ENTERPRISE RISK MANAGEMENT – ppt download
Presentation on theme: “ENTERPRISE RISK MANAGEMENT”— Presentation transcript:
1
ENTERPRISE RISK MANAGEMENT
2
Purpose Develop a conceptually sound framework
Provide integrated principles Common terminology Practical implementation guidance Develop or benchmark ERM process
3
Relevance Every entity strives to add value in the face of uncertainty
Value—stakeholders derive recognizable benefits that they value. Uncertainty emanates from an inability to precisely determine the likelihood that potential events will occur and the associated outcomes.
4
Today’s organizations are concerned about:
Risk Management Governance Control Assurance (and Consulting)
5
Why ERM Is Important Underlying principles:
Every entity, whether for-profit or not, exists to realize value for its stakeholders. Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day. Value is created by informed and inspired management decisions in all spheres of an entity’s activities, from strategy setting to operations. Entities failing to recognize the risks they face, from external or internal sources, and to manage them effectively can destroy value – in absolute or relative terms – for shareholders and other stakeholders, including the community and society at large. For companies, shareholders realize value when they recognize value creation and benefit from share-value growth. For governmental entities, value is realized when constituents recognize receipt of valued services at acceptable cost. Enterprise risk management: Facilitates management’s ability deal effectively with potential future events that create uncertainty. Provides the mechanisms to respond in a manner that reduces the likelihood of downside outcomes and increases the upside Enhances the ability to communicate value creation and preservation programs and goals, communicate with stakeholders, and deliver as planned, with few surprises.
6
Why ERM Is Important ERM supports value creation by enabling management to: Deal effectively with potential future events that create uncertainty. Respond in a manner that reduces the likelihood of downside outcomes and increases the upside. Value is created by informed and inspired management decisions in all spheres of an entity’s activities, from strategy setting to operations. Entities failing to recognize the risks they face, from external or internal sources, and to manage them effectively can destroy value – in absolute or relative terms – for shareholders and other stakeholders, including the community and society at large. For companies, shareholders realize value when they recognize value creation and benefit from share-value growth. For governmental entities, value is realized when constituents recognize receipt of valued services at acceptable cost. Enterprise risk management: Facilitates management’s ability deal effectively with potential future events that create uncertainty. Provides the mechanisms to respond in a manner that reduces the likelihood of downside outcomes and increases the upside Enhances the ability to communicate value creation and preservation programs and goals, communicate with stakeholders, and deliver as planned, with few surprises.
7
ERM provides a framework for management …
… to effectively deal with uncertainty and associated risk and opportunity, and thereby enhance its capacity to build value. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. One of the lessons learned in the Assess phase was that most participants favored a definition that is broader than their current risk management initiative. Most definitions reviewed contained terms and phrases such as identification, assessment and response. Many definitions also mentioned monitoring. In this way, the COSO definition is consistent with other definitions. In addition, the COSO definition builds on these points and sets out that Risks is considered in the formulation of strategy Risk management is applied at every level and unit of the entity A portfolio view of risks throughout the enterprise is taken
8
A dynamic process that includes …
Identification of potential events that may impact objectives Risk assessment and response Consideration of risks in formulation of strategy Application across the entity Managing risk is to be within the entity’s risk appetite A portfolio view of risks at the entity-level is taken Monitoring the performance of ERM Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. One of the lessons learned in the Assess phase was that most participants favored a definition that is broader than their current risk management initiative. Most definitions reviewed contained terms and phrases such as identification, assessment and response. Many definitions also mentioned monitoring. In this way, the COSO definition is consistent with other definitions. In addition, the COSO definition builds on these points and sets out that Risks is considered in the formulation of strategy Risk management is applied at every level and unit of the entity A portfolio view of risks throughout the enterprise is taken
9
ERM provides enhanced capabilities to …
… align risk appetite and strategy; link growth, risk, and return; enhance risk-response decisions; minimise operational surprises and losses; identify and manage cross-enterprise risks; provide integrated responses to multiple risks; seize opportunities; and rationalise capital. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. One of the lessons learned in the Assess phase was that most participants favored a definition that is broader than their current risk management initiative. Most definitions reviewed contained terms and phrases such as identification, assessment and response. Many definitions also mentioned monitoring. In this way, the COSO definition is consistent with other definitions. In addition, the COSO definition builds on these points and sets out that Risks is considered in the formulation of strategy Risk management is applied at every level and unit of the entity A portfolio view of risks throughout the enterprise is taken
