ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated...
-
Upload
shannon-henry -
Category
Documents
-
view
220 -
download
0
Transcript of ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated...
![Page 1: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/1.jpg)
ENTERPRISE RISK MANAGEMENT
![Page 2: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/2.jpg)
Purpose
• Develop a conceptually sound framework
• Provide integrated principles• Common terminology• Practical implementation guidance• Develop or benchmark ERM
process
![Page 3: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/3.jpg)
Relevance
• Every entity strives to add value in the face of uncertainty
• Value—stakeholders derive recognizable benefits that they value.
• Uncertainty emanates from an inability to precisely determine the likelihood that potential events will occur and the associated outcomes.
![Page 4: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/4.jpg)
Today’s organizations are
concerned about:
• Risk Management• Governance• Control• Assurance (and Consulting)
![Page 5: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/5.jpg)
Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
![Page 6: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/6.jpg)
Why ERM Is Important
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
![Page 7: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/7.jpg)
ERM provides a framework for
management …
•… to effectively deal with uncertainty and associated risk and opportunity, and thereby enhance its capacity to build value.•
![Page 8: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/8.jpg)
A dynamic process that includes
…
– Identification of potential events that may impact objectives
– Risk assessment and response – Consideration of risks in formulation of strategy– Application across the entity– Managing risk is to be within the entity’s risk appetite– A portfolio view of risks at the entity-level is taken– Monitoring the performance of ERM
![Page 9: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/9.jpg)
ERM provides enhanced
capabilities to …
•… align risk appetite and strategy; link growth, risk, and return; enhance risk-response decisions; minimise operational surprises and losses; identify and manage cross-enterprise risks; provide integrated responses to multiple risks; seize opportunities; and rationalise capital.
![Page 10: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/10.jpg)
Some “new” concepts in the ERM
Framework– Events and risks– Applying risk management in strategy
setting– Risk appetite and risk tolerance– Portfolio view
![Page 11: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/11.jpg)
Events and risk
– Event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives.
– Distinguish risk and opportunity
– Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
• Events that may have a positive impact represent natural offsets or opportunities.
– Risks are measured using the same unit of measure as the related objectives.
– Time horizons are specified and aligned with objectives
![Page 12: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/12.jpg)
Applied in strategy setting
– Enterprise risk management is applied in strategy setting, in which management considers risks relative to alternative strategies.
– For instance, a university seeks to offer high-quality educational opportunities to students within the state, nation and worldwide. • Strategy A: Focus predominantly on campuses structures• Strategy B: Focus more at off-campus sites• Strategy C: Develop new interactive distance education• Strategy D: Develop a mix of the above.
– What additional risks levels or types of risks will arise with each choice?
![Page 13: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/13.jpg)
Relating mission, objectives,
appetite and tolerance
MissionTo be the leading producer of premium household products in the regions in which we operate
Strategic ObjectivesTo be in the top quartile of product sales for retailers of our products
MeasuresMarket Share
StrategyExpand production of our top-five selling retail products
Risk Appetite• Accepts that the
company will consume large amounts of capital investing in new assets, people and process
• Accepts that competition could increase (e.g. through predatory pricing, etc) as we seeks to increase market share, thereby reducing profit margins
• Does not accept erosion of product quality
Related Objectives• Increase production of Unit X by
15% in the next 12 months• Increase new staff by 200 (net)
across all manufacturing divisions
• Maintain product quality of 4.0 sigma
Measures• Units of Production • Number of staff hired• Product quality by sigma
Risk TolerancesTolerances – Acceptable Range
23% – 30%+10,000 / - 7,500+ 20 / - 154.0 – 4.5 sigma
Target25 Percentile150,000 units200 staff4.0 sigma
MeasureMarket shareUnits of productionNumber of staff hired (net)Product quality index
![Page 14: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/14.jpg)
Taking a portfolio view
– Enterprise risk management requires an entity to take a portfolio view of risk.
– Management considers how individual risks interrelate.
