The standard provides the principles and guidelines for managing any form of risk in a systematic, transparent and credible manner and within any scope
and context.
Eleven characteristics of risk management
Take the Organization's context into consideration when managing risk. Context means both external context (for
example its political, social, regulatory, legal and financial environment) and internal context (for example
governance, organisational structure, roles and accountabilities) as well as the main drivers and trends that could
have an impact on the Organisation achieving its objectives.
Having risk owners with ‘accountability, authority and appropriate competence for managing risk’.
Establishing risk management policy.
Embedding and integrating risk management into all of the Organisation's practices and processes by establishing
an enterprise-wide risk management function.
Closely aligned with your culture are the organisation's core values, such as individual ownership and accountability,
integrity, teamwork and collaboration, communications, and a commitment to excellence.
For example, reporting to your board on risk, on progress with the risk management plan and on how well
the risk management policy is being followed; and reviewing the effectiveness of the risk
management framework from time to time (4.5).
Once the risk management framework has been in operation for a period, each Organisation should
consider how the framework, policy and plan can be improved (continual improvement of the
framework 4.6).
Consider your organization's context when you define the scope of its risk
management program, formulate its risk management policy, and when you establish
its risk criteria. Context would include things such as the size and scale of your
Organisation, which activities you carry out, your location, experience, changes in your
operating environment etc.
2. COSO: 2004 Enterprise Risk Management - Integrated Framework (The Committee of Sponsoring Organizations)
COSO ERM recommends that organisations introduce ERM to better connect risk monitoring with the development
and protection of the organisation's value creation.
COSO’s goal is to improve the quality of financial reporting through a focus on corporate governance, ethical practices, and internal control.
It defines ERM as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and
across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.”
1. Internal environment
2. Objective setting
3. Event identification
4. Risk assessment
5. Risk response
6. Control activities
7. Information and communication
8. Monitoring.
Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process
in which almost any component can and does influence another.
Entity's Objectives:
Strategic
Operations
Reporting
Compliance.
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes
[Figure: COSO ERM framework overview and its application]
Internal environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Considers all other aspects of how the organization’s actions may affect its risk culture.
Objective setting
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.
Example: Minimize the number of students on academic probation for multiple terms
Event identification
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy
setting.
Risk assessment
• Allows an entity to understand the extent to which potential events might impact objectives, in terms of:
- Likelihood
- Impact
• The same unit of measure is used to assess risks and is normally also used to measure the related objectives.
• Assesses risk on both an inherent and a residual basis. Inherent risk: the risk that an activity would pose if no controls or other
mitigating factors were in place (the gross risk, or risk before controls). Residual risk: the risk that remains after controls are taken
into account (the net risk, or risk after controls).
Example: High
Risk response
• Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will
reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.
Example: Reduce, Avoid
Control activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
Example: Advising videos
Information and communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out
their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.
Monitoring
• Separate evaluations.
Example: Annual survey
Tasks to complete
Internal environment
Risk assessment
Monitoring
Organizational Design
• Related objectives that cascade down the organization from key business objectives
Example:
• Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets
• Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this
year
Establish ERM
Assess Risk
• Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining
how risks should be managed.
Environmental Risks
– Capital Availability
– Operations Risk
– Empowerment Risk
– Integrity Risk
– Financial Risk
– Operational Risk
– Financial Risk
– Strategic Risk
[Figure: risk analysis process (identification, measurement, prioritization) and response options (control it; share or transfer it; diversify or avoid it) at activity level and entity level]
www.theiia.org
• Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
• Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable
variation).
Key questions:
• What risks will the organization not accept? (e.g. environmental or quality compromises)
• What risks will the organization take on new initiatives? (e.g. new product lines)
• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
• Options available:
- Accept = monitor
- Control
- Share
- Mitigate & Control
[Figure: risk response matrix with Impact on the vertical axis; quadrants labelled Accept, Control, Share, and Mitigate & Control; regions marked Low Risk and Medium Risk]
Example: Call Center Risk Assessment
[Figure: call-centre risks placed on the impact/likelihood matrix: Loss of phones, Credit risk, Loss of computers, Customer has a long wait; cells labelled Medium Risk and High Risk]
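The inherent/residual distinction and the response options above, as an added Python example that is not part of the COSO or IIA material: a small risk register that scores each call-centre risk before and after controls and picks a response relative to the stated risk appetite. The 3-point scales, the rating thresholds, the control model and the quadrant rules are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed 3-point scales for likelihood and impact: 1 = low, 2 = medium, 3 = high.
HIGH = 3
ORDER = ["Low", "Medium", "High"]

@dataclass
class Risk:
    name: str
    likelihood: int          # gross likelihood, before any controls
    impact: int              # gross impact, before any controls
    control_effect: int = 0  # likelihood points removed by existing controls (assumed model)

def rate(score: int) -> str:
    """Map a likelihood x impact product (1..9) to a rating; thresholds are assumed."""
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def inherent_score(r: Risk) -> int:
    """Inherent (gross) risk: likelihood x impact with no controls credited."""
    return r.likelihood * r.impact

def residual_score(r: Risk) -> int:
    """Residual (net) risk: likelihood after controls are credited, impact unchanged."""
    return max(1, r.likelihood - r.control_effect) * r.impact

def response(r: Risk, appetite: str = "Medium") -> str:
    """Pick a response for the residual risk against the appetite (assumed matrix rules):
    within appetite -> Accept (monitor); high impact and high likelihood -> Mitigate & Control;
    high impact only -> Share (transfer); otherwise -> Control (reduce likelihood)."""
    if ORDER.index(rate(residual_score(r))) <= ORDER.index(appetite):
        return "Accept (monitor)"
    net_likelihood = max(1, r.likelihood - r.control_effect)
    if net_likelihood == HIGH and r.impact == HIGH:
        return "Mitigate & Control"
    return "Share" if r.impact == HIGH else "Control"

# Constructed register using the call-centre risks named on the page; the scores are made up.
REGISTER = [
    Risk("Loss of phones", likelihood=2, impact=3, control_effect=1),
    Risk("Credit risk", likelihood=3, impact=3),
    Risk("Customer has a long wait", likelihood=3, impact=2),
    Risk("Loss of computers", likelihood=1, impact=2),
]

def report(register=REGISTER, appetite="Medium"):
    # Returns {name: (inherent rating, residual rating, response)} for each risk.
    return {r.name: (rate(inherent_score(r)), rate(residual_score(r)), response(r, appetite))
            for r in register}
```

Lowering the appetite to "Low" changes the decision for the same register, which is the point of tying the response to appetite rather than to the raw score.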
Communicate Results
Monitor
• Perform analysis
• Ownership
• Updates
- Changes in systems
- Changes in processes
Internal Control
A strong system of internal control is essential to effective enterprise risk management.
Risk is “the possibility of loss”; risk can be divided into risk (downside) or opportunity (upside), and may be internal, external or both.
Risk comes from not knowing what you're doing. (Warren Buffett)
Successful organizations have learned that the higher the risk, the more necessary it is to engage everyone's commitment and
intelligence. (Margaret Wheatley)
Control Activities
• The policies and procedures that help ensure that management directives are carried out.
• Help ensure that the necessary actions are taken to address risks during the achievement of company objectives.
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to
operating the enterprise day-to-day.