risk appetite of ACI GLOBAL as established in policy.
The Owner and senior management will require the results of the ERM process to be reported to them in their oversight capacity and to gain assurance that risks are being managed within approved risk levels. At a minimum, ERM reports to the Owner from each Region and should:
On a periodic basis, the Owner should review all high-risk areas (even those that are appropriately mitigated within acceptable levels) in order to have a full understanding of all the significant risks facing ACI GLOBAL.
The review of all high-risk areas as above will be recorded within ACI Global’s Business review process.
When developing an appropriate and effective enterprise risk management framework, Regions should consider the following key guiding principles:
ACI GLOBAL will maintain a robust ERM framework to ensure:
The objectives of this policy are to:
The risk appetite of ACI GLOBAL is [INSIGNIFICANT OR MINOR] [This is where the potential exposure is less than 2% of gross revenue for the group] or the group is maintaining a ZERO DEBT TO EQUITY RATIO. Significant risks must have Owner approved risk management policies and/or risk management strategies.
Risk tolerances will be developed for each identified significant risk that reflect the level of risk appetite elected by the Owner and management [based upon potential exposure].
The Owner is responsible for:
The [Chief Risk Officer] is responsible for:
The [Agency Owner] is responsible for:
Management will submit a report to the [Chief Risk Officer] at least quarterly. The report should provide appropriate information on the following:
The [Chief Risk Officer] will report to the Owner on the review of risk management activities, including the status of any significant current and emerging exposures and trends.
The effectiveness of the ERM framework should be assessed from time to time including a review of all significant risks and the risk environment of ACI GLOBAL. As well, any changes to the framework should be recommended to the Owner.
The following is a risk identification summary of risks associated with ACI Global. Its aim is to provide a top-down stimulus for Regional risk analysis and to introduce concepts and areas of risk not previously given significant weight in the Organisation, as our focus has been mainly on Operational Risk. Most risk analysis currently undertaken by ACI GLOBAL relates to the physical risk of execution, with some contract and quoting ‘stop-loss’ mechanisms. Areas of organisational risk include:
Clients ACI GLOBAL should not become reliant on one particular client. As a rule no one client should exceed 10% of our revenue base. This is because:
Disaster Recovery ACI Global uses its digital information security framework as guidance in managing its Disaster Recovery process, supported by a secure framework for the location of its Academy (e-Quip) servers, which are not accessible by direct web login.
Clear setting of goals and responsibilities is important for financial success. A "grey" or "rubbery" scope or Training Needs leads to disputes, scope creep, rework, damaged expectations, frustration and ultimately margin reduction or actual financial loss. Expectations on both sides must be managed as part of the risk process.
On any Learning Services Project over $20,000 a senior ACI GLOBAL employee must sit down with the Client and agree on the Learning Needs Analysis and deliverables and incorporate them into a learning services project brief which needs to be issued to the Client and support staff so no ambiguity exists. Any project over $50,000 or is a two or three year project must have a learning services needs analysis raised and accepted by the client outlining all aspects of methodology and delivery including accuracy, attributes and delivery formats. The following ambiguous situations must be avoided:
Disputes can escalate too quickly into conflict and subsequent legal action. Therefore it is imperative that such events are managed quickly and effectively. The easiest way to do this is to remove the egos and personality issues and focus on the facts. If no progress is made then an outside arbitrator may be useful.
The same type of issue applies to an interfering client. Such interference can be difficult to avoid but if left unchecked may derail the learning services project and increase our liability, ultimately affecting our maintenance of a zero debt to equity ratio. This is best dealt with by clearly defining roles and tasks.
As professional trainers and mentors covered by our Accreditations and Professional Indemnity Insurance we must work within our area of competency. We must be clear and not undertake work we are either not qualified to do or that is outside our area of expertise. Competencies are to be clearly detailed. This includes not only the company but also individuals in the Company and Facilitators and Mentors. Some areas we might like to push into, such as international face to face in-house learning service delivery, are high risk because we are not geographically associated with them and the consequences of getting it wrong could be very costly.
If a Learning services project is more technically challenging or involves complex course design work including innovative concepts, it is generally accepted that the learning services project will carry a higher risk rating than other projects. ACI GLOBAL must have a strategy to identify the level of design complexity or technical innovation and remember that ‘cutting edge solutions’ generally mean ‘high risk’ and again may compromise our ability to maintain our zero debt to equity ratio.
In any learning services project there must be a set of terms and conditions that form part of the contract, quote or tender. If there is not, we should not be doing the learning services project. Contained in these terms and conditions will be a set of liability clauses or concepts that assign liability / risk between the parties. ACI GLOBAL Management must closely review any set of terms and conditions and look for words like ‘indemnify’, ‘absolve all risk’, etc., as these terms are normally associated with the cascading of responsibility and hence liability for any negligence claim against the learning services project. What may look benign on the surface may contain onerous liabilities when examined in detail and in the context of the contract as a whole.
