
6/16/2017

International Risk Management Frameworks

1. ISO 31000: 2009 Risk Management - Practices and Guidelines
2. OCEG “Red Book” 2.0: 2009 GRC Capability Model
3. BS 31100: 2008 Code of Practice for Risk Management
4. COSO: 2004 Enterprise Risk Management - Integrated Framework
5. FERMA: 2002 A Risk Management Standard
6. SOLVENCY II: 2016 Risk Management for the Insurance Industry
7. King Report on Corporate Governance for South Africa
8. Australia/New Zealand Standard 4360: Risk Management

© 2017 Starz Risk Solutions Limited Jun-17

Risk Management Framework

[Figure: ISO31000 risk management framework]

Value Centric Enterprise Risk Management

Prevent Losses / Adding Value
(aligning strategy, processes, people, technology and knowledge to avoid surprises)

Risk Management Framework

 The risk management framework is not intended to prescribe a management system, but rather to assist the organisation to integrate risk management into its overall management system.

Risk Management Policy and Plan

 Risk Management Policy: statement of the overall intentions and direction of an organisation related to risk management
 Risk Management Plan: scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk

Continuous Improvement of the ISO 31000 Framework for Risk Management

[Figure]

Implementing ERM

 Agree on ERM business model
 Create risk categories with owners and users
 Identify risk in each category
 Build an ERM knowledge warehouse
 Implement process manually
 Develop standard management process

Identify the relevant journey elements

EWRM Value Proposition: increasing risk management capabilities

Categories of ERM journey elements:

Foundation elements
 Adopt common language
 Establish oversight and governance

Process elements
 Assess risk and develop strategies
 Design/implement capabilities
 Continuously improve

Enhancement elements
 Quantify multiple risks enterprise-wide
 Improve enterprise performance
 Establish sustainable competitive advantage

A “journey element” consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case.
Source: Protiviti

How it will be carried out

[Figure]

Elements of infrastructure

 Business policies
 Business processes
 People and organisation
 Management reports
 Methodologies
 Systems and data

Implementing the ERM Framework

[Figure]

Implementing a Central Risk Function

 Identify accountability and responsibility structure
 Create a central risk function
 Create risk categories with owners and users
 Set up external scanning capability
 Establish internal scanning capability
 Structure hazard, compliance and internal controls

Typical Risk Governance Model

Board of Directors
• Ultimate risk management oversight
• Establish policies and tolerances

Management Committees
• Review and report on significant risk issues
• Control risk functions and infrastructure
• Engage risk assessments at directed frequency

Business Area Managers
• Own management of risk treatment
• Report on exposure or action in business areas

The risk management function enables executive management and risk owners to carry out their respective responsibilities.

Broadleaf’s approach to implementation of RM

 Achieve an unequivocal Executive and Board mandate with a full appreciation of the changes required at all levels of the organisation.
 Develop a carefully tailored framework, based on the ISO 31000 risk management framework, principles and process as well as the organisation’s context and structure, necessary for ERM to be implemented and sustained.
 Workshop and develop a strategic risk management plan to implement the framework, utilizing practical tools and best-practice methods.
 Develop and gain senior management agreement on a set of performance-based standards to codify the framework and its implementation plan.
 Create a tailored risk management information system that enforces accountability for risks, controls and tasks, supports control assurance and enables risk management performance management and reporting.
 Cause Champions to be appointed within the organisation and trained to create the confidence, skills and local management support needed for roll-out.
 Help Champions engage local management and implement the framework and risk management plan, generating risk registers, etc.
 Establish a process and structure for RM performance management and reporting, including committees and review groups, and performance measures.
 Periodically review, benchmark and revise the framework.

Capability Maturity Model

[Figure]

Limitations to Risk Management

Involve the board of directors and high-level management
• Not enough cooperation
• Low qualification
• Lack of independence to make a decision
• Not transparent

Formulate risk management policy and procedures
• Policies/procedures do not match the risks
• Underdeveloped infrastructure
• Rigid to implement
• Communication failure

Establish a unit to operate risk management
• Lack of adequate structure
• Staff has less experience
• Lack of independence

Set up risk management system
• No follow-up and control system
• Not enough risk assessment/management instruments
• Database and IT system

Appendix 1: An Exposition on Enterprise Risk Management Standards and Frameworks

What is a Standard?

