SlideShare a Scribd company logo

mr neeraj - day 1 - compliance

•Download as PPTX, PDF•
•
Neeraj Verma
Neeraj Verma
1 of 53
Corporate compliance, Risk Management and Internal Audit February 22, 2008
Today’s organizations are concerned about: •Risk Management •Governance •Control
ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to- day.
Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Enterprise Risk Management — Integrated Framework
The ERM Framework Entity objectives can be viewed in the context of four categories: Strategic Operations Reporting Compliance
The ERM Framework ERM considers activities at all levels of the organization:  Enterprise-level  Division  or subsidiary  Business unit processes
Enterprise risk management requires an entity to take a portfolio view of risk. The ERM Framework
• Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level The ERM Framework
The eight components of the framework are interrelated … The ERM Framework
Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture.
Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives.
Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis.
Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses.
Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls.
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization. Information & Communication
Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two.
Internal Control A strong system of internal control is essential to effective enterprise risk management.
• Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.” Relationship to Internal Control - Integrated Framework
ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors
Compliance/Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements
1. Establishing an ERM organization 2. Performing risk assessments 3. Organizational design of business 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management Key Implementation Factors
Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)
Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year
Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities
Example: ERM Organization ERM Director Vice President and Chief Risk Officer Corporate Credit Risk Manager Insurance Risk Manager ERM Manager ERM Manager Staff StaffStaff FES Commodity Risk Mg. Director
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Assess Risk
Environmental Risks • Capital Availability • Regulatory, Political, and Legal • Financial Markets and Shareholder Relations Process Risks • Operations Risk • Empowerment Risk • Information Processing / Technology Risk • Integrity Risk • Financial Risk Information for Decision Making • Operational Risk • Financial Risk • Strategic Risk Example: Risk Model
Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors Control It Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Level Entity Level Risk Monitoring Identification Measurement Prioritization Risk Assessment Risk Analysis
Determine Risk Appetite • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) Determine Risk Appetite
• Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage) Identify Risk Responses
Impact vs. Probability Control Share Mitigate & Control Accept High Risk Medium Risk Medium Risk Low Risk Low High High I M P A C T PROBABILITY
Low High High I M P A C T PROBABILITY High Risk Medium Risk Medium Risk Low Risk Example: Call Center Risk Assessment • Loss of phones • Loss of computers • Credit risk • Customer has a long wait • Customer can’t get through • Customer can’t get answers • Entry errors • Equipment obsolescence • Repeat calls for same problem • Fraud • Lost transactions • Employee morale
Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing Issue: Invoices go to field and AP is not aware of liability. Example: Accounts Payable Process
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments Communicate Results
Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks
• Accountability for risks • Ownership • Updates - Changes in business objectives - Changes in systems - Changes in processes Management Oversight & Periodic Review
Adopting an Integrated View of Governance, Risk and Compliance (GRC)
Thank you

Recommended

Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
Entetrprise risk management process
Entetrprise risk management processEntetrprise risk management process
Entetrprise risk management processRabin K. Acharya PhD (MPhil,MBA,MPA,MA)
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementStephen Ong
 
Risk based auditing
Risk based auditingRisk based auditing
Risk based auditingTunde Elijah Kelani
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Risk management models - Core Consulting
Risk management models - Core ConsultingRisk management models - Core Consulting
Risk management models - Core ConsultingCORE Consulting
 

Recommended

Coso erm
Coso ermCoso erm
Coso ermHumberto Omar Valverde Taborga
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORENaresh Parandhaman
 
Entetrprise risk management process
Entetrprise risk management processEntetrprise risk management process
Entetrprise risk management processRabin K. Acharya PhD (MPhil,MBA,MPA,MA)
 
Coso erm
Coso ermCoso erm
Coso ermluisrobles_cl
 
Bcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementBcu msc cg week 4 risk management
Bcu msc cg week 4 risk managementStephen Ong
 
Risk based auditing
Risk based auditingRisk based auditing
Risk based auditingTunde Elijah Kelani
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)deeptica
 
