1 / 57


ENTERPRISE RISK MANAGEMENT. Purpose. Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance Develop or benchmark ERM process. Relevance. Every entity strives to add value in the face of uncertainty

Download Presentation


An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.


Presentation Transcript


  2. Purpose • Develop a conceptually sound framework • Provide integrated principles • Common terminology • Practical implementation guidance • Develop or benchmark ERM process

  3. Relevance • Every entity strives to add value in the face of uncertainty • Value—stakeholders derive recognizable benefits that they value. • Uncertainty emanates from an inability to precisely determine the likelihood that potential events will occur and the associated outcomes.

  4. Today’s organizations are concerned about: • Risk Management • Governance • Control • Assurance (and Consulting)

  5. Why ERM Is Important Underlying principles: • Every entity, whether for-profit or not, exists to realize value for its stakeholders. • Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

  6. Why ERM Is Important ERM supports value creation by enabling management to: • Deal effectively with potential future events that create uncertainty. • Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

  7. ERM provides a framework for management … • … to effectively deal with uncertainty and associated risk and opportunity, and thereby enhance its capacity to build value.

  8. A dynamic process that includes … • Identification of potential events that may impact objectives • Risk assessment and response • Consideration of risks in formulation of strategy • Application across the entity • Managing risk is to be within the entity’s risk appetite • A portfolio view of risks at the entity-level is taken • Monitoring the performance of ERM

  9. ERM provides enhanced capabilities to … • … align risk appetite and strategy; link growth, risk, and return; enhance risk-response decisions; minimise operational surprises and losses; identify and manage cross-enterprise risks; provide integrated responses to multiple risks; seize opportunities; and rationalise capital.

  10. Some “new” concepts in the ERM Framework • Events and risks • Applying risk management in strategy setting • Risk appetite and risk tolerance • Portfolio view

  11. Events and risk • Event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives. • Distinguish risk and opportunity • Risk is the possibility that an event will occur and adversely affect the achievement of objectives. • Events that may have a positive impact represent natural offsets or opportunities. • Risks are measured using the same unit of measure as the related objectives. • Time horizons are specified and aligned with objectives

  12. Applied in strategy setting • Enterprise risk management is applied in strategy setting, in which management considers risks relative to alternative strategies. • For instance, a university seeks to offer high-quality educational opportunities to students within the state, nation and worldwide. • Strategy A: Focus predominantly on campuses structures • Strategy B: Focus more at off-campus sites • Strategy C: Develop new interactive distance education • Strategy D: Develop a mix of the above. • What additional risks levels or types of risks will arise with each choice?

  13. Relating mission, objectives, appetite and tolerance Mission To be the leading producer of premium household products in the regions in which we operate • Risk Appetite • Accepts that the company will consume large amounts of capital investing in new assets, people and process • Accepts that competition could increase (e.g. through predatory pricing, etc) as we seeks to increase market share, thereby reducing profit margins • Does not accept erosion of product quality Strategy Expand production of our top-five selling retail products Strategic Objectives To be in the top quartile of product sales for retailers of our products Measures Market Share • Related Objectives • Increase production of Unit X by 15% in the next 12 months • Increase new staff by 200 (net) across all manufacturing divisions • Maintain product quality of 4.0 sigma • Measures • Units of Production • Number of staff hired • Product quality by sigma Risk Tolerances Measure Market share Units of production Number of staff hired (net) Product quality index Target 25 Percentile 150,000 units 200 staff 4.0 sigma Tolerances – Acceptable Range 23% – 30% +10,000 / - 7,500 + 20 / - 15 4.0 – 4.5 sigma

  14. Taking a portfolio view • Enterprise risk management requires an entity to take a portfolio view of risk. • Management considers how individual risks interrelate. • Management develops a portfolio view from two perspectives: • Business unit • Entity • For instance your university, can you explain how a: • 10% loss teaching faculty would effect the faculty and the overall university • 15% increase in research funding would effect the overall university • Shift in education delivery mechanisms from classroom based learning to interactive distance learning effects the overall university

  15. Benefits of Enterprise Risk Management • Provides enhanced capability to: • Align risk appetite and strategy • Link growth, risk and return • Enhance risk response decisions • Minimize operational surprises and losses • Identify and manage cross-enterprise risks • Provide integrated Reponses to multiple risks • Seize opportunities • Rationalize capital

  16. Definition • Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

  17. Enterprise Risk Management — Integrated Framework This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

  18. Components • Internal environment • Objective setting • Event identification • Risk assessment • Risk response • Control activities • Information and communication • Monitoring

  19. The ERM Framework The eight components of the framework are interrelated …

  20. The ERM Framework Entity objectives can be viewed in the context of four categories: • Strategic • Operations • Reporting • Compliance

  21. The ERM Framework ERM considers activities at all levels of the organization: • Enterprise-level • Division or • subsidiary • Business unit • processes

  22. Internal Environment • Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. • Establishes the entity’s risk culture. • Considers all other aspects of how the organization’s actions may affect its risk culture.