 A primary standard (or “recognized” standard) is an established norm or requirement, usually a formal document that establishes criteria, methods, processes and practices under the jurisdiction of an international, regional or national standards body.
 In contrast, a custom, convention, guidance document, company product, corporate standard, etc. that may be developed outside of a recognized standards-setting body but which becomes generally accepted and dominant is often called a de facto standard.
Source: RIMS (2012)

What is a Framework?

Framework (frām’wûrk’) n.
1. A structure for supporting or enclosing something, esp. a skeletal support used as the basis in something being constructed.
2. An external work platform; a rig.
3. A basic arrangement, form, or system: “social structure is a stronger framework for behavior than national feeling.” (Stanley Kaufman)
Source: The American Heritage Dictionary, Second Edition, 1982

Standards Hierarchy

[Figure]

Why Use Standards?

 Set of benchmarked tools and processes
 Systematically identify risks and problems
 Problem-solving and decision-making tools
 Inclusive process
 Specialized training
 Establishes operational controls/procedures
 Measurable/verifiable goals and methods for accomplishing identified objectives
 Protect reputation and brand
 Model for continual improvement
 Proactively improve organizational resilience and sustainability

Enterprise Risk Management — COSO Integrated Framework

 The framework is a three-dimensional cube with the following components:
  Entity and unit-level components
  Risk management objectives
  Risk components
 The COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework

 Entity objectives can be viewed in the context of four categories:
  Strategic: high-level goals, aligned with and supporting our mission
  Operations: effective and efficient use of our resources
  Reporting: reliability of reporting
  Compliance: compliance with applicable laws and regulations

The ERM Framework

 ERM considers activities at all levels of the organization:
  Enterprise level
  Division or subsidiary
  Business unit processes

The ERM Framework

 Enterprise risk management requires an entity to take a portfolio view of risk.
 Management considers how individual risks interrelate.
 Management develops a portfolio view from two perspectives:
  Business unit level
  Entity level

The eight components of the framework are interrelated

[Figure]

OCEG “Red Book” 2.0: 2009

 The Open Compliance and Ethics Group (OCEG) helps organizations drive principled performance by providing standards, tools and resources that enhance corporate culture and integrate governance, risk management, compliance, internal control and ethics processes.
 It integrates and aligns governance, risk management and compliance (GRC) efforts.

OCEG “Red Book” 2.0: 2009

 OCEG describes its “framework for principled performance” in two parts:
  the Red Book, which contains the overview and principles of the GRC capability model, and
  the Burgundy Book, which contains “procedures and assessment criteria to facilitate management and evaluation of a GRC system.”
 It focuses on the application of GRC methods “by which [the enterprise] establishes and stays within the boundaries it will observe while driving toward its [financial and nonfinancial] objectives.”

OCEG “Red Book” 2.0: 2009

 The approach is comprehensive and prescriptive in identifying accountabilities, as well as the parts of the organization and processes needed to be included in the GRC model.
 It assumes certain universal outcomes:
  achievement of business objectives
  enhancement of the organizational culture
  increase in stakeholder confidence
  preparation and protection of the organization
  prevention, detection and reduction of adversity
  motivation and inspiration of desired conduct
  improvement in responsiveness and efficiency
  optimization of economic and social value


OCEG “Red Book” 2.0: 2009

 The role of risk management is minimized to the measurement of events, primarily for purposes of mitigation and control.
 Its focus on enabling technology leads the practitioner to consider the measurement of risk on historic events as a predictor of future events, which is not conducive to the identification of emerging risks.

OCEG “Red Book” 2.0: 2009

 This framework provides a unique focus on investigations, technology and remediation.
 This approach tends to be most closely aligned with security practices (e.g., codes of conduct) and compliance (i.e., controls), while appearing to be most suited for the largest of organizations in which human and technological resources are abundant.