Risk management models - Core Consulting
Risk management models - Core ConsultingRisk management models - Core Consulting
Risk management models - Core ConsultingCORE Consulting
 
Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrkRavinder Kumar Bhan
 
corporate risk management
corporate risk management corporate risk management
corporate risk managementUniversiti Malaysia Pahang
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Sadia Razzaq
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk managementAndre Knipe
 
Risk management process
Risk management processRisk management process
Risk management processeduCBA
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationInternational Federation of Accountants
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
What is the role of a risk management ppt
What is the role of a risk management pptWhat is the role of a risk management ppt
What is the role of a risk management pptAD Baj
 
Fundamentals of-risk-management
Fundamentals of-risk-managementFundamentals of-risk-management
Fundamentals of-risk-managementMajd Ghanem,MBA
 
The role of auditing in the erm process
The role of auditing in the erm processThe role of auditing in the erm process
The role of auditing in the erm processSalih Islam
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in businessr2financial
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingveritama
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingAmar Deep Ghimire
 
Corporate risk management
Corporate risk managementCorporate risk management
Corporate risk managementPraxiom
 
Risk Management1
Risk Management1Risk Management1
Risk Management1Henry H L Lim
 
Public Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementPublic Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementDr David Hancock
 
Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.pptSashaKing4
 

More Related Content

What's hot

Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Sadia Razzaq
 
Risk management
Risk managementRisk management
Risk managementLepipi
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk managementAndre Knipe
 
Risk management process
Risk management processRisk management process
Risk management processeduCBA
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationInternational Federation of Accountants
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentalsmikaelastafrace
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk managementSubhendu Datta
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop Ersoy AKSOY
 
What is the role of a risk management ppt
What is the role of a risk management pptWhat is the role of a risk management ppt
What is the role of a risk management pptAD Baj
 
Fundamentals of-risk-management
Fundamentals of-risk-managementFundamentals of-risk-management
Fundamentals of-risk-managementMajd Ghanem,MBA
 
The role of auditing in the erm process
The role of auditing in the erm processThe role of auditing in the erm process
The role of auditing in the erm processSalih Islam
 
Risk identification
Risk identificationRisk identification
Risk identificationmurukkada
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in businessr2financial
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingveritama
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingAmar Deep Ghimire
 
Corporate risk management
Corporate risk managementCorporate risk management
Corporate risk managementPraxiom
 
Risk Management1
Risk Management1Risk Management1
Risk Management1Henry H L Lim
 
Public Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementPublic Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementDr David Hancock
 

What's hot (20)

Coso erm frmwrk
Coso erm frmwrkCoso erm frmwrk
Coso erm frmwrk
 
corporate risk management
corporate risk management corporate risk management
corporate risk management
 
Risk management ppt 111p (training module)
Risk management ppt 111p (training module)Risk management ppt 111p (training module)
Risk management ppt 111p (training module)
 
Risk management
Risk managementRisk management
Risk management
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
Risk management process
Risk management processRisk management process
Risk management process
 
Upgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your OrganizationUpgrading Risk Management and Internal Control in Your Organization
Upgrading Risk Management and Internal Control in Your Organization
 
Risk Management Fundamentals
Risk Management FundamentalsRisk Management Fundamentals
Risk Management Fundamentals
 
Risk Overview & Risk management
Risk Overview & Risk managementRisk Overview & Risk management
Risk Overview & Risk management
 
IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop IIA Facilitated Risk Workshop
IIA Facilitated Risk Workshop
 
What is the role of a risk management ppt
What is the role of a risk management pptWhat is the role of a risk management ppt
What is the role of a risk management ppt
 
Fundamentals of-risk-management
Fundamentals of-risk-managementFundamentals of-risk-management
Fundamentals of-risk-management
 
The role of auditing in the erm process
The role of auditing in the erm processThe role of auditing in the erm process
The role of auditing in the erm process
 
