CORPORATE GOVERNANCE


CORPORATE GOVERNANCE. Lesson n. 9: Corporate Governance and Risk Management. A.y. 2015-2016, 1st semester. f.buzzichelli@lumsa.it

CG and Risk Management. Contents:
1. Corporate Risk Assessment: ERM
2. US COSO Integrated Framework
3. Levels of Risk
4. Responsibilities of the BoD
5. Chief Risk Officer
6. OECD surveys on RM and CG
7. Risk analysis process
8. 10 steps to structure a Risk Management Policy

CORPORATE RISK ASSESSMENT
The Cadbury Code refers to risk only in the context of the BoD's responsibilities. The need to reinforce corporate risk assessment derives from the financial crisis: several surveys revealed that the global financial crisis has increased awareness of the need to manage and leverage risk.
ENTERPRISE RISK MANAGEMENT
In an advanced approach, ERM allows an organization to:
- define a critical framework for successful decision-making and for driving value;
- engage all stakeholders in the development of risk management strategy and policy setting;
- move from a mitigation and avoidance view of risks to leveraging and managing risks to extract business value.

US COSO Integrated Framework for ERM
COSO = Committee of Sponsoring Organizations of the Treadway Commission (since 1985).
(Slide: the COSO ERM framework diagram; figure not reproduced.)
THREE DIMENSIONS FOR ERM:
1. Achievement of 4 objectives
2. 8 interrelated components
3. Entity's units

Emphasis on corporate risk
The OECD reviewed the adequacy of CG by suggesting:
- a risk management function reporting directly to the BoD;
- the risk management function to consider any risk deriving from the existing compensation and incentive system;
- the effectiveness of the risk assessment and management process to be monitored and disclosed.
ICGN published a set of Corporate Risk Oversight Guidelines:
- the risk oversight process begins with the BoD;
- corporate management is responsible for developing and executing a risk program;
- shareholders have a responsibility to assess and monitor the effectiveness of the BoD in overseeing risk.

Levels of risk
Corporate risk arises at every level in the organization. The BoD has a supervisory role on policies, systems and performance.
OPERATIONAL RISK: within the company (fire, accident, ...)
MANAGERIAL RISK: hazards deriving from the company's activities (product liability, third-party risk, ...)
STRATEGIC RISK: responsibility of directors who do not know the risk profile; wrong decisions of the BoD
Delegating responsibilities to the AUDIT COMMITTEE is frequent and recommended for some listed companies.

Responsibilities of the BoD
RISK MANAGEMENT vs. RISK MINIMIZATION: BoDs should recognize, understand and accept the RISK PROFILE of the company, balancing risks with appropriate/acceptable rewards («creating business value while managing risk»).
Duties of the BoD:
- recognize significant risks facing the company;
- ensure the existence and the effectiveness of risk assessment systems;
- ensure the development and the effectiveness of risk evaluation procedures;
- ensure the efficiency and effectiveness of risk monitoring systems;
- ensure the existence, updating and application of business continuity strategies and risk management policies.

Responsibilities of the BoD
Options for the BoD:
1. Delegating to the AUDIT COMMITTEE
2. Creating a RISK ASSESSMENT or RISK MANAGEMENT COMMITTEE
3. Creating a management-based RISK MANAGEMENT GROUP
In the peculiar case of financial institutions, a RISK POLICY COMMITTEE is created to support the BoD in its responsibility of setting tolerance thresholds for risks.

A new Chief Officer: CRO - CHIEF RISK OFFICER
- He/she is the executive accountable for enabling the efficient and effective governance of significant risks, and related opportunities, to a business and its various segments.
- In complex organizations, he/she is generally responsible for coordinating the organization's ERM approach.
- He/she has to ensure that the organization is in full compliance with applicable regulations and to analyze all risk-related issues.
- He/she has business-related experience, with actuarial, accounting, economics and legal backgrounds.
- He/she is accountable to the Executive Committee and the Board for enabling the business to balance risk and reward.

