Figure 1: COSO Enterprise Risk Management Cube

Similar documents
APM Risk SiG Conference 26 th October 2006 Reporting risks to the board

Catching Fraud During a Recession Through Superior Internal Controls. FICPA s 25 th Annual Accounting Show. J. Stephen Nouss September 29, 2010

Agenda. Enterprise Risk Management Defined. The Intersection of Enterprise-wide Risk Management (ERM) and Business Continuity Management (BCM)

Risk Management in the 21 st Century Ameren Business Risk Management

(Effective for audits of financial statements for periods ending on or after December 15, 2013) CONTENTS

Enterprise Risk Management Defined and Explained

SRI LANKA AUDITING STANDARD 315 (REVISED)

International Standard on Auditing (Ireland) 315

STRAGETIC RISK MANUAL

5 Core Must-Haves for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

716 West Ave Austin, TX USA

Enterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015

INTERNATIONAL STANDARD ON AUDITING 315 UNDERSTANDING THE ENTITY AND ITS ENVIRONMENT AND ASSESSING THE RISKS OF MATERIAL MISSTATEMENT CONTENTS

Auditing Standards and Practices Council

Evolving Core Tasks for Improved Internal Audit Performance. Copyright 2018 AuditBoard Inc. 1

Gleim CIA Review Updates to Part Edition, 1st Printing June 2018

FRAUD RISK FACTORS CHECKLIST (Source: New AU Section 240, Appendix A)

RISK MANAGEMENT REPORT

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Effective Vendor Risk Management. April 21, Mario A. Mosse. This Training is Brought to you by ComplianceOnline. Presenter:

International Standard on Auditing (UK) 315 (Revised June 2016)

A robust and systematic review.

Review of Operations and Activities: Listing Rule Guidance Note 10. Introduction. Issued: March 2003

Asset Acceptance Capital Corp.

The Future of Consumer Health Care

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT PURCHASE CAPITAL GOODS

Teva Pharmaceutical Industries Ltd. J.P. Morgan Healthcare Conference. Kåre Schultz President and CEO January 7, 2019

Institute of Internal Auditors. Dallas Chapter August 6, 2009

Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement

Maintaining a robust risk and control framework

The most commonly applied model for designing and auditing internal

CGMA Competency Framework

RISK MANAGEMENT POLICY. [Section 134 of the Companies Act, 2013 read with Clause 49]

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT MOVE MATERIALS AND RESOURCES

and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Enterprise Risk Management

Enterprise Risk Management Montana State Fund

Present and functioning: Fine-tuning your ICFR using the COSO update

UNIVERSITY OF TOLEDO INTERNAL AUDIT BILL THE CUSTOMER

Enterprise Risk Management. Focus on the Future June 2017

CGMA Competency Framework

2012 CliftonLarsonAllen LLP. A Practical & Tactical Approach to. Management (ERM) Cooperatives (NSAC) Jennifer Leary, Partner National Risk Management

EY Center for Board Matters. Leading practices for audit committees

Governance Institute of Australia Ltd

PRINCIPAL RISKS AND UNCERTAINTIES TECHNOLOGY DISRUPTION BY EXISTING OR FUTURE COMPETITOR

If an adequate segregation of duties does not exist, the following could occur:

Improved Risk Management via Data Quality Improvement

An Overview of the 2013 COSO Framework. August 2013

Mapping of Original ISA 315 to New ISA 315 s Standards and Application Material (AM) Agenda Item 2-C

9. Internal control Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization's objectives in

Risk Assessment - Balancing Risk While Enhancing Controls

International Standards for the Professional Practice of Internal Auditing (Standards)

Vendor Management Challenges and Expectations An Open Discussion April 13, 2017

Private Company Services. Private companies: are your internal controls supporting your business strategy?*

International Standards for the Professional Practice of Internal Auditing (Standards)

Morgan Stanley Conference. November 15, 2017

Thomson Reuters SCREENING RESOLUTION SERVICE

Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment

Session 7: Corporate Governance

Statement on Risk Management and Internal Control

Community Bankers Conference

Gleim CPA Review Updates to Business Environment and Concepts 2018 Edition, 1st Printing March 2018

Apply accounting and finance skills. And lead within the organisation

Next-generation enterprise risk management

Sarbanes-Oxley Act of 2002 Can private businesses benefit from it?

