Enterprise Risk Management
Ivan Pham, CPA, CIA, CISA, CFE
Risk and opportunity loss
• Risk: a potential future event that prevents an organisation from achieving its objectives
• Opportunity loss: the risk of something good not happening
What CEOs and senior management are saying about risk…
• 58% - Inability to effectively model global risk early enough
• 65% - Over-focus on short-term goals as opposed to emerging risks
• 67% - Ensuring short-term priorities don’t override long-term goals is a top challenge
• 79% - Receiving the right information at the right time is a top challenge
• 44% - Relied too much on quantitative modeling, obscuring a broader perspective of risk
Lessons from the financial crisis
CEOs recognize the importance of risk information to the success of their organizations…1
…but lack actionable information to allow for effective risk decisions with clarity and confidence1
ERM is really about adopting good business practices
ERM misconceptions:
• Hinders doing ‘real business’, i.e. taking risks
• Promotes a conservative business mindset
• Is just to introduce and implement controls
• A granular operational exercise
• A software implementation exercise
• Is effective via a checklist
• Can be obtained ‘off the shelf’
• Something you can set & forget
• A one-person show
• “Doable” in a day
• Precise rocket science
• An audit of existing frameworks, controls and processes
ERM – the truth:
• Encourages the pursuit of business objectives by proactively identifying and managing risks
• Helps minimise uncertainty and maximise opportunities for an enterprise
• Forms a key part of strategy planning and decision making
• A process that is integrated within all other key processes of the organisation
• Goes beyond controls, compliance procedures and audits
• Addresses organisation-wide key stakeholder goals
The value of risk management is that it gets the right information to the right people at the right time for decisive
• Confidence in the process below
• Factors that influence “Business As Usual” performance
• Portfolio risk management
• Optimise the risk management process
• Control of escalation and delegation of risk management
• Task/process-focused risk management
• Focus on efficiency and reliability
• Simple tools and output
• Progressively stabilise the risk profile and then focus on the effectiveness of controls and monitoring
[Diagram: levels of risk management plotted against the typical volume of risk information managed and the degree of escalation and delegation]
Current ERM Frameworks
The two most commonly used sources of guidance on effective risk management frameworks are:
• Enterprise Risk Management Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”)
• Australia/New Zealand Standard on Risk Management (AS/NZS 4360)
COSO elements: Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information and Communication; Monitoring
AS/NZS 4360 elements: Establish Context; Identify Risks; Analyse Risks; Evaluate Risks; Treat Risks; Monitor and Review; Communicate and Consult
[Diagram: the two sets of elements shown side by side with their similarities mapped]
The ISO 31000 Standard is the latest ERM standard
• Published in Nov 2009 – it is the ‘current’ global standard in risk
management
• Seeks to provide a universally recognised guideline to replace the myriad of
existing standards and methodologies that differ between industries, subject
matters and regions
• Provides a generic framework for identifying, analysing, evaluating, treating,
monitoring and communicating risk
• Is seen as an update to the COSO ERM Framework and the AS/NZS ERM
Standard
- ISO 31000 is said to better explain concepts and terms but does not alter
the fundamentals presented in COSO or AS/NZS
Who is responsible?
It’s Everybody’s job, but he thought Somebody would do it
‘Who’s to blame?’ is a question on many people’s lips these days
• If risk management has failed, why has it done so?
We believe that it’s because most companies have relied too heavily on risk models that are necessarily limited, rather than making everyone personally accountable for managing risk.
It’s only when risk management is an integral element of day-to-day business that you will get the results that you want, within the risk parameters that you can live with.
How to ensure that risk management is part of the daily activities of everyone in your organisation
1 Focus on personal accountability:
Spell out the responsibility, authority and accountability of every individual in the organisation
2 Hold your business units accountable:
Get the managers of your business units to assess the maturity of their risk processes, rectify any flaws and sign off on the risks they’ve assumed
3 Lead from the front:
Show your business unit managers that you’re serious about risk management by regularly reviewing key risks, rewarding those who manage risks well and punishing those who don’t
4 Re-focus your risk management function:
Reposition your risk management function to do the job it’s supposed to be doing – i.e., providing information, advice and assurance
Everyone has a role to play in managing risks
A company’s business units:
• Should be responsible for the decisions they take, how their employees behave and the effectiveness of the controls they use
Senior management’s job:
• Is to provide visible support for the business units and individual employees alike, and thus to reinforce their efforts
• By insisting that they pay constant attention to key risks – and rewarding or punishing their performance accordingly – it sets the tone for the entire organisation
The risk management function’s role:
• By contrast, is to design a risk framework, develop risk models and identify and interpret new laws and stakeholder expectations;
• to help the business units understand the risks they’re taking and how best to mitigate them; and
• to assist the company in staying on course by periodically checking that it’s taking the right steps to manage the risks it faces
Risk management is everyone’s responsibility – introducing the 3 lines of defence model
• Front line staff (first line):
Standard procedures are important for the front line; risk management teaches them, checks compliance and designs processes together with the front line.
• Risk Management (second line):
Assists top management in decision making – identify risks, measure exposures, mitigate and report.
• Internal Audit (third line):
Assurance to the Board on the quality of the internal control system. Helps to reduce the risk of loss and reputational damage.
Board oversight sits above all three lines.
[Diagram: Front Line Staff, Risk Management and Internal Audit under Board Oversight]
For Vietnam – Start by placing ERM under the CFO to leverage knowledge of controls and reporting
ERM Monitoring Structure – based on the 3 lines of defence model
Key roles:
BOD/Audit Committee
• On a bi-annual basis review the ERM Report received from the CEO/CFO, ensure that all areas of risk have been considered and that all HIGH and MEDIUM risks identified are being appropriately managed/mitigated
Risk Owners
• Coordinate and oversee/manage development and implementation of action plans to mitigate HIGH and MEDIUM risks
Risk Coordinators/Action Plan Owners
• Implement the relevant action plans
• Participate in the bi-annual risk discussion with the ERM function
ERM Function
• Provide advice and guidance to assist in inculcating a risk management culture
• Prepare all ERM-related reports required
• Facilitate discussions with Risk Owners on the implementation status of action plans
[Organisation chart: Board of Directors/Commissioners; Audit Committee/Supervisory Board; Board of Management; CEO; CEO direct reports; CFO; ERM Function; Internal Audit]
Main types of risk a business is likely to face
[Figure: classes of risk, not reproduced in this extract]
To what extent does your organisation’s risk management framework cover the above classes of risk? How much effort is devoted to each area? Is the balance right?
The COSO ERM framework
The COSO definition of ERM
– Enterprise Risk Management is a process, effected by an entity’s board of directors and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives
– Event - an incident or occurrence, from sources internal or external to an entity, that could affect the implementation of strategy or achievement of objectives
– Risk - the possibility that an event will occur and adversely affect the achievement of objectives
– Opportunity - the possibility that an event will occur and positively affect the achievement of objectives
– Objectives fall into four categories: Strategic, Operations, Reporting and Compliance
– Applies to activities at all levels of the organization
– Has eight interrelated components
– Key ERM concepts: events and risks; risk appetite and risk tolerance; portfolio view; assess AND manage
Board of directors role
Oversight with regard to enterprise risk management and how management responds to significant risks
Helps set strategy and high-level objectives
Delegates responsibilities and accountabilities for specified aspects of enterprise risk management to one or more board committees (e.g. Board Audit Committee, Board Risk Management Committee or combined committees) to help ensure a clear focus on the risk areas.
Management’s role
Enterprise Risk Management:
Overall responsibility for the enterprise risk management process, including the processes used to identify, assess, respond to, and report on risk
Defining roles, responsibilities, and accountabilities at the executive and senior management level
Providing policies, frameworks, methodologies, and tools to business units for the identification, assessment, and management of risks
Reviewing the company’s risk profile
Reviewing performance measures against tolerances and recommending corrective action where appropriate
Chief Risk Officer
Reports to the Risk Committee of the Board and the CEO
Promotes the ERM model to the CEO and Business Unit heads
Provides central coordination across the organization
Ensures a risk management capability is developed and maintained in all Business Units
Communicates and manages the establishment and ongoing maintenance of ERM
Communicating the risk management process to the CEO and the board
Facilitating risk management workshops
Active, continuous support and involvement in the risk management process
Managing and coordinating the risk management process.
Components of Enterprise Risk Management (definitions from the COSO ERM Framework, Sept 04)
Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate.
Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Event Identification – Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities, and those that may be both. Opportunities are channeled back to management’s strategy or objective-setting processes.
Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.
Risk Response – Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Control Activities – Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.
Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Personnel receive clear communications regarding their role and responsibilities.
Monitoring – The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management, or a combination of the two.
ISO 31000
What is ISO 31000 - Risk Management?
ISO 31000
• Came out in November 2009
• Prepared by the ISO Technical Management Board Working Group on risk management
• International Standard
• Provides principles and generic guidelines on Risk Management
Risk defined in ISO 31000
The effect of uncertainty on objectives.
Risks can have positive or negative outcomes.
ISO 31000 – Principles, Implementation Framework & Process
[Figure: the ISO 31000 principles, framework and process diagram; only fragments were extracted. Principles visible: h) Takes human and cultural factors into account; i) Transparent and inclusive; j) Dynamic, iterative and (truncated). Framework elements visible: Implementing risk management; Monitoring and review of the framework; Continual improvement of the framework. Process elements visible: Establishing the context; Risk Assessment.]
Risk Management Process
[Figure: the risk management process diagram, with Establishing the context and Risk Assessment highlighted]
Communication & Consultation
- should facilitate truthful, relevant, accurate and understandable exchanges of information, while respecting confidentiality and personal privacy
- should take place during all stages of the risk management process using existing organization communication channels and methods
Establishing the Context
- Articulate the organization’s objectives
- Establish the external and internal context
  - the external and internal environment in which the organization seeks to achieve its objectives
- Establish the context of the risk management (RM) process
  - define the goals and objectives of the RM activities
  - define the responsibilities
  - define the processes to be managed
- Define the risk criteria for the process
  - e.g. Impact & Likelihood
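The risk criteria (impact and likelihood), the inherent-versus-residual assessment in the COSO Risk Assessment component, the four risk responses (avoid, accept, reduce, share) and the rule that the Board reviews all HIGH and MEDIUM risks can be tied together in a small risk-register calculation. The following is an added worked example, not code from the slides or from COSO or ISO; the 1 to 5 scales, the HIGH/MEDIUM thresholds, the risk tolerance value, how each response changes the score, and the sample risks are all constructed assumptions chosen to illustrate the mechanics.

```python
"""Worked risk-register scoring: inherent vs. residual rating using
likelihood x impact criteria. Added example; the scales, thresholds,
tolerance and sample risks below are constructed assumptions."""
from dataclasses import dataclass

# Risk criteria (assumption): likelihood and impact each on a 1..5 scale,
# score = likelihood * impact, rated against constructed thresholds.
SCALE = range(1, 6)
HIGH_THRESHOLD = 15     # score >= 15 -> HIGH
MEDIUM_THRESHOLD = 8    # 8 <= score < 15 -> MEDIUM, below -> LOW

# The four COSO risk responses. How each one changes the score below is an
# assumption made for this example.
RESPONSES = ("avoid", "accept", "reduce", "share")


@dataclass
class Risk:
    name: str
    objective: str            # the objective the risk is associated with
    likelihood: int           # inherent likelihood, 1..5
    impact: int               # inherent impact, 1..5
    response: str = "accept"
    # for "reduce"/"share": how far the response lowers likelihood/impact
    likelihood_reduction: int = 0
    impact_reduction: int = 0

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if v not in SCALE:
                raise ValueError(f"{self.name}: likelihood/impact must be 1..5")
        if self.response not in RESPONSES:
            raise ValueError(f"{self.name}: unknown response {self.response!r}")


def clamp(v: int) -> int:
    """Keep a likelihood/impact value on the 1..5 scale."""
    return max(min(SCALE), min(max(SCALE), v))


def rate(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "HIGH"
    if score >= MEDIUM_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def inherent_score(r: Risk) -> int:
    """Score before any response is applied."""
    return r.likelihood * r.impact


def residual_score(r: Risk) -> int:
    """Score after the selected response (assumed effects)."""
    if r.response == "avoid":
        return 0  # the activity is not undertaken, so the event cannot occur
    if r.response == "accept":
        return inherent_score(r)
    # reduce / share: apply the declared reductions; the difference between
    # the two is who bears the remaining risk, not the arithmetic
    return clamp(r.likelihood - r.likelihood_reduction) * clamp(r.impact - r.impact_reduction)


def assess(register, tolerance):
    """One row per risk: inherent and residual scores/ratings and whether
    the residual score sits within the risk tolerance (assumed maximum)."""
    rows = []
    for r in register:
        inh, res = inherent_score(r), residual_score(r)
        rows.append({
            "name": r.name, "objective": r.objective, "response": r.response,
            "inherent": inh, "inherent_rating": rate(inh),
            "residual": res, "residual_rating": rate(res),
            "within_tolerance": res <= tolerance,
        })
    return rows


def needs_board_attention(rows):
    """The slides have the Board review all HIGH and MEDIUM risks."""
    return [row["name"] for row in rows if row["residual_rating"] in ("HIGH", "MEDIUM")]


def portfolio_view(rows):
    """Count residual ratings per objective: a simple portfolio view."""
    summary = {}
    for row in rows:
        summary.setdefault(row["objective"], {"HIGH": 0, "MEDIUM": 0, "LOW": 0})
        summary[row["objective"]][row["residual_rating"]] += 1
    return summary


# Constructed sample register (names and values are invented)
SAMPLE_REGISTER = [
    Risk("Key supplier failure", "Operations", 4, 5, "share", impact_reduction=3),
    Risk("Financial reporting error", "Reporting", 3, 4, "reduce",
         likelihood_reduction=2, impact_reduction=1),
    Risk("Entry into unlicensed market", "Strategic", 3, 5, "avoid"),
    Risk("Minor regulatory filing delay", "Compliance", 2, 2, "accept"),
    Risk("Cyber incident on customer data", "Operations", 4, 5, "reduce",
         likelihood_reduction=1),
]
TOLERANCE = 8  # assumption: a residual score above 8 is outside appetite

if __name__ == "__main__":
    rows = assess(SAMPLE_REGISTER, TOLERANCE)
    for row in rows:
        print(row)
    print("Board attention:", needs_board_attention(rows))
    print("Portfolio view:", portfolio_view(rows))
```

Running it shows the point the COSO text makes about inherent versus residual assessment: the supplier risk drops from HIGH to MEDIUM once shared, the reporting error drops to LOW once reduced, while the cyber incident stays HIGH after its response and is flagged as outside tolerance, so it goes to the Board alongside the MEDIUM supplier risk.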