– Management develops a portfolio view from two perspectives:• Business unit • Entity
Corporate
Marketing R&D Legal Sales
For instance your university, can you explain how a:
• 10% loss teaching faculty would effect the faculty and the overall university
• 15% increase in research funding would effect the overall university
• Shift in education delivery mechanisms from classroom based learning to interactive distance learning effects the overall university
![Page 15: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/15.jpg)
Benefits of Enterprise Risk
Management• Provides enhanced capability to:
– Align risk appetite and strategy– Link growth, risk and return– Enhance risk response decisions– Minimize operational surprises and losses– Identify and manage cross-enterprise risks– Provide integrated Reponses to multiple
risks– Seize opportunities– Rationalize capital
![Page 16: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/16.jpg)
Definition
– Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
![Page 17: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/17.jpg)
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
Enterprise Risk Management —
Integrated Framework
![Page 18: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/18.jpg)
Components
• Internal environment• Objective setting• Event identification• Risk assessment• Risk response• Control activities• Information and communication• Monitoring
![Page 19: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/19.jpg)
The eight componentsof the frameworkare interrelated …
The ERM Framework
![Page 20: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/20.jpg)
The ERM Framework
Entity objectives can be viewed in thecontext of four categories:
• Strategic • Operations• Reporting• Compliance
![Page 21: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/21.jpg)
The ERM Framework
ERM considers activities at all levelsof the organization:
• Enterprise-level• Division or
subsidiary• Business unit
processes
![Page 22: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/22.jpg)
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity’s risk culture.
• Considers all other aspects of how the organization’s actions may affect its risk culture.
![Page 23: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/23.jpg)
• Risk Management Philosophy • Risk Culture• Board of Directors• Integrity and Ethical Values• Commitment to Competence• Management's Philosophy and Operating
Style• Risk Appetite• Organizational Structure• Assignment of Authority and
Responsibility• Human Resource Policies and Practices
Internal Environment
![Page 24: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/24.jpg)
Objective Setting• Is applied when management considers
risks strategy in the setting of objectives.
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
![Page 25: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/25.jpg)
Objective Setting• Strategic Objectives • Related Objectives • Selected Objectives • Risk Appetite • Risk Tolerance
![Page 26: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/26.jpg)
Event identification component
– Identify those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
– Addresses how internal and external factors combine and interact to influence its risk profile.
– Distinguish risk and opportunity
![Page 27: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/27.jpg)
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
![Page 28: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/28.jpg)
Event Identification
• Events • Factors Influencing Strategy
and Objectives • Methodologies and Techniques • Event Interdependencies • Event Categories • Risks and Opportunities
![Page 29: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/29.jpg)
Risk assessment component
– Allows an entity to understand the extent to which potential events might impact objectives.
– Assesses risks from two perspectives – likelihood and impact.
– The unit of measure used to assess risks should be the same or congruent to measure used for the achievement of objectives.
– Employs a combination of both qualitative and quantitative risk assessment methodologies.
– Time horizons are related to objective time horizons.
– Assesses risk on both an inherent and residual basis.
![Page 30: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/30.jpg)
Risk Assessment• Inherent and Residual Risk • Likelihood and Impact • Methodologies and Techniques • Correlation
![Page 31: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/31.jpg)
Risk response component
– Identifies and evaluates possible responses to risk.
– Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses and degree to which a response will reduce impact and/or likelihood.
– Assessment of and response to risks are integral components of ERM; which specific response is selected is not.
– Selects and executes its response based on evaluation of the portfolio of risks and responses.
![Page 32: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/32.jpg)
Responses Fit Within The Following
Categories:Avoidance – Action is taken to exit the activities that create risks.
Reduction – Action is taken to reduce the risk likelihood or impact, or both.
Sharing – Action is taken to reduce either the likelihood or impact of a risk by transferring or otherwise sharing a portion of the risk.
Acceptance – No action is taken to affect either the likelihood or impact.
![Page 33: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/33.jpg)
Risk Response
• Identify Risk Responses • Evaluate Possible Risk
Responses • Select Responses • Portfolio View
![Page 34: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/34.jpg)
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.
![Page 35: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/35.jpg)
Control Activities
• Integration with Risk Response • Types of Control Activities • General Controls • Application Controls • Entity Specific
![Page 36: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/36.jpg)
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.
Information & Communication
![Page 37: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/37.jpg)
Information and Communication
• Information • Strategic and Integrated
Systems • Communication
![Page 38: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/38.jpg)
Monitoring component
– Monitors the ongoing effectiveness of the other enterprise risk management components through: • Ongoing monitoring activities• Separate evaluations• A combination of the two
![Page 39: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/39.jpg)
Relationship with internal control
![Page 40: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/40.jpg)
• Expands and elaborates on elements of internal control as set out in COSO’s“control framework.”
• Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control.
