Presentation is loading. Please wait.

Presentation is loading. Please wait.

Establishing an Effective Enterprise risk management (ERM) program

Published byRonald Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: "Establishing an Effective Enterprise risk management (ERM) program"— Presentation transcript:

1 Establishing an Effective Enterprise risk management (ERM) program
. Presented by: Frank DiBenedetto Introduction to ERM Florida State Board of Accountancy # Credit Hour AA

2 Enterprise Risk Management (ERM) is a process:
What is Enterprise Risk Management (ERM) ? Enterprise Risk Management (ERM) is a process: effected by an entity’s board of directors, management, and other personnel, applied in strategic manner and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding achievement of entity objectives. COSO’s Enterprise Risk Management – Integrated Framework

3 Risk Management Approach
Attributes of Effective Leaders of Enterprise Risk Management • Broad knowledge of the business and its core strategies • Strong relationships with directors and executive management • Strong communication and facilitation skills • Knowledge of the organization’s risks • Broad acceptance and credibility across the organization Compliance and risk management framework is based on best practices from the: Committee of Sponsoring Organizations (COSO) of the Treadway Commission’s Enterprise Risk Management Integrated Framework. Project Management Institute’s (PMI) framework on project management risk.

4 Why do an ERM? #5 Identify potential events (risks) that may affect the enterprise. #4 Provide managers with ongoing information needed to make best decisions. #3 Increase confidence of rating agencies, government regulators and other stakeholders #2 Reduce operational surprises and financial losses to provide reasonable assurance of achieving objectives #1 Improve allocation of capital and resources

5 Support from the Top is a necessity
To successfully manage risk, the ERM initiative must be: • Enterprise wide • Viewed as an important strategic effort by senior management • Driven from the top down • Clearly & consistently communicated to/from the Board & Senior Management Support from the Board of Directors and senior management is essential to ensure alignment of focus, resources and attention for ERM.

6 Corporate Risk Policy Enterprise Compliance and Risk Management Policy
Establishes an Enterprise Compliance and Risk Management (ECRM) framework to provide a conscious, systematic, effective approach to managing the compliance requirements, risks and opportunities with the overall goal of reducing negative impacts to the organization. Established the Enterprise Compliance & Risk Committee (ECRC) to implement the policy. Specifically: Oversee the incorporation of risk management into the major programs, corporate processes and functions. Ensure adherence to compliance and risk management processes and inclusion of compliance and risk issues in decision making. Oversee implementation and monitoring of compliance/risk policies and procedures.

7 Conduct the Initial Enterprise-wide Risk Assessment & Develop an Action Plan
ASSESS the organization’s Top Corporate Risks: •Reach consensus on the Top Risks: those that could potentially have significant impact on the business objectives of the organization Gain understanding of Risks • Assign responsibility for managing the risk (cross function ownership) • Identify controls in place • Determine how the Top Risks will be managed and/or mitigated IDENTIFY opportunities to enhance risk management activities (especially activities that mitigate the Top Corporate Risks.)

8 Determine Risk Tolerance
Impact Level Customer Service/ Reliability Environmental Financial/ Credit Severe (5) ** Major (4) Significant (3) Moderate (2) Minor (1) ** Risk Tolerances criteria need to be determined on a Company and Business unit basis

9 Determine Risk Tolerance
Impact Level Health/ Safety Reputation Workforce Severe (5) ** Major (4) Significant (3) Moderate (2) Minor (1) ** Risk Tolerances criteria need to be determined on a Company and Business unit basis

10 5 Colors Heat Map 5 Colors Heat Map 5 4 3 2 1 10 15 20 25 8 12 16 6 9
Top Corporate Risk Score Tier 1 10-25 Impact x Likelihood Tier 2 5-9 Tier 3 1-4 Almost Certain >90% 5 10 15 20 25 15-25 Red Likely 65-90% 4 8 12 16 10-12 Orange Possible 35-65% 3 6 9 8-9 Yellow Unlikely 5-35% 2 4-6 Light Green Rare <5% 1 1-3 Dark Minor Moderate Significant Major Severe Impact

11 ERM Risk Considerations
ERM Terminology Terminology Definition Objective The main reason(s) for the existence of a process, activity, or project. Risk Description Condition (trigger event) that can result in a Quantified Consequence Inherent Risk the uncontrolled risk, prior to implementing any mitigation efforts Risk Tolerance the level of risk you are willing to take Impact the level that the event affects meeting your objective Minor (1) • Moderate • Significant • Major • Severe (5) Likelihood the probability that the event will happen Rare (1) • Unlikely • Possible • Likely • Almost Certain (5) Controls Existing activities that reduce the inherent impact and/or likelihood of the risk Residual Risk the risk that remains after Controls have been implemented ( is it acceptable based on Risk Tolerance?) Mitigations Required actions to reduce the residual impact and/or likelihood to an acceptable Risk Tolerance level.