Reflection

Explain how you would apply this framework in your organisation. How does it compare with ISO31000 and COSO 2004?


BS 31100: 2008

 The British Standards Institution (BSI) is the national standards body of the United Kingdom.
 BS 31100: 2008 is a general risk management standard that provides a basis for understanding, developing, implementing and maintaining proportionate and effective risk management throughout an organization, in order to enhance the organization’s likelihood of achieving its objectives.

BS 31100

 BS 31100 describes how risk management embodies a framework and process that enable any organization to proactively manage uncertainty in a systematic manner at all levels within the organization, from strategic to operational perspectives.

BS 31100

[Figure]

BS 31100

 BS 31100 is intended for use by anyone with responsibility for any of the following:
  Ensuring an organization achieves its objectives
  Ensuring risks are proactively managed in specific areas or activities
  Overseeing risk management in an organization
  Providing assurance on the effectiveness of an organization’s risk management
  Reporting to stakeholders through disclosures in annual financial statements, corporate governance reports and corporate social responsibility reports

BS 31100

 BS 31100 pays particular attention to the benefits of using a risk maturity model to improve an organization’s risk management capability.
 It describes how this type of planning tool contains the fundamental elements of effective risk management processes and depicts the evolutionary path from ad hoc to mature, repeatable processes.


FERMA: 2002

 FERMA: 2002 is a risk management standard adopted by the Federation of European Risk Management Associations.
 It was created by the Institute of Risk Management (IRM), the Association of Insurance and Risk Managers (AIRMIC) and ALARM, the National Forum for Risk Management in the Public Sector.

FERMA: 2002

 The standard sets out a strategic process, starting with an organization’s overall objectives and aspirations, through to the identification, evaluation and mitigation of risk, and finally the transfer of some of that risk to an insurer.
 FERMA: 2002 adopts the definition of risk as the combination of “the probability of an event and its consequences.”
 The standard is careful to emphasize the view that in any risk-related circumstance there are “opportunities for benefit (upside) or threats to success (downside).”
 Management of these opportunities and threats is described as a key part of any organization’s strategic planning.

FERMA: 2002

 Risk management is described as the methodical process of identifying all risks to achieving objectives and then applying risk treatments that add “maximum sustainable value to the organization.”
 Because the process of risk management addresses the entire organization through the risk identification process, it must be integrated as part of the organization’s culture. This includes assigning responsibility for managing risks as a part of the job description of managers and employees to promote operational efficiency at all levels.

FERMA: 2002

[Figure]

FERMA: 2002

 The standard states that risk treatment practices, at a minimum, should be consistent with the effective, efficient operation of the organization; should have effective internal controls; and should comply with all applicable laws and regulations.
 It defines the roles of various groups within the organization, as well as their responsibilities for communicating and monitoring risks.
 It also identifies specific roles for the board, business units, the risk management unit and internal audit.

FERMA: 2002 Roles and Responsibilities

Functional role: Responsibilities

Board: Overall direction of the risk management process, including strategic risk management, and for creating the environment and the structures for risk management to operate effectively.

Business units: Managing day-to-day risks, for promoting risk awareness within their operations, and for incorporating risk management into the planning, as well as operational aspects, of their work.

Risk management units: Building a risk-aware culture, setting policy and strategy for risk management, and being the primary champion of risk management at the strategic and operational level.

Internal audit: Focusing on significant risks identified by management and auditing the risk management processes across the organization; providing assurance on the management of risk and giving active support and involvement in the risk management process.

FERMA: 2002

 It is similar to ISO 31000 and COSO: 2004, in that it highlights the importance of a risk management monitoring process as a tool for continuous improvement.
 Specific to the FERMA standard is the inclusion of regular audits of compliance with risk management policies and standards, and assurance that there are appropriate risk treatments in place and that the treatment procedures are understood and followed, in order to determine whether the intended results were efficiently obtained.

