Enterprise Risk Management (ERM)


1 Enterprise Risk Management (ERM)
By: Ahmed AwladThani, Chief Internal Auditor, Oman LNG L.L.C.

2 Agenda
- What is Risk?
- Why Risk Management?
- What is Risk Management?
- ERM framework
- Risk Examples

3 What is Risk?

4

5 Basic Concepts

6 What is Risk?
- ANYTHING that may affect the achievement of an organization's objectives.
- It is the UNCERTAINTY that surrounds future events and outcomes.
- It is the expression of the likelihood and impact of an event with the potential to influence the achievement of an organization's objectives.

7 Why Risk Management?

8 ERM Quotes
- "The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing." James Lam, Enterprise Risk Management, Wiley Finance, 2003
- "Risk comes from not knowing what you're doing." Warren Buffett
- "Risk is like fire: If controlled it will help you; if uncontrolled it will rise up and destroy you." Theodore Roosevelt
- "Risk management is about people and processes and not about models and technology." Trevor Levine
- "Even a correct decision is wrong when it was taken too late." Lee Iacocca
- "Good Risk Management fosters vigilance in times of calm and instills discipline in times of crisis." Dr. Michael Ong
Risk Management is a responsibility of …………………………………………….?

9 Why Risk Management?
- Increase risk awareness: What could affect the achievement of objectives?
- Increase understanding of risk trend: What makes my risks increase, decrease or disappear?
- Promote a "healthy" risk culture: Talk about risk in an open and transparent environment.
- Develop a common and consistent approach across the organization, not individual or group based.
- Focus efforts: Helps prioritize the top key risks.
- Be proactive, not reactive: Prepare for risks before they happen and prepare risk-mitigating strategies.
- Improve outcomes: Achievement of objectives.

10 What is Risk Management?

11 ERM Definition
Committee of Sponsoring Organizations (COSO): "A process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
ISO 31000:2009, developed by the International Organization for Standardization (ISO): "A process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk."

12 What is ERM? (cont'd) To assist with the implementation of the ERM process, COSO developed the ERM – Integrated Framework (2004), also known as the COSO Cube. The cube extends the original COSO Internal Control – Integrated Framework of 1992 by adding the objective categories and components listed on the following slides:

13 What is ERM? (cont'd) Strategic objectives: High-level goals that are aligned with and support the organisation's mission.

14 What is ERM? (cont'd) Operations objectives: Relate to the ongoing management process and daily activities of the organization.

15 What is ERM? (cont'd) Reporting objectives: Protection of the organization's assets and quality of financial and non-financial reporting.

16 What is ERM? (cont'd) Compliance objectives: The organization's adherence to applicable laws and regulations.

17 What is ERM? (cont'd) Internal environment: General culture, values and environment in which an organization or entity operates ("tone at the top").

18 What is ERM? (cont'd) Objective setting: The process management uses to set its strategic goals and objectives. Establishes the organization's risk appetite and risk tolerance.

19 What is ERM? (cont'd) Event identification: Process by which an organization identifies events that influence strategy and objectives, or could affect the organization's ability to achieve its objectives.

20 What is ERM? (cont'd) Risk assessment: The process of evaluating the impact and likelihood of events, and prioritizing the related risks.

21 What is ERM? (cont'd) Risk response: Determining how management will respond to the risks the organization faces.

22 Typical Risk Responses
Take, Treat, Transfer, or Terminate (the 4 T's):
- Take: Accept the risk as estimated and proceed with the activity.
- Treat: Take appropriate action to reduce likelihood or consequences.
- Transfer: Contractual re-allocation or the purchase of insurance.
- Terminate: Avoid the risk by cancelling the activity.

23 Reducing impacts and likelihood
Understanding the causes, controls and potential impacts of a risk is key to estimating the residual impact and likelihood.
[Diagram: one risk with several causes (Cause 1 to Cause 4) on the left and several impacts (Impact 1 to Impact 3) on the right; preventive controls sit between the causes and the risk, corrective controls between the risk and its impacts.]
- Most risks have a variety of possible causes.
- Preventive controls reduce the likelihood or impact from these causes.
- Corrective controls reduce the impact if the risk event happens; they can't reduce its likelihood.

24 Selecting additional controls
The wrong control strategy can be expensive and ineffective. Deciding which risks to control is central to effective risk management.
[Diagram: a scale of control effort from "Too little" through "Just right" to "Too much".]
Balance is very important:
- Under-control can lead to increased costs as risks materialise, and to unacceptable risk exposure.
- Over-control can also lead to increased cost through excessive mitigation, and to reduced innovation.

25 What is ERM? (cont'd) Control activities: Policies and procedures that the organisation implements to address the risks.

26 What is ERM? (cont'd) Information and communication: Practices that ensure that the right information is communicated at the right time to the right people.

27 What is ERM? (cont'd) Monitoring: Ongoing evaluations to ensure controls are functioning as designed, and taking corrective action to enhance control activities if needed.

28 Threats and opportunities
- Threat: a risk that may HINDER the achievement of objectives.
- Opportunity: a risk that may HELP in the achievement of objectives.
Examples of factors that can be either:
- Interest rates
- Foreign exchange rates
- Supply of service/product/resources
- Demand/uptake for service/product/resources
- The economy
- The weather
- The stock market

29 ERM Framework?

30 A Simple Framework
- Step 1: Establish Objectives
- Step 2: Identify Risks & Controls
- Step 3: Assess
- Step 4: Evaluate & Take Action
- Step 5: Monitor & Report
Surrounding all five steps: Communicate, learn, improve.

31 Enterprise Risk Management
Risks are captured at Unit or Project Level, periodically summarised, analysed and reported up to Branch Level, and from there periodically summarised, analysed and reported up to Division Level.

32 Risk rating: combining impact and likelihood (organisation-wide)

33 Risk Prioritization – likelihood and impact
Likelihood of a risk event occurring:
- Very High: almost certain to occur
- High: likely to occur
- Medium: as likely as not to occur
- Low: may occur occasionally
- Very Low: unlikely to occur
Risk impact (level of damage that can occur when a risk event occurs):
- Very High: threatens the success of the project
- High: substantial impact on time, cost or quality
- Medium: notable impact on time, cost or quality
- Low: minor impact on time, cost or quality
- Very Low: negligible impact

34 Risk Assessment Matrix (RAM) Example

35 Risk reporting and communications

36 Why Risk Management May Fail
- Limitations of scope
- Lack of top management support: they do not see the added value
- Did not engage all stakeholders: lack of communication
- Failure to share information
- RM not embedded within the planning and management system
- Too optimistic a programme in a very short time
- Quick wins could not be realised

37 Risk Examples?

38 Strategic Risks
- Strategic Planning: Business plans are not driven by creative and intuitive input, or are not based on accurate assumptions.
- Resource Allocation: The resource allocation process does not establish and sustain competitive advantage or maximize returns for shareholders.
- Reputation: Reputation and image are not strong as perceived by one or more key stakeholders (public, suppliers, customers, media, employees, etc.).
- Stakeholder Management: The organisation is not effective in managing key stakeholders in order to attain sustainable business.
- Political: Adverse consequences through political actions in a country in which the organisation is operating.
- Unrest: The organisation is susceptible to employee or external unrest affecting company operation and continuity.

39 Operational Risks
- Leadership: Leadership and management of critical business processes is not effective.
- Human Resources: Vacancies in critical resources needed to manage key business processes and/or major competency gaps.
- Quality: The quality management system is not effective at preventing major quality issues.
- Health & Safety: The organisation is exposed to significant liabilities, financial loss and negative publicity due to health and safety incidents.
- Access: Access to information or systems is inappropriately granted or used.
- Interfaces Management: Key and critical interfaces are not well identified, not managed sufficiently, and/or there is significant misalignment between parties.

40 Financial Risks
- Cash Flow: The organisation's cash flow is not healthy and the organisation is unable to fund its operational or financial obligations.
- Currency: The organisation is exposed to fluctuations in exchange rates as a result of activity in foreign markets and/or investment in foreign-currency-denominated securities.
- Budget & Planning: Budgets and business plans are not realistic and/or are based on inappropriate assumptions or cost drivers.
- Product/Service Pricing: The organisation's price is more than customers are willing to pay, or does not cover production and distribution costs.
- Contract Commitment: Data on outstanding contractual commitments is not accurate or not up to date.
- Accounting Information: Financial accounting information is not accurate or not up to date.

41 Compliance Risks
- Compliance: Failure to conform with laws and regulations at the international, country, state and local level.
- Fraud: Fraudulent activities perpetrated by management, employees, customers, suppliers or third parties against the organization for personal gain.
- Illegal Acts: Managers and employees, individually or in collusion, commit illegal acts.
- Unauthorized Use: The organisation's employees (or others) use its physical and financial assets for unauthorized or unethical purposes.
- Ethical Behaviour: The organization does not demonstrate its commitment to ethical and responsible business behavior.

42 Reporting Risks
- Financial Reporting: Financial reports include material misstatements or omit material facts.
- Internal Control: Failure to accumulate sufficient relevant and reliable information to assess the design and operating effectiveness of internal control over financial reporting.
- Taxation: Failure to comply with tax regulations, and/or significant transactions have adverse tax consequences.
- Pension Fund: Pension funds are not actuarially sound or are insufficient to satisfy the benefit obligations defined by the plan.
- Regulatory Reporting: Reports of operating and financial information required by regulatory agencies are incomplete, inaccurate or untimely, exposing the company to fines, penalties and sanctions.

43 Risk Register Example
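The register slide above, the Risk Assessment Matrix (slide 34) and the five-level likelihood/impact scale (slide 33) can be tied together in a few lines of code. The block below is an added example, not code from the presentation or from Oman LNG: it scores each register row on the 5x5 matrix, applies the distinction from slide 23 (preventive controls lower likelihood, corrective controls lower impact and never likelihood), records the "4 T" response, and flags rows where the chosen response is inconsistent with the residual rating. The numeric scores, the rating bands, the risk appetite, the number of scale steps credited to a control and the sample risks are all assumptions made for the illustration.

```python
"""Risk Assessment Matrix (RAM) scoring and a small risk register.

Added illustration, not code from the presentation. The five-level
likelihood/impact scale, the preventive/corrective control distinction
and the "4 T" responses come from the slides; the numeric scores, the
rating bands, the risk appetite and the sample risks are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Five-level scale from the slides, mapped to 1..5 (numeric values assumed).
LEVELS = ["Very Low", "Low", "Medium", "High", "Very High"]
SCORE = {name: i + 1 for i, name in enumerate(LEVELS)}
RESPONSES = {"Take", "Treat", "Transfer", "Terminate"}
BAND_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def rate(score: int) -> str:
    """Map a likelihood x impact product (1..25) to a RAM band (bands assumed)."""
    if score >= 15:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


@dataclass
class Control:
    name: str
    kind: str        # "preventive" lowers likelihood; "corrective" lowers impact only
    levels: int = 1  # scale steps the control is credited with (assumed)


@dataclass
class Risk:
    ref: str
    title: str
    category: str
    likelihood: str
    impact: str
    response: str = "Treat"
    controls: List[Control] = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any control is applied."""
        return SCORE[self.likelihood] * SCORE[self.impact]

    def residual_levels(self) -> Tuple[str, str]:
        """Likelihood and impact after controls. A corrective control can
        reduce impact but never likelihood (slide 23)."""
        lik, imp = SCORE[self.likelihood], SCORE[self.impact]
        for c in self.controls:
            if c.kind == "preventive":
                lik = max(1, lik - c.levels)
            elif c.kind == "corrective":
                imp = max(1, imp - c.levels)
            else:
                raise ValueError(f"unknown control kind {c.kind!r}")
        return LEVELS[lik - 1], LEVELS[imp - 1]

    def residual(self) -> int:
        lik, imp = self.residual_levels()
        return SCORE[lik] * SCORE[imp]


def validate(risk: Risk, appetite: str) -> List[str]:
    """Consistency checks a reviewer would run on each register row."""
    issues = []
    band = rate(risk.residual())
    if risk.response not in RESPONSES:
        issues.append(f"{risk.ref}: unknown response {risk.response!r}")
    if risk.response == "Take" and BAND_ORDER[band] > BAND_ORDER[appetite]:
        issues.append(f"{risk.ref}: residual {band} exceeds appetite {appetite} "
                      f"but the response is Take")
    if risk.response == "Treat" and not risk.controls:
        issues.append(f"{risk.ref}: response is Treat but no control is listed")
    return issues


def prioritise(register: List[Risk], appetite: str = "Low") -> List[Dict]:
    """Build register rows and order them so the top key risks come first."""
    rows = []
    for r in register:
        rows.append({
            "ref": r.ref, "title": r.title, "category": r.category,
            "inherent": r.inherent(), "inherent_rating": rate(r.inherent()),
            "residual": r.residual(), "residual_rating": rate(r.residual()),
            "response": r.response, "issues": validate(r, appetite),
        })
    rows.sort(key=lambda row: (-row["residual"], -row["inherent"]))
    return rows


# Constructed sample register; titles reuse risk descriptions from the slides.
SAMPLE_REGISTER = [
    Risk("R1", "Access to information or systems is inappropriately granted or used",
         "Operational", "High", "Very High", "Treat",
         [Control("Quarterly access review", "preventive"),
          Control("Log monitoring and incident response", "corrective")]),
    Risk("R2", "Exposure to exchange-rate fluctuations", "Financial",
         "Medium", "Medium", "Transfer"),
    Risk("R3", "Pension fund not actuarially sound", "Reporting",
         "Low", "High", "Take"),
    Risk("R4", "Contract commitment data out of date", "Financial",
         "Low", "Low", "Take"),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_REGISTER):
        print(f"{row['ref']} inherent={row['inherent']:>2} ({row['inherent_rating']}) "
              f"residual={row['residual']:>2} ({row['residual_rating']}) "
              f"{row['response']:<9} {'; '.join(row['issues']) or 'ok'}")
```

Running the script lists R1 first (inherent 20, High; residual 12, Medium after one preventive and one corrective control) and flags R3, which is marked "Take" although its residual rating (Medium) sits above the assumed appetite of Low. The `validate` step is the part worth keeping in a real register: a response of "Take" on a risk outside appetite, or "Treat" with no control recorded, is exactly the kind of inconsistency the slides on risk responses and control selection warn about.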

44 Questions?

45

46 Backup Slides

47 ISO 31000 Framework Overview

48 ERM Maturity Model

49 ERM Maturity Model (Cont.)

50 ERM Maturity Model (Cont.)

51 ERM Maturity Model (Cont.)

52 Management Discussion
- Do we have an effective management strategy that supports the identification, assessment, and management of risk?
- Are the right people engaged and accountable for the results?
- Are there suggestions for how we should better manage the high-probability / high-impact risks that we have identified?
- Is the Governing Body satisfied that management is periodically monitoring changes in the environment to identify significant impacts on the assumptions and risk inherent in the strategy?
- Do we have an effective "tone at the top" and "tone of the organization" with respect to ERM?
- What should be our appetite for risk?

53 For further reading:
- A Wake-up Call: Enterprise Risk Management at Colleges and Universities Today, Association of Governing Boards of Universities and Colleges and United Educators.
- "Negative Outlook for US Higher Education Continues Even as Green Shoots of Stability Emerge," Moody's Investors Service, July 11.
- Janice M. Abraham, Risk Management: An Accountability Guide for University and College Boards, AGB Press.
- "The Five Lines of Defense – A Shareholder's Perspective," Board Perspectives: Risk Oversight, Issue 51, Protiviti, 2013.