12 Risk Assessment Questions
Questions that could be asked to help identify the organization’s most significant strategic or emerging risks: What are your primary business objectives or strategies? What are the key components of enabling your business strategy or objectives? What internal factors or events could impede or derail each of these key components? What events (external to the organization) could impede or derail each of the key components? What are the three most significant risk events that concern you regarding the organization’s ability to achieve business objectives? Where should the organization enhance its risk management processes to have maximum benefit and impact on its ability to achieve business objectives? •What types of catastrophic risks does the organization face? How prepared is the organization to handle them, if they occur? Attributes of Effective Leaders of Enterprise Risk Management • Broad knowledge of the business and its core strategies • Strong relationships with directors and executive management • Strong communication and facilitation skills • Knowledge of the organization’s risks • Broad acceptance and credibility across the organization

13 Risk Assessment Questions
Attributes of Effective Leaders of Enterprise Risk Management • Broad knowledge of the business and its core strategies • Strong relationships with directors and executive management • Strong communication and facilitation skills • Knowledge of the organization’s risks • Broad acceptance and credibility across the organization Questions that could be asked to help identify the organization’s most significant strategic or emerging risks. • What financial market risks do you believe are (or will be) significant? • What current or developing legal/regulatory/governmental events or risks might be significant to the success of the business? • Are you concerned about any emerging risks or events? If so, what are they? • What risks are competitors identifying in their regulatory reports that we have not been addressing in our risk analysis?

14 Risks That Could Effect JEA’s Objectives:
Conduct the Initial Enterprise-wide Risk Assessment & Develop an Action Plan Risks That Could Effect JEA’s Objectives: Effect JEA’s Objectives: d Effect JEA’s Objectives: Formalize ERM Governance Structure: to perpetuate and instill ERM throughout management’s decision making and risk mitigation practices

15 Establish a Management Risk Committee Structure
Management risk committees, bring together a wide array of personnel from across the entity that collectively have sufficient knowledge of the organization’s core business model and related risks and risk management practices. A risk committee structure should include: Enterprise Compliance & Risk Committee Subordinated Committees Risk Working Groups Comprised of the most senior executives Led by business executives Subject Matter Experts supporting Subordinate Committees Makes all major risk & compliance decisions Coordinate mitigation efforts across functions Assist in determining mitigation strategies Approves risk score changes and additions/removal of risks Make recommendations to ERCRC on major risk decisions Implement and assess mitigation effectiveness and challenges Evaluate & monitor risk levels, gaps, & mitigation efforts Approve less significant risk \ decisions Identify evaluate top corp. risks

16 Establishing Resources
Attributes of Effective Leaders of Enterprise Risk Management Broad knowledge of the business and its core strategies Broad knowledge, experience and capabilities relating to risk identification and management Strong relationships with mid-level and executive management Strong communication and facilitation skills Knowledge of the organization’s risks Broad acceptance and credibility across the organization Attributes of Effective Leaders of Enterprise Risk Management • Broad knowledge of the business and its core strategies • Strong relationships with directors and executive management • Strong communication and facilitation skills • Knowledge of the organization’s risks • Broad acceptance and credibility across the organization Internal Audit resources can be used as the catalyst to begin the ERM initiative.

17 Director Audit Services & Chief Risk Officer
Treatment of proceeds and bond issue costs per the Bond Resolution, establishment of reserves and adequacy of documentation. Internal Audit / ERM INTERNAL AUDIT ERM CEO Board of Directors Director Audit Services & Chief Risk Officer Audit Manager ERM Manager Internal Auditors ERM Analyst Focus on Current Control Condition • Evaluates existing processes and controls • Tests noted controls • Makes recommendations for deficient controls • Develops annual Audit Plan by conducting Audit Risk Assessment interviews with management Focus on Risk & Control Consciousness • Performs ongoing assessments of risks having greatest impact • Assists management to continuously assess potential risks or ‘what if’ events • Strategizes for long term risk management • Relies on management assertion without testing