10
Some “new” concepts in the ERM Framework
Events and risks Applying risk management in strategy setting Risk appetite and risk tolerance Portfolio view
11
Events and risk Event is an incident or occurrence that could affect the implementation of strategy or achievement of objectives. Distinguish risk and opportunity Risk is the possibility that an event will occur and adversely affect the achievement of objectives. Events that may have a positive impact represent natural offsets or opportunities. Risks are measured using the same unit of measure as the related objectives. Time horizons are specified and aligned with objectives An event is an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both. identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives. The framework views entity objectives in the context of three categories: Operations – These pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance. Reporting – relating to the effectiveness of the entity’s reporting. This includes both internal and external reporting and may be comprised of financial or non-financial information. Compliance – relating to the entity’s compliance with applicable laws and regulations Internal and external factors: myriad of external and internal factors influence events could potentially affect strategy implementation and achievement of objectives. Economic, environmental, political, social and technology are examples of external factors. Infrastructure, personnel, process, structural and technology are examples of internal factors.
12
Applied in strategy setting
Enterprise risk management is applied in strategy setting, in which management considers risks relative to alternative strategies. For instance, a university seeks to offer high-quality educational opportunities to students within the state, nation and worldwide. Strategy A: Focus predominantly on campuses structures Strategy B: Focus more at off-campus sites Strategy C: Develop new interactive distance education Strategy D: Develop a mix of the above. What additional risks levels or types of risks will arise with each choice? For instance, a university board and management seek to be in the top quartile of the university rankings. What risks are you willing to accept to be in the top quartile of the university rankings. For instance: Would the university prefer to focus on the risks of maintaining a higher faculty count or limiting student levels in order manage the faculty/student ratio? “Turn-away” qualified students in order to maintain a higher student selectivity ? “Invest” a large amount of cash in new facilities that result in fixed capacity or invest in new, but perhaps unproved technologies, required to deploy distance learning?
13
Relating mission, objectives, appetite and tolerance
To be the leading producer of premium household products in the regions in which we operate Strategic Objectives To be in the top quartile of product sales for retailers of our products Measures Market Share Strategy Expand production of our top-five selling retail products Risk Appetite Accepts that the company will consume large amounts of capital investing in new assets, people and process Accepts that competition could increase (e.g. through predatory pricing, etc) as we seeks to increase market share, thereby reducing profit margins Does not accept erosion of product quality Related Objectives Increase production of Unit X by 15% in the next 12 months Increase new staff by 200 (net) across all manufacturing divisions Maintain product quality of 4.0 sigma Measures Units of Production Number of staff hired Product quality by sigma Risk Tolerances Measure Market share Units of production Number of staff hired (net) Product quality index Target 25 Percentile 150,000 units 200 staff 4.0 sigma Tolerances – Acceptable Range 23% – 30% +10,000 / – 7,500 + 20 / – 15 4.0 – 4.5 sigma
14
Taking a portfolio view
Enterprise risk management requires an entity to take a portfolio view of risk. Management considers how individual risks interrelate. Management develops a portfolio view from two perspectives: Business unit Entity For instance your university, can you explain how a: 10% loss teaching faculty would effect the faculty and the overall university 15% increase in research funding would effect the overall university Shift in education delivery mechanisms from classroom based learning to interactive distance learning effects the overall university Where potential events are not directly related, management assesses them individually, and then forms its portfolio view as a composite of individual risks. Where risks are likely to occur at the same time within each business unit, management assesses and groups identified events into common categories. Business unit level – Each manager responsible for a business unit, function, process or other activity develops a composite assessment of risks Entity level – Management considers interrelated risk from an entity-wide portfolio perspective. Risk may exist in different business units that are within the individual risk appetite of the units. But taken together, the risk exceeds the risk appetite of the entity as a whole. For instance your university, can you explain how a: 10% loss teaching faculty would effect the faculty and the overall university 15% increase in research funding would effect the overall university Shift in education delivery mechanisms from classroom based learning to interactive distance learning effects the overall university
