ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE



Similar documents
USING SPREADSHEETS TO MANAGE GOVERNANCE, RISK AND COMPLIANCE:

COMPLIANCE MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS COMPLIANCE MANAGEMENT SOLUTIONS

building a business case for governance, risk and compliance

PRACTICAL GUIDANCE: SEVEN STEPS FOR EFFECTIVE ENTERPRISE RISK MANAGEMENT

ACCELUS RISK MANAGEMENT SOLUTIONS THOMSON REUTERS ACCELUS ACCELUS RISK MANAGEMENT SOLUTIONS

THOMSON REUTERS ACCELUS

B o a r d of Governors of the Federal Reserve System. Supplemental Policy Statement on the. Internal Audit Function and Its Outsourcing

Getting to strong Leading Practices for value-enhancing internal audit By Richard Reynolds and Abhinav Aggarwal - PricewaterhouseCoopers LLP

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

OWN RISK AND SOLVENCY ASSESSMENT AND ENTERPRISE RISK MANAGEMENT

Placing a Value on Enterprise Risk Management ADVISORY

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

Enterprise Risk Management

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

Operational Risk Management Program Version 1.0 October 2013

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

CFE 2. Enterprise Risk Management. Study Guide - Supplemental Background Material

Applying Risk Assessment to Your Audit Plan Break-out Session T3, Tuesday, October 26 2:00-2:50pm

Analyzing Risks in Healthcare. February 12, 2014

Foreign business partners under the FCPA

ACCELUS COMPLIANCE MANAGER FOR FINANCIAL SERVICES

Risk Management KPIs: Efficiency Tool or Formality?

Exhibit 1: Structure of a heat map

Developing an Effective Enterprise Risk Management Program

The Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

Risk Assessment & Enterprise Risk Management

Preparing for the Convergence of Risk Management & Business Continuity

Operational Risk Management in a Debt Management Office

Effective Internal Audit in the Financial Services Sector

Accelus Audit Manager THOMSON REUTERS ACCELUS

Get More Out of Your Risk Assessment. Austin Chapter of the IIA

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

Risk management and the transition of projects to business as usual

Sample Financial institution Risk Management Policy 2011

Understanding Today s Enterprise Risk Management Programs

A Risk-Based Audit Strategy November 2006 Internal Audit Department

How To Manage Risk At Atb Financial

Industry Sound Practices for Financial and Accounting Controls at Financial Institutions

INTERNATIONAL STANDARDS FOR THE PROFESSIONAL PRACTICE OF INTERNAL AUDITING (STANDARDS)

CONSULTATION PAPER Proposed Prudential Risk-based Supervisory Framework for Insurers

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Matthew E. Breecher Breecher & Company PC November 12, 2008

fs viewpoint

ENTERPRISE RISK MANAGEMENT POLICY

NEW YORK STATE-WIDE PAYROLL CONFERENCE. Presented to:

AN INTEGRATED APPROACH TO COMPLIANCE AND RISK MANAGEMENT IS THE BEST WAY FORWARD BY MARTIN WOODS OCTOBER 2011

Sound Practices for the Management of Operational Risk

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Enterprise risk management: A pragmatic, four-phase implementation plan

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Organizing a Financial Institution to Deliver Enterprise-Wide Risk Management By Kaan H. Aksel PricewaterhouseCoopers

The Value of Vulnerability Management*

6/8/2016 OVERVIEW. Page 1 of 9

OPERATIONAL RISK RISK ASSESSMENT

RISK MANAGEMENT REPORT (for the Financial Year Ended 31 March 2012)

GE Capital. Driving change and continuous process improvement. how-to

Transforming risk management into a competitive advantage kpmg.com

MISSION VALUES. The guide has been printed by:

SUPERVISION GUIDELINE NO. 9 ISSUED UNDER THE AUTHORITY OF THE FINANCIAL INSTITUTIONS ACT 1995 (NO. 1 OF 1995) RISK MANAGEMENT

