
Slide 1: Designing and Implementing an Enterprise Risk Management Framework
Advisory Services: Governance, Risk & Compliance
Caribbean Confederation of Credit Unions 2010 AGM and Conference
June 2010

Slide 2: Workshop Agenda
PricewaterhouseCoopers, June 2010
1. Introduction
2. After the Storm: Factors shaping the future Business Environment
3. Theoretical Framework
−Overview of the COSO Enterprise Risk Management - Integrated Framework
−ISO 31000: Risk Management - Principles and Guidelines on Implementation
4. Putting Theory into Practice
5. Role of Internal Audit
6. Final Thoughts

Slide 3: Introduction

Slide 4: Participants Introduction
Hello, I am…

Slide 5: Workshop Overview (Introduction)
Over the next two days, our objectives will be to:
−Understand the key factors that are likely to impact on the future business environment, and by extension, business strategy
−Determine where we are now, and where we ought to be, in terms of Enterprise Risk Management (ERM)
−Gain an understanding as to the process of getting to the desired state
−Assess the role of internal audit in supporting ERM

Slide 6: After the Storm: Factors shaping the future Business Environment

Slide 7: The Global Economic Crisis and its Impact
Worst recession in post-war history
Signs of recovery, but…
−Slow and uncertain growth
−Driven by government intervention and not through business expansion
Dark clouds:
−European debt crisis
−Geopolitical events
−Terrorism, civil disturbance
−Natural and man-made disasters
−Volatility in commodity prices, e.g. oil

Slide 8: A New Look at an Old Issue?
Risk management has always been a key priority for boards…
−Renewed attention following the recent global financial crisis, particularly in light of the role of risk management failures
Some ‘black swan’ events, but…
−Largest cause of significant incidents was failure in day-to-day operations, poor compliance culture, insufficient resources, complacency, perverse incentives, and low morale
−Other factors include inadequate monitoring, insufficient enforcement, lack of follow-up of known problems
−Known track record of risks and possible outcomes

Slide 9: The Future Business Environment
Not clearly defined, but not business as usual!
Some drivers have begun to emerge…
−Role of government
−Public sector finances
−Regulation
−Consumer behaviour
−Cost containment
−Risk management

Slide 10: Role of Government
Bailout resulted in government assuming ownership and control
Impact of wearing ‘two hats’
−Impact on role as regulator
−Possible bias?

Slide 11: Public Sector Finances
Economic stabilisation costs have devastated government finances in most countries
−Deficits in the region of 10% of GDP!
−Deficits financed by debt: total level nearing 100% of GDP
−Level of debt and deficit considered unsustainable
Increase in sovereign risk profile and cost of borrowing
Efforts to address deficit/debt
−Increase in revenues (through taxation)
−Decrease in public sector expenditure
−Alternative funding for public infrastructure

Slide 12: Public Sector Finances
Taxation
−Limited options, given need to spur expansion of business sector
−Financial services sector identified for increased tax burden
Expenditure
−Cutbacks in social services programmes
−Impact of increased costs of borrowing
−Need to enhance efficiency, economy and effectiveness
Infrastructure financing
−Increasing use of PPP models

Slide 13: Regulation
Reform driven by adverse events
−Basle III?
−Rules based vs. principles based
−Focussed on regulated entities, questions of ‘over-reaching’
−What about regulators?
Appropriateness of measures
−Poor track record of previous initiatives
Specific implications for credit unions
−Increasing involvement of central banks in credit union regulation
−Ability to leverage on existing institutional capabilities and capacity

Slide 14: Consumer Behaviour
Focus on thrift and saving
Distrust of financial institutions
−Trickle down of financial support
−Questions of integrity
−Increased scrutiny likely in future
Increasing intolerance and decreasing loyalties
Increasing role in defining products and services
−Focus on life cycle products

Slide 15: Cost Containment
Key element to survival in crisis situations
−Rationale not always logical
Generally not sustained as business environment improves
Trend unlikely to continue in future
−Focus on enhancing efficiency and effectiveness
−Adoption of risk based approach to resource allocation
−Integration of governance, risk and compliance function
−Enterprise-wide approach