15
Benefits of Enterprise Risk Management
Provides enhanced capability to: Align risk appetite and strategy Link growth, risk and return Enhance risk response decisions Minimize operational surprises and losses Identify and manage cross-enterprise risks Provide integrated Reponses to multiple risks Seize opportunities Rationalize capital
16
Definition Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
17
Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
18
Components Internal environment Objective setting Event identification
Risk assessment Risk response Control activities Information and communication Monitoring
19
The ERM Framework The eight components of the framework
are interrelated …
20
The ERM Framework Entity objectives can be viewed in the
context of four categories: Strategic Operations Reporting Compliance
21
The ERM Framework ERM considers activities at all levels
of the organization: Enterprise-level Division or subsidiary Business unit processes
22
Internal Environment Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity’s risk culture. Considers all other aspects of how the organization’s actions may affect its risk culture.
23
Internal Environment Risk Management Philosophy Risk Culture
Board of Directors Integrity and Ethical Values Commitment to Competence Management’s Philosophy and Operating Style Risk Appetite Organizational Structure Assignment of Authority and Responsibility Human Resource Policies and Practices
24
Objective Setting Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
25
Objective Setting Strategic Objectives Related Objectives
Selected Objectives Risk Appetite Risk Tolerance
26
Event identification component
Identify those incidents, occurring internally or externally, that could affect strategy and achievement of objectives. Addresses how internal and external factors combine and interact to influence its risk profile. Distinguish risk and opportunity An event is an incident or occurrence emanating from internal or external sources that could affect implementation of strategy or achievement of objectives. Events may have positive or negative impacts, or both. identifies potential events affecting an entity’s ability to successfully implement strategy and achieve objectives. The framework views entity objectives in the context of three categories: Operations – These pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance. Reporting – relating to the effectiveness of the entity’s reporting. This includes both internal and external reporting and may be comprised of financial or non-financial information. Compliance – relating to the entity’s compliance with applicable laws and regulations Internal and external factors: myriad of external and internal factors influence events could potentially affect strategy implementation and achievement of objectives. Economic, environmental, political, social and technology are examples of external factors. Infrastructure, personnel, process, structural and technology are examples of internal factors.
27
Event Identification Differentiates risks and opportunities.
Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
28
Event Identification Events
Factors Influencing Strategy and Objectives Methodologies and Techniques Event Interdependencies Event Categories Risks and Opportunities
29
Risk assessment component
Allows an entity to understand the extent to which potential events might impact objectives. Assesses risks from two perspectives – likelihood and impact. The unit of measure used to assess risks should be the same or congruent to measure used for the achievement of objectives. Employs a combination of both qualitative and quantitative risk assessment methodologies. Time horizons are related to objective time horizons. Assesses risk on both an inherent and residual basis. Assessment allows an entity to consider the extent to which potential events might have an impact on achievement of objectives. Considers both inherent and residual risk in risk assessment. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is what remains after management responds to the risk Likelihood considers the possibility that a given event will occur, while the second, impact, considers its effect. Sometimes the words take on more specific meanings, with “likelihood” expressing the possibility that a given event will occur in qualitative terms such as high, medium and low, or other judgmental scales; whereas “probability” may be used to express a quantitative measure as a percentage, frequency of occurrence or other numerical metric. Estimates of risk likelihood and impact often are determined using data from past observable events, which may provide a more objective basis than entirely subjective estimates. Management uses performance measures in determining the extent to which objectives are being achieved. The same unit of measure should normally be used when considering the potential impact of a risk to achievement of a specified objective Quantitative techniques typically bring more precision, and are used in more complex and sophisticated activities; however, some circumstances do not lend themselves to their use. Managements often use qualitative assessment techniques when potential likelihood and impact are low, where risks do not lend themselves to quantification or when sufficient credible data required for quantitative assessments either is not practicably available or obtaining the data is not cost-effective.