A Discussion About Internal Controls February 2016

Pre-Engagement Activities and Audit Planning By: Tariq Mahmood FCA, ACMA

UNIVERSITY OF TOLEDO INTERNAL AUDIT DEPARTMENT SCHEDULE PRODUCTION

GAIT FOR BUSINESS AND IT RISK

Master of Business Administration Course Descriptions

SYLLABUS - ANALYSIS AND DECISION (20 credits)

Risk type Specific risk Explanation Mitigation approach. SKF customers ability to pay can have an impact on the financial result of the Group.

Private Client Services Are your internal controls supporting your business strategy?*

LCH Limited Board Reserved Matters, Executive Delegation, Local Management Committee Composition

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

An Audit of Internal Control Over Financial Reporting Performed in Conjunction with An Audit of Financial Statements

Internal Control Questionnaire and Assessment

Report on Inspection of Deloitte LLP (Headquartered in Toronto, Canada) Public Company Accounting Oversight Board

Risk Management Policy Arvind Infrastructure Limited

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

In Control: Getting Familiar with the New COSO Guidelines. CSMFO Monterey, California February 18, 2015

STRATEGIES FOR EFFECTIVELY WORKING WITH THIRD-PARTIES. September 2017

IAASB Main Agenda (March 2005) Page Agenda Item 12-C

Guidance on Arrangements to Support Operational Continuity in Resolution

9/17/2017. An Overview of COSO s New Framework and Implementation Guidance SPEAKER. Laura Harden, CPA History

Risk Management Policy and Framework

B U S I N E S S R I S K M A N A G E M E N T L T D

Risk Management Developing an Effective Audit Plan

STATEMENT ON RISK MANAGEMENT AND INTERNAL CONTROL

Third Party Risk Management ( TPRM ) Transformation

IT Governance and the Audit Committee Recognizing the Importance of Reliable and Timely Information

Successful ERM Program Standards. Definitions of Enterprise Risk Management (ERM)

Report on Inspection of KPMG AG Wirtschaftspruefungsgesellschaft (Headquartered in Berlin, Federal Republic of Germany)

Chapter 6 Field Work Standards for Performance Audits

Minimizing fraud exposure with effective ERP segregation of duties controls

VOYA Financial CODE OF BUSINESS CONDUCT AND ETHICS

CFO Commentary on First-Quarter 2013 Results

Application: All licensed institutions and supervisory personnel

Enterprise Risk Management

Enterprise Risk Management: Developing a Model for Organizational Success. White Paper

Transcription:

Figure 1: COSO Enterprise Risk Management Cube Source: Committee of Sponsoring Organizations (COSO), "Enterprise Risk Management- Integrated Framework: Executive Summary" 5. As shown in the COSO ERM cube, enterprise risk management (ERM) is a process to help achieve objectives across the enterprise: strategic, operations, reporting, and compliance. Eight interrelated components are identified, and ERM is applied at all levels of the organization: entity, division, business unit, and subsidiary.

Table 1: Identification and Prioritization of Potential Risks* for Enterprise Risk Management External Risks * Capital Availability * Climate Change * Economy * Natural Hazard/Catastrophe * Regulatory/Legal * Shareholder Expectations * Competitor * Customer Needs/Wants * Financial Markets * Pandemic * Sovereign/Political/Terrorism * Technological Innovation * Industry * Public Relations Strategic Internal Risks Operational Financial * Acquisitions Process * Asset/Liability * Alliances * Alignment * Delivery Channels * Knowledge Management * Product/Service Liability * Cash Flow * Business Model * Business Interruption * Dispute Resolution * Measurement * Relationship Management * Collateral * Business Portfolio * Capacity * Efficiency * Partnering * Research and Development * Commodity * Due Diligence * Change Response * Environmental * Physical Security * Sourcing - Data * Concentration * Governance Structure * Compliance * Facilities Management * Product/Service Failure * Strategy Implementation * Counterparty * Intellectual Property * Contract Commitment * Health & Safety * Product/Service Pricing * Supply Chain/Procurement * Credit * Marketing / Advertising * Cycle Time * Integration * Product/Service Development * Transaction Processing * Default * Marketplace * Third-party Outsourcing * Equity * Organization Structure * Estimates * Planning Management Information Human Capital Integrity Technology * Financial Instruments * Product Life Cycle * Accounting Information * Accountability * Conflict of Interest * Access * Foreign Exchange * Reputation Risk * Budgeting & Forecasting * Bench Strength * Employee Fraud * Availability * Interest Rate * Resource Allocation * Completeness/Accuracy * Change Readiness * Ethical Decision Making * Data Integrity * Liquidity * Social Responsibility * Investment Evaluation * Communications * Illegal Acts * e-commerce * Misstatement * Trademark/Brand Erosion * Investor Relations * Competencies/Skills * Management Fraud * Infrastructure * Modeling * Pension Fund * Empowerment * Third-Party Fraud * IT Governance * Off Balance Sheet * Records Retention * Hiring/Retention * Unauthorized Acts * Obsolete/Outdated * Opportunity Cost * Regulatory Reporting * Leadership * Reliability * Recording and Oversight * Relevance * Outsourcing * Security Vulnerabilities * Reporting Integrity * Taxation * Performance Incentives * Technological Capacity * Succession Planning * Training/Development * It is recommended that companies address these predetermined risks along with other company-specific risk parameters.

