
Enterprise risk management ERM l5 v1


Enterprise Risk Management (ERM)

‘Integrated Framework’

IMPLEMENTATION Building Capabilities Taking A Process View


FUNDAMENTALS & ROLES

• The Fundamentals

• COSO Enterprise Risk Management

• Role of Executive Management

• Role of the Director

• Role of the Chief Risk Officer

• Risk Management Oversight Structure

• Role of Internal Audit


• Risk Management Vision and Objectives

• Conducting Risk Assessments

• Getting Started – Set the Foundation

• Building & Enhancing Capabilities

• Building a Compelling Business Case

• Making it Happen

• Relevance to Sarbanes-Oxley Compliance

• Other Questions


Building Capabilities Taking A Process View

What steps does management take to build risk management capabilities?

step one - assess risk and develop responses

step two - design and implement capabilities

step three - continuously improve capabilities


How does management decide on the appropriate risk management capabilities?

judgment, culture and operating style

How does management improve the organization’s risk assessments?

directing the necessary resources to support the process


How are objective-setting, event identification and risk assessment related?

“Objective-setting” occurs when management sets strategic objectives → context for establishing operational, reporting and compliance objectives

Future potential events are identified with specific objectives in mind

Risk assessment occurs when management considers qualitative and quantitative methods to evaluate the probability and materiality of potential events


How important is risk assessment to the ERM effort?

needed to identify priority risks and to initiate a gap analysis around the capabilities in place for managing those risks

Unacceptable gaps relating basis for value proposition of advancing an organization’s ERM infrastructure

provides quality inputs into risk response planning


What alternative risk responses are available to manage risk?

avoid (eliminate the risk by preventing exposure to future possible events from occurring)

accept (maintain the risk at its current level)

reduce (implement policies and procedures to lower the risk to an acceptable level)

share (shift the risk to a financially capable, independent counterparty)

Defer (decision)


Desirable Risks

core business model/normal future operations

can effectively measure and manage it

Desirable Risk Responses

Accept the risk at its present level

Reduce materiality (diversification) and/or probability (control)

Share the risk with financially capable 3rd parties


Undesirable Risks

off-strategy

offers unattractive rewards

cannot measure or manage it

Undesirable Risk Responses

Avoid

Share


Accept can mean much more than merely retaining a risk

incurring internal charges to P&L

creating contingent sources of borrowed funds

reserving losses under generally accepted accounting principles

setting up a pure captive insurance company

participating in an associate captive

offset a risk against other risks within a well-defined pool

response may be a combination of options

control activities to reduce

share actions to lay off a portion of the residual risk


Exploiting risk - pursuit of opportunities - not ERM

Diversify financial, physical, customer, employee/supplier and asset holdings

Expand the business portfolio by investing in new industries, geographic areas and/or customer groups

Create new value-adding products, services and channels

Redesign the firm’s business model, i.e., its unique combination of assets and technologies for creating value

Reorganize processes through restructuring, vertical integration, outsourcing, re-engineering and relocation


Allocation of capital (NPV)

Pricing products and services to influence customer choice

Renegotiate existing contractual agreements to reshape the risk profile, i.e., transfer, reduce or take risk differently

Arbitrage price discrepancies by purchasing securities or other assets in one market for immediate resale in another

Influence regulators, public opinion, law makers and standards setters through focused lobbying, political activism, public relations, etc.


What factors must management consider when evaluating alternative risk responses?

Management’s objectives/strategies: ST tactics, MT strategies and LT business objectives incorporating constraints

Risk and reward trade-offs

Risk management capabilities

Time horizon

Financing

Residual risk (never completely eliminated)

Inadvertent risk taking (response)

Risk manageability


Other factors to consider

costs and benefits

option value of waiting versus acting immediately (defer)

effectiveness in achieving stated goals

interaction with other contemplated responses


Understand nature of potential events and the related effect

Business plan uncertainties (key variables and assumptions)

Business plan exposures to change in variables/assumptions

Performance variability versus loss exposures (only bad)

Scenarios (sensitivity analysis)

Controllable vs non-controllable (internal/external)

Operational versus contractual (nature and duration) → ST contractual protection vs LT operationally focused strategies


Important factors to consider

Compliance issues - reduce non-conformance

Pervasive issues - throughout the organization

Expected frequency - regularly recurring → operational issues not risks

Infrastructure issues – interface ‘hand-offs’

Data availability – not data use judgment


What are the elements of risk management infrastructure, why are they important and how are they considered?


Policies: specific guidelines/more general principles

The formal policy framework includes specific guidelines as well as the more general principles that apply to all aspects of the business and the management of its risks. Business policies enable risk owners to understand what the organization intends to accomplish. Policies are the link to strategy; they put a strategy in play.


Processes: sequence of activities and tasks that must be performed to execute the desired risk response

The organization’s processes are its primary means of executing its business policies. Risk responses and control activities are desirably integrated within business processes because risks are best managed and controlled as close as possible to the source. Process definitions should precisely describe the sequence of activities and tasks that must be performed to execute the desired risk response.


