Presentation is loading. Please wait.

Presentation is loading. Please wait.

Enterprise Risk Management

Published byJoey Hemple Modified over 9 years ago

Similar presentations

Presentation on theme: "Enterprise Risk Management"— Presentation transcript:

1 Enterprise Risk Management
Cursus Good Governance Leidraad naar Commissariaat Verhouding tussen commissarissen en acountants Steven Martina 17 Januari 2009

2 Why is ERM important? ERM supports value creation by enabling management to: Deal effectively with potential future events that create uncertainty. Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

3 Enterprise Risk Management
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework COSO.

4 Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. Enterprise risk management requires an entity to take a portfolio view of risk.

5

6 The COSO Framework The COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

7 The ERM Framework ERM considers activities at all levels
of the organization: Enterprise-level Division or subsidiary Business unit processes Requires an entity to take a portfolio view of risk.

8 The ERM Framework Entity objectives can be viewed in the
context of four categories: Strategic Operations Reporting Compliance

9 The ERM Framework The eight components of the framework
are interrelated … Internal Environment Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity’s risk culture. Considers all other aspects of how the organization’s actions may affect its risk culture. Objective setting Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. Event Identification Differentiates risks and opportunities. Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting. Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile. Risk Assessment Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: - Likelihood - Impact Is used to assess risks and is normally also used to measure the related objectives. Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis Risk Response Identifies and evaluates possible responses to risk. Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses. Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls. Information & Communication Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization. Monitoring Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities. Separate evaluations. A combination of the two

10 Internal Environment Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity’s risk culture. Considers all other aspects of how the organization’s actions may affect its risk culture.

11 Objective Setting Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

12 Event Identification Differentiates risks and opportunities.
Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

13 Event Identification Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile.

14 Risk Assessment Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives: - Likelihood - Impact Is used to assess risks and is normally also used to measure the related objectives.

15 Risk Assessment Employs a combination of both qualitative and quantitative risk assessment methodologies. Relates time horizons to objective horizons. Assesses risk on both an inherent and a residual basis.

16 Kern Vragen Risk Assessment
Waar/Wat kunnen we verbeteren? Waar wringt de schoen? Wat gaat er fout? Welk proces betreft het? Waar lopen we risico’s? Wat is het risico? Wat is de oorzaak? Wat zijn de gevolgen bij ongewijzigd beleid? Hoe kunnen we het risico kwalificeren? Hoe kunnen we het risico het beste beheersen? Wat moeten we daarvoor doen? Hoe is de kosten / baten verhouding? Hoe kunnen we de vereiste actie het beste aansturen? L H Probability / Impact L H

17 RISK IMPACT ASSESSMENT
SCORE 1 2 3 4 5 6 7 8 9 10 LOW MEDIUM HIGH MARKET POSITION Remaining market position Drop from nr.3 to nr.4 position Drop from nr.3 to nr.5 position EBITDA Loss less than 1% compared to budget Loss between 1% and 10% compared to budget Loss more than 10% compared to budget GROWTH Losing less than 1% growth target Losing between 1 and 3% growth target Losing more than 3% growth target REPUTATION No negative press Limited negative press; regulator warning Excessive negative press; regulator sanction CI-VERA 2009 Curacao Accountants in Business 17

18 Risk Response Identifies and evaluates possible responses to risk.
Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood. Selects and executes response based on evaluation of the portfolio of risks and responses.

19 Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.

20 Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.

21 Monitoring Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities. Separate evaluations. A combination of the two. Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. The entity establishes minimum standards for each component of enterprise risk management. The entity’s performance against these standards can then be monitored objectively. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree. Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is performed on a real-time basis, reacts dynamically to changing conditions and is ingrained in the entity. As a result, it is more effective than separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the lesser need for separate evaluations. The frequency of separate evaluations is a matter of management's judgment. In making that determination, consideration is given to the nature and degree of changes occurring, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time. Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity's ongoing monitoring procedures, separate evaluations and external parties. All enterprise risk management deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives should be reported to those who can take necessary action, as discussed in the next section

22 Information and Communication
Risk Management (the embedding) SWOT/PEST TQM ERP COSO project EH&S 6 SiGMA Monitoring Information and Communication Control Activities Risk Response Risk Assessment Event Identification Objective Setting Internal Environment STRATEGIC OPERATIONS REPORTING COMPLIANCE ENTITY - LEVEL DIVISION BUSINESS UNIT SUBSIDIARY Co2/GhG SOX Loss Preventiion Performance system Newsletters + websites Corp. Planning Risk appetite . IA .Budget + Profit Plan 6 SiGMA Policies + Procedures Guides BSC Customer Continuous monitoring feed back COBIT for IT Internal Audit L. Hubbard (ed.) 22