Risk identification
Risk identificationRisk identification
Risk identification
 
The importance of risk management in business
The importance of risk management in businessThe importance of risk management in business
The importance of risk management in business
 
Enterprise risk management february 9th solution training
Enterprise risk management february 9th solution trainingEnterprise risk management february 9th solution training
Enterprise risk management february 9th solution training
 
A Presentation on Risk Based Auditing
A Presentation on Risk Based AuditingA Presentation on Risk Based Auditing
A Presentation on Risk Based Auditing
 
Corporate risk management
Corporate risk managementCorporate risk management
Corporate risk management
 
Risk Management1
Risk Management1Risk Management1
Risk Management1
 
Public Sector Enterprise Risk Management
Public Sector Enterprise Risk ManagementPublic Sector Enterprise Risk Management
Public Sector Enterprise Risk Management
 

Similar to mr neeraj - day 1 - compliance

Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSODina Pramudianti
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.pptSashaKing4
 
COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Frameworkssuser6ea258
 
Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A JourneyDebashis Gupta
 
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) model
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) modelThinkGRC justifying the transition to an Enterprise Risk Management (ERM) model
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) modelThinkGRC
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk managementComplianceOnline
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksAronson LLC
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditManoj Agarwal
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk ManagementNikhil Soni
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk ManagementGoutama Bachtiar
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceResolver Inc.
 

Similar to mr neeraj - day 1 - compliance (20)

Manajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSOManajemen Risiko Menurut COSO
Manajemen Risiko Menurut COSO
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
COSO ERM Framework
COSO ERM FrameworkCOSO ERM Framework
COSO ERM Framework
 
Internal Control COSO
Internal Control COSOInternal Control COSO
Internal Control COSO
 
Risk Management - A Journey
Risk Management - A JourneyRisk Management - A Journey
Risk Management - A Journey
 
Erm tm 10
Erm tm 10Erm tm 10
Erm tm 10
 
Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management Creating Value Through Enterprise Risk Management
Creating Value Through Enterprise Risk Management
 
Hoover.2016 Texas Bankers CFO Conference
Hoover.2016 Texas Bankers CFO ConferenceHoover.2016 Texas Bankers CFO Conference
Hoover.2016 Texas Bankers CFO Conference
 
Presentation_20110802213554
Presentation_20110802213554Presentation_20110802213554
Presentation_20110802213554
 
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) model
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) modelThinkGRC justifying the transition to an Enterprise Risk Management (ERM) model
ThinkGRC justifying the transition to an Enterprise Risk Management (ERM) model
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging RisksC-Suite’s Guide to Enterprise Risk Management and Emerging Risks
C-Suite’s Guide to Enterprise Risk Management and Emerging Risks
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
HIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINALHIRimsISO311KandERMFINAL
HIRimsISO311KandERMFINAL
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Information Security Risk Management
Information Security Risk ManagementInformation Security Risk Management
Information Security Risk Management
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Mastering Information Technology Risk Management
Mastering Information Technology Risk ManagementMastering Information Technology Risk Management
Mastering Information Technology Risk Management
 
Iso 31000 presentation
Iso 31000 presentationIso 31000 presentation
Iso 31000 presentation
 
Enterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and PerformanceEnterprise Risk Management - Aligning Risk with Strategy and Performance
Enterprise Risk Management - Aligning Risk with Strategy and Performance
 

