It provides a general overview of enterprise risk management principles that can help transform a corporation from being exposed to risk to being protected against it. The basic steps in the Risk Management Process are critically and logically analysed.
Enterprise Risk Management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
Enterprise Risk Management expands the process to include not just risks associated with accidental losses, but also financial, strategic, operational, and other risks.
In recent years, external factors have fueled a heightened interest by organizations in ERM.
Industry and government regulatory bodies, as well as investors, have begun to scrutinize companies' risk-management policies and procedures.
In an increasing number of industries, boards of directors are required to review and report on the adequacy of risk-management processes in the organizations they administer.
Since they thrive on the business of risk, financial institutions are good examples of companies that can benefit from effective ERM.
Their success depends on striking a balance between enhancing profits and managing risk.
In order for any enterprise to properly, effectively, and prudently manage their future growth, Business Strategy needs to be sustained by modern Enterprise Risk Management (ERM) principles and practices.
The Enterprise Risk Management discipline is no longer a separate management profession or a quirky management approach; it is a core competency that all organizations and executives must have in this Global Age. It should be a way of life for all.
IFAC Senior Technical Manager Vincent Tophoff's presentation during the Institute of Chartered Accountants of Pakistan's CFO Conference 2013, "CFO: Meeting Future Challenges!". Mr. Tophoff discusses current trends and thinking in risk management and best practices.
The Risk and Control Self Assessment (RCSA) is an integral part of most operational risk management frameworks. RCSAs provide a structured mechanism for estimating operational exposures and the effectiveness of controls. In so doing, RCSAs help organisations to prioritise risk exposures, identify control weaknesses and gaps, and monitor the actions taken to address any weaknesses or gaps.
A well designed and implemented RCSA can help to embed operational risk management across an organisation, improving management attitudes towards operational risk management and enhancing the overall risk culture. In contrast, an inefficient or unnecessarily complex RCSA can damage the reputation of the (operational) risk function and reinforce the perception that operational risk management is a bureaucratic, compliance-focused exercise that does not support the achievement of organisational objectives.
Learn more about Risk Management and the essentials with IRM’s level 1 certification.
https://www.theirmindia.org/level1
Level 1 qualified or risk management professionals with 2-3 years of experience can also enroll for level 2 certification.
https://www.theirmindia.org/level2
Visit: https://www.theirmindia.org/
Address: IRM India Affiliate, 907,908,909, Corporate Park II, 9th Floor, VN Puran Marg, Near Swastik Chambers, Chembur Mumbai 400071
Implementation of Enterprise Risk Management with ISO 31000 Risk Management S... (PECB)
The webinar covers:
• The start of any Enterprise Risk Management Program
• The approach to developing a framework that will assist organizations to integrate RM into their enterprise-wide risk management systems
• The relationship between the foundations of the risk management framework and their objectives
Presenter:
This webinar was presented by M. Youssef K, an executive consultant & trainer with several qualifications. He is an accomplished expert with over 10 years’ experience in the field of risk management, project and program management, PRINCE 2, Agile, EVM, business process analysis and design, as well as operational and organizational excellence.
Link of the recorded session published on YouTube: https://youtu.be/9fO-JqENL0I
This handbook is aimed at assisting those on the governing body of an organisation to:
• gain clarity about the interaction of governance and risk management
• avoid confusion in the responsibilities of those with an oversight role and those with an implementation role
• achieve focus on embedding risk management within the strategic framework.
ISO 31000:2009 Risk Management—Principles and guidelines and the related handbook, HB 436:2004 Risk management guidelines—Companion to AS/NZS ISO 31000:2009, deal with the implementation aspects of a risk management framework, and will assist entities to focus on operational risk management. Governance Institute's publication Enterprise Risk Management also provides a framework for approaching the implementation of risk management. This handbook deals with the link between the deliberations of boards and their oversight of management, and the alignment of risk management practices with strategic objectives throughout the organisation. This guide is not intended to advise directors on how to create an enterprise risk management system or a technical management-led risk process; these are more suited to development by management. It is intended to assist boards to integrate their governance and risk management frameworks. This in turn will assist organisations to achieve strategic focus, by providing boards with the information they need and ensuring ongoing ownership of risks by all employees in relation to achieving strategic objectives. The questions that conclude each section are included for consideration and to prompt directors' thinking. Directors will need to decide if they are relevant to their circumstances.
The key proposition of Enterprise Risk Management is value creation and/or enhancement, which ultimately delivers sustainable comparative advantage exemplified by organizational excellence. This presentation highlights key components of both management concepts and points of congruence.
This presentation provides a comprehensive plan for implementing an enterprise risk management program. It covers the costs/benefits of an ERM program, the critical knowledge, skills and abilities of a Chief Risk Officer, a risk taxonomy for insurance firms, a hypothetical organizational structure for an electric utility, a sample risk register, and other useful information.
ITS 835 Enterprise Risk Management
Chapters 13 & 14
ERM – TD Bank & Zurich Insurance Group
University of Cumberlands

Chapter 13: TD Bank
Headquartered in Toronto, Canada
2nd largest bank in Canada and 10th largest in the US
85,000 employees worldwide
Provides financial products and services
22 million customers in the following business lines: Canadian Retail; Wholesale Banking; US Retail
$896 Billion

ERM at TD Bank
Enterprise Risk Framework (ERF):
Nature of the risks to TD's business strategy and operations
How TD defines types of risks
Risk management governance
TD manages risk through processes that identify, measure, assess, control and monitor risk
Risk Appetite:
How risks are viewed and what risks to take to grow the business
Take risks to build the business only if the risks fit the business strategy and can be understood and managed
Do not expose the enterprise to any significant single-loss event
Do not risk harming the TD brand

TD Bank organizational risk
Strategic Risk – potential loss or reputational damage
Credit Risk – most significant; a payment agreement among parties fails
Market Risk – loss in financial instruments or balance sheet due to market factors
Liquidity Risk – insufficient cash or collateral resources to meet financial obligations without raising funds
Operational Risk – loss from inadequate or failed internal processes
Insurance Risk – loss to insurance factors based on the market
Legal, Regulatory and Compliance Risk – risk of negative impacts to business activities
Capital Adequacy Risk – risk of insufficient capital available compared to the capital required to complete business goals
Reputational Risk – potential of stakeholders' impressions based on business practices, activities, etc.

TD Bank risk governance structure
The business owns all risks generated and is responsible for assessing risks: design; implement controls; monitoring and reporting
Members: senior management committee; CEO and Senior Executive Team; Chief Risk Officer (CRO)
3 Lines of Defense model: business and corporate line; setting standards and challenging business assumptions; independent assurance

TD Bank risk management processes
Risk Identification, Assessment, and Reporting – recognize and understand existing risks from new or revolving business activities
Risk Measurement – quantify risks
Risk Control – how risks are handled through processes
Risk Monitoring & Reporting – dashboards, scorecards, reporting

TD Bank – conclusion
ERM framework to mitigate risks
TD Bank Risk Appetite
Governance Process
Risk Management Process

Chapter 14 – Zurich Insurance Group
Large global insurance company
10 years using ERM to remain profitable
60,000 employees
Customers in over 170 countries and territories
Capitalize on market opportunities
Tangible Results
Optimizing Risk and Rewards
Risk Culture

Zig – ...
PSD Operational Risk Event - June 2016 (PSD Group Ltd)
PSD's Banking & Financial Services sector recently hosted a forum to explore risk management in smaller banking firms.
Dr Ariane Chapelle, Director of Chapelle Consulting, was the keynote speaker, giving a thought-provoking presentation.
Risk Management is an important component of project management. It all starts at the planning stage and continues through the execution stage. There is no way a project can be implemented without strong foundations of risk management. The slides expound the subject of risk management alongside project management, like a rod and staff.
Risk Management is a necessity in contract management. The presentation addresses the need for contract risk management, which is also a foundation for project risk management.
The slides provide a fundamental understanding of concepts, principles and issues in fraud risk management. They are a comprehensive summary of general knowledge and understanding of fraud risk management.
Audit Committees have highly influential roles in supporting an entity to achieve its defined goals and objectives.
Through its powers, the audit committee has the ability to meet both the internal and external auditor in the course of its work and becomes the only "intelligent" team to have insight into the control issues affecting an entity.
Unfortunately, the audit committees in a number of organizations are not competent enough to execute their roles effectively. EMAC has capacity building programs for audit committee members geared towards equipping the committees for effective performance.
International Financial Reporting Standards (IFRS, IAS, IFRIC and SIC)
The slides provide a high-level overview of IFRS specifically designed for pension funds, as presented to one of the leading pension schemes in Tanzania.
The presentation provides an overall insight into operational fraud risk management. It explains operational fraud risk and mitigation strategies. The roles of internal audit and the audit committee are further exemplified.
Management audit is a total surgery of an organisation. It diverges from the traditional financial audit and focuses on the objectives, plans, organisational structure and the right business strategy. It is of interest to practitioners and students for understanding the technical issues covering business operations. It actually focuses on the Value for Money Audit Methodology.
1. ADVANCED RISK MANAGEMENT WORKSHOP
STELLA MARIS HOSTEL, Bagamoyo
9th - 11th April, 2014
ELSAM MANAGEMENT CONSULTANTS - EMAC
www.elsamconsult.com 1

2. Notes
These slides contain video clips to help the reader understand the risk management concepts.
To view the slides you must be in slide show mode and click on the underlined links.
The video clips are copyrighted materials and EMAC has no legal responsibility for any use other than education dissemination.

3. Welcoming Remarks
Who are we?
Elsam Management Consultants (EMAC) is a pool of professional consultants in management disciplines, established as a limited liability company in 2006.
Core functions are: Recruitment, Training and Consultancies.
More details: www.elsamconsult.com

4. Welcoming Remarks
Introduction of facilitators
Self-introduction to others on your team
Recap: share something from your personal experience in Risk Management and highlight your expectations of this training
Pick one: identify a risk and discuss it as both a threat and an opportunity
Pick a spokesperson and report to the larger group
Welcoming Remarks
6. Why this training?
Government collapse: Greece, Turkey, Africa
Global markets, more complex
Greater product complexity
New businesses (e-banking)
Increasing competition
New players

8. Organization of this training
Day 1 – Understanding Risk Management Principles
Day 2 – Public Sector Risk Management: Theoretical Implication; Practical Implication; Challenges
Day 3 – Fraud Risk Management
Day 3 – Lessons Learned from practice

10. OVERVIEW OF RISK MANAGEMENT
UNDERSTANDING THE RISK MANAGEMENT CONCEPTS AND DIGESTS

11. Presentation Plan
Defining and understanding risk
Risk and Risk Management
Objectives of Risk Management
Modeling of Risk Management Process
Risk Management Process
Guidelines for Risk Management

12. Presentation Plan cont…
Role of Internal Auditor in Risk Management
Role of Audit Committee in Risk Management
Examples of Models for Risk Management
Practical sessions (continuous)
14. Risk
Real or perceived
Risk is the threat or possibility that an action or event will adversely or beneficially affect an organization's ability to achieve its objectives.
'A calculation of both probability and improbability becoming a reality'.
Risk has no religion.
This definition is based on three scenarios:

15. Risk Scenarios
Whatever can go wrong, will go wrong.
Whatever cannot go wrong, will go wrong.
When things go wrong, they go badly wrong.

16. WHAT IS RISK?
Something happening that may have an impact on the achievement of objectives. It includes risk as an opportunity as well as a threat.
By managing threats the entity will be in a stronger position to deliver its business plan priorities. By managing opportunities the organisation will be in a better position to provide improved services and better value for money.

17. Probability VS 'Risk Magnitude'
[Figure: a scale from -10 to +10 with the labels Improbable Risk, Unlikely Risk, Likely Risk, High Magnitude Risk, Low Magnitude Risk and Probable Risks; the slide links to a video.]

18. Group study 1
Based on the video presentation:
Can you identify ten risk scenarios?
Do you agree that one risk normally results in other potential risks?
Is this a probable or an improbable risk?
What are the major risks in your organisation which are improbable?

19. EXAMPLES OF RISKS
Resources, Political, Economic, Social, Technological, Legislative/Regulatory, Environmental, Competition, Customer/Citizen, Managerial, Professional, Financial, Legal, Partnership/Contractual, Procurement, Physical, Technological……

20. Mention the risks you know in …
Public Sector Service Delivery
Banking Industry
Starting a job or career
Transport and travel
Financial management
Attending this workshop
Risks related to your organization
21. Risks:
Risk Category – Possible Risk Areas
Strategy: Planning; Business Portfolio Management Activity; New Business/Growth Opportunities; Strategy Development; Business Performance Management; Target Setting/Vision/Goals; Investor Relations; Joint Venture Mgt; Rationalisation; Communication of strategic direction set by Board
Human Resources: Workplace Industrial Relations; Employment Practices; Remuneration and Entitlements; Succession Planning; Recruitment and Retention; Workers Compensation; Skills availability/Training and Development; Leadership; Diversity; Employee Safety and Health; Performance Incentivisation; Communication; Contractors / 3rd parties
Information Technology: Data Management; Data Security; Systems Development / New systems; Systems Maintenance; Availability; Data Integrity; Service delivery; 'e' Commerce; Outsourcing management; Interface with 3rd parties; Sharing of classified information
Marketing: Competitive Positioning; Market Research; Image; Trademarks; Strategic alliance networks; Pricing / Costing; Patents; Reputation; Customer Service; New Products; Project management; Research and Development; Product portfolio; Product Liability; Obsolescence; 'e' Commerce
27. E
M
A
C
Basis of Risk Management
Risk management is a part of the wider
corporate governance and internal
control system of an organization
Corporate governance is the system by
which organizations are directed and
controlled and ensures that the
objectives and plans are established and
operations adheres to transparency,
probity and accountability
27www.elsamconsult.com
28. Pillars of Corporate Governance
Accountability
Ensure that management is accountable to the Board
Ensure that the Board is accountable to the shareholders
Fairness
Protects shareholders' rights
Treats all shareholders, including minorities, equitably
Provides effective redress for violations
Transparency
Ensures timely, accurate disclosure on all material matters, including the financial situation, performance, ownership and corporate governance
Independence
Procedures and structures are in place so as to minimize, or avoid completely, conflicts of interest
Independent directors and advisers, i.e. free from the influence of others
29. Principles of Risk Management
Risk management should:
Create value (the gain should exceed the pain)
Be an integral part of organisational processes
Be part of the decision-making process
Explicitly address uncertainty and assumptions
Be systematic and structured
Be based on the best available information
Be customizable to the entity's needs
Take human factors into account
Be transparent and inclusive
Be dynamic, iterative and responsive to change
Be capable of continual improvement and enhancement
Be continually and periodically re-assessed
Be tailorable
30. Risk management
It is not avoiding risk.
It is the application of management policies, procedures and practices to the task of identifying, analyzing, assessing, treating and monitoring the various risks that might prevent an organization from achieving its objectives.
There is no risk-free environment!
31. Risk management defined
Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. (Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management — Integrated Framework, September 2004, New York, NY.)
32. Risk Management Defined
Risk management is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives. (IIA)
Risk management is the identification, assessment and prioritization of risks (risk being defined in ISO 31000 as the effect of uncertainty on objectives) and the subsequent application of resources to minimize, monitor and control the probability and/or impact of downside events, or to maximize the realization of opportunities.
It deals with the management of uncertainty, risks and opportunity towards the achievement of company goals and objectives.
33. Objectives of Risk Management
Supports strategic and business planning
Enhances communication between directors and departments
Supports effective use of resources
Promotes continual improvement
Helps focus internal audit programmes
Fewer shocks and unwelcome surprises
Reassures stakeholders
Quicker grasp of new opportunities
34. Objectives and RM
Risk can be described as the chance of something happening that will have an impact on objectives. It is measured in terms of consequences and likelihood.
Objectives must be defined before the risks that may affect those objectives are defined.
Risk management must be linked to objectives, strategies and projects.
35. Benefits of Risk Management
Aligns risk profile and strategy
Broadens risk awareness
Minimizes surprises and losses
Rationalizes capital requirements
Improves shareholder value
Assures regulatory compliance
36. Hard and Soft Side of Risk Management
Hard side: Measures and Reporting; Risk Oversight Committees; Policies and Procedures; Risk Assessment; Risk Limits; Audit Process; Systems
Soft side: Risk Awareness; People; Skills; Integrity; Incentives; Culture and Values; Trust and Communication
42. Risk Management Frameworks
Modeling of Risk Management & Risk Management Standards
43. Common Risk Management Standards
Risk Management Standard (IRM, ALARM and AIRMIC) of the UK
ISO 31000 Risk Management – Principles and guidelines
ISO Guide 73 – Risk Management Vocabulary
BS 31100 Code of practice for Risk Management
AS/NZS 4360:2004 Risk Management Standard
COSO Enterprise Risk Management
Canadian Government Sector Standard
Basel II/III (ICAAP)
Solvency II (ORSA)
King Report (South Africa)
45. Many Models To Choose Among
COSO
COCO
Cadbury Report
Deming Award
TQM
12 Attributes
Deep Learning Framework
Baldrige Award
ISO 31000
Westinghouse Award
Northrop Award
46. Who Developed the Models?
COSO: the five sponsoring accounting and auditing professional organizations issued the COSO Internal Control – Integrated Framework in 1992.
12 Criteria: the Canadian Comprehensive Auditing Foundation published Effectiveness Reporting and Auditing in the Public Sector in 1987.
COCO: in November 1995, the Canadian Institute of Chartered Accountants (CICA) published Guidance on Control.
47. Who Developed the Models? (Continued)
ISO 31000 was developed by the International Organization for Standardization (ISO) and first published in 2009.
Deep Learning Framework: in 1990, Peter Senge published the now classic The Fifth Discipline, and in 1994 The Fifth Discipline Fieldbook.
48. Different Frameworks: Same Goals
Frameworks provide a way of understanding our organizations.
By grouping matters differently, each highlights some aspects of control more than others.
The criteria in the frameworks provide a basis for understanding control in an organization and for making judgements about the effectiveness of control.
49. Different Frameworks: Same Goals
Frameworks provide a systematic, step-by-step method of evaluating and addressing the adequacy of controls in multiple dimensions of a business.
Frameworks provide a standard review process.
Frameworks provide a tool that helps management and auditors evaluate the adequacy of controls in multiple dimensions of the business; it gives a picture of how well all of the controls in all of the dimensions are working.
55. Risk Management Process
Establish context: the strategic, internal and external context.
Identify risks: what can go wrong? Missed opportunities?
Analyse risks (analysis/measurement): assess risk likelihood and consequence; review.
Evaluate risks: compare risks and set risk priorities.
Treat risks (treatment options): reduce, avoid, transfer or retain.
Identification, analysis and evaluation together form the risk assessment. Communication and consultation, monitoring and review, and assessment of risks and controls run alongside every step.
56. Risk Management Process: COSO Framework
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission.
It is a US private-sector organization dedicated to providing guidance to executives, management and governance entities on critical aspects of governance, business ethics, internal control, ERM, fraud and financial reporting.
COSO has established a common internal control model against which companies and organizations may assess their control systems.
57. COSO AND ISO 31000
COSO defines ERM as a process:
effected by an entity's board of directors, management and other personnel;
applied in strategy setting and across the enterprise;
designed to identify potential events that may affect the entity;
managing risks within its risk appetite; and
providing reasonable assurance regarding the achievement of entity objectives.
The IRM/AIRMIC/ALARM Risk Management Standard defines risk management as the process whereby organizations methodically address the risks attaching to their activities, with the goal of achieving sustained benefit within each activity and across the portfolio of all activities.
More generally, it is a decision-making discipline that reduces uncertainty and manages potential variations from expected outcomes in achieving company goals (RIMS).
58. COSO AND ISO 31000 (continued)
ISO 31000 describes risk management as:
an integral part of all organizational processes;
not a stand-alone activity that is separate from the main activities and processes of the organization;
part of the responsibilities of management; and
an integral part of all organizational processes, including strategic planning and all project and change management processes.
In practical terms, is the whole of the business not just risk management? Why?
Buffett defines risk management as
59. Analysis of the Warren Case
What is risk management?
What are the consequences of confining risk management activities to a single unit in an organisation?
Who is supposed to manage risk in an organisation?
What is the status of risk management today?
Summary of Risk Management Models
Case study of risk in the hospitality industry
Case Study II – Risk Management
62. COSO Framework (Control Framework)
A car internal-control exemplification (figure)
63. Effective Risk Management
Organizations should set out a risk management strategy in order to ensure that they achieve their goals and objectives.
When the management of risk goes well it often remains unnoticed. When it fails, the consequences can be significant and high-profile. Any responsible organisation needs to avoid this, hence the need for effective risk management.
64. Effective Risk Management
A risk management strategy describes the processes that will be put in place to link, identify, assess, address, review and report risks, and describes the principles that underpin this approach.
The diagram below summarises the risk management process within the organisation.
68. Elements of Risk Management
Identifying risks;
Assessing risks;
Addressing risks;
Reviewing and reporting risks.
69. The entity should ensure that it:
has a robust approach to risk management, aiming to identify, assess, address, review and report risk in a way that can stand audit scrutiny, building on best practice and protecting the interests of its stakeholders;
is accountable: processes and data will be open to review by its auditors, and it will respond to the improvements they suggest; and
encourages appropriate risk-taking, with a view to fostering an innovative approach to policy making and service delivery.
70. Identifying risk
A 'risk' is something that may have an impact on the achievement of our priorities. It may come from outside the organisation, or may arise from shortcomings in its own systems and procedures.
Identification can be done through staff workshops or work groups.
Consideration should be given to categories of risk.
The issues should be prepared and presented in the form of risk scenarios.
71. Identifying risk
Risk category: Possible risks
Compliance risk: the risk of failing to comply with statutory requirements
External risk: risks from changing public or government attitudes
Financial risk: risks arising from spending, fraud or impropriety, or insufficient resources
Operational risk: risks associated with the delivery of examination papers to the regional centres, arising, for example, from logistic difficulties, diversion of staff to other duties, or IT failures
Project risk: risks of specific projects missing deadlines or failing to meet stakeholder expectations
72. Identifying risk
Risk type: Possible risks
Reputation risk: risks from damage to the organisation's credibility and reputation
Risks facing the banking sector: risks to our stakeholders that need to be taken into account in our planning and service provision, for example fraud
Strategic risk: risks arising from policy decisions or major decisions affecting organisational priorities; risks arising from senior-level decisions on priorities
Technology risk: risks arising from outdated technology, inadequate data processing and software malfunctioning
Human resource risk: it is impossible to recruit staff with the required skills, key staff are ill and unavailable at critical times, or the required training for staff is not available
73. Identifying Risk: What To Do?
Once risks have been identified, essential information about them will be gathered in the form of a risk register (see appendix 1). There will be a central register of the entity's most important risks, built up from information provided by each department.
74. Identifying Risk: What To Do?
The identification of risks is a continuous process and all staff have a part to play; it is not the sole domain of managers.
Systematically identifying risks will enable risks to be assessed and dealt with.
It will also help to identify new opportunities for policy direction and business planning, by showing what the future risks to management of .................................
75. Assessing Risk
To assess risks adequately, the entity will identify the consequences of a risk occurring and give each risk a score or risk rating.
Whoever identifies a risk should be responsible for assessing it.
76. Assessing Risk
This initial assessment will then be refined with the help of colleagues and managers, and a 'risk owner' will be identified who will be responsible for reviewing and accepting the assessment that is entered onto the risk register.
The consequences of the identified risks will be grouped into one or more of the categories outlined earlier. Using these categories allows similar risks to be grouped and helps to identify cross-cutting risks.
77. Risk Rating
A means of comparing risks is needed so that efforts can be concentrated on addressing those that are most important.
Each risk will be given a score, depending on both its likelihood and its impact, as shown in Figure 1 below.
Any risks that are both very likely to occur and will have a high impact are the ones that demand immediate attention.
78. Risk Rating: Risk Assessment Matrix (score = likelihood x impact)
Likelihood \ Impact     Low (1)   Medium (2)   High (3)   Very High (4)
Very High (4)           4         8            12         16*
High (3)                3         6            9          12
Medium (2)              2         4            6          8
Low (1)                 1         2            3          4
79. Risk Rating: Likelihood
The probability of the threat being realised will be expressed as Very High (VH), High (H), Medium (M) or Low (L), using the definitions below:
L: Rare (the risk may occur in exceptional circumstances);
M: Possible (the risk may occur in the next three years);
H: Likely (the risk is likely to occur more than once in the next three years); and
VH: Almost certain (the risk is likely to occur this year or at frequent intervals).
80. Risk Rating: Impact
The effect of the risk being realised will be expressed as Very High (VH), High (H), Medium (M) or Low (L), using the definitions below:
L: minimal financial losses; service delivery unaffected; no legal implications; unlikely to affect the core business; unlikely to damage reputation.
M: medium financial losses; reprioritising of services required; minor legal concerns raised; minor impact on the health sector and facilities; short-term reputation damage.
82. Risk Rating: Impact (continued)
H: major financial loss; need to renegotiate business plan priorities; potentially serious legal implications (e.g. risk of successful legal challenge); significant impact on the ..............; longer-term damage to reputation.
VH: huge financial loss; key deadlines missed or priorities unmet; very serious legal concerns (e.g. high risk of successful legal challenge, with substantial implications for the entity); major impact on core business; loss of stakeholder and public confidence.
83. Inherent risk rating against control rating (heat map)
Axes: Inherent Risk Rating (Low, Moderate, High, Very High; scale 0 to 10) against Mitigating Practices / Control Rating (Adequate to Inadequate; scale 0 to 10).
Active Management: risks where treatment options require preparation, active review and management. Active management is required where the consequence is rated 5, otherwise periodic monitoring.
Control Critical: control is adequate; continued monitoring of controls to confirm this.
Periodic Monitoring: control is not strong but the risk impact is not high. Options include improving control or monitoring the risk impact to ensure the residual risk rating does not increase over time.
No Major Concern: risks where the systems and processes managing them are adequate and subject to minimal monitoring.
84. Residual risk ratings
This is an alternative risk heat map preferred by some, as it shows that there are no absolute risk boundaries but rather a gradual change in risk.
Axes: Inherent Risk Rating (Low to High) against Mitigating Practices / Control Rating (Excellent to Unsatisfactory).
Zones: No Major Concern; Periodic Review; Continuous Review; Active Management.
85. Risk Appetite
Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.
Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (the range of acceptable variation).
The primary objective of managing operational risk is risk reduction and proactive prevention.
Risk cuts across every operation and function of a financial institution.
88. Risk Assessment Process
To make an initial assessment of risk, a 'bottom-up and top-down' approach will be adopted.
This means identifying and assessing risks at an operational level, using the departmental Performance Teams and directorates' team meetings, and at the same time having the Management Team identify the major risks affecting the organisation.
89. Risk Assessment Process
The bottom-up process of identifying risks through involving staff should be as exhaustive as possible, identifying all potential risks no matter how small (and including health and safety risks for staff).
90. Risk Assessment Process
These will then be reviewed by the departmental Performance Team, comprising a nominated departmental risk co-ordinator from each department and the Risk Coordinator.
The group will identify the more significant risks that need to be placed on the corporate risk register. This process will be overseen by the Risk Coordinator, who will ensure consistency in the way risks are assessed and categorised.
For every risk identified as important enough to be placed on the corporate risk register, a 'risk owner' will be identified (responsible for overseeing the management of the risk and making sure appropriate resources are available to do this) and a 'risk coordinator' (responsible for day-to-day management of the risk, implementing countermeasures and monitoring their effectiveness).
91. Risk Assessment Process
The Management Team will also identify the major corporate risks to the organisation, with the responsible Director identifying in particular the major financial risks. For such major corporate risks, directors are likely to be both the risk owner and the risk coordinator.
The Management Team will then take a strategic view of all risks identified as needing to be placed on the corporate risk register, assessing them against the entity's business plan priorities. They will identify the most critical risks and report these to the Board of Directors through the audit committee.
92. Risk Assessment Process
This process will identify a set of significant risks that need to be addressed and placed on the corporate risk register, which will then be maintained by the organisation's risk co-ordinator. Other risks identified by staff through risk identification workshops, team meetings etc. should be recorded within the originating department and kept under review by the departmental risk co-ordinator.
93. Addressing Risks
Having identified significant risks and placed them on the corporate risk register, a process will be undertaken to decide what to do about each risk, through the departmental Performance Team and the Management Team.
94. Addressing Risk: Assessing current risk controls
The first step is to look at what mechanisms are already in place to deal with the identified risks. For many risks, for example the risk of examination paper leakage, action may already have been taken to treat or eliminate the risk under all circumstances in which it could arise.
Where such mechanisms are in place, the Departmental Performance Teams should examine them to judge whether they are adequate, whether any 'residual risk' remains, or whether the risk might 'slip through' the existing mechanisms under some circumstances. In some cases, risks may be deemed to be 'over-controlled'; the action in that case may be to ease such controls and allow the risk to be taken.
95. Addressing Risk
In this way, risks can be addressed through 'gap analysis', focusing only on those risks that are not adequately treated, or are not treated at all.
The next stage is to look at how such risks may be dealt with.
96. How to deal with risk
Transfer the risk: through conventional insurance, or by asking a third party to take on the risk in another way.
Contracting out services, for example, transfers some, but not all, risks (and can introduce a new set of risks to be managed);
97. How to deal with risk
Tolerate the risk: the ability to take effective action against some risks may be limited, or the cost of taking action may be disproportionate to the potential benefit gained.
In this instance, the only management action required is to 'watch' the risk to ensure that its likelihood or impact does not change. If new management options arise, it may become appropriate to treat the risk in the future;
98. How to deal with risk
Treat the risk: by far the greater number of risks will be in this category.
The purpose of 'treatment' is not necessarily to terminate the risk but, more likely, to establish a planned series of mitigating actions to contain the risk to an acceptable level; and
99. How to deal with risk
Terminate the risk: this is a variation of the 'treat' approach, and involves quick and decisive action to eliminate a risk altogether.
For example, terminating risks arising from outdated .............. systems by buying new ones (although new systems may, in themselves, introduce new risks).
100. Risk Treatment (decision flow)
START HERE: Is the risk acceptable?
Yes: accept the risk (retain it), then monitor and review.
No: apply a treatment strategy: (1) recommend, (2) choose and (3) implement options that reduce likelihood, reduce consequence, transfer or avoid the risk.
Then ask: Is the residual risk acceptable?
Yes: the part retained is accepted; monitor and review.
No: unacceptable residual risk; return to the treatment strategy and choose further treatment.
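The 4x4 scoring matrix (slide 78), the likelihood and impact definitions (slides 79 to 82) and the treatment decision flow above, carried through as a small risk register in Python. This is an added example, not code from the deck or from Elsam Consult. The band thresholds, the appetite score of 6, the 'steps' model of how a control lowers likelihood or impact, and the register entries are all assumptions made for the example; the entries are constructed in the deck's own risk categories, the first being a data security risk from the Information Technology category.

```python
"""Likelihood x impact scoring, a small risk register and the treatment flow.
Added illustration, not the deck's own code. Band thresholds, the appetite
score, the 'steps' control model and the entries are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum


class Likelihood(IntEnum):
    LOW = 1        # Rare: may occur in exceptional circumstances
    MEDIUM = 2     # Possible: may occur in the next three years
    HIGH = 3       # Likely: more than once in the next three years
    VERY_HIGH = 4  # Almost certain: this year or at frequent intervals


class Impact(IntEnum):
    LOW = 1        # minimal loss, service delivery unaffected
    MEDIUM = 2     # medium loss, services reprioritised
    HIGH = 3       # major loss, business plan priorities renegotiated
    VERY_HIGH = 4  # huge loss, stakeholder confidence lost


def score(likelihood: Likelihood, impact: Impact) -> int:
    """Cell of the 4x4 matrix: likelihood x impact, 1..16."""
    return int(likelihood) * int(impact)


def band(s: int) -> str:
    """Rating band for a score (thresholds assumed for the example)."""
    if s >= 12:
        return "very high"
    if s >= 8:
        return "high"
    if s >= 4:
        return "medium"
    return "low"


RISK_APPETITE = 6  # assumed: a score above this is outside appetite


@dataclass
class Treatment:
    option: str                # "reduce", "transfer", "avoid" or "tolerate"
    likelihood_steps: int = 0  # likelihood levels the control removes
    impact_steps: int = 0      # impact levels the control removes


@dataclass
class Risk:
    ref: str
    category: str
    description: str
    owner: str                 # the risk owner who accepts the assessment
    likelihood: Likelihood
    impact: Impact
    treatments: list = field(default_factory=list)

    def inherent(self) -> int:
        return score(self.likelihood, self.impact)

    def residual(self) -> int:
        """Score after the planned treatments; 'avoid' removes the risk."""
        lk, im = int(self.likelihood), int(self.impact)
        for t in self.treatments:
            if t.option == "avoid":
                return 0
            lk = max(1, lk - t.likelihood_steps)
            im = max(1, im - t.impact_steps)
        return lk * im


def decide(risk: Risk, appetite: int = RISK_APPETITE) -> str:
    """The treatment flow: accept, treat, retain (monitor) or escalate."""
    if risk.inherent() <= appetite:
        return "accept"    # within appetite: record and monitor
    if not risk.treatments:
        return "treat"     # recommend, choose and implement a strategy
    if risk.residual() <= appetite:
        return "retain"    # residual accepted; monitor and review
    return "escalate"      # unacceptable residual: further treatment needed


def sample_register() -> list:
    """Constructed entries in the deck's own categories (not real data)."""
    return [
        Risk("IT-01", "Technology risk",
             "Exam papers on the file server disclosed before the sitting",
             "Head of IT", Likelihood.HIGH, Impact.VERY_HIGH,
             [Treatment("reduce", likelihood_steps=2)]),  # encryption, least privilege
        Risk("OP-02", "Operational risk",
             "Results system unavailable on publication day",
             "Operations Director", Likelihood.MEDIUM, Impact.HIGH),
        Risk("HR-03", "Human resource risk",
             "Key marker unavailable at a critical time",
             "HR Manager", Likelihood.VERY_HIGH, Impact.MEDIUM),
        Risk("FI-04", "Financial risk",
             "Fraudulent fee refunds through the payments portal",
             "Finance Director", Likelihood.VERY_HIGH, Impact.HIGH,
             [Treatment("transfer", impact_steps=1)]),   # crime insurance
    ]


def prioritised(register: list) -> list:
    """(ref, inherent score, band, decision) rows, highest inherent first."""
    rows = [(r.ref, r.inherent(), band(r.inherent()), decide(r)) for r in register]
    return sorted(rows, key=lambda row: row[1], reverse=True)
```

Calling `prioritised(sample_register())` returns the register ordered by inherent score with one of the four outcomes per entry: IT-01 (12, very high) is retained once its controls bring the residual to 4; OP-02 (6) is accepted as within appetite; HR-03 (8) has no treatment yet and needs one; FI-04 (12) stays at a residual of 8 after insurance and is escalated for further treatment. The 'steps' model is deliberately crude; in practice the risk owner re-assesses likelihood and impact after each control rather than subtracting levels.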
111. Role of the internal auditor in RM
Giving assurance on risk management processes.
Giving assurance that risks are correctly evaluated.
Evaluating risk management processes.
Evaluating the reporting of key risks.
Reviewing the management of key risks.
112. Role of the internal auditor (with safeguards)
Facilitating identification and evaluation of risks.
Coaching management in responding to risks.
Coordinating ERM activities.
Consolidating the reporting on risks.
Maintaining and developing the ERM framework.
Championing the establishment of ERM.
Developing the risk management strategy for board approval.
113. What the IA should not do
Setting the risk appetite.
Imposing risk management processes.
Management assurance on risks.
Taking decisions on risk responses.
Implementing risk responses on management's behalf.
Accountability for risk management.
115. Role of the Audit Committee in RM
Plays a critical role in ERM by establishing the right environment, or tone at the top.
Plays a vital role in overseeing management's approach to ERM; without its oversight, ERM may not be embraced by senior management.
Discusses policies with respect to risk assessment and risk management.
Better risk intelligence means both the audit committee and the full board are better informed.
116. Conclusion
Risk management is a process; therefore put in place a strategy for introducing it.
Develop a risk management strategy.
Develop a risk management framework tailored to your activities (avoid copying and pasting).
Develop a risk management policy and guidelines.
Develop a risk management capacity-building programme.
118. Risk management in public institutions
It is now recognized that risk management is an essential part of securing the health of any organization, including public sector institutions.
Risks are inherent in public institutions as well as in the private sector; this applies to the whole of the public sector.
Risk management is new in public organizations, but the concept of risk is not new.
Government internal auditors have a special mandate to champion its establishment and monitoring.
119. Risk Management in the Public Sector
The public sector is currently undergoing radical change through reforms.
There are new risks related to human rights, unemployment and corporate governance.
Risk management should be a vital part of the functions and activities provided by public institutions.
Without risk management it will not be possible to achieve good corporate governance or the aims and intentions of much legislation and many rules.
120. Risk Management in the Public Sector
Failure to pay proper attention to the likelihood and potential consequences of risk can cause public institutions serious problems.
These include high employee absenteeism, financial costs, service disruption, bad publicity, low staff morale, threats to public health, high staff turnover, violent demonstrations and claims for compensation.
What to do, then? Public sector institutions should recognize risk management as critical to the achievement of their goals and governance responsibilities. They should establish a risk management process that is clearly defined and documented, and continuously apply risk management practices in decision making.
125. Pillars of Operational Risk Management (figure)
Executive Management, supported by the pillars:
Losses
CSA (Control Self Assessment)
Issues
Indicators
Qualitative/Quantitative Analyses
resting on a Common Operational Risk Classification Scheme
127. Control Self Assessment: Outline
Control Self Assessment Definition
Control Self Assessment Objectives
Enterprise-wide Control Self Assessment Framework
Balanced Scorecard
CSA Methodology
Results
Corporate Governance
CSA Rollout: Project Time Line
128. Control Self Assessment: Definition
Control Self Assessment is a risk management tool used by business managers to transparently assess risk and control strengths and weaknesses against a Control Framework. The "self" assessment refers to the involvement of management and staff in the assessment process.
129. Control Self Assessment: Objectives
Communication
To ensure better communication of the DG's objectives and strategies to all business lines
To ensure business line managers communicate their risks and controls more effectively
Education
To ensure business line managers have a better comprehension of effective risk control
To ensure business line managers have a better comprehension of risk management
Proactive Management
To ensure business line managers align their objectives and strategies with the DG's objectives and strategies
To ensure business line managers assume greater responsibility and accountability for their risks and controls
To ensure business line managers monitor their risks effectively and in a timely manner
To ensure business line managers utilize and allocate their resources effectively
132. Step 1: Objective Setting
Balanced Scorecard*: a tool that translates a firm's mission and strategy into a comprehensive set of performance measures, providing the framework for a strategic measurement and management system.
Objectives:
Ensures linkage between the objectives of senior management and the businesses
Increased focus on the appropriateness of the objectives
Reinforced as the central "top-down" articulation of goals
Provides a framework within which the oversight functions, risk management and the business lines operate
133. Step 2: CSA Methodology: the ORCA Framework
Objectives
Risk Assessment of Key Processes
Controls
Action Plans
The ORCA framework components fit logically together to form a comprehensive relationship between firm-wide objectives, processes and risks, and controls. This relationship may be viewed as the core of a firm's internal control.
134. Step 2: CSA Methodology: the ORCA Framework (continued)
To find equilibrium, the business managers must carefully assess the risks inherent within their key processes and apply controls that will work at a reasonable cost.
136. Step 2: CSA Methodology: Key Indicators
Metrics that measure the effectiveness of controls in mitigating or managing risks, used:
To measure operational problems
To monitor the quality of the services provided
To provide early warning of problems
To aid in the containment of losses
To determine trends
To set limits for risk or escalation criteria
To facilitate everyday decisions.
137. General Approaches for CSA
Facilitated meetings: group workshops
Questionnaires: yes/no answers
Management analysis: self studies
138. Corporate Governance
The enterprise-wide CSA framework presented here is a key component of a robust corporate governance structure. It enables the organization to inform executive management of the current state of the firm's risk environment on an ongoing basis.
141. Advantages of CSA
The presented enterprise-wide control self-assessment framework:
Provides the flexibility and dynamism to evolve with the changing firm
Allows a firm to manage risks from both the "top-down" and "bottom-up" perspectives
Is an integral component of a strong corporate governance structure
142. Way Forward
Control risk self assessment (CRSA) is an important management tool.
We have matured in risk management and it is therefore time to move a step further through CRSA.
We have new issues in place, so a control review is imperative.
There is a critical need for organisations to prepare for CRSA in the interests of efficiency and effectiveness of operations.