30
Risk Assessment Inherent and Residual Risk Likelihood and Impact
Methodologies and Techniques Correlation
31
Risk response component
Identifies and evaluates possible responses to risk. Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses and degree to which a response will reduce impact and/or likelihood. Assessment of and response to risks are integral components of ERM; which specific response is selected is not. Selects and executes its response based on evaluation of the portfolio of risks and responses. Responses fit within the following categories: Avoidance – Action is taken to exit the activities that create risks. Reduction – Action is taken to reduce the risk likelihood or impact, or both. Sharing – Action is taken to reduce either the likelihood or impact of a risk by transferring or otherwise sharing a portion of the risk. Acceptance – No action is taken to affect either the likelihood or impact. In evaluating response options, management considers the affect on both likelihood and impact, and understands that a response might affect risk likelihood and impact differently. In evaluating alternative responses, management determines their potential effect typically using units of measure for the objective and associated risks as established in the risk assessment component Any of several responses may bring residual risk in line with risk tolerances, and sometimes a combination of responses provides the optimum result. Similarly, certain responses will affect the risk of multiple potential events. Resources always have constraints, and entities must consider the relative costs and benefits of establishing acceptable risk response options. Once the effects of alternative risk responses have been evaluated, management decides how to manage the risk. While management strives to select the best response option, enterprise risk management does not ensure that the best response is taken – only that the response or combination of responses bring expected risk likelihood and impact within risk tolerances. management considers the aggregate effect of its risk responses across the entity. Many entities have multiple business units, each with similar risks, and each unit may appropriately choose a different risk response, as long as the response results in the unit’s residual risk being within its risk tolerances.
32
Responses Fit Within The Following Categories:
Avoidance – Action is taken to exit the activities that create risks. Reduction – Action is taken to reduce the risk likelihood or impact, or both. Sharing – Action is taken to reduce either the likelihood or impact of a risk by transferring or otherwise sharing a portion of the risk. Acceptance – No action is taken to affect either the likelihood or impact.
33
Risk Response Identify Risk Responses Evaluate Possible Risk Responses
Select Responses Portfolio View
34
Control Activities Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls.
35
Control Activities Integration with Risk Response
Types of Control Activities General Controls Application Controls Entity Specific
36
Information & Communication
Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization.
37
Information and Communication
Strategic and Integrated Systems Communication
38
Monitoring component Monitors the ongoing effectiveness of the other enterprise risk management components through: Ongoing monitoring activities Separate evaluations A combination of the two Monitoring helps determine the effectiveness of the processes, technologies and personnel executing enterprise risk management. The entity establishes minimum standards for each component of enterprise risk management. The entity’s performance against these standards can then be monitored objectively. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree. Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is performed on a real-time basis, reacts dynamically to changing conditions and is ingrained in the entity. As a result, it is more effective than separate evaluations. The greater the degree and effectiveness of ongoing monitoring, the lesser need for separate evaluations. The frequency of separate evaluations is a matter of management’s judgment. In making that determination, consideration is given to the nature and degree of changes occurring, from both internal and external events, and their associated risks; the competence and experience of the personnel implementing risk responses and related controls; and the results of the ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time. Deficiencies in an entity’s enterprise risk management may surface from many sources, including the entity’s ongoing monitoring procedures, separate evaluations and external parties. All enterprise risk management deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives should be reported to those who can take necessary action, as discussed in the next section
39
Relationship with internal control
ERM expands and elaborates on elements of internal control as set out in COSO’s Internal Control – Integrated Framework (IC-IF).
