IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW


Presentation Transcript


  1. IMPLEMENTING ENTERPRISE RISK MANAGEMENT (ERM): A PROCESS OVERVIEW. By Hussein K. Isingoma, CISA, CISM, CRISC, FCCA, CIA, CPA. ISACA Kampala, 24th April 2013

  2. Introduction
  • All organizations exist to provide value to shareholders and stakeholders
  • Every organisation needs to determine how much uncertainty it should accept in seeking to create value or deliver service
  • Uncertainty has the potential to enhance or erode value
  • Organisations have growing concerns about a broader spectrum of risks
  • For many organizations, risk management is rapidly developing into a more forward-looking, enterprise-wide approach

  3. Contd.
  • Risk Management (RM) is about systematically identifying and actively managing risks to the business
  • It is about increasing the likelihood of success by minimising threats and maximising opportunities
  • It is being in control, and being seen to be!
  • Recent world disasters and scandals bear the hallmarks of failure in the risk management process: identification, assessment of risks, etc.
  • The downturn in the global economy raises important questions about how organisations conduct their business, and particularly about how they assess and manage risk

  4. World Disasters and Scandals: What Happened?
  Fukushima Nuclear Disaster
  • Tokyo Electric Power Company (TEPCO) failed to prevent the disaster not because a large tsunami was unanticipated, but because they were reluctant to invest time, effort and money in protecting against a natural disaster considered unlikely.
  • The utility and regulatory bodies were overly confident that events beyond the scope of their assumptions would not occur, and were not aware that measures to avoid the worst situation were actually full of holes.
  Financial/Sovereign Debt Crisis
  • The U.S. Financial Crisis Inquiry Commission concluded in January 2011 that the crisis was avoidable and was caused by:
  • Widespread failures in financial regulation, including the Federal Reserve's failure to stem the tide of toxic mortgages;
  • Dramatic breakdowns in corporate governance, including too many financial firms acting recklessly and taking on too much risk;
  • High-risk lending and borrowing practices.

  5. Enterprise Risk Management (ERM)
  ERM Definition (IIA): A structured, consistent and continuous process across the whole organization for:
  • Identifying
  • Assessing
  • Deciding on responses
  • And reporting on opportunities and threats that affect the achievement of its objectives
  (Slide also shows the core elements of the risk management framework.)

  6. COSO-ERM Framework

  7. Deloitte East Africa ERM Survey
  • First baseline survey on the state of ERM in the Financial Services Industry (FSI): banking, insurance, securities, real estate and investment management.
  • Implementation of ERM is fairly limited, with only 31% of companies surveyed having fully implemented an ERM programme
  • 23% had their risk appetite defined both quantitatively and qualitatively
  • Top-rated challenges during ERM implementation included integrating risk data across the organization (70%) and having the appropriate risk management skills (64%)

  8. Assessing Risk Maturity
  • Risk maturity is the extent to which a robust RM approach has been adopted and applied as planned
  • Assessment of your organization's risk maturity is a critical input to the effective implementation of ERM
  • It provides a baseline upon which the organization's risk assurance strategies and activities will be determined
  • Risk maturity assessment is about understanding how well the business risks are being managed
  • It involves:
    • determining and obtaining the information necessary to carry out the assessment
    • defining the methods of obtaining the information, and
    • getting evidence to substantiate the assessment

  9. Risk Maturity Levels (highest to lowest)
  • Enabled: RM and ICs fully embedded into operations
  • Managed: enterprise approach to RM developed and communicated
  • Defined: strategy and policies in place, risk appetite defined
  • Risk Aware: scattered, silo-based approach to RM
  • Risk Naïve: no formal approach developed for RM

  10. ERM Process Overview

  11. Drivers of ERM

  12. 1. Setting the Context for RM
  • Senior management plays a critical role in establishing and communicating the foundation against which RM decisions are to be taken throughout the business. The roles include:
    • Strategic direction and goals
    • Appetite for risk
    • Risk management framework
    • Roles and responsibilities

  13. 2. Risk Identification (RI)
  RI Methods
  • One-to-one interviews
  • Brainstorming
  • Round-table discussions
  • Interactive workshops
  • Questionnaires
  RI Tools
  • SWOT analysis
  • PESTLE analysis
  • Scenario planning
  • Stakeholder analysis

  14. Contd.
  How to Make RI Successful
  • Get the right people involved
  • Brief them adequately
  • Give them the right tools
  • Think outside the box
  • Have a meaningful definition of risk (distinction between a risk and a problem!)
  Effective RI Should Be...
  • Comprehensive
  • Complete
  • Honest
  • Covering all relevant business activities
  • Entailing training and awareness activities

  15. Risk Register
  The output of a risk identification process is the risk register. Its role is to:
  • Capture all major business risks in one place
  • So they can be compared, contrasted and combined
  • So they are given attention at the right level in the organisation
  Typically, there could be multiple risk registers:
  • Corporate risks
  • Divisional, country, functional risks
  • Project risks
  • etc.

  16. 3. Assessing and Prioritizing Risks
  It involves ascertaining:
  • The measures in place to control risk
  • The effectiveness of controls
  • The likelihood of risk occurrence
  • The impact of risk if it did occur
  • Significance of risk
  • Risk significance is the product of the likelihood of occurrence and the impact if it did occur
  • Assessment scales are used to determine likelihood and impact
  • Assessment scale levels depend on the organisation's risk maturity

  17. Contd. Risk Assessment Scales (5-level)

  18. Contd. Risk Map: 3-Level Risk Significance Scale (High, Medium, Low)

  19. Contd.
  • The risk assessment matrix is a key way of establishing and communicating risk appetite
  • Risk appetite: the amount of risk that an entity is willing to accept in pursuit of its mission
  • It confirms what level of risk is acceptable, and which risks are significant and should be reported upwards
  • Inherent risk: exposure before any controls
  • Residual risk: exposure after controls are in place and are operating

  20. Risk Appetite (diagram: impact vs. likelihood map showing inherent risk, the risk response, residual risk and the risk appetite line)
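The scoring described on slides 16 to 20 (likelihood x impact on 5-level scales, banded onto a 3-level risk map, inherent vs. residual exposure compared against risk appetite), worked through as an added example; this code is not from the presentation, and the band thresholds, the sample register entries and the appetite value are constructed assumptions:

```python
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 5-level scale: 1 = lowest, 5 = highest
# Assumed banding of the 1-25 product onto the 3-level risk map.
BANDS = ((15, "High"), (8, "Medium"), (1, "Low"))  # (minimum score, band)


def significance(likelihood: int, impact: int) -> int:
    """Risk significance is the product of likelihood and impact."""
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return likelihood * impact


def band(score: int) -> str:
    """Map a significance score onto the High/Medium/Low risk map."""
    return next(name for floor, name in BANDS if score >= floor)


@dataclass(frozen=True)
class RiskEntry:
    """One risk register line: exposure before and after controls."""
    name: str
    inherent: tuple  # (likelihood, impact) before any controls
    residual: tuple  # (likelihood, impact) with controls operating


def assess(register, appetite: int):
    """Score each entry, band it, and flag residual risk above appetite,
    i.e. the risks that should be reported upwards. Sorted high to low."""
    rows = []
    for r in register:
        inh, res = significance(*r.inherent), significance(*r.residual)
        if res > inh:  # controls can only reduce exposure; catch data errors
            raise ValueError(f"{r.name}: residual exceeds inherent risk")
        rows.append({"name": r.name, "inherent": inh, "inherent_band": band(inh),
                     "residual": res, "residual_band": band(res),
                     "escalate": res > appetite})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register (not from the presentation).
REGISTER = [
    RiskEntry("Unpatched internet-facing server", (4, 5), (2, 5)),
    RiskEntry("Key-person dependency in finance", (3, 3), (2, 2)),
    RiskEntry("Flooding of the data centre", (1, 5), (1, 4)),
]
RISK_APPETITE = 6  # assumed: residual scores above this are reported upwards

if __name__ == "__main__":
    for row in assess(REGISTER, RISK_APPETITE):
        print(row)
```

The residual score, not the inherent one, is what is compared with appetite, so a High inherent risk with effective controls may drop to Medium and stay below the reporting line.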

  21. 4. Risk Response (diagram: impact vs. likelihood quadrants labelled Contingency Plans, Manage Actively, Review Periodically and Good Housekeeping)

  22. Risk Response Options: the 4 T's

  23. 5. Monitoring and Reporting
  The role of risk monitoring is:
  • To check that risk responses are in place and working as intended
  • To check the risk status: no unwelcome surprises
  • To ensure risks are considered at the right level
  • To provide assurance to management that risks are being managed in the way approved

  24. ERM Benefits
  • Business objectives more likely to be met
  • Focus on issues or activities that count
  • Fewer shocks and surprises
  • Early warning of problems
  • Effective use of resources
  • More focused and viable strategies; informs future strategy development
  • Clarity on risk appetite and freedom to act
  • Facilitates meaningful disclosure
  • Enhanced organizational learning

  25. ERM Implementation Challenges
  • Organizational silos and outdated information systems prevent many enterprises from adequately sharing information (silos vs. enterprise).
  • Risk maturity: the extent to which a robust RM approach has been adopted and applied.
  • Organizational culture: an organization that delivers only "good news" ends up with poor-quality decisions based on a "sanitized version of reality".
  • Costs affect operations and investment decisions
  • Misalignment of risk management strategy with the overall business strategy
  • Inadequate skills and competences in risk management

  26. Contd.
  • Internal control environment
  • Risk management philosophy and operating style
  • Risk appetite
  • Human resource policies and practices
  • Assignment of authority and responsibility
  • Failure to strike a clear balance between the hard and soft sides of RM

  27. Way Forward on ERM Implementation
  • Organizational review to ensure better structures, with C-level risk executives having visibility and oversight
  • Risk awareness across the organization
  • Investment in modern information systems and technologies to enhance information sharing and organizational learning
  • Training, retention and sourcing of RM subject matter experts
  • Determining and communicating the business appetite for risk
  • Establish organizational risk and control policies (risk policy)
  • Carry out a risk maturity assessment as a baseline for ERM implementation

  28. Contd.
  • Balance between the hard and soft sides of RM
  • Seamlessly integrate RM thinking and practices into strategic planning and the day-to-day activities of the organisation. How?
    • Risk-assess the strategic options
    • Communicate risk appetite for key risks
    • Establish Key Performance Indicators (KPIs) to track progress of mitigation
    • Include risk status reporting at management and board levels
    • Continuously check the business risk profile

  29. Conclusion: How competent is your organization vs. its risk appetite?