Developing an Effective Enterprise Risk Management Program

Similar documents
Matthew E. Breecher Breecher & Company PC November 12, 2008

A Risk-Based Audit Strategy November 2006 Internal Audit Department

Enterprise Risk Management

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

Policy : Enterprise Risk Management Policy

Implementing an Integrated City-wide Risk Management Framework

IFAD Policy on Enterprise Risk Management

University Audit and Compliance. Internal Controls Enterprise-Wide Risk Assessment

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

ENTERPRISE RISK MANAGEMENT POLICY

Fraud Risk Management

Risk Assessment & Enterprise Risk Management

Saldanha Bay Municipality. Risk Management Strategy. Inclusive of, framework, procedures and methodology

Sample Enterprise Risk Management Work Plan Fiscal Years 20XX and 20YY Revised June Internal Environment / Objectives Setting

Analyzing Risks in Healthcare. February 12, 2014

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

Enterprise Risk Management in a Highly Uncertain World. A Presentation to the Government-University- Industry Research Roundtable June 20, 2012

Enterprise Risk Management

and Risk Tolerance in an Effective ERM Program

12/19/2014. HIPAA More Important Than You Realize. Administrative Simplification Privacy Rule Security Rule

RSA ARCHER OPERATIONAL RISK MANAGEMENT

AMTRAK CORPORATE GOVERNANCE: Implementing a Risk Management Framework is Essential to Achieving Amtrak s Strategic Goals

Fraud Prevention and Deterrence

C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n

Professional. Compliance & Ethics. 19 The cost of unethical behavior. 33 Graduate degrees in Compliance: Training the next generation

FINDING THE RISK IN RISK ASSESSMENTS NYSICA JULY 26, Presented by: Ken Shulman Internal Audit Director, New York State Insurance Fund

Enterprise Risk Management & Information Technology

RISK BASED AUDITING: A VALUE ADD PROPOSITION. Participant Guide

Get More Out of Your Risk Assessment. Austin Chapter of the IIA

The Essentials of Enterprise Risk Management. Steven C. Tourek, Senior Vice President, General Counsel & Secretary, The Marvin Companies

RISK MANAGEMENT IN A FOR-

Framework for Enterprise Risk Management

LEVERAGING COSO ACROSS THE THREE LINES OF DEFENSE

The Role of the Board in Enterprise Risk Management

Risk Management - Board & Management Responsibilities Murray Short, MBA, CPA CA Not-for-Profit Partner RLB LLP

University of Windsor Board of Governors. That the Board of Governors approve of the Enterprise Risk Management Framework.

Enterprise Risk Management

Improving Financial Performance, Governance and Compliance

Risk Management and Internal Audit Specialized Training Course Audit Risk Assessment Methodology

Transmittal Letter Objectives and Scope Approach Financial System Permitting Application... 9

Practice Guide COORDINATING RISK MANAGEMENT AND ASSURANCE

ENTERPRISE RISK MANAGEMENT. J. Joseph Hoey, Ed.D. Bridgepoint Education CAIR 2015

Comprehensive Risk Assessment and Developing the Audit Plan

Performing Effective Risk Assessments Dos and Don ts

Guidance Note: Corporate Governance - Board of Directors. March Ce document est aussi disponible en français.

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

How To Understand The Role Of An Internal Audit

Enterprise Risk Management Integrated Framework. Executive Summary

Strategic Risk Management for School Board Trustees

International Diploma in Risk Management Syllabus

Enterprise Risk Management: COSO, New COSO, ISO Review of ERM

Administrative Guidelines on the Internal Control Framework and Internal Audit Standards

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Enterprise Risk Management

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

Enterprise Risk Management

WFP ENTERPRISE RISK MANAGEMENT POLICY

Preparing for the Convergence of Risk Management & Business Continuity

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000

ERM Program. Enterprise Risk Management Guideline

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Department of Veterans Affairs VA Directive VA Enterprise Risk Management (ERM)

Operational Risk Management Program Version 1.0 October 2013

Key Components of Enterprise Risk Management (ERM) Framework

Bridgend County Borough Council. Corporate Risk Management Policy

GAINING CONTROL: Building Your Existing Framework into an ERM Model

Regulatory Compliance Framework An Electric Utility Model. Abstract. Grier Consulting Group LLC

STRESS TESTING GUIDELINE

Enterprise Risk Management: Taking the First Steps

Integrated Risk Management:

Presentation Objectives Why is Internal Audit here? Concepts (Enterprise Risk Management, Strategic Risk, Strategic Risk Management, etc.