40
Relationship to Internal Control — Integrated Framework
Expands and elaborates on elements of internal control as set out in COSO’s “control framework.” Includes objective setting as a separate component. Objectives are a “prerequisite” for internal control. Expands the control framework’s “Financial Reporting” and “Risk Assessment.” Some differences include (note not all as time is limited): The choice made by management and its implementation is part of management’s broader role, and are not part of ERM The Internal Control – Integrated Framework specified the three objective categories of operations, external financial reporting and compliance. Enterprise risk management also specifies three objective categories – operations, reporting, and compliance. The reporting category expands the scope of financial reporting as defined in the Internal Control – Integrated Framework to include a broader array of reporting, Event identification – ERM considers potential events, defining an event as an incident, or series of incidents emanating from internal or external sources that could affect the implementation of strategy and achievement objectives. ERM also considers alternatives in setting strategy, identifies events using a combination of techniques that consider both past and potential future events as well as emerging trends, considers what triggers events and groups potential events into risk categories.
41
Key Implementation Factors
Organizational design of business Establishing an ERM organization Performing risk assessments Determining overall risk appetite Identifying risk responses Communication of risk results Monitoring Oversight & periodic review by management
42
Organizational Design
Strategies of the business Key business objectives Related objectives that cascade down the organization from key business objectives Assignment of responsibilities to organizational elements and leaders (linkage)
43
Example: Linkage Mission – To provide high-quality accessible and affordable community-based health care Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year
44
Establish ERM Determine a risk philosophy Survey risk culture
Consider organizational integrity and ethical values Decide roles and responsibilities
45
Example: ERM Organization
Vice President and Chief Risk Officer Insurance Risk Manager ERM Director Corporate Credit Risk Manager FES Commodity Risk Mg. Director ERM Manager ERM Manager Staff Staff Staff
46
Assess Risk Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.
47
Example: Risk Model Environmental Risks Capital Availability
Regulatory, Political, and Legal Financial Markets and Shareholder Relations Process Risks Operations Risk Empowerment Risk Information Processing / Technology Risk Integrity Risk Financial Risk Information for Decision Making Operational Risk Strategic Risk
48
Risk Analysis Risk Management Monitoring Assessment Control It
Share or Transfer It Diversify or Avoid It Risk Management Process Level Activity Entity Level Monitoring Identification Measurement Prioritization Assessment Source: Business Risk Assessment – The Institute of Internal Auditors
49
DETERMINE RISK APPETITE
Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
50
DETERMINE RISK APPETITE
Key questions: What risks will the organization not accept? (e.g. environmental or quality compromises) What risks will the organization take on new initiatives? (e.g. new product lines) What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
51
IDENTIFY RISK RESPONSES
Quantification of risk exposure Options available: – Accept = monitor – Avoid = eliminate (get out of situation) – Reduce = institute controls – Share = partner with someone (e.g. insurance) Residual risk (unmitigated risk – e.g. shrinkage)
52
Impact vs. Probability High I M P A C T Low PROBABILITY High
Medium Risk High Risk I M P A C T Share Mitigate & Control Low Risk Medium Risk Accept Control Low PROBABILITY High
53
Example: Call Center Risk Assessment
High Medium Risk High Risk Loss of phones Loss of computers Credit risk Customer has a long wait Customer can’t get through Customer can’t get answers I M P A C T Low Risk Medium Risk Fraud Lost transactions Employee morale Entry errors Equipment obsolescence Repeat calls for same problem Low PROBABILITY High
54
Example: Accounts Payable Process
Control Risk Control Objective Activity Completeness Material Accrual of transaction open liabilities not recorded Invoices accrued after closing Issue: Invoices go to field and AP is not aware of liability.
55
Communicate Results Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances) Flowcharts of processes with key controls noted Narratives of business objectives linked to operational risks and responses List of key risks to be monitored or used Management understanding of key business risk responsibility and communication of assignments
56
Monitor Collect and display information Perform analysis
– Risks are being properly addressed – Controls are working to mitigate risks
57
Management Oversight & Periodic Review
Accountability for risks Ownership Updates – Changes in business objectives – Changes in systems – Changes in processes