Solvency II: 2014

 Solvency II is a regulatory standard that came into effect for insurance companies located or doing business in the European Union by January 1, 2016.
 The economic principles for the measurement of assets and liabilities associated with Solvency II are outlined in three pillars, as described below:
  Quantitative requirements (for example, the amount of capital an insurer should hold)
  Requirements for the governance and risk management of insurers, as well as for the effective supervision of insurers
  Disclosure and transparency requirements

Solvency II

 Solvency II takes a “three lines of defence” approach to protecting the organization against risk through appropriate governance. The three lines are:
1. Risk management. The daily activity of board and management in identifying, assessing, managing and reporting risk.
2. Risk oversight. The review process starting at the board (or board risk committee), executive committees such as credit, ALM and operational, through to the chief risk officer, and on to business unit risk officers.
3. Risk assurance. The audit process, starting at the audit committee of the board, which may include compliance activity.

Capability maturity model

 It is a tool for assisting management in thinking more clearly about such questions as:
  How capable do we want our risk management to be as we improve our policies, processes and measures for each of our priority risks?
  Do we want to vary the rigour and robustness of our risk treatment activities by risk?
  Do we rely on a few well-qualified individuals to manage a particular risk in an ad hoc manner and regularly put out fires? Or do we improve our capabilities?

Capability Maturity Model

[Figure]

Application in Practice

 Management must decide how much added capability is needed to achieve the selected risk treatment (desired state).
 The objective is to select and design capabilities that provide the ‘best fit’ with the core competencies that would be reasonably expected of an organisation executing the enterprise’s business model and strategy.
 The desired state varies by risk.
 Once the current and desired states are identified and documented, management has to evaluate the expected costs and benefits of increasing risk management capabilities.
 Actionable steps to close the gaps become an integral part of the management’s business plan.

Why take a staged approach?

 It is systematic from a change-enablement perspective, i.e. it is least disruptive to the firm and is more in line with the change readiness of its personnel.
 The deployment of capability maturity models in managing software solutions has proven that a staged approach increases the chances of a successful implementation.
 The entity’s change management plan should address how the enterprise transitions from the current state and how quickly.
 Use the six elements of infrastructure and the capability maturity model to facilitate this planning.

Exercise

 Identify the stage your organisation is at in implementing ERM, list the capabilities you have to put in place and the steps you have to follow to attain your desired state.

Comparing Standards

[Figure]

Similarities Among the Standards

All require:
 Adoption of an enterprise approach, with executive-level sponsorship and defined accountabilities
 Structured process steps, oversight and reporting of the identified risks
 Understanding and accountability for defining risk appetite and acceptable tolerance boundaries
 Formal documentation of risks in risk assessment activities
 Establishment and communication of risk management process goals and activities
 Monitored treatment plans

Comparing Standards

 ISO 31000 puts the emphasis squarely on risk management as a strategic discipline for making risk-adjusted decisions, rather than a compliance-based function.
 In ISO 31000 there is little discussion of a portfolio view and of the interrelated dependencies that risks may have on an organization’s objectives, such as is contained in the RIMS RMM attribute Risk Appetite.
 The OCEG ‘Red Book’ 2.0: 2009 Capability Model relies heavily on an integrated technology platform as an enabling tool to identify and assess risk for prevention and/or remediation purposes.

Comparing standards

 COSO, more than any other framework, places a greater degree of responsibility on the board, requiring not only that the Board support ERM but that it have direct involvement in the ERM process.
 However, the COSO framework’s ERM components and associated Application Techniques do not speak to root cause analysis or business resiliency and sustainability.
 The FERMA 2002 standard describes the necessary component parts of an ERM framework. These components represent “best practice[s] against which organizations can measure themselves.”

Summary

 Standards and guidelines tend to be conceptual, with little guidance on practical implementation
 There are more similarities than differences among standards and guidance documents
 Elements in each of the standards and/or guidelines may be useful or adaptable for specific organizations

Benefits of Using Recognized Standards

 Set of benchmark tools and processes
 Systematically identify risks and obstacles
 Problem-solving and decision-making tools
 Inclusive process
 Specialized training
 Establishes operational controls/procedures
 Measurable/verifiable goals and methods for accomplishing identified objectives
 Protect reputation and brand
 Model for continual improvement
 Proactively improve organizational resiliency and sustainability

End of Slides