Competencies: knowledge, expertise and experience

People with the requisite knowledge, expertise and experience execute the entity’s processes. The roles and responsibilities of these process owners must define and delineate risk taking versus risk monitoring functions as well as the interaction and the information and decision flows between related functions. Overall responsibility for implementing improved risk management capabilities should rest with one or more process owners.


Reports: actionable, easy to use, accountabilities, and frequencies

The organization’s management reporting is designed according to the information needs of process owners. Management reports should be actionable, easy to use, linked to well-defined accountabilities and prepared with appropriate frequencies.


Methodologies: systematic procedures

The robustness of management reports is enhanced or constrained by the methodologies supporting them. Effective methodologies help identify and prioritize risk, source risk to their key drivers and quantify risk. They also support analysis of risk/reward trade-offs, portfolio diversification, allocation of capital to absorb potential losses, pricing of products and services to compensate adequately for risks undertaken, and contingency planning given uncertain outcomes.


Systems and data: relevant, accurate and on-time information

Information systems support the modeling and reporting that provide the foundation needed for cutting-edge risk management capabilities. They provide relevant, accurate and on-time information. New technologies are leading to more refined measures and are making it easier to identify and understand risks, risk drivers and the impact they have on the company. Information systems should not only meet the company’s current business requirements, they should be flexible for future enhancement, scalability and integration with other systems.


Is there a model to help us set our priorities when implementing ERM and monitor our progress as we improve our risk management capabilities?

capability maturity model

How capable do we want our risk management to be as we improve our policies, processes and measures for each of our priority risks?

Do we vary the rigor and robustness of our risk responses and related control activities by risk?

Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner and regularly put out fires? Or do we improve our capabilities?


Managing Procurement Risk


Application in Practice


Capability Maturity Model - Application in Practice

current state - For each type of individual risk or group of related risks evaluate current state of risk management capabilities

desired state - decide how much added capability is needed to achieve the selected risk response

gap analysis - expected costs and benefits of increasing risk management capabilities


“Staged Approach” preferable

more systematic of the two approaches - least disruptive to the organization and is more in line with the change readiness of its personnel.

deployment of capability maturity with managing software solutions has proven that a staged approach increases the chances of a successful implementation.

best practices are often useful and insightful, they are not a substitute for the exercise of careful thought and judgment by knowledgeable personnel about the enterprise’s desired risk management capabilities for a given risk.


‘Best Practices’

in the context of a particular risk at one company may be insufficient or overdone in the context of the same risk at another company

Unnecessary to deploy the most sophisticated and advanced techniques for all risks

No organization has the resources to do that

Nor is there a viable business reason to do so


Risk measurement at the initial state - more directional than actionable - point out areas requiring further investigation and analysis

Self-assessment techniques

facilitated assessments

risk indicator analysis

position reports (exposure measurement)

gap analyses (using common frameworks – peer & internal benchmarking)


Risk measurement at the repeatable state

Risk rating or scoring (customer credit risk)

Claims exposure/cost analysis (evaluates the variables)

Sensitivity analysis (impact of change key risk factors)

Deterministic stress testing (impact highly unlikely situation or event)

Parametric value at risk (potential impact of an underlying variable e.g. FX rate)

Uncertainty measures (expected volatility)


Risk measurement at the defined state

Surrogate performance measures: uses measures of quality, time and cost performance as surrogates for measuring risk (customer satisfaction - integrate internal operating statistics, customer feedback and other external information)

Historical simulation value at risk: distribution of historical values observed over a specified period of time

Scenario analysis: impact of large risk factor changes


Risk measurement at the managed state

Monte Carlo value at risk – statistical simulation

Earnings at risk - potential outcomes

Integrated measurement methodologies - rigorous models and analytics

Risk-adjusted performance measurement (discount rate)


Risk measurement at the optimizing state

portfolio view – aggregate and manage as a portfolio

develop quantitative means to transfer/securitize

pooling risks into logical families to be measured and managed as a portfolio (FX net exposure)

natural grouping of risks sharing fundamental characteristics, e.g., common drivers, positive or negative correlations or other characteristics that make the risks susceptible to the application of common measurement methodologies and risk responses


How does ERM influence management reporting?


What risk management software products are currently available to assist companies with implementing ERM?

Enterprise risk assessment (ERA) tools

Operational risk management (ORM)

Compliance and risk management


Has the ERM software market reached maturity such that there are established solutions and clear leaders?

Many solutions are relatively new to the market or in beta

Risk management software tends to be very different across geographies, with different factors driving adoption leading to different prioritizations of functionality

Software solutions that integrate compliance, risk management, and internal audit efforts are likely to be the most successful over time


What criteria should we use to evaluate the software alternatives? Are there different prioritizations of functionality?

The criteria for evaluating ERM software and the relative priority of functionality may vary from company to company. The organization’s requirements and approach typically drive the relative priority. The significant features and definitions of an end-to-end solution for risk management are summarized below to provide criteria for evaluating alternatives (Note: ERA = Enterprise Risk Assessment; ERM = Enterprise Risk Management; ORM = Operational Risk Management; IA = Internal Audit):

Date posted: 18/01/2019, 15:49