18 Audit Services Independence
Maintaining independence between Audit Services and ERM functions in compliance with IIA standards Internal audit should: document its responsibilities in the audit charter which is approved by the Finance and Audit committee. provide advice and support management’s decision making. recognize any work beyond the assurance activities as a consulting engagement, and the implementation standards related to such engagement should be followed NOT manage the risks on behalf of management NOT give objective assurance on any part of the (ERM) framework for which it is responsible NOT adversely affect the level or quality of its work due to assuming responsibility for risk management activities • ERM guidelines requires that Management: -remains responsible for risk management -make risk management decisions themselves -assume responsibility for assessing and evaluating risks

19 Risk Reporting and Monitoring
Develop risk reporting protocols including communication processes, target audiences, and reporting formats. Reporting must clearly: • reflect the relative significance of each risk • identify gaps in controlling/reducing the inherent risk • track progress on mitigation efforts

20 Enterprise Risk Management – Top Corporate Risks Trends – Tier 3 Risks
. Total Risk Scores should be tracked over an extended time period to assess progress in mitigating the risks

21 Sustaining ERM Sustaining ERM Given the evolutionary nature of ERM and the dynamic nature of risk, the ERM process must be: • ongoing • not viewed as a one-time event. The initial risk assessment process needs constant monitoring and updating. The entity needs to be attuned to identify new and emerging risks.

22 Why does JEA do Risk Management?
Sustaining ERM Why does JEA do Risk Management? Sustaining ERM Ongoing communications from senior management and training will serve to reinforce and nurture the risk management culture. Including but not limited to: Developed: •Board and corporate policies and practices for ERM •Continuing ERM education for the directors and executives •ERM education and training for business-unit management •Policies and action plans to embed ERM processes into the business units Establishing clear linkage between strategic planning and budgeting processes Defining risk appetite(tolerance) for the organization and/or significant business units, including quantification of risk exposure

23 Risk Assessment and Action Plan
4. Conduct an Initial Enterprise-wide Risk Assessment and Action Plan ERM Program Summary Seek Board and Senior Management Involvement and Oversight Identify and position a leader to drive the ERM Initiative Establish a Management Working Group Establish Risk Tolerance Conduct an Initial Enterprise-wide Risk Assessment and Action Plan Inventory the Existing Risk Management Practices Develop Risk Reporting Develop the Ongoing Communications and Training

24 ERM Program Summary ERM is an evolutionary process of:
• Determining/revising tolerance for risk • Identifying potential risks (risk inventory) • Assigning responsibility for risks • Documenting controls in place to reduce Inherent Risk • Addressing mitigations required to shrink Residual Risk to fit within Acceptable Risk Tolerance • Monitoring • Re-assessing, revising, reporting, repeating

25 Florida State Board of Accountancy #0016036 1Credit Hour AA
Questions? Introduction to ERM Florida State Board of Accountancy # Credit Hour AA

Download ppt "Establishing an Effective Enterprise risk management (ERM) program"

Similar presentations

Organizational Governance

Organizational Governance
Risk Management at Harvard – Panel Discussion Harvard IT Summit

Risk Management at Harvard – Panel Discussion Harvard IT Summit
Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.

Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences.
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.

Risk Management and Internal Controls ASSAL 20 November 2014 Annick Teubner Chair, IAIS Governance Working Group.
It’s Time to Talk About Risk and Control

It’s Time to Talk About Risk and Control
Introduction to Enterprise Risk Management (ERM)

Introduction to Enterprise Risk Management (ERM)
Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,
Eliot M. Stenzel, CPA,CIA IIA Instructor for many years. 220-3198 Risk Based Auditing.

Eliot M. Stenzel, CPA,CIA IIA Instructor for many years Risk Based Auditing.
Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.

Operational risk management Margaret Guerquin, FSA, FCIA Canadian Institute of Actuaries 2006 General Meeting Chicago Confidential © 2006 Swiss Re All.
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
PwC Role of Internal Audit in Corporate Governance September 2010 Tumin Gültekin, Partner.

PwC Role of Internal Audit in Corporate Governance September 2010 Tumin Gültekin, Partner.
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
By Saurabh Sardesai www.starvaluemodel.com October 2014.

By Saurabh Sardesai October 2014.
Risk Assessment Frameworks

Risk Assessment Frameworks
Purpose of the Standards

Purpose of the Standards

Similar presentations

Ads by Google