  23. Internal Environment • Risk Management Philosophy • Risk Culture • Board of Directors • Integrity and Ethical Values • Commitment to Competence • Management's Philosophy and Operating Style • Risk Appetite • Organizational Structure • Assignment of Authority and Responsibility • Human Resource Policies and Practices

  24. Objective Setting • Is applied when management considers risks strategy in the setting of objectives. • Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. • Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

  25. Objective Setting • Strategic Objectives • Related Objectives • Selected Objectives • Risk Appetite • Risk Tolerance

  26. Event identification component • Identify those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. • Addresses how internal and external factors combine and interact to influence its risk profile. • Distinguish risk and opportunity

  27. Event Identification • Differentiates risks and opportunities. • Events that may have a negative impact represent risks. • Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

  28. Event Identification • Events • Factors Influencing Strategy and Objectives • Methodologies and Techniques • Event Interdependencies • Event Categories • Risks and Opportunities

  29. Risk assessment component • Allows an entity to understand the extent to which potential events might impact objectives. • Assesses risks from two perspectives – likelihood and impact. • The unit of measure used to assess risks should be the same or congruent to measure used for the achievement of objectives. • Employs a combination of both qualitative and quantitative risk assessment methodologies. • Time horizons are related to objective time horizons. • Assesses risk on both an inherent and residual basis.

  30. Risk Assessment • Inherent and Residual Risk • Likelihood and Impact • Methodologies and Techniques • Correlation

  31. Risk response component • Identifies and evaluates possible responses to risk. • Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses and degree to which a response will reduce impact and/or likelihood. • Assessment of and response to risks are integral components of ERM; which specific response is selected is not. • Selects and executes its response based on evaluation of the portfolio of risks and responses.

  32. Responses Fit Within The Following Categories: • Avoidance– Action is taken to exit the activities that create risks. • Reduction – Action is taken to reduce the risk likelihood or impact, or both. • Sharing – Action is taken to reduce either the likelihood or impact of a risk by transferring or otherwise sharing a portion of the risk. • Acceptance – No action is taken to affect either the likelihood or impact.

  33. Risk Response • Identify Risk Responses • Evaluate Possible Risk Responses • Select Responses • Portfolio View

  34. Control Activities • Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. • Occur throughout the organization, at all levels and in all functions. • Include application and general information technology controls.

  35. Control Activities • Integration with Risk Response • Types of Control Activities • General Controls • Application Controls • Entity Specific

  36. Information & Communication • Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. • Communication occurs in a broader sense, flowing down, across, and up the organization.

  37. Information and Communication • Information • Strategic and Integrated Systems • Communication

  38. Monitoring component • Monitors the ongoing effectiveness of the other enterprise risk management components through: • Ongoing monitoring activities • Separate evaluations • A combination of the two

  39. Relationship with internal control

  40. Relationship to Internal Control — Integrated Framework • Expands and elaborates on elements of internal control as set out in COSO’s“control framework.” • Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. • Expands the control framework’s “Financial Reporting” and “Risk Assessment.”

  41. Key Implementation Factors • Organizational design of business • Establishing an ERM organization • Performing risk assessments • Determining overall risk appetite • Identifying risk responses • Communication of risk results • Monitoring • Oversight & periodic review by management

  42. Organizational Design • Strategies of the business • Key business objectives • Related objectives that cascade down the organization from key business objectives • Assignment of responsibilities to organizational elements and leaders (linkage)

  43. Example: Linkage • Mission – To provide high-quality accessible and affordable community-based health care • Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets • Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year

  44. Establish ERM • Determine a risk philosophy • Survey risk culture • Consider organizational integrity and ethical values • Decide roles and responsibilities

  45. Example: ERM Organization Vice President andChief Risk Officer Insurance Risk Manager ERM Director Corporate Credit Risk Manager FES Commodity Risk Mg. Director ERMManager ERMManager Staff Staff Staff

  46. Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

  47. Example: Risk Model • Environmental Risks • Capital Availability • Regulatory, Political, and Legal • Financial Markets and Shareholder Relations • Process Risks • Operations Risk • Empowerment Risk • Information Processing / Technology Risk • Integrity Risk • Financial Risk • Information for Decision Making • Operational Risk • Financial Risk • Strategic Risk

  48. Risk Analysis Risk Assessment Risk Management Risk Monitoring Identification Control It Process Level Measurement Share or Transfer It Activity Level Prioritization Diversify or Avoid It Entity Level Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

  49. DETERMINE RISK APPETITE • Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. • Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

  50. DETERMINE RISK APPETITE Key questions: • What risks will the organization not accept? (e.g. environmental or quality compromises) • What risks will the organization take on new initiatives? (e.g. new product lines) • What risks will the organization accept for competing objectives?(e.g. gross profit vs. market share?)

More Related