TABLE OF CONTENTS
EXECUTIVE SUMMARY
OBJECTIVE
CHAPTER 1 INTRODUCTION
1.1 BACKGROUND
1.2 RELATED INFORMATION
1.3 SCOPE OF ENTERPRISE RISK MANAGEMENT
1.4 RELEVANCE OF ERM
1.5 VALUE PROPOSITION FOR IMPLEMENTING ERM - PROTECT AND ENHANCE ENTERPRISE VALUE
1.6 WHAT IF THERE IS NO ERM
CHAPTER 2 REVIEW OF LITERATURE
2.1 DEFINING RISK, RISK ASSESSMENT, RISK TOLERANCE AND RISK APPETITE AND EVENT
2.2 INDUSTRY SPECIFIC EXAMPLES
2.3 HEALTH CARE ORGANIZATION
2.4 AEROSPACE SUPPLIER
2.5 INTERNATIONAL REGULATORY FRAMEWORK FOR BANKS (BASEL III)
CHAPTER 3 EXPLORATION COMMENT ON ERM
3.1 RISK MAPPING
3.2 THE CAPABILITY MATURITY MODEL
3.3 RISK MANAGEMENT SOFTWARE PRODUCTS TO ASSIST COMPANIES WITH IMPLEMENTING ERM
3.4 ADVANTAGES
3.5 SUITABILITY
3.6 LIMITATIONS
CONCLUSION
REFERENCES

TABLE OF TABLES
Table 1 DIFFERENCE BETWEEN RISK MANAGEMENT, BUSINESS RISK MANAGEMENT AND ENTERPRISE RISK MANAGEMENT
Table 2 TRADITIONAL RM V/S ERM: ESSENTIAL DIFFERENCES
Table 3 EFFECTIVE WAY FOR AN ORGANIZATION TO CONDUCT A RISK ASSESSMENT
Table 4 STRATEGIC DRIVERS OF RISK IN HIGHER EDUCATION
Table 5 OPERATIONAL AND COMPLIANCE RISK DRIVERS IN HIGHER EDUCATION
Table 6 LIST OF RISKS SEPARATED BY CATEGORY
Table 7 A RISK MODEL
Table 8 SUMMARY OF CAPABILITIES AROUND MANAGING PROCUREMENT RISK
Table 9 PRIORITIZATIONS OF FUNCTIONALITY

TABLE OF FIGURES
Fig.1 THE COSO ENTERPRISE RISK MANAGEMENT FRAMEWORK
Fig.2 CONSOLIDATED RISK PROFILE
Fig.3 A RISK DRIVERS MAP
Fig.4 A BASELINE OVERSIGHT STRUCTURE TO UNDERSTAND HOW POTENTIAL ELEMENTS ARE INTEGRATED WITHIN THE EXISTING ORGANIZATION
Fig.5 KEY QUESTIONS A BUSINESS CASE MUST ADDRESS
EXECUTIVE SUMMARY

Enterprise Risk Management (ERM) is a strategy organizations can use to manage the variety of strategic, market, credit, operational and financial risks they confront. ERM calls for high-level oversight of risks on a portfolio basis, rather than discrete management by different risk overseers.

ERM has given rise to a question: who should head the risk management process, internal audit or a chief risk officer? Some believe internal audit should take a back seat to preserve the checks and balances the audit function provides. Others say risk leadership should depend on what a company is comfortable with.

Using ERM enables an entity to assess risk across the enterprise instead of looking at it on a per-project basis. ERM also gives the company a means to assess the controls in place to handle each risk and identify any gaps. This consistent approach also offers businesses an opportunity to determine authority and responsibility and allocate resources appropriately.

To extract risk data, many organizations use business intelligence software. Many packages feature "traffic-light" systems that show a red light if risk exceeds acceptable levels. The chief risk officer can then "drill down" to see the reasons and make more informed decisions.

Overall responsibility for enterprise risk is changing because of new standards from the Institute of Internal Auditors. They require the internal audit function in a company to monitor and evaluate the effectiveness of the organization's risk management and control systems.

ERM can help CPAs (Certified Public Accountants) determine the right amount of capital companies should direct toward risk by gathering or otherwise polling risk overseers to identify the threats to the organization, their financial impact and the effectiveness of risk mitigation options.
By mapping major risks on a matrix, companies can align their business processes to ensure they are routinely collecting and storing related information in a database the chief risk officer or executive risk committee can monitor. This will make it easier to identify exception risks extending beyond the company's tolerance or threshold levels.

OBJECTIVE

To understand what Enterprise Risk Management is, why it is important for any business and how it can be measured.
To know whether, by measuring and managing risks consistently and systematically, a company can strengthen its ability to carry out its strategic plan.
To understand the methods/tools used by firms to manage Enterprise Risk.
To study the processes and challenges in implementing Enterprise Risk Management and to identify how much risk can be retained and how much should be laid off.

CHAPTER 1 INTRODUCTION

Enterprise Risk Management (ERM) is a data-intensive process that measures all of a company's risks. Enterprise Risk Management (ERM) is an integrated approach to enterprise-wide risk management intended to protect and increase value for all parties with an interest in the organization. Businesses have always faced a variety of risks, but these are times when the pace of change and the resulting consequences to a business seem to be greater than ever. Examples:

1. Globalization has increased exposure to international events
2. The need for increased and escalated efficiency, innovation and differentiation
3. Cost of strategic error is rising in the global marketplace
4. Understanding and responding to customer wants in this demanding era of increasingly focused niche markets
5. Outsourcing raises questions about clarifying the retention and transfer of risk
6. The unthinkable can happen
7. Due to highly publicized public fiascos and high demands on certifying officers, financial reporting is now a significant risk area as companies focus on sustainability of their disclosure process and internal control structure

At most institutions today, the responsibility for enterprise risk management ultimately falls to the chief executive officer, since many of the senior people in the company who manage risk on a day-to-day basis already report to him or her, including the CFO and chief lending or credit officer. But institutions need to consider appointing a chief risk officer and forming a management-level risk committee." The risk management function should be as independent as possible. However, true independence would require the use of parallel structures where one team of individuals would be responsible for a business unit like small business banking or an activity like regulatory compliance, while a separate team of individuals would be focused solely on managing risk. "To be successful, the business units must view the risk management function as a partner and a facilitator, rather than being in charge of saying no. There is a danger, if ERM looks interchangeable with internal audit, that the business units will view it as either an impediment or redundant, but one size does not fit all."

1.1 BACKGROUND

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Risk management has been practiced for thousands of years. One can imagine a risk manager burning a fire at night to keep wild animals away. Lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance, by shifting it to an insurer.
Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management. They enumerated the following steps for the risk management process:

Identifying loss exposures
Measuring loss exposures
Evaluating the different methods for handling risk assumption
Risk transfer
Risk reduction
Selecting a method
Monitoring results

Initially, the risk management process focused on what have been termed pure risks. Pure risks are those in which there is either a loss or no loss. A typical example of a pure risk is that your house may burn down or be hit by an earthquake. If none of these occurs, then you are in the no-loss position. Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling finan