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

Assessing Credit Risk

Impact of New Internal Control Frameworks

ERM Standards of Practice and Shared Risk Principles

Credit Union Liability with Third-Party Processors

Beyond risk identification Evolving provider ERM programs

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Good Practice Checklist

Governance, Risk, and Compliance (GRC) White Paper

Understanding and articulating risk appetite

Operational Risk Management Table of Contents

PRACTICE GUIDE. Formulating and Expressing Internal Audit Opinions

The Unintended Effects of

Facilitating sound practices in risk management with IBM OpenPages Operational Risk Management

CHAPTER 7 PLANNING THE AUDIT: IDENTIFYING AND RESPONDING TO THE RISKS OF MATERIAL MISSTATEMENT

Saxo Capital Markets CY Limited

Operational Risk Management Excellence Get to Strong Survey

Global Technology Audit Guide. Auditing IT Governance

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

Feature. Developing an Information Security and Risk Management Strategy

RISK FACTORS AND RISK MANAGEMENT

The Role of the Board in Enterprise Risk Management

Physician Enterprise The Importance of Charge Capture, Business Intelligence and Being a Data Driven Organization

THE PRACTICE OF PROFILING BY DAVID THOMAS

AN AUDIT OF INTERNAL CONTROL OVER FINANCIAL REPORTING THAT IS INTEGRATED WITH AN AUDIT OF FINANCIAL STATEMENTS:

Auditing Standard 5- Effective and Efficient SOX Compliance

A proven 5-step framework for managing supplier performance

The Value of Optimization in Asset Management

THOMSON REUTERS ACCELUS. Know Your Customer (KYC), Kontrol Your Costs (KYC) and Keep Your Customers (KYC) happy

How To Use Risk It

Risk mitigation for business resilience White paper. A comprehensive, best-practices approach to business resilience and risk mitigation.

WHITEPAPER LOOKING INTO THE FUTURE WITH THE THOMSON REUTERS/ PAYNET SMALL BUSINESS LENDING INDEX (SBLI)

Advanced Data Analytics, the Fraudsters Worst Enemy

Transcription:

ENTERPRISE RISK MANAGEMENT ASSESSMENT GUIDE WHITEPAPER

CONTENTS CONTENTS INTRODUCTION 1 IS YOUR RISK MANAGEMENT PROCESS REALLY ASSESSING RISK? 1 IS YOUR RISK ASSESSMENT CONTEXT DRIVEN? 2 DOES YOUR RISK MANAGEMENT PROCESS ADDRESS ROOT CAUSE OF FAILURE? 2 WHAT DOES YOUR BUSINESS PERFORMANCE TELL YOU ABOUT RISK? 3 WHAT DO RISKS TELL YOU ABOUT YOUR CONTROLS? 4 WHAT DO CONTROLS TELL YOU ABOUT YOUR RISKS? 5 ARE YOU UP FOR THE TASK OF RISK MANAGEMENT? 6 KNOWLEDGE AND EXPERIENCE REQUIREMENTS FOR RISK MANAGEMENT LEADERS 6 ABOUT THOMSON REUTERS 7 II

INTRODUCTION Government bail outs, pro-cyclical financial markets, and an overall economic meltdown have placed a significant focus on the discipline and practice of risk management. In light of these events, risk professionals and organizational leaders are taking an introspective view of their risk management practices. By considering these seven questions, organizations and risk professionals will sharpen their daily risk management tools and be better equipped to make tactical improvements to risk management practices. 1. Is Your Risk Management Process Really Assessing Risk? 2. Is Your Risk Assessment Context-Driven? 3. Does Your Risk Management Process Address Root Cause of Failure? 4. What Does Your Business Performance Tell You About Risk? 5. What Do Risks Tell You About Your Controls? 6. What Do Controls Tell You About Your Risks? 7. Are You Up For the Task of Risk Management? IS YOUR RISK MANAGEMENT PROCESS REALLY ASSESSING RISK? In far too many cases the answer to this question is NO. Many so-called risk management processes are not necessarily identifying and assessing risks. Many risk management practices, as implemented, are simply identifying and assessing the risk of control failure, not the specific risk the control is to mitigate. Risk-based thinking approaches the assessment with the premise that risks are predictable and avoidable. The risk-based discipline tracks loss events, analyzes root causes, and eliminates or mitigates the cause of the risk failure. Control-based thinking takes the approach that events are unpredictable and unavoidable, and controls are needed to mitigate the risks. Negative impacts are the result of broken controls, not of unidentified or mitigated risks. Risk-based thinking approaches the assessment with the premise that risks are predictable and avoidable. A simple indicator on the general emphasis on controls versus risks in common practice is outlined in the table below which reflects the word count comparison of two risk management frameworks (Basel II and ISO 31000) and several well-known control frameworks including the risk-based PCAOB AS5, ISO 27001, and the COSO Guidance on Monitoring Internal Control Systems. The word count is a simple tally of where the words risk and control appear in the referenced documents. The relevant emphasis on risk and control is evidenced in the word counts. WORD COUNT COMPARISON Risk Control Basel II 1,500 67 ISO/DIS 31000 339 5 COSO Monitoring (Volumes 1 and 2) 175 641 ISO 27001:2005 65 192 PCAOB AS5 168 635 1