ACI GLOBAL should only accept and work on learning services projects where we are solely responsible for our actions or non-actions and cannot be co-joined, grouped or otherwise drawn into any action against delivering the required learning outcome.
Where possible ACI GLOBAL should only be bound by our own terms and conditions. Where this is not possible we should only accept standard industry contracts. Where words like ‘indemnify’ exist then ACI GLOBAL should seek to have them struck out, reviewed by our insurance broker or a commercial lawyer. A $20,000 job may expose ACI GLOBAL to millions of dollars of compensation.
Professional and Public Liability insurances operate to exclude any liability that is imposed upon you by contract unless that liability would have existed in the absence of the contract. ACI GLOBAL must not accept insurance requirements that impose a greater liability than the amount of the liability we are insured for.
ACI GLOBAL will be engaged to deliver learning services through agencies only after the agency satisfies ACI GLOBAL’S criteria of conformance and registration by a Third Party approved Contract Auditor or Appraiser to ISO 21001:2018 and, where possible, ISO 29993:2017. Other standards such as ISO 17021, ISO/IEC 17024 and ISO 31000 will need to be conformed to by the agency under a contract before engagement by ACI GLOBAL.
ACI GLOBAL will require Third Party verification to the above standards before entering into any contractual agreement with a third party (Agency).
ACI GLOBAL cannot be engaged in a contract under which we expect to lose money, or we cannot deliver (technically or physically). We must go into any contract believing that we can and will make money and deliver to the client’s expectations. We must also only be engaged in learning services projects where we get a fee for our service. ACI GLOBAL cannot engage in projects where a success fee is our only potential reward as it creates a ‘conflict of interest’ situation and ultimately may compromise ACI GLOBAL’S zero debt to Equity Ratio.
Given that our appetite for risk is [INSIGNIFICANT or MINOR], high-risk delivery of learning services projects, such as overseas delivery in countries where we do not have a presence, or working for the first time with an unfamiliar client in a foreign currency and a different time zone, will not be considered.
Collection of fees is also a prime risk. ACI GLOBAL considers a sale not a sale unless payment is made. As a rule ACI GLOBAL should not accept a contract from a new supplier when we have concerns about our ability to be paid.
The terms of payment should be clearly outlined in the learning services project brief or our terms and conditions. If we are in doubt about our ability to collect or be paid within a ‘stated’ time period then we should either pass on the project or ask for a significant portion of the cost up front.
Engaging a Facilitator sub-contractor or agent does not release us from the liability. We remain vicariously liable for their actions or non-action. Therefore it is prudent risk management to manage our Facilitators, sub-contractors or agents and be aware of their limitations.
In all cases we must ensure that we have a written contract / terms of engagement with our Facilitator sub-contractors and that the terms of this sub-contract mirror the main contract, i.e. liability clauses match those in the main contract. We must agree the skill set and qualifications to be provided by the facilitator sub-contractor, clearly identify their role and responsibilities and seek their explanation as to how they propose to deliver the required services. We should also spend time investigating their management practices and ensure they are similar to, if not better than, our own. Timelines and the budget / cost of facilitation sub-contractor services must be in line with our own contract, i.e. we are not paying more for facilitation than we have charged the client. We need to consider spot checks (VOC) to monitor their performance. We need to ensure they have current and sufficient Professional Indemnity and Public Liability insurance to meet the head contract and our needs.
We must remember that reports are the ‘output’ of our services and may be held up in court as ‘evidence’ of negligence in our professional work. As such they must be of a high standard and cross checked. The report must reflect the training plan brief and where possible make reference to the brief. Key strategies to minimise our liability include:
The development and review of a business plan is a necessary and crucial step in managing risk. Without a plan any path or action will take us to where we don’t want to go. However if we are clear and unified in our plan then we will all be working towards a common goal and outcome.
The Key is the maintenance of a ZERO DEBT to EQUITY Ratio
Succession planning is the process whereby we train and develop the next generation of leaders, facilitators and mentors who will one day take over our roles and responsibilities. I have often said that a person in ACI GLOBAL cannot be promoted and achieve a higher salary until they have trained a competent successor.
A failure to develop successors leaves the business vulnerable to dependency on key personnel who may or may not work for the total benefit of the company. The more ‘indispensable’ a person feels, the more likely they will demand (and in most cases, be granted) concessions not earned or available to other employees. This causes disharmony in the workforce. It also allows for a shock when a person (or family member) is suddenly struck down by a debilitating illness or they seek to leave or have time off to start a family.
No plan, no flexibility and an increased risk of losing momentum or having to put in a higher cost solution is not acceptable.
ACI GLOBAL has a ZERO DEBT to EQUITY RATIO and will strive at all times to maintain this ratio, as this is the greatest protection we have in succeeding with our Succession Plan.