Risk Capital Availability Climate Change Competitor Customer Needs/Wants Economy Financial Markets Industry Natural Hazard/Catastrophe Pandemic Public Relations Regulatory/Legal Shareholder Expectations Sovereign/Political Technological Innovation Terrorism External Risks Definition(s) Insufficient access to capital threatens company capacity to grow, execute its business model, and generate future financial returns Unable to respond to actual or indirect consequences due to climate change-related regulatory or business trends Company is unable to keep pace with our competitors for people, resources, investments, and investors Company is unable to anticipate and is not aware of changes in customer wants and needs Drastic changes in a country's business environment adversely affect profit and other goals Movements in prices, rates, and indices affect the value of the company's assets, stock price, and cost of capital Changes in opportunities and threats, capabilities of competitors, and other conditions affecting the company's viability Major natural disaster or other catastrophic event that may affect business operations Adverse conditions may affect operations if the operations are concentrated within a specific geographic area/segment The public's perception of the company becomes unfavorable Changes in laws/regulations by the gov't or regulatory body that increase costs or reduce the attractiveness of investments A decline in investor confidence in company s business model, or ability to execute model, threatens capacity to efficiently raise capital or sustain share valuations. Adverse political actions threaten company's resources and future cash flows Unable to leverage technology advancements in the business model to achieve or sustain competitive advantage Unable to respond to terrorist attacks and threats

STRATEGIC Acquisitions Alliances Risk Internal Risks Definition(s) Risk of poor acquisition decision making and/or poor integration of acquisitions dilutes company s value Inefficient or ineffective alliance, joint venture, affiliate, and other external relationships affect company s capability to compete Business Model Business Portfolio Due Diligence Intellectual Property Marketing/Advertising Marketplace Organization Structure Planning Product Life Cycle Reputation Risk Resource Allocations Social Responsibilities Trademark/Brand Erosion Obsolete business model, and company does not recognize it or lacks information to respond to the model Company does not have a proper mix of products/properties/locations that provides for a rational asset base and which may affect overall performance Management does not have sufficient financial and operational information and/or is unable to reliably measure the value of a potential acquisition in order to make informed, strategic acquisition decisions Inability to protect firm's intellectual property Erosion of a trademark or brand over time threatens the demand for the product and impairs growth Nonexistent, irrelevant, or unreliable performance measures are used that are inconsistent with strategies Organizational structure becomes cumbersome or ineffective in maximizing net asset value Planning and budgeting do not result in a realistic view of situation therefore leading to improper decision making Inability to manage and monitor the evolution of company's industry/product along the life cycle Company may lose customers, key employees, or managers, or its ability to compete, due to perceptions that it does not provide appropriate products and services to customers and internal and external stakeholders Not appropriately ranking or allocating resources or investment of capital against a broad spectrum of needs and priorities Inability to act in the best interest of society, which could result in negative public image The risk that a trademark or brand will lose its value. A trademark is a word, symbol, or device, or any combination of these that identifies a product or service and distinguishes that product or service from the products or services of competitors OPERATIONAL Process Alignment Business Interruption Capacity Change Response Compliance Contract Commitment Cycle Time Delivery Channels Efficiency Inability to align business objectives to the company's long-term objectives Business interruptions stemming from unavailability of resources (materials, systems, people, etc.) threaten operations Insufficient capacity threatens the firm's ability to generate growth Inability to response to change in a timely manner or with appropriate actions Failure to comply with internal policies, procedures, customer or regulatory requirements Entering into contracts that negatively impact company or are against company policies and procedures Drilling and operational projects are not delivered within the budgeted time and cost Poorly performing or positioned distribution channels threaten the firm's ability to timely deliver products to customers Cost of doing business is increased due to inefficient operations leading to unnecessary spending