If a risk is defined as a broken or failed control, a control-based approach is in use and controls are primarily being assessed, not risks. If inherent or residual risks are not measured and assessed, a control-based approach is being used and controls, not risks, are being assessed. It is imperative to know what risks the controls are addressing and to identify those risks first. If an organization reports on control effectiveness over risks, controls and not risks are being assessed. Risks are just there to hang controls from, not to be understood and managed. There is nothing wrong with identifying and assessing controls. It is a perfectly valid approach. But by itself it is insufficient and has proven to be inherently unreliable. It is imperative to know what risks the controls are addressing and to identify those risks first. For example, little faith would be put in a doctor who prescribed medication without identifying symptoms, e.g., performing a risk assessment. Don t trust control assessments where no risk assessment is conducted (or vice versa). IS YOUR RISK ASSESSMENT CONTEXT DRIVEN? Black swans hide where no one thinks to look. The history of risk assessment suggests that at least half of the problem is not looking in the right place for risks. The other half is looking in the right places and failing to find the risk. Context-driven risk assessment refers to the process of identifying all the topics or areas that need to be risk assessed. Contexts can be accounts, strategies, laws and regulations, organization entities, lines of business or any other relevant topic areas. It is wrong to believe that the right contexts will be identified and addressed from within the organization by business operational managers and professionals. These leaders have typically been proven to be blinded by narrow vision, short range thinking, or do not have perspective across the entire entity to have a good handle on the enterprise-wide risks. Therefore, context must be identified at the organization level and the related risk assessments must be coordinated by senior management and the board. DOES YOUR RISK MANAGEMENT PROCESS ADDRESS ROOT CAUSE OF FAILURE? With control-based approaches, there is typically no requirement for root cause analysis. In the control-based approach, control breakdowns simply need to be identified and reported, regardless if the root cause remains obscure. For example with PCAOB AS5 there is no requirement for the identification, reporting or remediation of any related root cause. Publicly-reported significant deficiencies and material weaknesses do not require and seldom receive any root cause analysis. The COSO Guidance on Monitoring Internal Control Systems does not require root cause analysis nor does ISO 27001. It would be unthinkable today for an airplane to crash or a bridge to collapse without a detailed public report on the root cause and measures taken to ensure the problem does not reoccur. This degree of scrutiny does not generally exist in the risk management professions. Notable exceptions are the quality, safety and environmental movements. Generally speaking, if incidents, near misses and loss events are not tracked, the root cause of failure will not be analyzed. If the root cause of failure is not addressed the problem will be repeated. The following table, created by the U.S. General Accounting Office lists the causes of bank failures in the U.S. Although created in 1987, it could have been written last week. 2