Slide 16: Risk Management
Risk management is a key area of responsibility for Boards, but…
−Priority tends to vary according to business environment
−Unintended consequences of success of measures
General trend to review and enhance function in post-crisis environment
−Comprehensive approach
−Measures must be cost efficient and effective
−Control optimisation
Change in risk appetite (short-term?) to a more risk averse position
−Retreat to zone of comfort

Slide 17: The Caribbean Experience – General Observations
Narrow view of risk: primarily as a hazard
−Inadequate focus on upside (opportunity) or managing uncertainty
Risk management initiatives generally driven by regulator
−Level of focus dependent on adequacy of regulatory oversight
−Impact on response of perception that there is excessive regulation
Tendency towards achieving minimum compliance
Development of a ‘checklist’ approach
Initiatives overly influenced by cost considerations
Lack of formal processes
−Focus on ‘obvious’ risks

Slide 18: The Caribbean Experience – General Observations
Approach based on traditional model
−‘Silo’ approach vis-à-vis ERM
−Inadequate consideration of interrelationship of risks
Internal audit not effectively utilised
Remedial efforts not completed on a timely basis
Increasing concerns by internal and external stakeholders relative to the effectiveness of existing practices

Slide 19: Overview of the COSO Enterprise Risk Management - Integrated Framework

Slide 20: Background
Committee of Sponsoring Organisations (COSO) of the Treadway Commission:
−Concluded that there was a need for a recognized framework despite an abundance of literature on the subject.
−Believed there is consensus that all organizations can benefit from improved risk identification and risk analysis procedures.
−Recognized that many organizations are engaged in some aspects of enterprise risk management.
−Believed that the study will help identify all of the aspects that should be present and how they can be coordinated.

Slide 21: Importance of Enterprise Risk Management
Underlying principles:
−Every entity, whether for-profit or not, exists to realize value for its stakeholders.
−Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day.
ERM supports value creation by enabling management to:
−Deal effectively with potential future events that create uncertainty
−Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Slide 22: Enhancing Management Capabilities
Enterprise risk management provides enhanced capabilities to:
−Align risk appetite and strategy
−Link growth, risk and return
−Enhance risk response decisions
−Minimize operational surprises and losses
−Identify and manage cross-enterprise risks
−Provide integrated responses to multiple risks
−Seize opportunities
−Rationalize capital

Slide 23: Definition of ERM
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Slide 24: Key Concepts
The ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
ERM is a process that includes:
−Identification of potential events that may impact objectives
−Risk assessment and response
−Consideration of risks in formulation of strategy
−Application across the entity
−Managing risk to be within the entity’s risk appetite
−Taking a portfolio view of risks at the entity level
−Monitoring the performance of ERM

Slide 25: Framework Components
The Framework Has Eight Interrelated Components

Slide 26: Categories of Objectives
Entity objectives can be viewed in the context of four categories:
−Strategic
−Operations
−Reporting
−Compliance

Slide 27: Entity-wide
ERM considers activities at all levels of the organization:
−Enterprise-level
−Division or subsidiary
−Business unit processes

Slide 28: Portfolio View
Enterprise risk management requires an entity to take a portfolio view of risk.
−Management considers how individual risks interrelate.
−Management develops a portfolio view from two perspectives:
−Business unit level
−Entity level

Slide 29: Internal Environment
Establishes a philosophy regarding risk management
Recognizes that unexpected as well as expected events may occur
Establishes the entity’s risk culture
Considers all other aspects of how the organization’s actions affect its risk culture

Slide 30: Objective Setting
Is applied in objective-setting, when management considers risk strategy in the setting of objectives
Forms a risk appetite at the entity level: a high-level view of how much risk management and the board are willing to accept
Risk tolerance is the acceptable level of variation around objectives, and is aligned with risk appetite

Slide 31: Event Identification
Distinguish risk and opportunity
−Events that may have a negative impact represent risks
−Events that may have a positive impact represent natural offsets or opportunities, which management channels back to strategy setting
−Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives
−Addresses how internal and external factors combine and interact to influence the entity’s risk profile

Slide 32: Risk Assessment
Allows an entity to understand the extent to which potential events might impact objectives
Assesses risks from two perspectives – likelihood and impact
The unit of measure used to assess risks is normally the same unit used to measure the related objectives
Employs a combination of both qualitative and quantitative risk assessment methodologies
Time horizons are related to objective time horizons
Assesses risk on both an inherent and residual basis

