Enterprise Risk Management (ERM)
‘Integrated Framework’
IMPLEMENTATION Conducting Risk Assessments
FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started – Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions
Conducting Risk Assessments
What is the relationship between risk assessment and risk management?
Risk assessment is the process of identifying, sourcing and evaluating individual risks and the interrelationships between risks:
• Materiality: evaluation of available data and the application of judgment to determine the significance of potential future events
• Probability: likelihood of their occurrence
• Action planning: leads to formulation of risk responses
Risk management is objective-setting, event identification and risk assessment within framework policies.
What is the relationship between risk assessment and
Objective: a pre-defined target or standard
What are the components of an effective objective statement and why are objectives important to an effective risk assessment?
What is the difference between an event and a risk?
An event is “an incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.”
A risk is “the possibility that an event will occur and adversely affect the achievement of objectives.”
• positive impact = opportunity
• negative impact = a risk (threat)
Why doesn’t COSO’s definition of risk incorporate the notion that risk includes upside as well as downside?
COSO concluded that broadening the definition of risk to include the potential for “upside” would cloud the concepts and frustrate a primary objective of the framework: to provide a common language for ERM.
How do we articulate the concept of “inherent risk” so that it can be effectively used as risk assessment criteria?
Inherent risk: “the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.”
Residual risk: current policies and procedures are considered during the assessment.
Risk should be assessed on a residual risk basis, after considering the risk responses selected to mitigate the significant risks.
Is there an officially endorsed risk language we can use for our organization? NO
The framework has three event categories, consisting of external factors and internal factors:
• Environment risk
• Process risk
• Information for decision-making risk
Environment risk arises when external forces can affect the entity’s performance or make its choices regarding its strategies, operations, customer and supplier relationships, organizational structure or financing obsolete or ineffective:
• actions of competitors and regulators
• shifts in market prices, technological innovation
• changes in industry fundamentals
• availability of capital or other factors outside the company’s direct ability to control
Process risk arises when internal processes do not achieve the objectives they were designed to achieve in supporting the entity’s business model.
Characteristics of poorly performing processes (process risks):
• poor alignment with business objectives and strategies
• dissatisfied customers
• inefficient operations
• diluting (instead of creating or preserving) enterprise value
• failing to protect significant financial, physical, customer, employee/supplier, knowledge and information assets from unacceptable losses, risk taking, misappropriation or misuse
Information for decision-making risk arises when information used to support business decisions is incomplete, out of date, inaccurate, late or simply irrelevant to the decision-making process.
Providing that information to the appropriate managers in the form of timely written reports and oral communications.
Catastrophic Loss
The inability to sustain operations, provide essential products and services, or recover operating costs as a result of a major disaster; it could damage the company’s reputation, ability to obtain capital, and investor relationships.
Catastrophic Loss: uncontrollable events (natural and man-made)
• war, terrorism, revolution & expropriation (political)
• fire
• earthquake
• severe weather and flooding
While these events cannot be prevented or even predicted, their effects on the organization’s assets and operations can be managed.
Catastrophic Loss: controllable events (impacted by management’s choices or by the effectiveness of the internal control environment)
• environmental disasters
• pervasive health and safety violations
• spectacularly large underwater real estate deals
• headline-grabbing high litigation costs
• huge losses from derivatives
• massive business fraud
• losses in market share due to failure to abandon bad strategies
“Top Down” approach
Senior management defines:
• the objectives of the organization
• the related risk categories impacting those objectives
Specific events are then identified within each category.
To what extent does the organization strictly define risk for the enterprise as a whole, when the organization has a variety of different businesses?
“Cascading” approach:
• identify the risks that are common across the enterprise; risks common to all business units drive enterprise-wide responses
• for operating units with distinctive risk profiles, the definition is customized to address the unique risks faced by those units; risks unique to individual units drive unit-specific risk responses
What are risk maps and how are they used appropriately during the risk assessment process?
Assessments of possible future events identified by senior management or by unit management are plotted on a grid or map according to their impact on the achievement of business objectives and the likelihood of their occurrence.
Impact: materiality
The significance of the risk to the business in terms of its effect on achieving business objectives:
• financial
• execution of key strategies
• potential cost in terms of capital, earnings, cash flow and brand equity
• materiality - the more severe the risk
• time horizon - short, intermediate or long term
What’s an effective way for an organization to conduct a risk assessment?
• interviews
• surveys of key personnel
• review key documents
• conduct facilitated workshops
• perform targeted reviews
What are the common mistakes and pitfalls during the risk assessment process?
• Lack of clarification and common understanding of the meaning or definition of risk
• Not including all stakeholders
• Not considering or giving appropriate weight to knowledgeable positions
Facilitated Risk Workshop PITFALLS
• Setting unclear or unrealistic objectives
• Failing to structure the meeting agenda for success
• Placing too little emphasis on discussion
• Letting technology glitches distract the process
• Not getting everyone involved
• Not creating a “safe” and open environment
• Failing to clarify roles and responsibilities
• Poor facilities
Ground Rules for a Risk Assessment
• Lack of participant understanding of how to apply assessment criteria consistently
• Confusion over inherent risk
• Confusion over time horizon
• Not acknowledging that the future is inherently unknowable
• Overlooking external environment events because of a perception that they are outside of management’s control
• Ignoring the interrelationships among risks
How do we identify, understand and apply interrelationships among risks?
A risk drivers map.
Critical events related to multiple risk categories
Will the occurrence of one event, either individually or in combination with other events, cause another event to happen or, alternatively, affect, impact or contribute to the severity of another event?
Through refinement of this cause-effect analysis, management can select the most critical events (the ones shaded in the previous illustration) and focus additional attention on understanding them. Understanding potential future events, to source why, how and where the entity’s risks originate, lays a foundation for developing measurement and monitoring tools that address risk through a portfolio view.
What is the appropriate level of depth when assessing risk?
If risks are assessed at too high a level, it is difficult to identify the precise issue and management will be unable to decide what to do after the assessment is completed. At the same time, if the assessment is conducted at too granular a level, the “big picture” issues get lost in a sea of details and it will be difficult to complete.
Who should participate during the risk assessment?
How is risk assessment related to risk quantification, and should risk quantification be used during risk assessment?
Risk assessment is improved and is more robust when risks are quantified; quantified risks can be monitored against management’s established risk tolerance.
Is there value in using qualitative information when assessing risk? YES
Qualitative information is often directional at best (i.e., it serves as a pointer to specific areas for further investigation and analysis) and is not effective in driving management decisions. Nonetheless, related events occur so infrequently and, if and when they do occur, are subject to such a wide range of possible outcomes in terms of severity that it is difficult, if not impossible, to quantify them. Managers closest to the source of the risk are the individuals best positioned to understand its nature and root causes.