ROOT CAUSES OF BANK FAILURES (1987) % OF BANKS Management Philosophy and Operating Style Inadequate board supervision 49% Over reliance on volatile funding sources 32% Presence of dominant figure 37% Excessively growth oriented philosophies 26% Management Operational Practices Lack of general lending policies 79% Poor loan administration 42% Poor loan documentation/inadequate credit analysis 41% Inadequate loan loss allowance 29% WHAT DOES YOUR BUSINESS PERFORMANCE TELL YOU ABOUT RISK? Many risk and control practitioners fail to consider business performance when assessing either risk or control. In other words, it is not only possible, but common, to get a passing mark on risk management or control effectiveness when business performance is screaming the contrary. Here are some common symptoms of business performance issues that suggest risks are not being managed: 1. Process performance/error rates are off target 2. Key performance indicators are consistently outside target 3. Key performance indicators are never outside target 4. Budget/actual variances are material (positive or negative) 5. Capital projects are delayed or over/under spent 6. Earnings volatility is out of line with peers 7. Variances cannot be explained by known risks 8. Clean 404 opinions are followed by material weakness disclosures 9. Internal audit recommendations always increase vs. decrease controls Most risk and control frameworks fail to consider business or process performance. Neither SOX nor the PCAOB AS5 pay much attention to business performance. COSO monitoring prefers testing to monitoring performance. Basel II does support key risk indicators and key performance indicators. The premise here is that over time, on target, consistent business or process performance is de facto evidence of effective risk and control management. Many risk and control practitioners fail to consider business performance when assessing either risk or control. Performance variances should be explained as unidentified or unmanaged risks. Unusual business performance should be explained by unusual risks. But risk and control assessment not tied to business or process performance is not helpful and may be dangerous. 3

WHAT DO RISKS TELL YOU ABOUT YOUR CONTROLS? In late 2007, Standard & Poor s issued a discussion paper outlining their proposal to assess corporate risk management practices as part of their credit rating process. The Sample Risk Types they proposed in the discussion paper are very useful. In the normal course of events, most companies would be expected to encounter most of these risk types, quite often in multiple locations or processes. Not only that, but the nature and level of these risks will change constantly over time and by location or process. In short, most risks cannot be controlled, they must be managed. STANDARD & POOR S SAMPLE RISK TYPES In short, most risks cannot be controlled, they must be managed. Environmental risks Financial risks Supply risks Management risks Business continuity Business market environment Environmental Liability lawsuits Natural disasters/weather Pandemic Physical damage Political risk Regulatory/legislative Terrorism Capital availability Credit counterparty Financial market risk Inflation Interest rates Liquidity Commodity prices Supply chain Corporate governance Data security Employee health and safety Intellectual property Labor disputes Labor skills shortage M&A/restructuring Managing complexity Outsourcing problems Project management Reputation Risk management involves an ongoing process similar to the diagram below. It involves clarifying accountability and decision rules and continuously updating information and reporting. Risks need managing, not controlling. Controls designed to manage risks must be appropriate to the risk. COSO risk assessment, monitoring and control environment controls should be designed, documented and tested. 4

You are beginning to manage risks if: You can identify in which contexts these risks exist You can track frequency distributions of instances of risks by type You recognize risk identification and assessment in your compensation/reward system You track incidents/loss events/issues and actions associated with key risks You have identified risk tolerances and appetite WHAT DO CONTROLS TELL YOU ABOUT YOUR RISKS? More controls do not mean less risk; the opposite is often true. Too many controls may be evidence of lack of effective risk management practices. Good risk management considers a variety of risk responses, of which controls are only one. The proliferation of control-based approaches to risk has led to extensive identification, documentation, testing and reporting of controls. That can be a mistake if carried to an extreme. If you have gathered more knowledge about controls than about risks, and focus on the control side of the equation, it is a clear indication of bad risk management practices. More controls do not mean less risk; the opposite is often true. Generally speaking, good risk management practices will produce a 3:1 or greater ratio of risks to controls. Risk-based approaches gather more knowledge about risk than control. Today that ratio is often reversed. Risk control ratios of 1:3 are common. Some balance is required, but generally a risk control ratio of >1 is desirable. Risks can be documented and tested too, and should be continually assessed. If you get the risk side wrong, you can t get the control side right. Low risk:control ratios indicate business management has not been involved in risk identification, is unwilling to be candid or is not completely honest. In a healthy and safe environment, business managers, if asked, will provide a wealth of detailed information. Rich, detailed knowledge of 5

