Enterprise Risk Management: Concepts & Issues

Transcription

1 Enterprise Risk Management: Concepts & Issues Jacques Lapointe Internal Audit, Management Board Secretariat November

2 The Basic Concept of Risk Management The active process of identifying risks, assessing risks and developing appropriate action plans. 2

3 Model for Understanding Risk and Control Risk - Control = Exposure (residual risk) - = Understand Objectives Understand Risks Manage Risks Acceptance or Action 3

4 Key Elements of Enterprise Risk Management Risk policy and guiding framework Review cycle that allows for formal reassessment of risks on a periodic basis Processes to provide reasonable assurance that risks are identified, reported and mitigated Active oversight by the audit committee and governing body of organization s risk management system 4

5 Principles of Effective Risk Management Manage what might happen Both hazard and opportunity Optimize rather than minimize Common language/common understanding Coherent set of concepts and formal tools A governance responsibility 5

6 Key Features of the New Risk Management Paradigm Old Paradigm: Fragmented Risk as a negative factor to be minimized Risk managed in organisational silos Role of specialists Ad hoc Narrowly focused Audit committee to police internal control New Paradigm: Integrated Risk as opportunity Risk managed in an integrated, enterprise-wide fashion Role of everyone Continuous/ Systematic Broadly focused Risk committee to ensure an effective risk management structure exists 6

7 Applications of Risk Management Strategic and business planning Setting priorities Allocating resources Implementation plans Business improvement Issues identification Assurance 7

8 Risk Management: Essential to Governance Effective governing bodies: Understand what constitutes reasonable information for good governance and obtain it Once informed, are prepared to act to ensure that the organization s objectives are met and that performance is satisfactory (from Six Principles of Effective Governance by the CCAF) 8

9 Risk is An Evolving Concept Opportunity Uncertainty Hazard Harness risk to your advantage and enhance shareholder value Risk arising from change Event driven risk * From Price Waterhouse Coopers 9

10 Framework of Risk Types Risks that result from: Risks that result from: The business that you are in (volatility of external factors) The direction that you plan on going Environmental Risk Strategic Risk Carrying out your objectives Obtaining, committing and using economic resources Operational Risk Financial Risk Organizational & Cultural Risk Systemic issues Culture and values Organizational capacity Commitment Learning and management systems Having to comply with laws, regulations, standards and policies Compliance Risk Relying on information Informational Risk 10

11 1. ESTABLISH THE CONTEXT Objectives Values Environment Risk Management Process 2. IDENTIFY RISKS What can go wrong? How can it happen? 3. ANALYZE RISKS Review existing controls. Determine the likelihood and impact of each major risk. 4. EVALUATE & PRIORITIZE RISKS Establish the level of risk. Decide on acceptance or action. Set action priorities. 6. MONITOR AND REVIEW 5. TAKE ACTION Identify treatment strategies. Prepare action plan. Implement action plan. 11

12 Risk Management Matrix Focused on risks that could impede the achievement of specified business objectives. Assists in mapping and prioritizing risks considering both the likelihood and the impact. Impact Assures that high priority, unacceptable exposures are treated May identify further areas for drill down(opportunity for internal audit) 7 6 B A E F G Likelihood D C Average 12

13 Building Risk Capabilities Capabilities are characteristic of individuals, not of the organization Process established and repeating; reliance on people is reduced Performance Enhancement Policies, processes and standards defined and formalized across the Ministry, including training programs and quality assurance Risks measured and managed quantitatively and aggregated on an enterprisewide basis and diligently followed up Organisation focused on continuous improvement of business risk management and sophisticated change management Initial Repeatable Defined Managed Optimizing Systematically Build and Improve Risk Management Capabilities *From the Software Engineering Institute: The Capability Maturity Model 13

14 Our Goal with ERM To provide leadership and support in the implementation of systematic, organizationwide risk management and control 14

15 Roles for Internal Audit Champion the adoption of risk management as an institutional process Assist the organization in establishing a risk management system Provide guidance and education on risk management standards, tools & techniques Ensure risk management policies and processes are integrated with the organization s system of assurance Provide services that allow audit committees and boards to objectively monitor their risk profile Provide assurance as to the state of risk and control 15

16 New Definition of Internal Auditing Internal auditing is an objective assurance and consulting activity Assists an organization in accomplishing its objectives by bringing a systematic and disciplined approach to enable and improve the effectiveness of the organisation's risk management, control and governance processes. 16

17 Challenges and Issues in Risk Management Adequate coverage of the organization Cultural readiness Creating a sustainable system Clarity of roles Organizational attention 17