23 Internal Control Environment
Risico-indeling Fatum Internal Control Environment Strategic Risks Operational Risks Financial Risks Concentratie Krediet Liquiditeit Interest Valuta Mismatch Solvabiliteit Verz. tech. reservering. Herverzekering Fiscaal Externe verslaglegging Interne informatie voorziening Strategie ontwikkeling Strategie planning Strategische sturing Processen ICT Projectmanagement Info beveiliging Interne fraude Compliance Klachtenmanagement Juridisch Veiligheid Business continuity Cultuur intern Risicomanagement (quality) Org. Structuur Personeel (quality) Reporting Risks Extern Environment Externe criminaliteit Zakelijke omgeving Het is niet de bedoeling om per risico 1 verantwoordelijke aan te wijzen voor 1 specifieke risico.

24 ERM – Risk Hierarchy REPUTATIONAL RISK STRATEGIC RISK MARKET RISK
CREDIT RISK OPERATIONAL RISK

25 RM can/should be about more than audit
Value added for insurer Insurance & Compliance Core risk management Risk-return optimisation VII “Decision making across firm is linked to building economic value” → Risk adjusted resource allocation at all levels “We need to know the economic impact of our largest risks” → Specific risk quantification VI “We need a sustainable process for monitoring all our risks” → Qualitative RM “Shareholders demand a risk/return framework” → Risk and growth appetite defined, risk dynamically measured and aggregated properly “Risk management equals buying reinsurance” → Risk transfer via reinsurance IV III V I “Risk needs to be quantified comprehensively” → Over-control by centralized risk management, initial quant models too primitive II “Regulators are demanding risk management activities” → Over-reliance on ‘checklists’, false sense of security Stages of development

26 CI-VERA 2009 Curacao Accountants in Business
VOB VOC VOR CI-VERA 2009 Curacao Accountants in Business 26

27 De chaotische werkelijkheid
In werkelijkheid een bizar en chaotisch geheel van activiteiten Anticiperend op de positieve en negatieve aspecten van risico Allerlei risico indelingen Ontelbare verschillende perspectieven Soms goed op elkaar aansluitend Soms ook niet Soms elkaar zelfs onderling uitsluitend

28 THE PROCESS

29 Initiation Assessment Monitoring Control Audit Committee Risk
Probability Impact L M H L M H Audit Committee Risk Assessment MT Risk Corrective Action yes Internal Audit no yes Management Considered in Control External Audit no Het gestructureerd identificeren en inventariseren, het analyseren en kwantificeren en het beheersen van risico’s. Risico’s worden gemonitord en over risico’s wordt gerapporteerd. Risk Management maakt Fatum aantoonbaar beter in control over hetgeen binnen het bedrijf gebeurt. Risk Sessions yes no Impact >= “M” Probability >= “M” Risk Life Cycle In Control ? Request

30 RISK AND REWARD ARE INSEPARABLE.
THE TWO TOGETHER MAKE A PERFORMANCE VALUABLE OR NOT! 30

31 Most Risks do have a Reward!
31

Download ppt "Enterprise Risk Management"

Similar presentations

Internal Control Integrated Framework

Internal Control Integrated Framework
COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)

COSO I COSO II. Meycor COSO, a Comprehensive Solution for Enterprise Risk Management (ERM)
Risk Management at Harvard – Panel Discussion Harvard IT Summit

Risk Management at Harvard – Panel Discussion Harvard IT Summit
Internal Control–Integrated Framework

Internal Control–Integrated Framework
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.

Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.
COBIT 5 and COSO 2013: Comparing the Frameworks

COBIT 5 and COSO 2013: Comparing the Frameworks
Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.

Prepared by Wa'el Bibi,CPA,CIA,CISA1 Internal Control Integrated Framework An Overview.. Bibi Consulting COSO’s Source: COSO’s Internal Control Integrated.
It’s Time to Talk About Risk and Control

It’s Time to Talk About Risk and Control
Manulife Financial Corporation operates as John Hancock in the United States, and Manulife in other parts of the world. Enterprise Risk Management in Life.

Manulife Financial Corporation operates as John Hancock in the United States, and Manulife in other parts of the world. Enterprise Risk Management in Life.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,
Eliot M. Stenzel, CPA,CIA IIA Instructor for many years. 220-3198 Risk Based Auditing.

Eliot M. Stenzel, CPA,CIA IIA Instructor for many years Risk Based Auditing.
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Similar presentations

Ads by Google