risks provides a basis for far more efficient-and-effective control portfolios. The more and better the knowledge of risk, the more effective and efficient the control portfolio. Expect fewer, not more controls, but expect them to be better, more powerful controls. Standard & Poor s, in assessing ERM, looks for compliance-based approaches to risk management and scores them poorly. Low risk:control ratios are indicative of compliance-based approaches to risk management. Many control portfolios are designed from a react and respond perspective. They are not designed with specific risks in mind. The philosophy is that risks are unknown and unavoidable but enough controls will save the day. That has proven to be inefficient and ineffective. ARE YOU UP FOR THE TASK OF RISK MANAGEMENT? Risk management requires the mastery of a body of knowledge, specific skill sets and the appropriate use of technology. A sample of the knowledge and skill requirements is set out below. KNOWLEDGE AND EXPERIENCE REQUIREMENTS FOR RISK MANAGEMENT LEADERS Risk management is a young profession with huge potential to help address and resolve some of the worst problems we are experiencing on a day-to-day basis. 1. Technology implementation for risk management which includes knowledge of best practices in a wide range of topics such as developing process structure, KPIs, KRIs and selecting or designing other critical contexts for risk management 2. Experience leading and completing ERM assessments for the organization as a whole or major business units or functions, completing SOX certifications and ORM and other process level risk assessments 3. Selection and application of risk models and use of the risk identification and rating desktop for identifying and classifying all relevant risks 4. Tools and techniques for root cause analysis and business process improvement 5. Development of reliable descriptions of loss events, incidents and issues or actions with respect to the context selected 6. Understanding the major approaches to self-assessment and business reasons for adopting self-assessment approaches to risk and control management 7. Understanding organizational risk and control self-assessment (RCSA) barriers and implementation of effective tactics and tools for RCSA 8. Understanding of generally accepted control criteria including all major control and quality models (COSO/CobiT/COCO/ISO/OTOL, etc.) 9. Understanding of generally accepted risk criteria including the leading risk standards and frameworks (COSOERM, AS/NZ4360, ISO31000, etc.) 10. Linkages between SOX legislation, relevant PCAOB audit standards, the Basel II and Solvency 2 ORM requirements and other major regulatory frameworks governing risk and control such as Turnbull, J-SOX and IIA Professional Practice Framework, etc. 11. Understanding and implementing major industry specific risk and control assessment frameworks Risk management is a young profession with huge potential to help address and resolve some of the worst problems we are experiencing on a day-to-day basis. But true professionals are rooted in public service and some degree of altruism. There is a long way to go to achieve that goal. But fundamental tools, practices, knowledge and skills exist today. Risk managers must proceed carefully but quickly. 6

ABOUT THOMSON REUTERS Thomson Reuters is the world s leading source of intelligent information for businesses and professionals. The company combines industry expertise with innovative technology to deliver critical information for leading decision-makers in the financial, legal, tax and accounting, scientific and healthcare markets. Our solutions dynamically connect business transactions, strategy, and operations to the everchanging regulatory environment, providing highly regulated firms with the knowledge to act. Our client groups include compliance, audit, legal and risk functions within the organization. We partner with firms to manage their risk exposure and accelerate their business at every step. The Thomson Reuters Accelus suite of products provides powerful tools and information that enable proactive insights, dynamic connections, and informed outcomes that drive overall business performance. Thomson Reuters Accelus is the combination of the market-leading solutions provided by the heritage businesses of Complinet, Oden, Paisley, West s Capitol Watch, Westlaw Business, and Westlaw Compliance Advisor. Learn More Call: 763.450.4700 Email: enterprisegrc@thomsonreuters.com Visit: accelus.thomsonreuters.com Thomson Reuters. All rights reserved. Republication or redistribution of Thomson Reuters content, including by framing or similar means, is prohibited without the prior written consent of Thomson Reuters. 'Thomson Reuters' and the Thomson Reuters logo are registered trademarks and trademarks of Thomson Reuters and its affiliated companies.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information