• Expands the control framework’s “Financial Reporting” and “Risk Assessment.”
Relationship to Internal Control —
Integrated Framework
![Page 41: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/41.jpg)
1. Organizational design of business2. Establishing an ERM organization3. Performing risk assessments4. Determining overall risk appetite5. Identifying risk responses6. Communication of risk results7. Monitoring8. Oversight & periodic review
by management
Key Implementation Factors
![Page 42: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/42.jpg)
Organizational Design
• Strategies of the business
• Key business objectives
• Related objectives that cascade down the organization from key business objectives
• Assignment of responsibilities to organizational elements and leaders (linkage)
![Page 43: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/43.jpg)
Example: Linkage• Mission – To provide high-quality
accessible and affordable community-based health care
• Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets
• Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year
![Page 44: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/44.jpg)
Establish ERM
• Determine a risk philosophy
• Survey risk culture
• Consider organizational integrity and ethical values
• Decide roles and responsibilities
![Page 45: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/45.jpg)
Example: ERM Organization
ERM DirectorERM
Director
Vice President andChief Risk Officer
Vice President andChief Risk Officer
Corporate Credit Risk Manager
Corporate Credit Risk Manager
Insurance Risk Manager
Insurance Risk Manager
ERMManager
ERMManager
ERMManager
ERMManager
StaffStaff StaffStaffStaffStaff
FES Commodity
Risk Mg.Director
FES Commodity
Risk Mg.Director
![Page 46: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/46.jpg)
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
Assess Risk
![Page 47: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/47.jpg)
Environmental Risks• Capital Availability• Regulatory, Political, and Legal• Financial Markets and Shareholder Relations
Process Risks• Operations Risk• Empowerment Risk• Information Processing / Technology Risk• Integrity Risk• Financial Risk
Information for Decision Making• Operational Risk• Financial Risk• Strategic Risk
Example: Risk Model
![Page 48: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/48.jpg)
Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors
Control It
Share orTransfer It
Diversify orAvoid It
RiskManagement
ProcessLevel
ActivityLevel
Entity Level
RiskMonitoring
Identification
Measurement
Prioritization
RiskAssessment
Risk Analysis
![Page 49: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/49.jpg)
DETERMINE RISK APPETITE
• Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
• Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
![Page 50: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/50.jpg)
Key questions:
• What risks will the organization not accept? (e.g. environmental or quality compromises)
• What risks will the organization take on new initiatives? (e.g. new product lines)
• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
DETERMINE RISK APPETITE
![Page 51: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/51.jpg)
• Quantification of risk exposure
• Options available:- Accept = monitor- Avoid = eliminate (get out of situation)
- Reduce = institute controls- Share = partner with someone
(e.g. insurance)
• Residual risk (unmitigated risk – e.g. shrinkage)
IDENTIFY RISK RESPONSES
![Page 52: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/52.jpg)
Impact vs. Probability
Control
Share Mitigate & Control
Accept
High Risk
Medium Risk
Medium Risk
Low Risk
Low
High
High
IMPACT
PROBABILITY
![Page 53: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/53.jpg)
Low
High
High
IMPACT
PROBABILITY
High Risk
Medium Risk
Medium Risk
Low Risk
Example: Call Center Risk
Assessment
• Loss of phones• Loss of computers
• Credit risk• Customer has a long wait• Customer can’t get through• Customer can’t get answers
• Entry errors • Equipment obsolescence• Repeat calls for same problem
• Fraud• Lost transactions• Employee morale
![Page 54: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/54.jpg)
Control Risk Control Objective Activity
Completeness Material Accrual of transaction open liabilities not recorded
Invoices accrued after closing
Issue: Invoices go to field and AP is not aware of liability.
Example: Accounts Payable
Process
![Page 55: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/55.jpg)
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments
Communicate Results
![Page 56: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/56.jpg)
Monitor
• Collect and display information
• Perform analysis- Risks are being properly addressed- Controls are working to mitigate risks
![Page 57: ENTERPRISE RISK MANAGEMENT. Purpose Develop a conceptually sound framework Provide integrated principles Common terminology Practical implementation guidance.](https://reader036.fdocuments.net/reader036/viewer/2022062314/56649d975503460f94a81013/html5/thumbnails/57.jpg)
• Accountability for risks
• Ownership
• Updates- Changes in business
objectives- Changes in systems- Changes in processes
Management Oversight &
Periodic Review