Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253

Published byTracey Stephens Modified over 8 years ago

Similar presentations

Presentation on theme: "IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253"— Presentation transcript:

1 IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253
Enterprise Risk Management (ERM) 23 August 2007 Charles G. Gray

2 The material in this presentation is adapted from “Enterprise Risk Management – Integrated Framework” published by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission, copyright Used by permission. (The name is derived from the name of the first chairman of the 1985 National Commission on Fraudulent Financial Reporting, James C. Treadway, EVP and General Counsel, Paine Webber, Inc., and former Commissioner of the SEC.)

3 ERM Defined “A process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

4 Why is ERM Important? Every entity, whether for-profit or not, exists to realize value for its stakeholders Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

5 ERM and Value Creation ERM enables management to:
Deal effectively with potential future events that create uncertainty Respond in a manner that reduces the likelihood of downside (negative) outcomes and increases the upside (positive).

6 The ERM Framework View objectives in the context of
Strategy Operations Reporting Compliance Consider activities at all levels Enterprise-level Division or subsidiary Business unit processes

7 Portfolio View of Risk Management must consider how individual risks interrelate Develop a “portfolio view” from the perspective of Business unit level Entity level A “holistic” view of how various risk factors impinge on the enterprise

8 Components of the ERM Framework
Internal environment Setting objectives Event identification Risk assessment Risk response Control activities Information and communication Monitoring

9 Internal Environment Establishes a philosophy regarding risk management Recognizes that unexpected as well as expected events may occur Establishes the enterprise “risk culture” Consider all other aspects of how the organization’s actions may affect its risk culture

10 Setting Objectives Applies when management considers risk strategy in the setting of objectives Forms the “risk appetite” – a high level view of how much risk management is willing to tolerate in pursuit of objectives Risk tolerance – acceptable level of variation around objectives aligned with risk appetite

11 Event Identification Differentiates risks and opportunities
Events with negative impact are risks Events that may be positive represent offsets (opportunities), which management channels back to strategy setting Identify internal or external incidents that could affect achievement of objectives Addresses how internal and external factors interact to influence the risk profile

12 Risk Assessment Evaluate the extent to which potential events might impact objectives Assesses risk as to likelihood and impact Assess risk related to objectives Combination of both qualitative and quantitative assessment methodologies Relates time horizons to objective horizons Assesses risk on both inherent and residual basis

13 Risk Response Identify and evaluate possible responses to risk
Evaluates options vis-à-vis risk appetite Cost vs. benefit Degree to which a response will reduce impact and/or likelihood Selects and executes response based on evaluation of the portfolio of risks and responses

14 Control Activities A strong system of internal control is essential to effective risk management Policies and procedures that help ensure that the risk responses, as well as other directives, are carried out Should occur throughout the organization, at all levels and in all functions Include application and general information technology controls

15 ERM Roles and Responsibilities
Board of directors Senior management CEO, CIO, CFO, COO, other? Unambiguous and enthusiastic support Risk officers VP, chief risk officer, chief security officer Risk/security steering committee Internal auditors

16 Key Implementation Factors
Organization design of the enterprise Establishing an ERM organization Performing risk assessments Determining the overall risk appetite Identifying risk responses Communication of risk evaluation results Monitoring Management oversight and periodic review

17 Risk Appetite What risks will the organization not accept?
E.g., Damage to corporate image What risks will the organization take on new initiatives? E. g., New products What risks will the organization accept for competing objectives? Sacrifice profit for environmental issues (PR)

18 Risk Appetite - Definitions
The amount of risk exposure or potential adverse impact from an event that the organization is willing to accept The level of risk an organization is prepared to be exposed to before it decides that action is necessary The level of risk you’re willing to live with before you do something about it The amount of risk you’re prepared to take in order to achieve objectives

Download ppt "IT Risk Management, Planning and Mitigation TCOM 5253 / MSIS 4253"

Similar presentations

Internal Control Integrated Framework

Internal Control Integrated Framework
Risk Management at Harvard – Panel Discussion Harvard IT Summit

Risk Management at Harvard – Panel Discussion Harvard IT Summit
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework
Lisanne Sison Director ERM Bickmore

Lisanne Sison Director ERM Bickmore
IMFO Audit & Risk Indaba June 2012

IMFO Audit & Risk Indaba June 2012
Chapter 10 Accounting Information Systems and Internal Controls

Chapter 10 Accounting Information Systems and Internal Controls
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Control and Accounting Information Systems

Control and Accounting Information Systems
Control and Accounting Information Systems

Control and Accounting Information Systems
Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.

Agency Risk Management and Internal Control Standards Presentation to the Board of Visitors November 14, 2014.
COBIT 5 and COSO 2013: Comparing the Frameworks

COBIT 5 and COSO 2013: Comparing the Frameworks
Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.

Executive Insight through Enhanced Enterprise Risk Management Leverage Value From Your Risk Management Investment.
Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.

Tax Risk Management Keeping Up with the Ever-Changing World of Corporate Tax March 27, 2007 Tax Services Bryan Slone March 27, 2007.
CHAPTER 16 Auditing and corporate governance. Contents  Corporate governance  Independent directors  Chairman of the board and chief executive officer.

CHAPTER 16 Auditing and corporate governance. Contents  Corporate governance  Independent directors  Chairman of the board and chief executive officer.
2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,

2011 Governance, Risk, and Compliance Conference August 29 – 31, 2011 / Orlando, FL, USA The Top Four Essential Objectives to Auditing ERM Stephen E. McBride,
Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.

Chapter 7 Control and AIS Copyright © 2012 Pearson Education, Inc. publishing as Prentice Hall 7-1.
Applying COSO’s Enterprise Risk Management — Integrated Framework

Applying COSO’s Enterprise Risk Management — Integrated Framework
Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.

Expanded Version of COSO a presentation by Steve Wadleigh Expanded Version of COSO a presentation by Steve Wadleigh Standards for Internal Control in the.
ERM for the Non-Risk Manager

ERM for the Non-Risk Manager
Risk Assessment Frameworks

Risk Assessment Frameworks

Similar presentations

Ads by Google