Slide 33: Risk Response
Identifies and evaluates possible responses to risk
Evaluates options in relation to the entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood
Assessment of and response to risks are integral components of ERM; which specific response is selected is not
Selects and executes its response based on evaluation of the portfolio of risks and responses

Slide 34: Control Activities
Control activities are the policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out
Occur throughout the organization, at all levels and in all functions
Include application controls and general information technology controls

Slide 35: Information and Communication
Information is needed at all levels of an entity in identifying, assessing, and responding to risk.
Management identifies, captures and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
Communication occurs in a broader sense, flowing down, across and up the organization.

Slide 36: Monitoring
Monitors the ongoing effectiveness of the other enterprise risk management components through:
−Ongoing monitoring activities
−Separate evaluations
−A combination of the two

Slide 37: Roles and Responsibilities
Four broad areas of roles and responsibilities:
−Management
−The Board of Directors
−Risk officers
−Internal auditors

Slide 38: Relationship with Internal Control – Integrated Framework
ERM expands and elaborates on elements of internal control as set out in COSO’s Internal Control – Integrated Framework (IC-IF)
ERM includes objective setting as a separate component; the IC-IF sets out objectives as a prerequisite for internal control
The ERM framework’s “Reporting” category of objectives expands the IC-IF “Financial Reporting” category
Effective internal control is necessary for effective enterprise risk management
The ERM framework expands on the “risk assessment” component of IC-IF, separating it into three ERM components
The ERM framework elaborates on other components of IC-IF as they relate to enterprise risk management

Slide 39: ISO 31000: Risk Management - Principles and Guidelines on Implementation

Slide 40: Background
Issued in 2009
Provides principles and generic guidelines on implementation of risk management
Intended to harmonize risk management processes in existing (e.g., COSO ERM) and future standards
Can be applied to:
−Any public, private or community enterprise, association, group or individual
−Throughout the life of an organization, and to a wide range of activities, processes, functions, projects, products, services, assets, operations and decisions

Slide 41: ISO 31000 Key Components
Principles for managing risk
Framework for managing risk
Process for managing risk

Slide 42: Principles
Risk management:
−Creates value
−Is an integral part of organizational processes
−Is part of decision making
−Explicitly addresses uncertainty
−Is systematic, structured and timely
−Is based on the best available information
−Is tailored
−Takes human and cultural factors into account
−Is transparent and inclusive
−Is dynamic, iterative and responsive to change
−Facilitates continual improvement and enhancement of the organization

Slide 43: Framework

Slide 44: Process

Slide 45: Mandate and Commitment
Articulate and endorse the risk management policy
Determine risk management performance indicators that align with organizational performance indicators
Ensure alignment of risk management objectives with the objectives and strategies of the organization
Ensure legal and regulatory compliance
Assign management accountabilities and responsibilities at appropriate levels within the organization
Ensure that the necessary resources are allocated to risk management
Communicate the benefits of risk management to all stakeholders
Ensure that the framework for managing risk continues to remain appropriate

Slide 46: Design of Framework
Understanding the organization and its context
Risk management policy
Integration into organizational processes
Accountability
Resources
Establishing internal communication and reporting mechanisms
Establishing external communication and reporting mechanisms

Slide 47: Risk Management Policy
Links between the risk management policy and the organization’s objectives and other policies
The organization's rationale for managing risk
Accountabilities and responsibilities for managing risk
The way in which conflicting interests are dealt with
The organization’s risk appetite or risk aversion
Processes, methods and tools to be used for managing risk
Resources available to assist those accountable or responsible for managing risk
The way in which risk management performance will be measured and reported
Commitment to the periodic review and verification of the risk management policy and framework and its continual improvement

Slide 48: Implementation
Framework
Process
−Communication and consultation
−Establish context
−Risk assessment
−Risk treatment
−Monitoring and review

Slide 49: Risk Criteria
Used to evaluate the significance of risk
Should consider:
−Nature and types of consequences that can occur and how they will be measured
−How likelihood will be defined
−The time frame(s) of the likelihood and/or consequence
−How the level of risk is to be determined
−The level at which risk becomes acceptable or tolerable
−What level of risk requires treatment
−Whether combinations of multiple risks should be taken into account

