Post on 31-Mar-2015
Enterprise Risk Management
Good Governance Course
Guide to Supervisory Directorship: Relationship between supervisory directors and accountants
Steven Martina, 17 January 2009
Enterprise Risk Management
“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
The COSO Framework
The COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
The ERM Framework
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance
The eight components of the framework are interrelated …
The ERM Framework
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity’s risk culture.
• Considers all other aspects of how the organization’s actions may affect its risk culture.
Objective Setting
• Is applied when management considers risk strategy in the setting of objectives.
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
- Likelihood
- Impact
• Is used to assess risks and is normally also used to measure the related objectives.
Risk Assessment
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.
Key Questions for Risk Assessment
1. Where/what can we improve? Where does the shoe pinch? What goes wrong?
2. Which process is concerned?
3. Where do we run risks? What is the risk?
4. What is the cause?
5. What are the consequences if policy is left unchanged?
6. How can we qualify the risk?
7. How can we best control the risk?
8. What do we need to do for that?
9. What is the cost/benefit ratio?
10. How can we best steer the required action?
Probability / Impact
[Figure: probability/impact matrix with Low (L) and High (H) on both axes]
CI-VERA 2009 Curacao Accountants in Business
RISK IMPACT ASSESSMENT
IMPACT          | LOW                                  | MEDIUM                                      | HIGH
EBITDA          | Loss less than 1% compared to budget | Loss between 1% and 10% compared to budget  | Loss more than 10% compared to budget
MARKET POSITION | Remaining market position            | Drop from nr.3 to nr.4 position             | Drop from nr.3 to nr.5 position
REPUTATION      | No negative press                    | Limited negative press; regulator warning   | Excessive negative press; regulator sanction
GROWTH          | Losing less than 1% growth target    | Losing between 1 and 3% growth target       | Losing more than 3% growth target
SCORE           | 1 2 3 4 5 6 7 8 9 10 (from LOW through MEDIUM to HIGH)
Risk Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.
Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.
Risk Management (the embedding)
[Figure: the COSO ERM cube. Components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Objective categories: Strategic, Operations, Reporting, Compliance. Entity levels: Entity-level, Division, Business Unit, Subsidiary.]
Tools and instruments embedded around the cube:
• SWOT/PEST
• 6 SIGMA
• Risk appetite
• CO2/GHG
• SOX
• L. Hubbard (ed.)
• Corp. Planning
• Customer feedback
• BSC
• Performance system
• TQM
• COSO project
• EH&S
• Loss Prevention
• Newsletters + websites
• IA
• Budget + Profit Plan
• Policies + Procedures Guides
• Internal Audit
• COBIT for IT
• Continuous monitoring
• ERP
Risk classification
External Environment
• External crime
• Business environment
Fatum
Internal Control Environment
• Internal culture
• Risk management (quality)
• Organisational structure
• Personnel (quality)
Strategic Risks
• Strategy development
• Strategy planning
• Strategic steering
Operational Risks
• Processes
• ICT
• Project management
• Information security
• Internal fraud
• Compliance
• Complaints management
• Legal
• Safety
• Business continuity
Financial Risks
• Concentration
• Credit
• Liquidity
• Interest
• Currency
• Mismatch
• Solvency
• Insurance technical provisions
• Reinsurance
• Tax
Reporting Risks
• External reporting
• Internal information provision
ERM – Risk Hierarchy
• REPUTATIONAL RISK
• STRATEGIC RISK
• MARKET RISK, CREDIT RISK, OPERATIONAL RISK
RM can/should be about more than audit
Stages of development
[Figure: stages I to VII plotted against value added for the insurer, moving from Insurance & Compliance through Core risk management to Risk-return optimisation]
• “Risk management equals buying reinsurance” → Risk transfer via reinsurance
• “Regulators are demanding risk management activities” → Over-reliance on ‘checklists’, false sense of security
• “We need a sustainable process for monitoring all our risks” → Qualitative RM
• “We need to know the economic impact of our largest risks” → Specific risk quantification
• “Risk needs to be quantified comprehensively” → Over-control by centralized risk management, initial quant models too primitive
• “Shareholders demand a risk/return framework” → Risk and growth appetite defined, risk dynamically measured and aggregated properly
• “Decision making across firm is linked to building economic value” → Risk adjusted resource allocation at all levels
The chaotic reality
• In reality a bizarre and chaotic whole of activities
• Anticipating the positive and negative aspects of risk
• All kinds of risk classifications
• Countless different perspectives
– Sometimes fitting together well
– Sometimes not
– Sometimes even mutually exclusive
THE PROCESS
[Figure: Risk Life Cycle flow chart]
Participants: Audit Committee, MT, Internal Audit, External Audit, Risk Sessions
Phases: Initiation → Assessment → Monitoring → Control
Flow: Request → Risk Assessment (Probability L/M/H against Impact L/M/H) → decision points Impact >= “M”, Probability >= “M” and In Control? (each branching yes/no) → Management Considered in Control or Risk Corrective Action
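As an added worked example (not code from the presentation), the following Python turns the RISK IMPACT ASSESSMENT table and the Risk Life Cycle decision points into a small risk-register triage. The EBITDA, growth and reputation thresholds are the table's; the market-position rule generalises the table's nr.3 example to "places dropped" (an assumption), overall impact is taken as the worst category (an assumption), and the handling of risks below the Impact >= "M" / Probability >= "M" threshold is assumed to be periodic review in risk sessions. All function, class and field names are assumptions, and the register entries are constructed sample data.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Probability / impact scale used on the slides: L, M, H."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def ebitda_impact(loss_pct_vs_budget: float) -> Level:
    """EBITDA loss vs budget: <1% LOW, 1-10% MEDIUM, >10% HIGH (table thresholds)."""
    if loss_pct_vs_budget < 1:
        return Level.LOW
    if loss_pct_vs_budget <= 10:
        return Level.MEDIUM
    return Level.HIGH


def growth_impact(shortfall_pct_of_target: float) -> Level:
    """Growth target shortfall: <1% LOW, 1-3% MEDIUM, >3% HIGH (table thresholds)."""
    if shortfall_pct_of_target < 1:
        return Level.LOW
    if shortfall_pct_of_target <= 3:
        return Level.MEDIUM
    return Level.HIGH


def market_position_impact(current_rank: int, projected_rank: int) -> Level:
    """Table example: nr.3 -> nr.4 is MEDIUM, nr.3 -> nr.5 is HIGH.
    Generalised here (assumption): no drop LOW, one place MEDIUM, two or more HIGH."""
    drop = projected_rank - current_rank
    if drop <= 0:
        return Level.LOW
    if drop == 1:
        return Level.MEDIUM
    return Level.HIGH


# Reputation column of the table: no / limited / excessive negative press.
REPUTATION = {
    "none": Level.LOW,        # no negative press
    "limited": Level.MEDIUM,  # limited negative press; regulator warning
    "excessive": Level.HIGH,  # excessive negative press; regulator sanction
}


def reputation_impact(press: str) -> Level:
    return REPUTATION[press]


@dataclass
class Risk:
    name: str
    probability: Level
    impacts: dict        # category -> Level, as produced by the functions above
    in_control: bool     # "Management Considered in Control?" from the diagram

    def impact(self) -> Level:
        # Overall impact = worst category (assumption: conservative aggregation).
        return max(self.impacts.values())


def triage(risk: Risk) -> str:
    """Decision points of the Risk Life Cycle: Impact >= M and Probability >= M,
    then In Control? yes -> monitoring, no -> corrective action. Risks under the
    threshold are assumed to stay in the register for periodic risk sessions."""
    if risk.impact() >= Level.MEDIUM and risk.probability >= Level.MEDIUM:
        return "monitoring" if risk.in_control else "corrective action"
    return "accept / review in risk sessions"


def triage_register(risks: list) -> dict:
    """Map every register entry to its triage decision."""
    return {r.name: triage(r) for r in risks}


def sample_register() -> list:
    # Constructed sample entries; not from the presentation.
    return [
        Risk("Reinsurer default", Level.MEDIUM,
             {"ebitda": ebitda_impact(12), "reputation": reputation_impact("limited")},
             in_control=False),
        Risk("Data centre outage", Level.HIGH,
             {"growth": growth_impact(0.5), "reputation": reputation_impact("excessive")},
             in_control=True),
        Risk("Office relocation overrun", Level.LOW,
             {"ebitda": ebitda_impact(2), "market": market_position_impact(3, 3)},
             in_control=False),
    ]


if __name__ == "__main__":
    for name, decision in triage_register(sample_register()).items():
        print(f"{name}: {decision}")
```

The same functions score a risk twice, once on an inherent basis (before controls) and once on a residual basis (after controls), by passing the adjusted probability and impact estimates; only the residual result feeds the triage decision.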
RISK AND REWARD ARE INSEPARABLE. THE TWO TOGETHER MAKE A PERFORMANCE VALUABLE OR NOT!
Most Risks do have a Reward!