10-005 Enterprise Risk Management
Current update: 09/16/10
Original Issuance: 03/31/08

Purpose

This policy provides guidance and direction to State Board of Administration business unit heads for identifying, assessing, monitoring and managing risk. The policy also sets forth the roles of the Risk Management and Compliance (RMC) Unit and the Risk and Compliance Committee.

Policy

It is the policy of the Executive Director & CIO of the State Board of Administration (SBA) that a dynamic risk management framework shall be developed and maintained via a risk management plan which will ensure that risks undertaken by the SBA, and the applicable risks undertaken by external parties that assist the SBA in performing its duties, are identified, understood, assessed and effectively managed.

Background and Implementation

By identifying, assessing, monitoring and managing the risks within their respective business units on a regular basis, SBA business unit heads will improve the probability that risks at the consolidated enterprise level will be consistent with the organizational goals and objectives of the SBA enterprise and within the risk tolerances approved by senior management.

Components of Enterprise Risk Management

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) developed and published Enterprise Risk Management - Integrated Framework in 2004 in response to heightened concern and focus on risk management, particularly in light of a series of high-profile business scandals and failures. Within that framework, COSO set forth that enterprise risk management consists of a number of interrelated components, which are derived from the way management runs a business and are integrated with the management process. These components are:

Internal environment - Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by staff.

Objective setting - Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that objectives are consistent with the entity's risk appetite.

Event identification - Potential events, both internal and external, that might have an impact on the entity and affect achievement of objectives must be systematically identified.

Risk assessment - Identified risks are analyzed and assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.

Risk response - Management must identify and evaluate possible risk responses, which include avoiding, accepting, reducing and sharing risk, that are aligned with the entity's risk tolerances and risk appetite.

Control activities - Policies, guidelines and procedures are implemented to ensure risk responses are effectively carried out.

Information and Monitoring - Relevant information is identified, captured and communicated in a form and timeframe that enables staff to execute their responsibilities and to monitor risk, allowing staff to react dynamically as conditions warrant.

Risk Management and Compliance Unit

The role of the RMC unit is to provide independent and objective oversight, coordination and support to risk management processes at the SBA. RMC shall centrally coordinate the cross-functional management of enterprise-wide risks and shall provide an enterprise-wide consolidated view of risks and risk control procedures.

RMC will be responsible, through its participation in the Senior Investment Group and Senior Operations Group (and their associated oversight sub-committees/groups), for reviewing and evaluating new initiatives, products and processes, both investment and operational, to ensure that adequate risk identification, assessment and management (i.e., that reasonable risk avoiding, accepting, reducing and/or sharing tactics have been identified) has been performed by the business unit(s) implementing the proposed change.
In addition to promoting enterprise-wide awareness of risk management, RMC will seek to enhance senior management's awareness and understanding of the key risks faced by the SBA (i.e., their likelihood and potential severity), in order to help advance the goals and objectives of the SBA. RMC will accomplish this by reporting risk management and control issues to the Executive Director & CIO and the Risk and Compliance Committee on a regular basis. The Executive Director & CIO retains all decision-making authority over the enterprise risk management function and corresponding strategic risk management and control issues. RMC, in turn, shall advise the Executive Director & CIO on enterprise risk management related policies, processes and issues, including:

- Promoting a culture of risk awareness, including fostering a cross-functional and enterprise-wide focus on risk management;
- Providing guidance on the risk management and control aspects of SBA policies;
- Reviewing risk inventories, risk assessments, risk and compliance issues identified by external audits and consultant recommendations, and associated risk response strategies;
- Reviewing enterprise-wide risk limits and compliance exception reports;
- Facilitating the implementation of appropriate risk standards and controls;
- Facilitating the analysis and reporting of key risk information;
- Reviewing new program/product/investment vehicle risks, including evaluating the effect on the SBA's overall risk profile;
- Reviewing recommendations by the Office of Internal Audit (OIA) that identify risk management and compliance-related issues.

Risk and Compliance Committee

The Risk and Compliance Committee serves as a cross-functional consultative forum which:

- Provides feedback and direction to new and ongoing RMC initiatives;
- Reviews significant/material compliance exceptions;
- Reviews and evaluates the effectiveness of compliance monitoring efforts;
- Evaluates management efforts for key enterprise risks;
- Identifies, reviews and assesses emerging risk issues, continuously scanning for potential new or altered industry, vendor, environmental or internal risks; and
- Provides an opportunity for RMC to promote awareness among senior management of the risk management and compliance-related issues facing the SBA.

The Risk and Compliance Committee is composed of the following staff members:

- Executive Director & CIO (Group Leader)
- Chief Risk and Compliance Officer (Staff Director)
- Deputy Executive Director
- Chief Operating Officer
- Senior Investment Policy Officer
- Inspector General
- General Counsel
- Director of Investment Risk Management
- Senior Defined Contribution Programs Officer (as needed)
- Senior Hurricane Catastrophe Fund Officer (as needed)
- Senior Officer, Investment Programs and Governance

Business Unit Risk Management

This section of the policy applies to all business units except the Office of Inspector General and the Office of Internal Audit.

Risk Identification

Business units will implement a regular risk identification process to maintain a current inventory of the key risks faced by the unit. The objective of this process is to identify any significant potential risks that have not been addressed in existing policies, procedures or guidelines, but which may require further assessment, monitoring and management.

Risk Assessment

Business units will conduct quantitative and/or qualitative risk assessment on a regular or as-needed basis, including accounting for the risk exposures that are incurred on the SBA's behalf by external entities.

Risk Management Response Strategies

Business units will develop and implement risk management response strategies that may include any prudent combination of the categories of risk response, i.e., avoidance, reduction, sharing and acceptance. In considering a risk management response, business units shall consider risk likelihood and impact, as well as costs and benefits, when developing a response that brings residual risk within desired risk tolerances.

Policy Development and Implementation

Business units will develop policies, guidelines or procedures as necessary to implement risk management strategies and associated control activities.

Monitoring and Reporting

Business unit heads or their designees shall monitor business unit risks on a regular or as-needed basis. Business units will institute and maintain escalation thresholds and/or procedures to promote timely reporting of risk issues as they arise and to ensure that prompt action is taken as necessary. Material issues will be reported to RMC as soon as they are identified. RMC will in turn review material risk issues and report them to the Executive Director & CIO and/or the Risk and Compliance Committee at a regularly scheduled meeting, or immediately if the severity and/or frequency of the issues warrants such action.

Risk Management Plan

An updated SBA Risk Management Plan shall be prepared by the RMC unit on an annual basis. The Risk Management Plan shall include the identification of enterprise-wide risks as well as business unit risks, assessments of identified risks (including likelihood and severity), and current response strategies. Business units are required to update their component of the SBA Risk Management Plan annually and to submit their updates to RMC in a timely manner as requested. The Risk and Compliance Committee shall be responsible for reviewing the Risk Management Plan prior to its approval by the Executive Director & CIO.

Compliance

RMC and SBA business unit managers and supervisors are assigned responsibility for compliance with this policy through regular and routine risk identification and assessment, development of risk response strategies, and development of policies, guidelines and procedures that clearly outline relevant control requirements and monitoring processes. RMC and business unit managers may develop additional procedures to implement this policy and shall maintain sufficient documentation to demonstrate compliance with this policy. The Inspector General may review and test compliance with this policy as deemed necessary.