
Enterprise risk management February 9th solution training



Published in: Business, Economy & Finance


  1. Enterprise Risk Management – Basics, Application, Implementation & Audit Linkages
     By CA Huzeifa I. Unwala
     February 09 2013
  2. SECTION I: Pre-cursor
  3. “Risk is a part of God's game, alike for men and nations.” - Warren Buffett
     “Hope for the best but prepare for the worst” - Anonymous
  4. The Olympics Risk Management Case Study
     • Olympics organizers and the IOC have wisely leveraged the business world's growing understanding of risk management. "Risk-based" approaches to planning for the Vancouver 2010 Winter Olympics and the London 2012 Summer Olympics (confirmed through research interviews with senior officials) reveal the strong influence of the ideas and practice of risk management, for example in the creation of risk registers (i.e. databases) and monitoring systems put in place to spot issues that pose potential dangers further down the line.
     • Ensuring readiness for Games-time (in Olympic-speak) now involves strategic pre-emption through stress-testing and scenario planning. Table-top gaming exercises at the top of the chain of command and practical training of personnel through rehearsals are routine across many of the diverse functions of Olympic operations. In the months leading up to London 2012, for example, visible military rehearsals were staged on the River Thames in addition to many test events performed on the main site. Ahead of Vancouver 2010, IT planning identified around six hundred scenarios for rehearsals in a formal playbook which also documented procedures to follow in the event of an incident.
  5. Simplified version of Risk Management
     “Ability to anticipate is the key element in risk management”
     “It has two dimensions – potential damage and opportunity”
  7. Enterprise Risk Management
     The Committee of Sponsoring Organizations, known as COSO, defines enterprise risk management (ERM) as:
     “…A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
     India :: Clause 49 of listing agreement
     • Annexure I (IV) (C): The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure the executive management controls risks through means of a properly defined framework.
     • Annexure I (IV) (F): Management discussion and analysis report should include discussion on the risk and concerns within the limits set by the company’s competitive position.
     Global references
     • ISO 31000
     • COSO / COBIT / IIA
     Practical Applications
     • Business Value Creation & Risk Management
     • Decision making
     • Project Management
     • Assurance
     • Governance
  8. Need for Business Risk Management
     • Economic uncertainty & price volatility
     • Monitoring and performance management
     • Lack of appreciation of common business issues
     • Integrated Planning
     • Effective Statutory & Internal Audit
     • Low tolerance for surprises
     • Need to increase transparency
     • Need to respond on a real time basis
     • Need to empower employees to take informed decisions
     • Create an environment for Value creation
  9. Results of an opinion poll on practical benefits of ERM
  10. ERM a pillar of good corporate governance
      GOOD BOARD PRACTICES
      • Clearly defined roles and authorities
      • Duties and responsibilities of directors understood
      • Board is well structured
      • Appropriate composition and mix of skills
      • Appropriate board procedures
      • Director remuneration in line with best practice
      • Board self-evaluation and training conducted
      CONTROL ENVIRONMENT
      • Independent audit committee established
      • Risk-management framework present
      • Internal control procedures
      • Internal audit function
      • Independent external auditor conducts audits
      • Management information systems established
      • Compliance function established
      BOARD COMMITMENT
      • The board discusses corporate governance issues and has created a corporate governance committee
      • The company has a corporate governance champion
      • A corporate governance improvement plan has been created
      • Appropriate resources are committed
      • Policies and procedures have been formalized and distributed to relevant staff
      • A corporate governance code has been developed
      • The company is publicly recognized as a corporate governance leader
      TRANSPARENT DISCLOSURE
      • Financial information disclosed
      • Non-financial information disclosed
      • Financials prepared according to IFRS
      • High-quality annual report published
      • Web-based disclosure
      WELL DEFINED SHAREOWNER RIGHTS
      • Minority shareowner rights are formalized
      • Well-organized general assembly conducted
      • Policy on related-party transactions
      • Policy on extraordinary transactions
      • Clearly defined and explicit dividend policy
  11. Enterprise Risk Management (Source: COSO)
      • Each business entity is unique, each life stage is unique, one size does not fit all. Risk Management is all about tailoring and customization.
      • Successfully running a business is like mastering the art of risk management, which enables entities to reduce the level of uncertainty and brings in an element of predictability. ERM is not about holding the businesses back and scaring them away from taking risks; it is making them cognizant of the risk and opportunities to conduct business in a smarter way.
  12. ERM process
      Establish the context
      • Set the objectives
      • Gather the expectations of the stakeholders
      • Define the risk and reward criteria and key elements
      Identify the risks
      • What can happen?
      • How can it happen?
      Analyse the risks
      • Review controls
      • Likelihood
      • Consequences
      • Level of risk
      Evaluate the risks
      • Screen and evaluate
      • Rank and prioritise
      Treat the risks
      • Identify options
      • Select the best response
      • Develop plans
      • Implement
  13. ERM Framework
      • ERM Processes / Approach
      • ERM Structure
  14. Risk Identification and Assessment (Phase 1)
      Risk Identification
      • Understand the objective and strategy of the organization
      • Identify the focus areas to guide the risk management activities (strategic business unit and business support areas)
      • Conduct executive interviews at all business units to develop an overall company specific risk model (An “As Is” Analysis)
      • Develop Risk Universe
      • Map the risks to the focus areas
      • Use agreed-upon rating scales to assess Significance, Likelihood, and Risk Management Capabilities for identified risks
      Risk Assessment and Prioritization
      • Conduct risk assessment voting workshops to identify and prioritize risks and discuss potential risk events and strategies to better manage identified risks
      • Develop risk heat maps to prioritize risks
      Risk Model Development
      • Risk Model
      • Risk Universe & Risk Register
      • Risk Heat Maps (Group wise & Entity wise)
  15. Risk Events / Identification Triggers (Source: COSO)
      Infrastructure
      • Availability of assets
      • Capability of assets
      • Access to capital
      • Complexity
      • Mergers / acquisitions
      Personnel
      • Employee capability
      • Fraudulent activity
      • Health and safety
      • Judgment
      • Malfeasance
      • Security practices
      • Sales practices
      Process
      • Capacity
      • Design
      • Execution
      • Suppliers / dependencies
      Technological
      • Electronic commerce
      • External data
      • Emerging technology
      Natural Environment
      • Biodiversity
      • Emissions, effluents and waste
      • Energy
      • Fire
      • Natural disaster (earthquake, flood, etc.)
      • Sustainable development
      • Transport
      • Water
  16. Risk Events / Identification Triggers (Source: COSO)
      Technology
      • Data Acquisition
      • Data Maintenance
      • Data Distribution
      • Data Confidentiality
      • Data Integrity
      • Data and system availability
      • Capacity
      • System Selection / Development
      • Deployment
      • Reliability
      Economic
      • Capital availability
      • Credit: Issuance, Default, Concentration
      • Liquidity: Market, Funding, Cash flow
      • Commodity prices
      • Interest rate
      • Unemployment
      • Indices
      • Exchange rate
      • Equity valuation
      • Real estate values
      Business
      • Brand / trademark
      • Competition
      • Consumer behavior
      • Counterparty
      • Fraud
      • Industry standards
      • Ownership structure
      • Publicity
      • Product relevance
      Political
      • Governmental changes
      • Legislation
      • Public policy
      • Regulation
      Social
      • Demographics
      • Corporate citizenship
      • Environmental stewardship
      • Privacy
  17. Risk Categorization and Risk Management Evaluation (Phase 2); ERM Reporting and Implementation Plan (Phase 3)
      Risk Category Identification and Gap Analysis
      • Evaluate the Risk Management Competence of the Organization
      • Conduct a gap analysis for each selected risk, by assessing current management capability and desired capability
      • Undertake root cause analysis
      Risk Management Evaluation
      • Identify current risk responses / risk management activities, initiatives currently underway for selected risk categories, and opportunities for improvement
      ERM Report and Implementation Plan
      • Develop overall report on risk assessments, gap analysis, risk management evaluation (for selected risk categories and events) and residual risks.
      • Develop a proposed time bound ERM implementation plan
      Deliverables
      • Risk Control Matrix
      • Control wise Capability Maturity Model
      • ERM Report & Implementation Plan
  18. ERM Structure
      • Develop an appropriate risk management and oversight structure to execute and monitor the execution of risk management related activities
      • Risk Management Policies, e.g. Policy governing risk assessment of contracts over a specified value or requiring signing of guarantees, M&A decisions etc.
      • Roles and responsibilities of the constituents of the risk management and oversight structure
      • Standard procedures to guide risk identification, prioritization, mitigation and monitoring process on an ongoing basis
      • Risk Management Activity Calendar (Formalizing Risk Management as an ongoing activity by identifying key dates related to risk management review and reporting)
      • Enablers for creating a common language across the organization, e.g. Risk classification framework and definitions, Risk assessment criteria
      Deliverables
      • Risk Management Organization Structure and Roles & Responsibilities
      • Risk Management Policy
      • Risk Management Activity Calendar
  19. ERM Approach – Aligned with COSO Framework: Mapping of ERM Framework with COSO Framework
      Internal Environment
      • Risk management philosophy
      • Risk appetite
      • Risk culture
      • Integrity and ethical values
      • Commitment to competence
      • Management’s philosophy and operating style
      • Organizational structure
      • Assignment of authority and responsibility
      • Human resources policies and practices
      Event Identification
      • Events
      • Factors influencing strategy and objectives
      • Methodologies and techniques
      • Event interdependencies
      • Event categories
      • Risks and opportunities
      Risk Assessment
      • Inherent and residual risk
      • Likelihood and impact
      • Methodologies and techniques
      • Correlation
      Risk Response
      • Identify risk response
      • Evaluate possible risk responses
      • Select responses
      • Portfolio view
      Control Activities
      • Integration with risk response
      • Types of control activities
      • General controls
      • Application controls
      • Entity specific
      Information & Communication
      • Information
      • Strategic and integrated systems
      • Communication
      Monitoring
      • Separate evaluations
      • Ongoing evaluations
  20. ERM Sample Deliverables
      • Risk Control Matrix
      • Risk Model
      • Entity wise Risk Heat Map
      • Group wise Risk Heat Map
  21. • Risk Management Evaluation
      • Risk wise Capability Maturity Model
      • Implementation Calendar
  23. COSO: The 5 Components of IC
      1. Control Environment
      2. Risk Assessment
      3. Control Activities
      4. Information and Communication
      5. Monitoring Activities
  24. Understanding Internal Control
      INTERNAL CONTROL IS DEFINED
      Is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
      • Effectiveness and efficiency of operations
      • Reliability of reporting
      • Compliance with applicable laws and regulations
      • A process consisting of on-going tasks and activities. Policies and procedures exist to effect control.
      • Effected by people.
      • Able to provide reasonable assurance, not absolute assurance.
      • Geared to the achievement of objectives in one or more separate but overlapping categories. The categories are: effectiveness and efficiency of operations; reliability of reporting (internal, external and non-financial); adherence to laws and regulations.
      • Adaptable to the entity structure. IC can be applied as per management’s decision in the context of legal requirement, operating model, entity structure or a combination of these.
  25. Key Objectives of Internal Control – in a general business environment (Source: COSO)
      Operations Objectives
      • Avoiding wastage
      • Avoiding rework
      • Reducing cost
      • Reducing production time
      • Improving customer satisfaction
      • Improving employee satisfaction
      • Improving innovation
      • Accurate & timely financial closure
      Reporting Objectives
      • Corporate Laws and Corporate Filings
      • Pre-requisite for accessing capital markets
      • Tax Laws and Tax filings
      • Dealing with large suppliers and customers
      • Private equity / Resource raising
      Compliance Objectives
      • Adherence to all applicable legal and regulatory framework
      • Adherence to code of conduct / ethics
      Overlap is possible and sometimes frequent.
  26. Components of Internal Control / System of IC (Source: COSO)
      Control Environment (Principles)
      • Organization demonstrates a commitment to integrity and ethical values
      • Board demonstrates independence
      • Management establishes oversight, reporting lines and authority structure
      • Organization demonstrates a commitment to attract, develop and retain competent individuals
      • Individual accountability for IC responsibilities
      Risk Assessment (Principles)
      • Risk specific objectives
      • Risk identification and analysis
      • Consider the potential for fraud
      • Identify and assess changes that could significantly impact the system of internal control
      Control Activities (Principles)
      • Organization selects and develops control activities that contribute to the mitigation of risks
      • Organization selects and develops general control activities over technology that contribute to the mitigation of risks
      • Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies
      Information and Communication (Principles)
      • Information generation and use
      • Internal communications
      • External communications
      Monitoring Activities (Principles)
      • Organization selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of IC exist and function
      • Communicates IC deficiencies
  27. Risk Assessment as a Component of Internal Control (Source: COSO)
      Risk Assessment (Principles)
      • Risk specific objectives
      • Risk identification and analysis
      • Consider the potential for fraud
      • Identify and assess changes that could significantly impact the system of internal control
      Circumstances requiring special attention:
      1. Changes in external environment
      2. Changes in physical environment (disasters)
      3. Significant acquisitions / divestitures
      4. Foreign operations
      5. Rapid growth
      6. New technology
      7. Significant changes in personnel
      Control Activities (Principles)
      • Organization selects and develops control activities that contribute to the mitigation of risks
      • Organization selects and develops general control activities over technology that contribute to the mitigation of risks
      • Organization deploys control activities as manifested in policies that establish what is expected and in relevant procedures to effect the policies
      1. Integration with Risk Assessment
      2. Each entity is unique
      3. Business Process Controls / Transaction Controls: Completeness, Accuracy & Validity
      4. Control Activities:
         1. Verifications
         2. Reconciliations
         3. Direct Observation
         4. Authorisations
         5. Physical controls
         6. Controls over standing data
         7. Supervisory controls
         8. Automated controls
         9. Segregation of duties
         10. Choice of alternative controls
         11. Technology controls (General, Infra, & Security)
         12. Policies & procedures
         13. Reassess policies
  29. Risk Assessment in IA
      What is Risk Assessment?
      • Risk assessment is the determination of quantitative or qualitative value of risk related to a situation and a recognized threat.
      • Risk assessment measurement is a process used to identify and evaluate risks and their potential effect.
      • Risk assessment is the process where you:
        • Identify risk.
        • Analyze or evaluate the risk.
        • Determine appropriate ways to eliminate or control the risk.
      Why is Risk Assessment important?
      • The auditor should perform risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control.
      • They help to:
        • Create awareness of risks.
        • Identify who may be at risk.
        • Determine if existing control measures are adequate or if more should be done.
        • Prioritize risk and control measures.
  30. Risk Assessment in IA
      Understanding the Organization
      • Understanding of:
        • Business Objectives
        • Organization structure
        • Business segments
        • Value chain
        • Reporting and monitoring framework
      Risk Assessment
      • Risk Identification
      • Risk Assessment and detailed profiling of each identified risk
      • Prioritization of risks and mapping on the risk heat map
      • Deliverables: Prioritized risk listing; Risk heat map
      Business Process Scope and Plan
      • Identification of business units and processes to be covered under process review scope
      • Detailed process understanding (interviews and walkthroughs)
      • Process validation
      Risk and Control evaluations
      • Identify process risks for various activities
      • Identify existing controls
      • Evaluate design effectiveness
      • Test operating effectiveness
      • Identify gaps
      • Comparison with leading practices
      Recommend and Report
      • Develop recommendations to bridge the gaps
      • Summarization of issues to be presented to the management
      • Rate the findings as per the scale agreed with the Management
      • Process owner buy-in
      • Executive Summary and final report – discussion with the Management and Audit Committee
      • Deliverables: Risk Based Internal Audit Report
  31. Statutory auditors' expectations from risk management
      • No surprises on the financial statement signing date or after
      • Move from Annual to continuous / on-going risk assessments
      • Watch out for risks encountered by competition and their impact
      • Identify and assess risk of material misstatement
      • Fraudulent financial reporting
      • Enhances knowledge of the auditor and assists in evaluation of effectiveness of internal controls
  32. Business risks relevant to financial reporting
      The entity’s risk assessment process may address how the entity considers the possibility of unrecorded transactions or identifies and analyzes significant estimates recorded in the financial statements.
      Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial data consistent with the assertions of management in the financial statements. Certain operational events that may have an impact on the financial reporting include:
      • Changes in the regulatory or operating environment
      • Significant and rapid changes in information systems can change the risk relating to internal control.
      • New personnel
      • Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in supervision and segregation of duties that may change the risk associated with internal control.
      • Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often unique risks that may affect internal control, for example, additional or changed risks from foreign currency transactions.
      • New accounting pronouncements.
      The Statutory Auditor is expected to perform risk assessment procedures that extend beyond the internal information gateways of an entity and look at reviewing information obtained from external sources such as trade and economic journals; reports by analysts, banks, or rating agencies; or regulatory or financial publications, as well as making inquiries of the entity’s external legal counsel or of valuation experts that the entity has used.
  33. Business risks relevant to financial reporting
      • Inadequate Segregation of duties. Segregation of duties means assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. It is intended to reduce the opportunities to allow any person to be in a position to both perpetrate and conceal errors or fraud in the normal course of the person’s duties.
      • The information system relevant to financial reporting objectives, which includes the financial reporting system, encompasses methods and records that:
        • Identify and record all valid transactions.
        • Describe on a timely basis the transactions in sufficient detail to permit proper classification of transactions for financial reporting.
        • Measure the value of transactions in a manner that permits recording their proper monetary value in the financial statements.
        • Determine the time period in which transactions occurred to permit recording of transactions in the proper accounting period.
        • Present properly the transactions and related disclosures in the financial statements.
      • The quality of system-generated information affects management’s ability to make appropriate decisions in managing and controlling the entity’s activities and to prepare reliable financial reports.
  34. Risk Assessment (example)
      Business Impact Analysis
      | Core Process        | Order of Importance | Applications                   | Location        | Worst Case Scenario | Financial Impact | Non-Financial Impact |
      | Regional Operations | XX                  | • Core application • Non-core  | North / Central | Terrorist Strike    |                  |                      |
      Risk Assessment
      | Assets      | Threats (Nature, 1 to 5) | Probability (1 to 3) | Risk Impact (T * P) | Importance | Enlist Control Measures |
      | Data Centre | Inland Flooding, 5       | 1                    | 5                   | 1          |                         |
  35. ERM – avoid the common mistakes
      • Your risk portfolio should be comprehensive but concise
      • Monitor your risk portfolio and undertake root cause analysis for sticky risks
      • Update the risk portfolio as business is dynamic
      • Prediction of Black swan events
      • History alone is sufficient to give us foresight
      • Sophisticated models may mislead at times
  36. Risk Management Framework
      ERM Policy Framework
      • ERM Policy Charter
      • ERM Steering Committee
      • Risk Owners
      • Risk Information and Reporting System
      Risk Classification and Portfolio Approach
      • Financial Risks
      • Market Risks
      • Operational Risks
      • Strategic Risks
      • Risk Identification and Analysis
      • Risk Portfolio and Profiling
      • Risk Mitigation Plan
      • Quantified Risk Assessment
      Risk Benchmarking
      • On-going
      • History
      • Scenario Play
  38. Practical Case Study on ERM
      Business Scenario:
      The company is a family owned business since 1931. It has manufacturing plants at Tarapur & Jammu with plans to set up one more plant in India. It is currently the market leader in fine chemicals, stationery and school products. Since the last decade the company has been steadily losing out to competition and its market share is declining. If things don’t improve then the promoters will be forced to exit the business by stake sale to international players. You have been requested by the Board to carry out an ERM exercise and present results.
      Develop an indicative risk register covering strategic, operational, compliance and financial risks.
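As an added illustration that is not part of the deck, the following Python risk register scores each row the way the slide 34 example does (Risk Impact = Threat on a 1 to 5 scale times Probability on a 1 to 3 scale, then an Importance rank) and organises the rows into the strategic, operational, compliance and financial categories the slide 38 case study asks for. The sample rows other than the Data Centre one, the heat-map band thresholds and the control measures are constructed assumptions, not the author's figures.

```python
"""Indicative risk register scored as on the deck's example (Risk Impact = Threat 1-5
* Probability 1-3), ranked by importance and grouped by the case study categories."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

THREAT_SCALE = range(1, 6)       # "Threats (Nature, 1 to 5)" on slide 34
PROBABILITY_SCALE = range(1, 4)  # "Probability (1 to 3)" on slide 34
CATEGORIES = ("Strategic", "Operational", "Compliance", "Financial")  # slide 38

@dataclass
class RiskEntry:
    category: str
    asset: str                    # asset or business area at risk
    threat: str
    threat_rating: int            # severity of the threat, 1..5
    probability: int              # likelihood, 1..3
    controls: List[str] = field(default_factory=list)  # "Enlist Control Measures"

    def __post_init__(self) -> None:
        # Reject entries outside the agreed scales so scores stay comparable.
        if self.category not in CATEGORIES:
            raise ValueError(f"unknown category: {self.category}")
        if self.threat_rating not in THREAT_SCALE or self.probability not in PROBABILITY_SCALE:
            raise ValueError(f"rating out of scale: T={self.threat_rating} P={self.probability}")

    @property
    def risk_impact(self) -> int:
        return self.threat_rating * self.probability  # T * P, as on the slide

def heat_band(score: int) -> str:
    """Map a T*P score (1..15) to a heat-map band; the thresholds are assumed."""
    return "High" if score >= 10 else "Medium" if score >= 5 else "Low"

def prioritise(register: List[RiskEntry]) -> List[Tuple[int, RiskEntry]]:
    """Assign 'Importance' 1..n: highest impact first, ties by threat then asset name."""
    ordered = sorted(register, key=lambda r: (-r.risk_impact, -r.threat_rating, r.asset))
    return list(enumerate(ordered, start=1))

def by_category(register: List[RiskEntry]) -> Dict[str, int]:
    """Worst score per category: the 'group wise' view of the heat map."""
    worst = {c: 0 for c in CATEGORIES}
    for entry in register:
        worst[entry.category] = max(worst[entry.category], entry.risk_impact)
    return worst

def render(register: List[RiskEntry]) -> str:
    """Plain-text version of the slide's risk assessment table, in importance order."""
    lines = ["Imp | Category    | Asset               | T | P | T*P | Band   | Controls"]
    for rank, r in prioritise(register):
        lines.append(f"{rank:>3} | {r.category:<11} | {r.asset:<19} | {r.threat_rating} | "
                     f"{r.probability} | {r.risk_impact:>3} | {heat_band(r.risk_impact):<6} | "
                     f"{'; '.join(r.controls) or '-'}")
    return "\n".join(lines)

# Constructed register for the slide 38 scenario; the Data Centre row is the slide 34 example.
SAMPLE_REGISTER = [
    RiskEntry("Strategic", "Market position", "Continued share loss to competition", 5, 3,
              ["Product refresh programme", "Quarterly board review"]),
    RiskEntry("Operational", "Data Centre", "Inland flooding", 5, 1, ["Offsite backups"]),
    RiskEntry("Operational", "Tarapur plant", "Unplanned production outage", 3, 2),
    RiskEntry("Compliance", "Listing obligations", "Risk disclosure lapse", 4, 1,
              ["Annual review of risk procedures"]),
    RiskEntry("Financial", "Raw material spend", "Commodity price volatility", 4, 2,
              ["Hedging policy"]),
]

if __name__ == "__main__":
    print(render(SAMPLE_REGISTER))
```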
  39. Questions
      The views expressed in this material are personal in nature. Any reliance should be placed only post consultation with the author.