COSO’s Enterprise Risk Management (ERM) Framework. Enterprise Risk Management Overview.
Project Background • Increased awareness of the importance of Risk Management due to events of the past five years: • High-profile business scandals • Economic slowdown caused many business failures • World events impose new risks • Emphasized the danger of overlooking risk. • Need for a common guide for discussing, identifying, evaluating and managing risk.
Project Background • Project was launched by COSO in 2001 • Engaged PricewaterhouseCoopers to write the COSO ERM Framework, which consists of 3 parts: • Executive Summary • Framework • Application Guidance • Currently in draft form, expected to be issued in 3Q of 2004.
Project Background • “Enterprise Risk Management” is a process for identifying, analyzing and managing risk across the entire enterprise • ERM defines risk and risk management and provides key principles and concepts, a common language and other elements of a comprehensive risk management framework. • ERM provides criteria for companies’ use in determining whether their risk management is effective, and if not, what is needed to make it so.
ERM Defined Defined in the Framework as: Enterprise Risk Management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
ERM Defined • The Enterprise Risk Management process includes: • Identification of potential events that may impact objectives • Assessment of Risk and a determination of an appropriate response • Consideration of risk in the formulation of strategy • Application across the entity – takes a portfolio view of risk. • Risk management within an entity’s risk appetite • Monitoring the performance of ERM
ERM Defined ERM versus the Internal Control – Integrated Framework: • ERM is much broader than the Internal Control – Integrated Framework • ERM expands on internal control and provides a more robust and extensive focus on the broader subject of enterprise risk management. • ERM does NOT replace the internal control framework, rather incorporates elements of the internal control framework within it. • The Internal Control – Integrated Framework remains in place as the definition of and framework for internal control.
Benefits of ERM • ERM enables management to: • Deal effectively with future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. • Maximize value by balancing strategy and objectives within the entity’s risk appetite.
Benefits of ERM ERM helps an enterprise to: • Align risk appetite and strategy • Enhance risk response decisions • Reduce operational surprises and losses • Identify and manage enterprise-wide risks • Seize opportunities • Improve deployment of capital
ERM Framework The ERM Framework is geared to achieving an entity’s objectives, set forth in 4 categories: • Strategic – related to the high-level goals and mission of the entity • Operations – related to the efficiency, performance and profitability of operations • Reporting – related to the reliability of internal and external reporting • Compliance – related to compliance with applicable laws and regulations
ERM Framework The ERM Framework has Eight Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, and Monitoring. The cube depicts the interrelationship of the 8 components (one axis) with the entity’s 4 objective categories (second axis) and with the entity’s units – subsidiaries, divisions, business units (third axis):
Internal Environment The Internal Environment encompasses: • Entity’s Risk Management Philosophy • Risk Appetite • Board of Directors • Integrity and Ethical Values • Commitment to Competence • Organizational Structure • Assignment of Authority and Responsibility • Human Resource Standards Sets the Foundation for how risk and control are viewed and addressed by the entity.
Internal Environment Risk Management Philosophy: • The shared beliefs and attitudes toward risk. • Reflects the entity’s values, culture and operating style • Formal vs. Informal • Conservative vs. Aggressive • Affects how risks are identified, the types of risks accepted and how they are managed by an entity. • Management reinforces the entity’s risk management philosophy with everyday actions.
Internal Environment Risk Management Philosophy • Risk management philosophy should be consistent throughout the enterprise to effectively apply ERM. • However, risk management philosophy can sometimes vary within an enterprise: • e.g., an aggressive sales dept. may be prepared to take more risk than the procurement dept. that is responsible for ensuring compliance with company policies and internal controls. • These 2 depts. complement each other and will collectively reflect the entity’s risk management philosophy.
Internal Environment Risk Appetite: • The amount of risk an entity is willing to accept in pursuit of value. • Reflects the entity’s risk management philosophy • Desired return from a strategy should be aligned with the entity’s risk appetite. • Qualitative measures – e.g., high, moderate or low risk. • Quantitative measures – balances goals with growth and return with risk.
Internal Environment Board of Directors • An active and involved board of directors is a critical part of the internal environment. • A board that questions and scrutinizes management’s activities is an effective control. • The majority of board members should be independent outside directors. • An effective board of directors will ensure that management maintains effective risk management processes.
Internal Environment Integrity and Ethical Values: • Management’s integrity and ethical values influence the decision-making process. • Lack of integrity and ethical values creates risk. • Corporate culture influences employee behaviors; sets the standard for which rules are followed or ignored.
Internal Environment Integrity and Ethical Values: • Promoting integrity and ethics: • CEO and top mgmt. set the example and determine the corporate culture. • Performance targets should be realistic and incentives appropriate. • Existence of written guidance on what is right and wrong – e.g., a Code of Conduct. • Written guidance must be accompanied by communication and training. • Upward communication channels are key. • Penalties for employees who violate the code act as a deterrent to others.
Internal Environment Commitment to Competence • Competence reflects the knowledge and skills needed to perform assigned tasks. • Management must determine the level of competence needed for each task. • Trade-offs are made between competence and cost. • Trade-offs are made between the extent of supervision and the competence of the individual.
Internal Environment Organizational Structure: • Entity’s organizational structure provides the framework to plan, execute, control and monitor its activities. • Defines key areas of authority, responsibility and accountability • Organizational structure should enable effective risk management by: • promoting the flow of relevant information to top management and key decision makers on a timely basis. • Appropriate assignment of authority to carry out business activities
Internal Environment Organizational Structure: • Organizational structure should be suited to the entity’s needs and corporate culture • Centralized versus Decentralized • Hierarchical reporting relationships versus Flat • Structured by product line, geography, marketing channel, etc. • Organizational structure should depend on the size and nature of the entity’s activities.
Internal Environment Assignment of Authority and Responsibility: • Increased delegation of authority empowers employees and often encourages creativity, initiative, faster response times and greater accountability. • As authority and responsibility are granted to lower levels within an entity, risk is often increased. • Must ensure that authority and responsibility are delegated to competent individuals who understand the entity’s objectives.
Internal Environment Human Resource Standards • Human resource practices play a key role in promoting integrity, ethical behavior and competence • Hiring standards • Orientation programs • Training programs • Performance evaluations • Compensation and incentive programs • Disciplinary actions
Internal Environment • The importance of a strong Internal Environment must not be underestimated. • Internal environment is the foundation of all the other ERM components • Management is responsible for setting the tone - not just words and policies, but actions must permeate the organization • Enron example: flawed internal environment
ERM Framework Objective Setting:
Objective Setting • Objectives must exist before management can identify and assess risks and take steps to manage those risks. • Enterprise Risk Management requires that all employees understand the entity’s objectives as they relate to their individual function. • Understand what is to be accomplished and how to measure accomplishment.
Objective Setting Strategic Objectives • High level goals, • Aligned with entity’s mission/vision Related Objectives Activity level goals - 3 categories: • Operations objectives • Reporting objectives • Compliance objectives
Objective Setting Operations Objectives: • Pertain to the effectiveness and efficiency of operations. • Reflect entity’s business, industry and economic environment. • Basis for allocating an entity’s resources • Unclear or misunderstood operational objectives could lead to the entity’s resources being misdirected.
Objective Setting Reporting Objectives: • Complete and accurate information • Supports management’s decision making process • Enables monitoring activities • Internal vs. external reporting • Financial vs. non-financial data
Objective Setting Compliance Objectives: • Actions taken to comply with applicable laws and regulations Examples: • Taxes, markets, pricing • Environmental • Employee welfare • International trade • Failure to meet compliance objectives can be costly: • Fines, penalties imposed • Impact entity’s reputation, loss of market share
Objective Setting Overlap of Objectives • Activities may support more than one objective Achievement of Objectives • Reporting and Compliance objectives are generally easier to achieve, as they are largely within an entity’s control • Operations objectives are more difficult, as they may depend upon external factors: • Competitors’ actions • Poor weather • Changes in government • Risk identification and risk management can mitigate the impact of external events.
Objective Setting Risk Appetite • The acceptable balance between growth, risk and return • Strategy setting must be aligned with the entity’s risk appetite. • ERM, applied in strategy setting, helps management select a strategy within its risk appetite Risk Tolerance • Amount of variation the entity is willing to accept in achieving objectives
ERM Framework Event Identification:
Event Identification • Identification of potential events from internal or external sources that influence strategy, and/or the achievement of objectives. • Events may be negative or positive – risk or opportunity • Event Identification Techniques • Event Categories
Event Identification Examples of Techniques for Identifying Events: • Event inventories • Internal analysis • Escalation or threshold triggers • Facilitated workshops and interviews • Leading event indicators • Loss event data methodologies • Process flow analysis • Event interdependencies
Event Categories Examples:
ERM Framework Risk Assessment
Risk Assessment • The extent to which potential events will impact an entity’s objectives. • Inherent risk (the risk absent any management response) and Residual risk (the risk remaining after management’s response) • Events are evaluated from 2 perspectives: • Likelihood that the event will occur • Impact – the effect of the event on the entity • Techniques used to assess Likelihood and Impact: • Qualitative • Quantitative
Risk Assessment Qualitative Techniques: • Used when quantification of risk amounts is not feasible due to lack of data or collection of data is not cost effective. • Not as accurate as quantitative • Examples: • Self-assessment (low, medium, high) • Questionnaires • Internal audit reviews
Risk Assessment Quantitative Techniques: • More accurate than qualitative • Used when there is enough data to produce mathematical or statistical models, performance or benchmarking metrics. • Examples: • Probability based • Non-probabilistic models – utilize impact assumptions only, not likelihood • Benchmarking
Risk Assessment Event Relationships • While the impact of a single event might be minimal, a sequence of events can be significant. • When a correlation between events exists, events should be assessed together • Risks that impact multiple business units may be grouped into common event categories and assessed in the aggregate.
ERM Framework Risk Response
Risk Response 4 categories of Risk Responses: • Avoidance – Exit the activities giving rise to the risk • Reduction – Take action to reduce the likelihood or impact of the risk • Sharing – Transfer or share the risk, or a portion of it, with another party (e.g., insurance, outsourcing) • Acceptance – Risk is accepted; no action is taken
Risk Response In selecting an appropriate risk response, management should consider: • The effect of each response on the risk’s likelihood and impact • Which response brings residual risk within the entity’s risk appetite and tolerances • Cost versus benefit of each potential response • Potential opportunities that may result from each risk response.
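The following is an added worked example, not material from the COSO deck: a small risk register that applies the Risk Assessment and Risk Response slides above in code. It scores each event's inherent risk as likelihood × impact, scores the residual risk each candidate response would leave, rejects responses whose residual risk exceeds the tolerance for the affected objective category, ranks the rest by net benefit (reduction in expected loss minus the response's cost), and then takes the portfolio view by summing residual risk across events against an entity-level risk appetite. Every event, figure, tolerance and response effect is a constructed illustration; the function and field names are this example's own.

```python
"""Constructed risk register illustrating COSO-style risk assessment and response.
Added example; all events, probabilities, amounts and tolerances are invented."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Response:
    kind: str            # one of COSO's four categories: avoidance, reduction, sharing, acceptance
    annual_cost: float   # cost of implementing the response (currency units per year)
    likelihood: float    # annual likelihood remaining after the response is in place
    impact: float        # loss remaining if the event still occurs


@dataclass
class Event:
    name: str
    objective: str       # objective category affected: strategic | operations | reporting | compliance
    likelihood: float    # inherent annual probability, before any response
    impact: float        # inherent loss if the event occurs
    responses: list = field(default_factory=list)


def expected_loss(likelihood, impact):
    """Probability-based (quantitative) measure: annualised expected loss."""
    return likelihood * impact


def inherent_risk(ev):
    return expected_loss(ev.likelihood, ev.impact)


def residual_risk(resp):
    return expected_loss(resp.likelihood, resp.impact)


def select_response(ev, tolerance):
    """Return the response with the highest net benefit whose residual risk is
    within tolerance, or None if no candidate brings the risk within tolerance."""
    base = inherent_risk(ev)
    feasible = []
    for r in ev.responses:
        residual = residual_risk(r)
        if residual > tolerance:
            continue                      # would leave the objective outside its tolerance
        net_benefit = base - residual - r.annual_cost
        feasible.append((net_benefit, r))
    if not feasible:
        return None
    feasible.sort(key=lambda t: t[0], reverse=True)
    return feasible[0][1]


def portfolio_view(events, tolerances, appetite):
    """Portfolio view: choose a response per event, then compare total residual
    risk against the entity-level risk appetite. Events with no feasible
    response keep their inherent risk and are reported as unresolved."""
    total = 0.0
    selected, unresolved = {}, []
    for ev in events:
        r = select_response(ev, tolerances[ev.objective])
        if r is None:
            unresolved.append(ev.name)
            total += inherent_risk(ev)
        else:
            selected[ev.name] = r.kind
            total += residual_risk(r)
    return {"total_residual": total, "within_appetite": total <= appetite,
            "selected": selected, "unresolved": unresolved}


# Constructed sample register (invented figures, not framework data).
TOLERANCES = {"operations": 150_000, "reporting": 50_000, "compliance": 100_000}
APPETITE = 300_000   # maximum total expected loss the entity is willing to carry

EVENTS = [
    Event("Ransomware outage", "operations", 0.20, 2_000_000, [
        Response("acceptance", 0, 0.20, 2_000_000),
        Response("reduction", 100_000, 0.05, 800_000),      # offline backups, MFA
        Response("sharing", 80_000, 0.20, 500_000),         # cyber insurance caps the loss
    ]),
    Event("Financial misstatement", "reporting", 0.10, 1_500_000, [
        Response("acceptance", 0, 0.10, 1_500_000),
        Response("reduction", 60_000, 0.02, 1_500_000),     # segregation of duties, review
    ]),
    Event("Unlicensed market entry", "compliance", 0.50, 3_000_000, [
        Response("avoidance", 0, 0.0, 0.0),                 # exit the activity
        Response("reduction", 400_000, 0.10, 3_000_000),    # licensing programme
    ]),
    Event("Key supplier failure", "operations", 0.30, 1_000_000, [
        Response("acceptance", 0, 0.30, 1_000_000),
        Response("sharing", 50_000, 0.30, 600_000),         # contractual penalties
    ]),
]

if __name__ == "__main__":
    for ev in EVENTS:
        r = select_response(ev, TOLERANCES[ev.objective])
        print(f"{ev.name}: inherent {inherent_risk(ev):,.0f} -> "
              f"{r.kind if r else 'NO FEASIBLE RESPONSE'}")
    print(portfolio_view(EVENTS, TOLERANCES, APPETITE))
```

Two points the numbers are built to show: the cheaper-looking sharing option for the ransomware event loses to reduction on net benefit once the avoided loss is counted, and the supplier event has no response that meets its tolerance, so the portfolio total exceeds the appetite and the result has to go back to management as a strategy or tolerance decision rather than being silently accepted.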
ERM Framework Control Activities
Control Activities • Control activities are the policies and procedures established to ensure that the risk responses are carried out. • Control activities vary based upon the entity’s goals, implementation techniques, and internal and external environments.
Control Activities Examples of Control Activities: • Senior Management reviews • Project management – monitor progress • Information processing – controls to check completeness and accuracy • Physical controls – inventories, security controls • Performance indicators – results analysis • Segregation of duties
Control Activities Control Activity Examples (cont’d): • Information Technology Controls: • General controls: IT management and infrastructure, security management, and software acquisition, development and maintenance; they apply across many applications. • Application controls: embedded in individual applications to ensure the completeness, accuracy and validity of data.
ERM Framework Information and Communication