Slide 50: Risk Assessment
Identification
Analysis
Evaluation

Slide 51: Risk Identification
Identifies sources of risk, areas of impact, events and their causes, and their potential consequences
Important to identify the risks associated with not pursuing an opportunity
Process is critical, because a risk that is not identified at this stage will not be included in further analysis
Identification should include risks whether or not their source is under the control of the organization

Slide 52: Risk Analysis
Involves developing an understanding of the risk
Provides an input to risk evaluation and to decisions on whether risks need to be treated and on the most appropriate risk treatment strategies and methods
Involves consideration of the causes and sources of risk, their positive and negative consequences, and the likelihood that those consequences can occur
Existing risk controls and their effectiveness should be taken into account
Can be undertaken with varying degrees of detail depending on the risk, the purpose of the analysis, and the information, data and resources available
Analysis can be qualitative, semi-quantitative or quantitative, or a combination of these, depending on the circumstances

Slide 53: Risk Evaluation
Assists in making decisions, based on the outcomes of risk analysis, about which risks need treatment and the priority for treatment implementation
Risk evaluation involves comparing the level of risk found during the analysis process with the risk criteria established when the context was considered
If the level of risk does not meet the risk criteria, the risk should be treated
Can lead to a decision to undertake further analysis
Evaluation can also lead to a decision not to treat the risk in any way other than maintaining existing risk controls

Slide 54: Risk Treatment
Involves selecting one or more options for modifying risks, and implementing those options
Cyclical process
May include the following:
−Avoiding the risk
−Seeking an opportunity by deciding to start or continue with an activity likely to create or enhance the risk
−Removing the source of the risk
−Changing likelihood and/or consequences
−Sharing the risk with another party or parties
−Retaining the risk by choice

Slide 55: Risk Treatment Options
Involves balancing the costs and efforts of implementation against the benefits to be derived
Considers legal, regulatory and other requirements, social responsibility, and the protection of the natural environment
Decisions should also take into account risks that can warrant risk treatment actions that are not justifiable on economic grounds, e.g. severe (high negative consequence) but rare (low likelihood) risks
If the resources for risk treatment are limited, the treatment plan should clearly identify the priority order in which individual risk treatments should be implemented
May introduce risks, e.g. failure or ineffectiveness of the risk treatment measures

Slide 56: Risk Treatment Options
Monitoring needs to be an integral part of the risk treatment plan to give assurance that the measures remain effective
Can also introduce secondary risks that need to be assessed, treated, monitored, reviewed, and incorporated into the same treatment plan as the original risk
Residual risk should be documented and subjected to monitoring, review and, where appropriate, further treatment

Slide 57: Risk Treatment Plans
Used to document how the chosen treatment options will be implemented
Treatment plans should include:
−Expected benefit to be gained
−Performance measures and constraints
−Persons who are accountable for approving the plan and those responsible for implementing the plan
−Proposed actions
−Reporting and monitoring requirements
−Resource requirements
−Timing and schedule

Slide 58: Monitoring and Review
Should encompass all aspects of the risk management process to facilitate:
−Analyzing and learning lessons from events, changes and trends
−Detecting changes in the external and internal context, including changes to the risk itself, which can require revision of risk treatments and priorities
−Ensuring that the risk control and treatment measures are effective in both design and operation
−Identifying emerging risks
Actual progress in implementing risk treatment plans provides a performance measure
Results should be recorded, reported and used as an input to the review of the risk management framework

Slide 59: Putting Theory into Practice

Slide 60: Risk Definitions
Risk is defined as the collection of internal and external factors which affect an organization’s growth and shareholder value creation
−Encompasses not only the threat that something bad will happen (risk as a hazard), but also the possibility that something good will not happen (risk as an opportunity), the potential that actual results will not equal anticipated outcomes (risk as uncertainty), and anything that may impede an organization from achieving its strategic objectives
Credit Risk is the risk of loss to earnings or capital arising from an obligor's failure to meet the terms of any contract with the bank or otherwise to perform as agreed
Market Risk is the risk that arises from fluctuations in interest rates, foreign exchange rates, and commodity and equity prices that may result in changes in the values of financial instruments