mr neeraj - day 1 - compliance

  • 1. Corporate compliance, Risk Management and Internal Audit February 22, 2008
  • 2. Today’s organizations are concerned about: •Risk Management •Governance •Control
  • 3. ERM Defined: “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
  • 4. Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to- day.
  • 5. Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
  • 6. This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Enterprise Risk Management — Integrated Framework
  • 7. The ERM Framework Entity objectives can be viewed in the context of four categories: Strategic Operations Reporting Compliance
  • 8. The ERM Framework ERM considers activities at all levels of the organization:  Enterprise-level  Division  or subsidiary  Business unit processes
  • 9. Enterprise risk management requires an entity to take a portfolio view of risk. The ERM Framework
  • 10. • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: - Business unit level - Entity level The ERM Framework
  • 11. The eight components of the framework are interrelated … The ERM Framework
  • 12. Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture.
  • 13. Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
  • 14. Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
  • 15. Event Identification • Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence the risk profile.
  • 16. Risk Assessment • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives: - Likelihood - Impact • Is used to assess risks and is normally also used to measure the related objectives.
  • 17. Risk Assessment • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Relates time horizons to objective horizons. • Assesses risk on both an inherent and a residual basis.
  • 18. Risk Response • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. • Selects and executes response based on evaluation of the portfolio of risks and responses.
  • 19. Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls.
  • 20. • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization. Information & Communication
  • 21. Monitoring Effectiveness of the other ERM components is monitored through: • Ongoing monitoring activities. • Separate evaluations. • A combination of the two.
  • 22. Internal Control A strong system of internal control is essential to effective enterprise risk management.
  • 23. • Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.” Relationship to Internal Control - Integrated Framework
  • 24. ERM Roles & Responsibilities • Management • The board of directors • Risk officers • Internal auditors
  • 25. Compliance/Internal Auditors • Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance. • Assist management and the board or audit committee in the process by: - Monitoring - Evaluating - Examining - Reporting - Recommending improvements
  • 26. 1. Establishing an ERM organization 2. Performing risk assessments 3. Organizational design of business 4. Determining overall risk appetite 5. Identifying risk responses 6. Communication of risk results 7. Monitoring 8. Oversight & periodic review by management Key Implementation Factors
  • 27. Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)
  • 28. Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year
  • 29. Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities
  • 30. Example: ERM Organization ERM Director Vice President and Chief Risk Officer Corporate Credit Risk Manager Insurance Risk Manager ERM Manager ERM Manager Staff StaffStaff FES Commodity Risk Mg. Director
  • 31. Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed. Assess Risk
  • 32. Environmental Risks • Capital Availability • Regulatory, Political, and Legal • Financial Markets and Shareholder Relations Process Risks • Operations Risk • Empowerment Risk • Information Processing / Technology Risk • Integrity Risk • Financial Risk Information for Decision Making • Operational Risk • Financial Risk • Strategic Risk Example: Risk Model
  • 33. Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors Control It Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Level Entity Level Risk Monitoring Identification Measurement Prioritization Risk Assessment Risk Analysis
  • 34. Determine Risk Appetite • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
  • 35. Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) Determine Risk Appetite
  • 36. • Quantification of risk exposure • Options available: - Accept = monitor - Avoid = eliminate (get out of situation) - Reduce = institute controls - Share = partner with someone (e.g. insurance) • Residual risk (unmitigated risk – e.g. shrinkage) Identify Risk Responses
  • 37. Impact vs. Probability Control Share Mitigate & Control Accept High Risk Medium Risk Medium Risk Low Risk Low High High I M P A C T PROBABILITY
  • 38. Low High High I M P A C T PROBABILITY High Risk Medium Risk Medium Risk Low Risk Example: Call Center Risk Assessment • Loss of phones • Loss of computers • Credit risk • Customer has a long wait • Customer can’t get through • Customer can’t get answers • Entry errors • Equipment obsolescence • Repeat calls for same problem • Fraud • Lost transactions • Employee morale
  • 39. Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing Issue: Invoices go to field and AP is not aware of liability. Example: Accounts Payable Process
  • 40. • Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) • Flowcharts of processes with key controls noted • Narratives of business objectives linked to operational risks and responses • List of key risks to be monitored or used • Management understanding of key business risk responsibility and communication of assignments Communicate Results
  • 41. Monitor • Collect and display information • Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks
  • 42. • Accountability for risks • Ownership • Updates - Changes in business objectives - Changes in systems - Changes in processes Management Oversight & Periodic Review
  • 43. Adopting an Integrated View of Governance, Risk and Compliance (GRC)
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49.
  • 50.
  • 51.
  • 52.