Enterprise Risk Management


Cayman Islands Society of Professional Accountants
Enterprise Risk Management
March 19, 2015
Dr. Sandra B. Richtermeyer, CPA, CMA

What is Risk Management?
Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Risk Management: The Big Picture
Strategic Goals
- Must align with the mission, overall objectives, vision, and values
- Must be clear & concise
- Foundation for risk planning and solid internal controls
[Slide diagram; recoverable labels: Internal Control; Describing Approach to Risk Management (Benefits, Characteristics, Approaches & processes, Communication); Strategy; Foundation; Risk]

Key Organizational Concepts
- Mission
- Vision
- Values
- Strategy
- Metrics
- Performance Evaluation

The Big Picture: Key Relationships!!
[Slide diagram; labels: Governance, Enterprise Risk Management, Internal Control]

Enterprise Risk Management (ERM) Framework

What does risk management encompass?
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing multiple and cross-organizational risks
- Seizing opportunities
- Improving deployment of capital

Benefits of Risk Management
- Achieve the entity's performance targets
- Achieve the entity's profitability targets
- Prevent loss of resources
- Ensure compliance with laws and regulations
- Avoid damage to the entity's reputation
It helps the management and board of an organization achieve its goals and avoid pitfalls and surprises along the way!

Risk management is a process, ongoing and flowing through an entity

Key Risk Concepts: Risk Management, An Intentional Process
- Effected by people
- Applied in strategic context
- Applied across the enterprise
- Designed to identify events potentially affecting the entity
- Intended to manage risk within an entity's risk appetite
- Provides reasonable assurance
- Geared to achievement of objectives

Risk Management: Linking with the Achievement of Objectives
Types of objectives:
- Strategic: high-level goals, aligned with and supporting the entity's mission
- Operations: effective and efficient use of resources
- Reporting: reliability of reporting
- Compliance: applicable laws and regulations
These four categories are distinct, but overlapping. One objective can fall into more than one category.
Top of the cube!

Key Concepts: The COSO Enterprise Risk Management Framework Cube Representation

Components of Enterprise Risk Management
- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring
Front of the cube!

Key Concepts: The COSO Enterprise Risk Management Framework Cube Representation

Effectiveness of Risk Management
Effectiveness is a judgment:
- Are the 8 risk management components present and functioning effectively?
- Are there material weaknesses?
- Have the risk needs been considered within the entity's risk appetite?

Limitations of Risk Management
- Human judgment can be faulty
- Risk management decisions need to consider the cost vs. the benefits
- Human failures: errors, mistakes
- Controls can be overridden by collusion between two or more people
- Management has the ability to override ERM decisions
- Culture is critical
If these limitations exist, the board and management cannot have absolute assurance that the entity's objectives are being considered.

Risk Management Encompasses Internal Control
- Internal control is an integral part of enterprise risk management
- Internal controls make risk management more robust
- Internal controls can help with conceptualization of risk management

Relationships Between ERM and Internal Control
[Slide diagram; labels: Governance, Enterprise Risk Management, Internal Control]

Key Concepts: Frameworks for Internal Controls and Risk Management
Linking the COSO Internal Control Integrated Framework with the COSO Enterprise Risk Management Framework
[Slide diagram; labels: Internal Control Framework; ERM Framework; Expanded into 3 components]

Roles and Responsibilities for Risk Management
- Everyone in the organization has some responsibility
- Board is ultimately responsible
- Without board oversight, risk management will fail or be suboptimal
- Senior management team
- All levels of management
- For global organizations, consider ways to communicate responsibilities in a way that supports cultural or educational differences

Relationships Between Governance and ERM
[Slide diagram; labels: Governance, Enterprise Risk Management, Internal Control]

Roles and Responsibilities for Risk Management
External entities play an important role in how an entity implements overall risk management:
- Regulators
- Customers
- Vendors
- Overall supply chain
- Professional organizations

Key Risk Concepts: Risk Management Fundamental Characteristics
- A portfolio view of risks at the entity level
- Identification of potential events that may impact objectives
- Risk identification, prioritization, and response
- Managing risk within the entity's risk appetite
- Consideration of risk in formulation of strategy

Key Risk Concepts: Types of ERM Risks
- Strategic: High-level goals aligned to mission
- Operations: Effective and efficient use of resources
- Reporting: Reliability of the entity's reports
- Compliance: Effective and efficient use of resources

Key Risk Concepts: Effective Risk Management Strategies
[Slide diagram; labels: Identify (internal / external) Risks; Develop Risk-based Culture; Objectives; Values; Link Objectives & Values; Controls; Risk Tolerance/appetite?]

Key Risk Concepts: A Process Overview
- Risk assessment and response
- Manage risk within the entity's risk appetite
- Identification of potential events that may impact objectives and values
- Consideration of risk in formation of strategy
- Application across the entity
- Take a portfolio view of risks at the entity level
- Monitor performance of ERM

Discussion Question
What areas do you believe have primary responsibility for risk management?
1. Accounting / finance
2. Risk management group
3. Legal
4. Compliance
5. Internal audit
6. Unsure
How can this vary by culture or business model?

Key Risk Concepts: ERM Enhances Management Capabilities
- Align risk appetite
- Link growth, risk and return
- Enhance risk response decisions
- Minimize operational surprises and losses
- Identify and manage cross-enterprise risk
- Provide integrated responses to multiple risks
- Seize opportunities
- Rationalize capital

Key Risk Concepts: ERM Benefits to Management
- Promotes awareness of existing risk
- Establishes common risk language
- Illustrates risk interrelationships and impacts
- Enables development of more precise risk information
- Enhances ability to identify risk in a timely manner
- Increases confidence to seize opportunities inherent in potential future events
Remember: manage risk within and across business units. A common risk language facilitates communication, and this helps to minimize operational surprises and losses.

Key Risk Concepts: Characteristics of Effective ERM
- Must be owned and led by the board and senior management
- Encompasses entire business with connection between functional areas
- Strategies address a full spectrum of risks
- Processes augment conventional emphasis on probability by also weighing vulnerability
- Does not solely consider single events, but considers scenarios and interaction between risks

Key Risk Concepts: Characteristics of Effective ERM
Effective risk management:
- Is a key element of the organizational culture
- Focuses not solely on risk avoidance, but also value creation
- Enables entity to take a portfolio view of risk

Key Risk Concepts: Basic ERM Process
[Slide diagram; labels: Objectives, Events, Responses]

Key Risk Concepts: The Highs and the Lows
[Slide diagram: a 2x2 risk matrix with quadrants High Impact / Low Likelihood, High Impact / High Likelihood, Low Impact / Low Likelihood, Low Impact / High Likelihood]

Examples from our conversation (from audience during session)
- High impact, high likelihood: data security breach, foreign regulation, health and safety, foreign competition, competition, substitute products, climate change
- High impact, low likelihood: airport tower loses communication, security at airport, terrorism, staff turnover, public register of ownership, technology downtown, internet down
- Low impact, high likelihood: petty cash, tropical storm, staff turnover
- Low impact, low likelihood: ??? Audience did not offer many examples in this category! (discussion centered on other three areas above)

Key Risk Concepts: What are the BIG Risks?
- Failure to identify and pursue opportunities
- IT system failures
- Lack of intelligence about marketplace and competitor actions
- Attracting capital
- Sustainability

Key Risk Concepts: Board Oversight and ERM
4 Critical Roles!
1. Understand the entity's risk philosophy and concur with the entity's risk appetite
2. Know the extent to which management has established effective enterprise risk management of the organization
3. Review the entity's portfolio of risk and consider it against the entity's risk appetite
4. Be apprised of the most significant risks and whether management is responding appropriately
Source: Effective Enterprise Risk Oversight: Role of the Board of Directors, 2009. COSO, www.coso.org

Risk Process Considerations

Moving thru the framework.

Internal Environment: Implementation Strategies
- Risk management philosophy statement
- Risk appetite: describe and communicate
- Board of directors: regularly include on agenda
- Integrity and ethical values: code of conduct; make sure personnel are aware and that the code is alive in the organization
- Commitment to competence: be clear on how the leaders in the organization support this
- Organizational structure: must be clear and understood throughout the organization
- Assignment of authority and responsibility: aim for clarity and understanding in terms of roles
- Human resource (HR) standards: HR goals are transparent and available to all personnel

Internal Environment Follow-up: from our conversation, indicators of a healthy culture (responses from participants during session)
A healthy culture is key to the Internal Environment component of the ERM Framework.
- Staff retention
- Environmentally responsible
- Personnel climate survey
- Adherence to policy at acceptable levels
- Increased incident reporting
- Employees are proud
- Communication style
- Leadership style
- Reward and recognition
- Staff development
- Team building
- Staff orientation

Can you test for a healthy culture?
Risk-Related Culture Survey: sample items (use a scale of 1-5)
- The leaders of my area set a positive example for ethical conduct
- I understand the entity's overall mission and strategy
- Disciplinary action is taken against those who engage in professional misconduct
- Turnover of personnel has not significantly affected our ability to achieve objectives
- The leaders in my department are open to communication about risk
- The leaders in my department are open to bad news

Code of Conduct: sample of key items for inclusion
- Letter from chief executive
- Goals and philosophy
- Conflicts of interest
- Sign-offs
- Discussion
- Gifts and gratuities
- Transparency
A best practice in reviewing your code of conduct: benchmark with similar entities and/or aspirational entities!

Moving thru the framework.

Objective Setting
- Strategic objectives
- Related objectives: operations, reporting, compliance
- Overlap of objectives
- Achievement of objectives
- Risk appetite
- Risk tolerances

Moving thru the framework.

Event Identification
- Events
- Influencing factors
- Event identification techniques: event inventories, output from planning process, triggers, workshops, interviews, diagrams, lead indicators, analysis of past losses
- Interdependencies: always consider how one event can trigger another
- Event categories: economic, natural environment, political, infrastructure, personnel, process, technology, social, technological
- Distinguishing risks and opportunities: look at both negative and positive outcomes

Moving thru the framework.

Risk Assessment
- Context for risk assessment
- Inherent risk: risk if there are no controls
- Residual risk: risk after controls are implemented
- Estimate likelihood and impact
- Assessment techniques: benchmarking, using probability models
- Consider relationships between events

Key Concepts: Frameworks for Internal Controls and Risk Management
Linking the COSO Internal Control Integrated Framework with the COSO Enterprise Risk Management Framework
[Slide diagram; labels: Internal Control Framework; ERM Framework; Expanded into 3 components]

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment
Operations Objectives
- Reflects management's choices
- Considers tolerances for risk
- Includes operations and financial performance goals
- Forms a basis for committing of resources

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment
Reporting Objectives
- External financial reporting objectives
  - Complies with applicable accounting standards
  - Considers materiality
  - Reflects entity activities
- External non-financial reporting objectives
  - Complies with externally established standards and frameworks
  - Considers the required level of precision
  - Reflects entity activities

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment
Reporting Objectives
- Internal financial reporting objectives
  - Reflects management's choices
  - Considers the required level of precision
  - Reflects entity activities
Compliance Objectives
- Reflects external laws and regulations
- Considers tolerances for risk

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment: Characteristics (Points of Focus) Associated With Each of the Four Key Principles
Identifies and Analyzes Risk
- Includes entity, subsidiary, division, operating unit and functional levels
- Analyzes internal and external factors
- Involves appropriate levels of management
- Estimates significance of risks identified
- Determines how to respond to risks

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment: Characteristics (Points of Focus) Associated With Each of the Four Key Principles
Assesses Fraud Risk
- Considers various types of fraud
- Assesses incentives and pressures
- Assesses opportunities
- Assesses attitudes and rationalizations

Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment: Characteristics (Points of Focus) Associated With Each of the Four Key Principles
Identifies and Analyzes Significant Change
- Assesses changes in the external environment
- Assesses changes in the business model
- Assesses changes in leadership

Process Considerations: Determine Risk Appetite
- Quantitative or qualitative: earnings at risk, reputation at risk
- Risk tolerance: range of acceptable variation
Risk appetite is the amount of risk (on a broad level) an entity is willing to accept in pursuit of value.

Process Considerations: Establish a Portfolio View of Key Risks
[Slide chart; axes: Impact, Likelihood]

Process Considerations: What is the level of your risk appetite?
[Slide chart; axes: Impact, Likelihood]

Process Considerations: Identify Risk Responses
Options available to quantify risk exposure
[Slide chart; axes: Impact, Likelihood]

Process Considerations: Impact Versus Probability
[Slide matrix, read left to right and top to bottom; rows are IMPACT (High, Low), columns are PROBABILITY (Low, High)]

                       PROBABILITY: Low             PROBABILITY: High
  IMPACT: High         Share (Medium Risk)          Mitigate & Control (High Risk)
  IMPACT: Low          Accept (Low Risk)            Control (Medium Risk)
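The risk-assessment steps in this part of the deck (inherent versus residual risk from the Risk Assessment slide, the risk-appetite check, and the impact-versus-probability matrix above) as one small worked example. This is added code, not from the presentation or from COSO: the 1-5 scoring scale, the "High" cut-off of 3, the point reductions per control, the appetite threshold and the sample register are constructed assumptions, and the quadrant layout is read from the slide's label order.

```python
from dataclasses import dataclass, field

# Scores use an assumed 1-5 scale; the slides only say "estimate likelihood and impact".
HIGH = 3  # assumed cut-off: a score of 3 or more counts as "High" on the matrix

# The slide's four quadrants, keyed by (impact is High, probability is High).
MATRIX = {
    (True, False): ("Share", "Medium Risk"),
    (False, False): ("Accept", "Low Risk"),
    (True, True): ("Mitigate & Control", "High Risk"),
    (False, True): ("Control", "Medium Risk"),
}

@dataclass
class Control:
    """A control activity and how many points it takes off likelihood / impact (assumed model)."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0

@dataclass
class Risk:
    """One register entry; likelihood and impact are the inherent (no-control) estimates."""
    name: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

def clamp(score):
    return max(1, min(5, score))

def residual(risk):
    """Residual likelihood and impact once every listed control is applied (floor of 1)."""
    lik = clamp(risk.likelihood - sum(c.likelihood_reduction for c in risk.controls))
    imp = clamp(risk.impact - sum(c.impact_reduction for c in risk.controls))
    return lik, imp

def quadrant(likelihood, impact):
    """Map a (likelihood, impact) pair to the slide's (response, rating)."""
    return MATRIX[(impact >= HIGH, likelihood >= HIGH)]

def assess(risk, appetite):
    """Score one risk; appetite is the largest residual likelihood*impact the entity accepts."""
    res_lik, res_imp = residual(risk)
    inh_response, inh_rating = quadrant(risk.likelihood, risk.impact)
    res_response, res_rating = quadrant(res_lik, res_imp)
    return {
        "name": risk.name,
        "inherent": (inh_rating, inh_response),
        "residual": (res_rating, res_response),
        "residual_score": res_lik * res_imp,
        "within_appetite": res_lik * res_imp <= appetite,
    }

def outside_appetite(register, appetite):
    """Names of risks whose residual score still exceeds the entity's appetite."""
    return [a["name"] for a in (assess(r, appetite) for r in register) if not a["within_appetite"]]

# Constructed sample register, reusing the audience's own examples from the session.
REGISTER = [
    Risk("Data security breach", 4, 5,
         [Control("Patch management", likelihood_reduction=2),
          Control("Encrypted off-site backups", impact_reduction=2)]),
    Risk("Airport tower loses communication", 1, 5),
    Risk("Petty cash loss", 4, 1, [Control("Monthly reconciliation", likelihood_reduction=1)]),
    Risk("Office coffee machine outage", 1, 1),
]

if __name__ == "__main__":
    for entry in (assess(r, appetite=4) for r in REGISTER):
        flag = "" if entry["within_appetite"] else "  <-- exceeds appetite"
        print(f"{entry['name']:<36} inherent={entry['inherent']} residual={entry['residual']}{flag}")
```

The residual rating, not the inherent one, is what gets compared with appetite: a breach that is High Risk before controls can drop to Share / Medium Risk after them and still sit outside a tight appetite.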

Risk Response
- Evaluating possible responses
- Risk likelihood and impact
- Assessing costs vs. benefits
- Opportunities in response options
- Selected responses
- Portfolio view

Moving thru the framework.

Control Activities
- Integration with risk response
- Types of control activities: top-level reviews, activity management, information processing, physical controls, performance indicators, segregation of duties
- Policies and procedures: in writing, well-communicated, integrated in culture
- Controls over information systems: general controls, application controls
- Entity-specific controls

Moving thru the framework.

Information and Communication
- Using relevant, quality information to support the functioning of risk management processes
- Internally communicating information necessary for the functioning of internal control
- Externally communicating information regarding matters affecting the functioning of internal control

Moving thru the framework.

Monitoring
- The entity selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
- The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action

Moving thru the framework.

Process Considerations: Common Risk Management Failures
- Less than robust risk management implementation
- Not a management or board priority: ineffective board oversight
- Failure to anticipate and respond to changed internal and external environment
- Reckless risk taking: compensation not aligned with risk management
- Overconfidence: failure to recognize and prioritize remote risks

Process Considerations: Key Implementation Factors
1. Organizational design of the business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight and periodic review by management

Questions? Contact me at richtermeyer@xavier.edu or sandra.richtermeyer@gmail.com