Enterprise Risk Management: Developing a Model for Organizational Success. White Paper


Enterprise Risk Management: Developing a Model for Organizational Success White Paper January 2009

Overview

Less than a decade ago, Enterprise Risk Management (ERM) was an unfamiliar concept. Today, the issue is quickly ascending the agendas of senior executives and shareholders alike, as corporate scandals and globalization challenge the status quo and regulators publish new and updated requirements.

Enterprise Risk Management is a structured approach to aligning strategy, processes, people, technology, and knowledge to identify and manage uncertainties and risk. Providing a comprehensive, integrated framework that enables organizations to proactively manage business risk, ERM achieves balance between business needs and risk thresholds to increase competitive advantage and shareholder value. ERM definitions tend to vary from source to source, but all contain common themes: a standard risk management process, an integrated view of risks, and a focus on relating risks to business objectives.

What has prompted such an unprecedented interest in ERM in recent years? Some of the main drivers include:

- Loss of integrity of audit and financial reporting
- Increased regulatory pressure for risk information
- Accelerated speed of product and service innovations
- Use of open networks in business transactions
- Alignment of the organization to anticipate and leverage opportunities
- Decreased confidence in the accuracy / integrity of system solutions; increased security risks
- Volatile market conditions
- Increased shareholder scrutiny

ERM Framework: A Roadmap for Managing Risks

In 2004, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) formalized the ERM process with its landmark publication, Enterprise Risk Management - Integrated Framework. The official COSO definition of ERM is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." There are infinite variations; one easy-to-understand version is "ERM is a company's process to identify, assess, and manage risks that could interfere with achieving any of its corporate objectives."

The definition reflects some fundamental concepts about ERM, including that it is:

- A process, ongoing and flowing through an entity
- Affected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit
- Designed to identify potential events that, if they occur, will affect the entity
- Designed to manage risk within the organization's risk appetite
- Able to provide reasonable assurance to an entity's management and directors
- Geared to achievement of objectives in one or more separate, but overlapping, categories

Figure 1: COSO ERM Framework

Figure 1 shows the COSO ERM framework as a three-dimensional cube. An entity's business objectives can be put into four separate but overlapping categories (Strategic, Operations, Reporting, Compliance) shown on the top surface.

The eight components of ERM are shown on the facing surface:

- Internal environment establishes an entity's risk culture and considers all aspects of how an organization's actions may affect it.
- Objective setting reflects the risk appetite of the entity, a high-level view of how much risk the board and management are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
- Event identification differentiates risks and opportunities, with events having a negative impact representing risks and those having a positive impact representing opportunities. It addresses how internal and external factors combine to influence the risk profile.
- Risk assessment assesses risks based on likelihood of occurrence and impact, both on an inherent and residual basis.
- Risk response requires management to decide if it will avoid, accept, reduce or share risk based on the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Control activities establish and implement policies and procedures to ensure that risk responses are effectively executed.
- Information and communication ensures that relevant information is identified, captured, and communicated, enabling people to carry out their responsibilities.
- Monitoring ensures that the ERM program remains effective over time.

Both the objective categories and the components of ERM are applicable to every level of the organization, from the entity level down, as shown on the side surface of the cube. For ERM to be operating effectively, all eight components of ERM must be operating effectively across all four objective categories at all levels of the organization. Think of the COSO framework as a Rubik's Cube.

Implementing an ERM Approach

ERM is a continuous process guided by the Executive Committee of the company and overseen by the Board of Directors. The charter for ERM must emanate from senior management, since it is they who will establish the risk appetite and related guidelines for the entity and for each line of business. Companies can develop their own ERM framework or accept an established one, such as the COSO ERM framework. The nine key steps in the ERM process are shown in Figure 2.

Figure 2: ERM - A Continuous Process

Following are important points to consider when implementing the ERM process:

- The ERM process starts with setting objectives at all levels of the organization and ensuring their alignment.
- Determining risk appetite is a top-down exercise, starting with the board of directors, the executive committee, and business unit leaders. It establishes how much risk the entity is willing to accept in the aggregate, by business unit, by geography, by product line, and by function.
- Establishing a risk framework includes training employees at all levels of the organization in the concepts, definitions, and terminology of the accepted framework, so that everyone shares a common language and understanding for identifying, assessing, and managing risks.

Assessing and Managing Risks

There are various tools and techniques available for identifying and assessing risks, such as scenario ("what if") analysis, modeling, regression analysis, and historical loss and event data analysis. There are also subjective evaluations by experienced professionals. Typically, risks are assessed along two dimensions: frequency of occurrence and business impact. Critical risks have a relatively high frequency of occurrence and high business impact and require an immediate risk mitigation response, such as additional controls. High business impact, low probability risks require contingency planning, since they may or may not ever occur (Figure 3). Some examples of these risks are illustrated in Figure 4.

Figure 3: Approach to Risk Assessment and Management

Figure 4: Example of a Call Center Risk Assessment

The building blocks of ERM architecture, shown in Figure 5, reinforce the fact that commitment to implement ERM must come from the top of the organization. Acceptance of a framework provides a common language so that directors, executives, and the rank and file can talk about risk management without any confusion or misunderstanding.

Figure 5: Building Blocks of an ERM Program

Process Management

While managing risk is everyone's responsibility, accountability for the ERM process, both during and after implementation, must reside with a specific individual. Often, this person is designated as the Chief Risk Officer (CRO). The scope of the CRO role can vary, but this position is ultimately responsible for supporting development of the ERM program and directing the various processes that flow out of that program. Employees must be trained in the ERM framework and in the methodologies, techniques, and tools to be deployed. ERM must be managed as a process and not as a point-in-time evaluation. Its importance and continuous nature should be reinforced by integrating ERM into job descriptions, performance evaluations, and compensation and incentive programs. Finally, the ERM program should be monitored by the internal audit function to ensure its effectiveness over time in meeting organizational objectives.

The Way Forward

Depending on where an organization is in the risk management continuum (see Figure 6), establishing an ERM infrastructure could be a phased, multi-year effort. It is important that senior management recognize this and create a focused roadmap to get from where they are to where they want the organization to be.

Figure 6

Final Thoughts

As you evaluate the appropriateness of ERM for your company, remember that:

- Regulators and rating agencies are increasingly suggesting that a Risk Management Program be put in place.
- Critical to the process is analyzing, documenting, and monitoring identified risks. Management then needs to determine and document the appropriate risk response.
- New risks based on strategic direction, event identification, and new or enhanced products and services should be addressed as an ongoing monitoring step.
- An effective risk management program is driven from the Board of Directors and Executive Management and must be embraced by the entire organization.

With an integrated methodology, approach, and effective tools, your company should be well positioned to implement a comprehensive ERM program that accomplishes its goals of identifying potential events that may affect the business, and managing risk within your company's risk appetite to provide reasonable assurance for achieving organizational objectives. Establishing a risk management function with central accountability, such as the CRO, within the organization is key to creating a successful ERM program. This function will drive the ERM process and the various components and dimensions involved in effective enterprise risk management (see Figure 7).

Figure 7

Among the many important considerations for this function are the following:

- What should the function be accountable for, and how will it be organized? Will it be centralized, decentralized, or matrixed?
- What skill sets are needed in this department, and how will success be measured?
- What relevant processes and tools are required to enable the risk management function to effectively do its job?
- And finally, what, how, and to whom will this function report and communicate?

This document is for general guidance only, and is not intended to be a legal analysis or a substitute for legal or other professional advice. Please consult with a professional to obtain appropriate information and advice regarding your specific situation.