OECD RM & CG: CG and the Financial Crisis (OECD, 2010)
- One of the greatest shocks from the financial crisis has been the widespread failure of risk management;
- It should be fully understood by regulators and other standard setters that effective risk management is not about eliminating risk taking: risks should be understood, managed and, when appropriate, communicated;
- Effective implementation of risk management requires an enterprise-wide approach rather than treating each business unit individually;
- The board should also review and provide guidance about the alignment of corporate strategy with risk appetite and the internal risk management structure;
- Risk management and control functions should be independent of profit centres, and the CRO or equivalent should report directly to the board;
- The process of risk management and the results of risk assessments should be appropriately disclosed;
- CG standard setters should be encouraged to include or improve references to risk management in order to raise awareness and improve implementation.

OECD RM & CG: Financial Crisis effects on listed companies
Main outcome:
- risk not managed on an enterprise-wide basis and not adjusted to corporate strategy;
- boards were ignorant of the risks facing the company.
Challenges:
- linking risks to strategy;
- better defining risks;
- effectively considering stakeholders' concerns.

OECD RM & CG: McKinsey survey on listed companies (2011) reveals that:
1. 44% of respondents said that boards simply review and approve management's proposed strategies;
2. only 14% of board time was spent on business risk management;
3. 14% of respondents had a complete understanding of the risks their company faced;
4. 50% of directors said that the information received was too short-time.

OECD RM & CG: Risk Management and Corporate Governance (OECD, 2014), survey on 27 jurisdictions (participants in the OECD Corporate Governance Committee):
- while risk-taking is a fundamental driving force in business and entrepreneurship, the cost of risk management failures is still often underestimated;
- most companies consider that risk management should remain the responsibility of line managers;
- corporate governance standards should place sufficient emphasis on ex ante identification of risks;
- risk governance standards tend to be very high-level, limiting their practical usefulness, and/or focus largely on financial institutions;
- boards place sufficient emphasis on potentially catastrophic risks, even if these do not appear very likely to materialize.

(Slide: chart of companies with a committee with explicit reference to risk (2010); figure not reproduced.)
(Slide: table of risk governance requirements/recommendations for listed companies; figure not reproduced.)

Risk analysis process
1. Risk Recognition: identify risks, threats and hazards.
2. Risk Assessment: assess the effect; consider the value, sensitivity and criticality of the event; prioritize risk exposure.
3. Risk Evaluation: determine the probability of the event.
4. Risk Management Policy: determine the RMP to resolve the risk.
5. Board Policy Approval.
6. Risk Monitoring and Reporting: monitoring and recording risk; review of ongoing insurance coverage; routine board supervision for the application of the policy.
7. Revision of the policies.

Risk recognition and assessment
How to recognize/assess risks? Some risks have never occurred before, or there are no data or experience to evaluate their impact. It is important to create a corporate culture throughout the organization oriented to RISK RECOGNITION AND ASSESSMENT. Tools:
- tabular approach
- mind mapping
- software programs
- questionnaires
- risk benchmarking
SOFTWARE PROGRAMS support: identification of risks; development of appropriate risk management policies; supporting ongoing business activities.

Risk evaluation
To measure the extent of a risk i: R_i = L_i * p(L_i), where L_i is the amount of the loss and p(L_i) is the probability of the loss occurring. But both the amount of the loss (L) and the probability of a risk occurring (p(L)) might be difficult to determine, hence the need for APPROPRIATE RISK MANAGEMENT POLICIES!

(Slide: Risk evaluation matrix, Impact of the event (low to high) vs. Likelihood of the event (low to high). Cells: "Mitigate, assume or insure the risk"; "Carry any further costs itself"; "Sharing risk"; "No significant need of RM policies"; "BoD decision". Cell positions are not recoverable from the transcript.)

Risk management information system
Directors don't have to be concerned about risks only once they have occurred! Centralization of information and risk management responsibility is the core approach of ENTERPRISE RISK MANAGEMENT:
- provide information on a regular basis for management, to take executive decisions;
- support the board in its monitoring and supervisory function;
- enable the company to communicate externally (auditors, regulators, shareholders).
Issue: confidentiality of risk management data.

