Enterprise Risk Management Integrated Framework
(Presentation produced by xx)

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

ERM Defined
"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Enterprise Risk Management Integrated Framework

The ERM Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

The ERM Framework
ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes

The ERM Framework
Enterprise risk management requires an entity to take a portfolio view of risk.
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework
The eight components of the framework are interrelated.

The ERM Framework: Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risks strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's "control framework."
- Includes objective setting as a separate component.
- Objectives are a "prerequisite" for internal control.
- Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements
Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Internal Auditors: Standards
- 2010.A1 The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1 Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1 When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design
- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
- Mission: To provide high-quality, accessible and affordable community-based health care.
- Strategic Objective: To be the first or second largest, full-service health care provider in mid-size metropolitan markets.
- Related Objective: To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year.

Establish ERM
- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Example: ERM Organization
[Organization chart; positions shown: Vice President and Chief Risk Officer; ERM Director; Corporate Credit Risk Manager; Insurance Risk Manager; FES Commodity Risk Mg. Director; ERM Manager (two positions); Staff (three positions)]

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model
- Environmental Risks: Capital Availability; Regulatory, Political, and Legal; Financial Markets and Shareholder Relations
- Process Risks: Operations Risk; Empowerment Risk; Information Processing/Technology Risk; Integrity Risk; Financial Risk
- Information for Decision Making: Operational Risk; Financial Risk; Strategic Risk
Source: Business Risk Assessment. 1998. The Institute of Internal Auditors.

Risk Analysis
[Diagram; elements shown: Risk Assessment (Identification, Measurement, Prioritization); Risk Management at Process Level, Activity Level and Entity Level (Control It; Share or Transfer It; Diversify or Avoid It); Risk Monitoring]

Determine Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
- Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
- Key questions:
  - What risks will the organization not accept? (e.g. environmental or quality compromises)
  - What risks will the organization take on new initiatives? (e.g. new product lines)
  - What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

Identify Risk Responses
- Quantification of risk exposure
- Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
- Residual risk (unmitigated risk, e.g. shrinkage)

Impact vs. Probability
[2x2 matrix; vertical axis IMPACT (Low to High), horizontal axis PROBABILITY (Low to High)]
- High impact, low probability: Share (Medium Risk)
- High impact, high probability: Mitigate & Control (High Risk)
- Low impact, low probability: Accept (Low Risk)
- Low impact, high probability: Control (Medium Risk)

Example: Call Center Risk Assessment
- Loss of phones
- Loss of computers
- Credit risk
- Customer has a long wait
- Customer can't get through
- Customer can't get answers
- Entry errors
- Equipment obsolescence
- Repeat calls for same problem
- Fraud
- Lost transactions
- Employee morale

Example: Accounts Payable Process
Control Objective | Risk | Control Activity
Completeness | Material accrual of transaction open liabilities not recorded | Invoices accrued after closing
Issue: Invoices go to field and AP is not aware of liability.

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments

Monitor
- Collect and display information
- Perform analysis:
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Management Oversight & Periodic Review
- Accountability for risks
- Ownership
- Updates:
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

Internal auditors can add value by:
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.

Internal auditors can add value by:
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing's resources are directed at those areas most important to the organization.
- Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.

Internal auditors can add value by:
- Facilitating ERM workshops.
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

For more information
On COSO's Enterprise Risk Management Integrated Framework, visit www.coso.org or www.theiia.org.
This presentation was produced by xx.

Enterprise Risk Management Integrated Framework