Operational Risk Management in a Debt Management Office

CFE 2. Enterprise Risk Management. Study Guide - Supplemental Background Material

Enterprise Risk Management, Compliance, Management Advisory Services: An Integrated Approach

Risk, Risk Assessments and Risk Management. Christopher Bowler CPA, CISA August 10, 2015

EIB Group Risk Management Charter

SOL PLAATJE MUNICIPALITY ENTERPRISE RISK MANAGEMENT FRAMEWORK AND POLICY

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Cybersecurity The role of Internal Audit

Preparing for ORSA - Some practical issues

Corporate risk register

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Enterprise Risk Management

Clarius Group Risk Management Policy and Framework

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

Beyond risk identification Evolving provider ERM programs

POLICY. Number: Title: Enterprise Risk Management. Authorization

Enterprise risk management: A pragmatic, four-phase implementation plan

Transcription:

Developing an Effective Enterprise Risk Management Program Jay Brietz, CPA and CIA Senior Manager

This material was used by Elliott Davis Decosimo during an oral presentation; it is not a complete record of the discussion. This presentation is for informational purposes and does not contain or convey specific advice. It should not be used or relied upon in regard to any particular situation or circumstances without first consulting the appropriate advisor. No part of the presentation may be circulated, quoted, or reproduced for distribution without prior written approval from Elliott Davis Decosimo. 2

Agenda Background An ERM Framework Roles in the Risk Assessment Process Key Implementation Factors 3

Background We perform risk assessments everyday and we make risk-based decisions 4

Background Importance of the risk assessment Critical part of the risk management process and important planning tool for your bank Increased focus of regulators Increased focus of rating agencies Risk 101 5

Background Risk concepts and terms: Risk -vs- uncertainty Definitions of risk Myths about risks 6

Background What is the difference between risk and uncertainty? 7

Background COSO s definition of risk The possibility that an event will occur and adversely affect the achievement of an objective. 8

Background Other definitions of risk A probability or threat of damage, injury, liability, loss, or any other negative occurrence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action. BusinessDictionary.com 9

Background The Economic Times describes risks Risks are of different types and originate from different situations. We have liquidity risk, sovereign risk, insurance risk, business risk, default risk, etc. Various risks originate due to the uncertainty arising out of various factors that influence an investment or a situation. 10

Background Myths about risk All risks are bad Some risks are so bad we should automatically eliminate them (half-court shot, hole-in-one) Playing it safe is always the safest answer You cannot develop plans for the unknown 11

Background Other risk assessments that often feed into the banks ERM Model Internal Audit Risk Assessment Our focus today Other Risk Assessments Enterprise Risk Management Fraud Risk Assessment Compliance Risk Assessment IT Risk Assessment 12

Agenda Background An ERM Framework Roles in the Risk Assessment Process Key Implementation Factors 13

An ERM Framework Credit ERM 14

An ERM Framework COSO s definition of Enterprise Risk Management A process, effected by an entity s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. 15

An ERM Framework COSO s Enterprise Risk Management Integrated Framework The eight components of the framework are interrelated 16

An ERM Framework Internal Environment Establishes a philosophy regarding risk management Recognizes that unexpected as well as expected events may occur Establishes the entity s risk culture Considers all other aspects of how the organization s actions may affect its risk culture Source: COSO s Enterprise Risk Management Integrated Framework 17

An ERM Framework Objective Setting Is applied when management considers risks in the setting of objectives Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite Source: COSO s Enterprise Risk Management Integrated Framework 18

An ERM Framework Event Identification Differentiates risks and opportunities Events that may have a negative impact represent risks Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives Addresses how internal and external factors combine and interact to influence the risk profile Source: COSO s Enterprise Risk Management Integrated Framework 19

An ERM Framework Risk Assessment Allows an entity to understand the extent to which potential events might impact objectives Assesses risks from two perspectives: - Likelihood - Impact Is used to assess risks and is normally also used to measure the related objectives Employs a combination of both qualitative and quantitative risk assessment methodologies Relates time horizons to objective horizons Assesses risk on both an inherent and a residual basis Source: COSO s Enterprise Risk Management Integrated Framework 20

An ERM Framework Risk Response Identifies and evaluates possible responses to risk Evaluates options in relation to entity s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood Selects and executes response based on evaluation of the portfolio of risks and responses Source: COSO s Enterprise Risk Management Integrated Framework 21

An ERM Framework Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out Occur throughout the organization, at all levels and in all functions Include application and general information technology controls Source: COSO s Enterprise Risk Management Integrated Framework 22

An ERM Framework Information & Communication Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities Communication occurs in a broader sense, flowing down, across, and up the organization Source: COSO s Enterprise Risk Management Integrated Framework 23

An ERM Framework Monitoring Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities Separate evaluations A combination of the two Source: COSO s Enterprise Risk Management Integrated Framework 24

Agenda Background An ERM Framework Roles in the ERM Process Key Implementation Factors 25