Risk transfer
The oversight of risks is strictly a BoD responsibility, as a basic element of corporate governance. Therefore, the BoD should define / agree on corporate risk strategies and risk policies:
- AVOID THE RISK
- TRANSFER THE RISK
- MITIGATE THE RISK
- RETAIN THE RISK

Risk Management Policy: 10 steps to define a Risk Management Policy
A Risk Management Policy serves two main purposes:
- to identify, reduce and prevent undesirable incidents or outcomes;
- to review past incidents and implement changes to prevent or reduce future incidents.
Knowing how to write a risk management policy is a central part of an organization's or business's strategic planning and growth.

1. POTENTIAL RISKS: Identify all potential risks for the company. Consider all the different transactions or processes in the reference context. Include long-term strategic objectives and decisions, operational or day-to-day activities, financial management and controls, intellectual and information technology actions and knowledge, and compliance/regulatory issues and policy decisions. Write down all the things that could potentially go wrong and how that might happen. Divide this information into sections to address each individually.

2. ANALYZE THE RISKS: All the identified potential risks should be analyzed. Write down how they may occur, potential methods of prevention, additional steps that could be taken to prevent them, and how those risks are evaluated and assessed regularly.

3. PAST INCIDENTS: Assess all the past incidents that occurred to the organization and how these occurrences were handled. Consult past records to determine how frequently incidents have happened and how they were handled, including processes that worked and those where there were areas for improvement.

4. RE-OCCURRENCE: Estimate the likelihood of each risk. The probability of each risk should be estimated based on the history of the organization, best practices and peer experiences.

5. TREATMENT PLAN: Develop a treatment plan for all of the identified risks. The treatment plan should be designed prioritizing the identified risks that are more likely to occur. Be sure to outline a step-by-step expectation for how each risk will be avoided, how it will be handled if it does occur, and how it will be recorded.

6. COSTS: Calculate and include cost estimations. For all the steps needed to align with the risk management policy recommendations, costs should be estimated. Information on costs should be provided to the internal audience when the policy is proposed.

7. REPORTING: Prepare a report for both internal and external stakeholders. The auditing steps in place to revisit and evaluate the policy should be illustrated. The internal audiences need to know the greatest risks, who is accountable for what, and how the process will be monitored. The external audiences need to know that risk management is a part of the organization's culture and how the process and policy have been laid out.

8. DATA TRACKING: Create a data tracking system to input all statistics on risk management successes and failures. Training activities for staff to use the created database should be performed. Creating a risk assessment form to be used after an incident can be a useful tool to examine whether more precautions should have been taken. This allows all the data to be recorded right after the occurrence, and the same information to be gathered each time.

9. MONITORING: Design a monitoring process. Set up a regular monitoring process to review all risks and evaluate how the treatment plan has been working.

10. RMP REVIEW: Regularly update the RMP. Revisit the risk management policy every 6 months to evaluate its effectiveness by comparing incident occurrence rates. Revise the plan as necessary. Risk management planning and evaluation should be a continuous, evolving process that integrates seamlessly into a company's or organization's culture.

DON'T FORGET:
- the needed awareness of all board members, senior managers, employees, volunteers and residents concerning risk management within the organization;
- establishing a Risk Management Committee with representatives from each department, whose responsibilities will be to implement, monitor, evaluate and revise plans to achieve goals and objectives;
- electing a Risk Management Coordinator to serve as the head of the Risk Management Committee and report to the BoD;
- including risk management as an item for discussion at every staff meeting.

References
- Tricker B., 2015, Corporate Governance. Principles, Policies and Practices, Third edition. Oxford University Press. Chapter 8.
- Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2004, Enterprise Risk Management Integrated Framework: Executive Summary.
- OECD (2014), Risk Management and Corporate Governance, Corporate Governance, OECD Publishing. http://dx.doi.org/10.1787/9789264208636-en