Slide 61: Risk Definitions
−Market risk is associated with treasury, trading and investment activities in the financial markets, as well as related issues such as foreign currency risk, liquidity risk, and interest rate risk
−Foreign Currency Risk is the exposure of the entity’s financial strength to the potential impact of movements in foreign exchange rates
−Liquidity Risk is the risk to earnings or capital arising from an entity’s inability to meet its obligations when they come due, without incurring unacceptable losses
−Liquidity risk includes the inability to manage unplanned decreases or changes in funding sources
−It also arises from the entity’s failure to recognize or address market changes that affect the ability to liquidate assets quickly and with minimal loss in value

Slide 62: Risk Definitions
−Interest Rate Risk is the risk to earnings or capital arising from movements in interest rates. It arises from the risk that interest-earning assets will decline in value as interest rates change
Operational Risk is the risk associated with variability in earnings arising from problems with service or product delivery, including the potential that inadequate information systems, operating processes, internal controls, employee integrity, fraud or unforeseen catastrophes will result in unexpected losses
Strategic Risk is the risk to earnings or capital arising from adverse business decisions or improper implementation of those decisions

Slide 63: Risk Definitions
−Strategic risk is a function of the compatibility of an organization's strategic goals, the resources to achieve the goals, and the quality of the implementation
Compliance Risk is the risk associated with an organization's ability to comply with regulatory, legal and fiduciary requirements
Financial Risk is the risk associated with the financial exposure of an organization that relates to financial reporting, budgetary pressures, and significant reported balances, and may lead to incorrect or untimely management decisions
−Risk of loss due to unauthorized, inaccurate, and untimely processing of adjustments to general ledger accounts, resulting in duplicate errors, incomplete general ledger entries, misstated account balances, postings to incorrect accounts, improper interest rates and loss of income

Slide 64: Risk Definitions
−Financial risk includes risk of loss due to unauthorized, inaccurate or untimely computations and formulas relating to processing of interest calculations and amortization of fees, thus resulting in misstatement of accrual/income balances
People Risk is the risk that arises from the heavy investment in people in the organization
−Earnings, capital, and reputation can be affected due to the loss of key personnel, lack of management succession planning, or non-market compensation packages

Slide 65: Risk Definitions
Technology Risk is the risk to earnings or capital arising from the failure to maintain acceptable availability of service associated with automated systems
−Stability
−Obsolescence
−Capacity
−Dependence
−Security
−Disaster Recovery

Slide 66: Risk Register
Provides a structure for collating information about risks
Enables an organisation to understand its comprehensive risk profile
Dynamic, living document
Populated through the organisation’s risk assessment and evaluation processes
Enables risks to be quantified and ranked
Assists in analysis of risks and facilitates decision making as to how risks are to be treated

Slide 67: Risk Register Components
Objectives
Description of risk
Risk ranking
Responsible person
Action/treatment plan
Dates
Source of assurance
Existing controls
Location, etc.
Cost/benefit analysis
Acceptance/completion
Comments

Slide 68: Monitoring
Methods and metrics for tracking status and reporting upstream
Status and effectiveness of existing measures
Re-evaluation of probability and impact of existing risks
Escalation of significant changes
Identification, assessment and evaluation of new risk factors
Document lessons learned

Slide 69: Role of Internal Audit

Slide 70: Internal Audit Core Role
Fundamental to the monitoring process:
− Giving assurance on risk management processes
− Giving assurance that risks are correctly evaluated
− Evaluating risk management processes
− Evaluating the reporting of key risks
− Reviewing the management of key risks
The role is determined by considering whether:
− The activity raises any threats to the internal auditors' independence and objectivity
− It is likely to improve the organization's risk management, control and governance processes

Slide 71: Possible Roles
Internal Audit may undertake, with adequate safeguards:
− Facilitating the identification and evaluation of risks
− Coaching management in responding to risks
− Coordinating ERM activities
− Consolidating the reporting on risks
− Maintaining and developing the ERM framework
− Championing the establishment of ERM
− Developing the risk management strategy for board approval

Slide 72: Prohibited Roles
Internal Audit must not undertake:
− Setting the risk appetite
− Imposing risk management processes
− Management assurance on risks
− Taking decisions on risk responses
− Implementing risk responses on management's behalf
− Accountability for risk management