Roles in the ERM Process Three lines of defense 1. Front line unit 2. Risk management, compliance, etc. 3. Internal audit, credit review, etc. 26

Roles in the ERM Process Three lines of defense - Front line unit Boots on the ground managers of risk Must have the ability to identify, assess and react to risks on a day-to-day basis Own and manage the risks of their area Incented to raise the flag 27

Roles in the ERM Process Three lines of defense Risk Management Supports and guides the risk owners Manages the risk framework Monitors risk and compliance with guidance via metrics and other measures 28

Roles in the ERM Process Three lines of defense Internal Audit Play an important role in monitoring ERM, but should NOT have primary responsibility for its implementation or maintenance Assist management and the board or audit committee in the process by: Ongoing monitoring Separate evaluations Recommending improvements 29

Agenda Background An ERM Framework Roles in the ERM Process Key Implementation Factors 30

Key Implementation Factors Organizational design of the business Establishing an ERM organization Performing risk assessments Determining overall risk appetite Identifying risk responses Communication of risk results Monitoring Oversight and periodic review by management The last key implementation factor 31

Key Implementation Factors Organizational Design of the Business Strategies of the business Key business objectives Related objectives that cascade down the organization from key business objectives Assignment of responsibilities to organizational elements and leaders (linkage) 32

Key Implementation Factors Establishing an ERM Organization Determine a risk philosophy Survey risk culture Consider organizational integrity and ethical values Decide roles and responsibilities 33

Key Implementation Factors Example Organizational Structure Board of Directors Enterprise Risk Management Committee Audit Committee Asset/Liability Risk Operational Risk Risk Management (ERM) Internal Audit Fraud Risk Reputational Risk Compliance 34

Key Implementation Factors Performing Risk Assessments Identify the risk opportunities Assess/measure the risks identified Prioritize or rank the risks in order to form a risk appetite strategy 35

Key Implementation Factors Determining Overall Risk Appetite Risk appetite is the amount of risk an entity is willing to accept in order to attain appropriate or sought after returns Three components you should know before drafting a risk appetite: Strategic plan and organizational goals Organizational risk profile Risk thresholds used to monitor exposure compared to risk appetite 36

Key Implementation Factors Determining Overall Risk Appetite Key questions in developing your risk appetite: What risks will the organization not accept? (e.g. environmental or quality compromises) What risks will the organization take on new initiatives? (e.g. new product lines) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?) 37

Key Implementation Factors Identifying Risk Responses Avoidance Exiting the activities giving rise to the risk Reduction Action taken to reduce the risk likelihood or impact or both Management s response to risk Sharing Reducing the likelihood or impact by transferring or sharing a portion of the risk Acceptance No action is taken to affect risk likelihood or impact 38

Key Implementation Factors Identifying Risk Responses High Medium Risk High Risk I M P A C T Share Low Risk Mitigate & Control or Avoid Medium Risk Accept Control Low PROBABILITY High Source: COSO s Enterprise Risk Management Integrated Framework 39

Key Implementation Factors Communication of risk results Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) Flowcharts of processes with key controls noted Narratives of business objectives linked to operational risks and responses List of key risks to be monitored or used Management understanding of key business risk responsibility and communication of assignments 40

Key Implementation Factors Monitoring Collect and display information Perform analysis - Risks are being properly addressed - Controls are working to mitigate risks 41

Key Implementation Factors What is the Secret Key Implementation Factor? This is not sprint, it is a marathon - How about a 5K - How about a half marathon - Get some wins and build momentum Develop a plan to get to the finish line Communicate your progress 42

Additional Resources North Carolina State s ERM Initiative http://mgt.ncsu.edu/erm/ Institute of Internal Auditors http://www.theiia.org/ COSO http://www.coso.org/ Embracing Enterprise Risk Management: Practical Approaches for Getting Started Developing Key Risk Indicators to Strengthen Enterprise Risk Management 43

Additional Resources AICPA: ERM Guide for Practical Implementation and Assessment Professional standards: PCAOB Standards Nos. 8-15 The Risk Assessment Standards Auditing Standards SAS Nos. 104-112 Publications: Current Issues in Bank Auditing Bank Research Associates Bank Directors Magazine Federal Reserve Board: www.bankdirectorsdesktop.com 44

Questions 45

Jay Brietz, CPA and CIA Email: Jay.Brietz@elliottdavis.com Phone: 704.808.5247 Website: www.elliottdavis.com Elliott Davis Decosimo ranks among the top 30 CPA firms in the U.S. With seventeen offices across seven states, the firm provides clients across a wide range of industries with smart, customized solutions. Elliott Davis Decosimo is an independent firm associated with Moore Stephens International Limited, one of the world's largest CPA firm associations with resources in every major market around the globe. For more information, please visit elliottdavis.com. 46

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information