Environmental Activities harmful to the environment may lead to exposures including liabilities for financial damages and/or loss of business reputation Health and Safety Knowledge Management Measurement (Operations) Partnering Physical Security Product/Service Development Product/Service Failure Product/Service Liability Product/Service Pricing Relationship Management Sourcing Strategy Implementation Supply Chain Transaction Processing Third Party Outsourcing Management Information Accounting & Information Budgeting & Forecasting Completeness/Accuracy Investment Evaluation Investor Relations Pension Fund Regulatory Reporting Relevance Taxation Injury, sickness, or death of employees could cause delay to ongoing or future operations, significant litigation costs, or loss of human capital Process for capturing and institutionalizing company's ideas and procedures may be ineffective or nonexistent (i.e., no policy or procedures) Irrelevant and/or unreliable nonfinancial measures may cause erroneous assessment of operations Inefficient or ineffective alliance, joint venture, affiliate, and other external relationships that may impact operations Inability to secure firm's physical assets Inadequate process to develop product/service to sustain market competitiveness Significant equipment or service failure leading to downtime and loss of production Significant equipment or service failure leading to financial loss Significant equipment or service price increase and significant commodity price fluctuations Management does not effectively foster critical relationships and customer/partner concerns Availability is limited or unavailable, leading to quality decline or unavailability of company products Annual business plan and management/board strategy is not effectively designed, implemented, communicated, or executed Supply chain is vulnerable to disruption or does not effectively reduce costs where possible Transaction processing failures from planned conversions, merger integration, or ongoing accounting/operations Outside service providers do not act within their defined limits of authority and do not perform in a manner consistent with the values, strategies, and objectives of the company Information provided by operational personnel is not efficient or effective in creating accurate accounting entries to reflect operations Management reporting analysis does not effectively or timely communicate results or realistic budgets and forecasts Management reporting analysis is not complete or accurate enough for management to adjust to current market conditions Valuation of investment/acquisition opportunity is inaccurate or incomplete Communication with shareholders in regards to current operations or financial position is misleading, inaccurate, duplicative, or not complete Incomplete or inaccurate data pertaining to compensation and benefits exposes the company to financial loss Noncompliance with regulatory reporting requirements Inability for management to make decision based on timely and relevant information Changes in tax environment are unknown, or if known, not effectively implemented and the company does not take advantage of tax savings

Human Capital Accountability Individual and group performance is sub par and no personal responsibility is taken or required by direct supervision Bench Strength Change Readiness Communications Competencies/Skills Empowerment Hiring/Retention Leadership Outsourcing Performance Incentives Succession Planning Training/Development Integrity Conflict of Interest Employee Fraud Ethical Decision Making Illegal Acts Management Fraud Third Party Fraud Unauthorized Acts Technology Access Availability Data Integrity - Internal data e-commerce Infrastructure IT Governance Obsolete/Outdated Reliability Management and employees do not possess the knowledge, skills, and experience necessary to effectively execute their duties, including making good business decisions and aligning these with enterprise goals and strategies Unable to implement process/product improvements/changes in a timely manner to keep up with the marketplace Communication across the organization does not allow for personnel to effectively execute change or management strategy Personnel do not have the necessary competencies or skill base to execute their responsibilities Regional or focused tone leads to poor company performance or results in different strategies than that of the senior management and the board Obtaining and retaining talented, technical, experienced, and expert personnel Senior management does not effectively lead/motivate the management team to meet or exceed budgets and expectations Contracted third parties are not acting within the authority that was agreed upon Performance incentives are misunderstood or not effective to align performance to the firm's objectives Unexpected change in or termination of senior management positions that are not timely filled with qualified or trained personnel Inability to train and develop resources to competently perform job responsibilities Conflicts of interest are not identified, reported, or understood Major management fraud or ethical scandal committed by employees Management does not clearly communicate ethical behavior to employees Illegal acts committed by employees expose the firm to loss and fines/penalties Intentional misstatement or misrepresentation of the firm's financial capabilities and intentions Fraudulent activities by third parties expose the firm to loss Unauthorized use of the firm's physical, financial, or information assets exposes the firm to financial loss Failure to adequately restrict access to data may impact unauthorized usage/knowledge of confidential data Unavailability of data or systems when needed Data entered in the system(s) is not complete and accurate or may be compromised Unable to protect firm's assets and information through e-commerce medium Inadequate technology infrastructure to support data requirements of the business System in which all stakeholders, including the board, internal customers, and especially departments have the necessary input into the decision-making process Object, service, or practice is no longer wanted even though it may still be in good working order Data is not processed accurately or completely by IT systems.