Slide 73: From Promise to Performance…
Can your IA function deliver?
Six steps to achieving strategic performance through quality assurance:
− Commit to quality
− Design and implement a quality assurance program
− Implement policies and protocols
− Conduct an external quality assurance review
− Correct and enhance
− Assess performance

Slide 74: Commit to Quality
Make a deliberate and documented commitment to quality assurance and improvement
The commitment should be:
− Recognized as significant
− Understood by the internal audit department and its stakeholders
− Documented in the internal audit charter and approved by the audit committee or the board of directors
Successful implementation of a quality assurance and improvement program will demand significant rigor throughout the entire audit process

Slide 75: Design and Implement a Quality Assurance Program
Build a quality assurance program consistent with the IIA Standards
Three components of an effective quality assurance program:
− Ongoing monitoring
− Periodic internal assessments
− External assessments
Reference: IIA Standard 1300, Quality Assurance and Improvement Program

Slide 76: Implement Policies and Protocols
Establish appropriate policies, procedures and controls to enhance quality and ensure conformance with the IIA Standards
Conduct a gap analysis
Benchmark against the IIA Standards:
− 4 Attribute Standards
− 7 Performance Standards
Identify areas for improvement and remediate

Slide 77: Common Weaknesses
Charters
Reporting structure
Policies and procedures
Risk assessment
Stakeholder input
Chief audit executive reporting
Audit tracking systems

Slide 78: Conduct a Quality Assurance Review
Significant preparation will be necessary
− Refer to the IIA's Quality Assessment Manual
Perform a periodic internal gap analysis and assessment
Determine the type of external quality assurance review to be used:
− A full external quality assessment
− Self-assessment with independent validation
Requires extensive preparation, analysis and documentation

Slide 79: Scope
A full external assessment should address:
− Compliance with the IIA Standards and Code of Ethics
− Internal audit's charter, plans, policies, procedures, practices and applicable legislative and regulatory requirements
− Key stakeholder perspectives, including board, audit committee, executive and operational management, pertaining to the internal audit department
− Integration of internal audit within the organization's governance process
− Tools and techniques for internal audit
− Self-assessment
− Charter evaluation

Slide 80: Methodology
Should focus on the core processes of internal auditing, including:
− Organization
− Human resources
− Technology
− Working practices
− Communications and reporting
− Knowledge management
− Performance metrics

Slide 81: Correct and Enhance
The quality assurance review report should provide:
− A set of actionable recommendations intended to ensure conformity with the IIA Standards and to enhance the strategic performance of the department
− A benchmarking analysis that indicates the extent to which internal audit has adopted best practices
− An assessment of how well the internal audit function is adding value to the company and meeting the expectations of key stakeholders
− A strategic plan directed toward implementing the changes needed to improve performance and value
− A tactical plan outlining specific change initiatives

Slide 82: Assess Performance
Formulate specific action plans to remedy deficiencies
Continually assess internal audit's compliance with the Standards
Integrate performance measurement into the quality assurance and improvement program, e.g. through use of a "balanced scorecard"

Slide 83: Final Thoughts

Slide 84: Final Thoughts
Don't be complacent…
− Survival does not necessarily mean preparedness
Luck as a factor
Tri-partite cooperation
'Integrated' and 'enterprise-wide' do not preclude a staged approach
One bad apple does spoil the whole bunch
− Seek help when necessary
− Seek to assist others in their efforts

Slide 85: Final Thoughts
"We must dare to think about unthinkable things; because when things become unthinkable, thinking stops and actions become mindless."
James W. Fulbright

Slide 86: Keep in touch….
Berkeley Greenidge, Director
PricewaterhouseCoopers
The Financial Services Centre
Bishop Court Hill
Collymore Rock
St. Michael
Barbados
Telephone: (246) 626 6813 (o), (246) 233 5761
Facsimile: (246) 427 0676
E-mail: berkeley.greenidge@bb.pwc.com

Slide 87: Just do it!
© 2010 PricewaterhouseCoopers. All rights reserved. "PricewaterhouseCoopers" refers to the East Caribbean firm of PricewaterhouseCoopers or, as the context requires, the PricewaterhouseCoopers global network or other member firms of the network, each of which is a separate and independent legal entity.