Technological Capacity Security Vulnerabilities IT infrastructure cannot keep up with the current organizational needs Varying, large and/or complex systems increase the probability of flaws and unintended access points FINANCIAL Cash Flow Collateral Commodity Concentration Counterparty Credit Default Equity Financial Instruments Foreign Exchange Interest Rate Liquidity Misstatement Modeling Opportunity Cost Recording and Oversight Reporting Integrity Limited sources of funding and inadequate preferred lender selection threaten company s ability to provide access to funds on a timely basis. Loss of value or inability to secure the collateral provided Uncertainty in future cash flows and future growth due to unreplaced production or significant decrease in prices Significant resources and asset base pose over-concentration of operations and financial condition Counterparty does not comply with contractually obligated terms Company enters into contracts with uncreditworthy parties Counterparty is unable to fulfill obligations Net asset value per share goals are not met or realistically developed Exposure to excessive costs due to the complexity of the financial instrument structures Volatility in foreign exchange rates exposes the firm to losses Changes in interest rates expose the firm to higher borrowing costs and decrease in net assets Company cannot meet obligations as they become due and the current asset base is not marketable to divest into liquid form Failure to accumulate relevant, reliable, and timely external and internal information may result in the issuance of misleading financial reports that contain material errors or omit material facts to external stakeholders or misleading internal reports that contain inaccurate assumptions, estimations, and/or do not include important disclosure information Critical models are applied to operations/projects/acquisition for which they are inappropriate or implemented incorrectly Current investments result in lost opportunities for more profitable investments Financial accounting information used to manage business processes is not properly integrated with nonfinancial information focused on customer satisfaction, measuring quality, reducing cycle time, and increasing efficiency Reports of operating and financial information required by regulatory agencies, are incomplete, inaccurate, or untimely, exposing the company to fines, penalties and sanctions

Impact Table 3: Risk Matrix PURE RATING Risk Matrix Rare - 1 Remote - 2 Likelihood/Timeframe Reasonable Probable - 4 Probable - 3 Almost Certain - 5 Major - 5 M H H H H High - 4 L M M H H Moderate - 3 L M M M H Minor - 2 L L M M H Insignificant - 1 L L L L M Impact Level Descriptor Definition Measurement 1 Minimal Minimal financial loss with easily mitigated remediation >.1% of EBITDA Minor financial loss with remediation requiring some 2 Minor resources.1-.5% of EBITDA Moderate financial loss with remediation requiring mostly 3 Moderate internal resources.5-1% of EBITDA High financial loss with remediation requiring internal and/or 4 High external resources 1-5% of EBITDA Major financial risk with remediation requiring immediate 5 Major attention with all necessary resources < 5% of EBITDA Likelihood Level Descriptor Definition Occurrence 1 Rare Likely to occur only in exceptional situations < 5% 2 Remote 3 Reasonable Possible 4 Probable 5 Almost Certain Chance of occurrence is slight 6-30% Chance of occurrence is more than remote but less than probable 30-70% Chance of occurrence is very likely 71-95% Is expected to occur in almost all cases > 95% TIME FRAME Level Descriptor Definition Time frame 1 Long Term 2 Med-Long Term Risk will affect the company in the long term Risk will affect the company between medium term and long term > 3 years 2 years - 3 years 3 Medium-Term Risk will affect the company within the medium term 1 years - 2 years 4 Short Term 5 Today Risk will affect the company within the short term Risk will affect the company in the immediate future 6 months - 1 year < 6 months

Table 4: Risk Tolerance Calculation Potential Materialty Measurement for ERM Weighting Earnings Assets Revenue $ 20,000,000 $ 5,000,000,000 $ 250,000,000 0.10% $ 20,000 $ 5,000,000 $ 250,000 0.50% $ 100,000 $ 25,000,000 $ 1,250,000 1% $ 200,000 $ 50,000,000 $ 2,500,000 5% $ 1,000,000 $ 250,000,000 $ 12,500,000 Business Continuance* High Greater than 36,500,000 Medium 36,499,999 18,250,000 Low Less than 18,249,999 *Based on Business Continuity Project with $100K daily (365 days) at risk factoring medium risk at 50% Insurance Limits* Min $ 1,000,000 Max $ 30,000,000 *Levels of deductibles may range from basic coverages to directors and officers aggregate limits Note: Multiple criteria may "trigger" a specific tolerance level for a specific risk area Risk Tolerance Limit (area where company would initiate action plans): Depending on risks (and aggregate sub-risks) - company's tolerance level would range from $1M to $10M

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback