RiskManagementFramework Chapter4
net/publication/355978926
Author: Sonjai Kumar, Fortune Institute of International Business, New Delhi, India
All content following this page was uploaded by Sonjai Kumar on 07 November 2021.
Seizing opportunities
COSO Cube - One Side
COSO has covered objectives under four categories:
Strategic – high-level goals, aligned with and supporting its mission
Operations – effective and efficient use of its resources
Reporting – reliability of reporting
Compliance – compliance with applicable laws and regulations.
Reporting and Compliance objectives are within the control of the management.
Strategy and Operations are exposed to external events and are not in the control of management.
Second Side of the Cube
Under COSO there are eight components of ERM:
1. Internal Environment: the tone of an organization, and how risk is viewed and addressed by the organization, including its risk management philosophy and risk appetite.
2. Objective Setting.
3. Event Identification: internal and external events affecting the achievement of objectives must be identified, distinguishing between risks and opportunities.
4. Risk Assessment: risks are analyzed, considering likelihood and impact.
5. Risk Response: avoiding, accepting, reducing, or sharing risk.
6. Control Activities: policies and procedures are established and implemented.
7. Information and Communication: relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
8. Monitoring.
Third Side of the Cube
ERM considers activities at all levels of the organization:
Enterprise level
Division level
Business unit level
Subsidiary level
Limitations of Risk Management
COSO mentions that risk management has limitations that result from human judgment in decision making, from decisions on responding to risk, and from simple errors or mistakes; controls can be circumvented, and management has the ability to override enterprise risk management decisions.
“Barring in the countries where Covid-19 reached in January and February, the world was waiting to spread the fire further and it did,” commented Sonjai Kumar, CMIRM, Global Ambassador, IRM India. “Why don’t our risk management frameworks have buttons which prompt taking immediate actions rather than leaving the actions for the decision makers?”
“It’s like having an immediate sprinkler system as soon as a fire is visible or smoke is there. If we need to protect the world for the next disaster that may come anytime in the presence of global warming, we need to tighten up the risk management framework that everyone must agree as a part of national constitution. The losses to human life and economic cost are enormous, we have to have a sprinkler system and decision making cannot be left to choice.”
Closing Remark on COSO 2004
It can be seen that the various components of risk management that we have covered in the first three modules have been rearranged in the COSO 2004 framework. It is important to know what is covered in each framework so that a lack of awareness does not cause any knowledge discomfort.
COSO 2017 Framework-1
The new COSO 2017 version, now called Enterprise Risk Management—Integrating with Strategy and Performance, highlights the importance of strategy-setting and performance. The Framework is organized into five easy-to-understand components, replacing the Cube.
COSO 2017 Framework-2
COSO 2017 Framework-3
4. Review and Revision: assess how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
In the 2004 Cube this was covered under Risk Response and Control Activities.
5. Information, Communication, and Reporting: enterprise risk management requires sharing necessary information, from both internal and external sources, which flows up, down, and across the organization.
COSO 2017 Framework-4
The five components in the Framework are split into 20 manageable principles. Most of these principles are derived from the descriptions given on the previous slide. Adhering to these principles can provide management and the board with a reasonable expectation that the organization will be able to manage the risks associated with its strategy and business objectives.
ISO 31000 2009
Definition of risk in ISO 31000: “effect of uncertainty on objectives of organization”.
The ISO 31000 risk management framework provides guidance on performing risk management in an effective and efficient manner.
The ISO 31000 International Standard can be used by any public, private or community enterprise, association, group or individual.
This International Standard can be applied throughout the life of an organization.
There are three key building blocks of the ISO 31000 standard; they are:
Principles,
Framework, and
Process.
ISO 31000 Components
These three building blocks are:
ISO 31000 - 11 Principles
1. Risk management creates and protects value;
2. Risk management is an integral part of all organizational processes;
3. Risk management is part of decision making;
4. Risk management explicitly addresses uncertainty;
5. Risk management is systematic, structured and timely;
6. Risk management is based on the best available information;
7. Risk management is tailored;
8. Risk management takes human and cultural factors into account;
9. Risk management is transparent and inclusive;
10. Risk management is dynamic, iterative and responsive to change;
11. Risk management facilitates continual improvement of the organization.
ISO 31000 - 5 Framework
1. Mandate and commitment: the first component of the framework states that the organization is to give a mandate for the adoption and implementation of risk management within the organization.
2. Design of framework for managing risk: the company needs to ensure that it understands the risk, sets up risk management policies, sets accountability, etc.
3. Implementing risk management: where the company actually implements the risk management process within the company.
4. Monitoring and review of the framework: a mechanism for monitoring performance so as to provide the feedback loop.
5. Continual improvement of the framework: to complete the feedback loop of the monitoring exercise.
ISO 31000 Process
The risk management process is similar to risk identification, measurement, management, monitoring and reporting, under different nomenclature: identification, analysis, evaluation and treatment, with monitoring and communication alongside.
Under Establishing the context: the organization articulates its objectives, defines the external and internal parameters to be taken into account when managing risk, and sets the scope and risk criteria for the remaining process.
ISO 31000 2018 - Principles
1. The definition of risk is retained as “effect of uncertainty on objective”.
2. Some of the principles of risk management have been changed, while many are retained. There are now 8 principles, and the principle of creating and protecting value has moved to the centre.
ISO 31000:2009 principles, with the changes made in 2018 noted against each:
Risk management creates and protects value; (moved to the centre)
Risk management is an integral part of all organizational processes;
Risk management is part of decision making;
Risk management explicitly addresses uncertainty;
Risk management is systematic, structured and timely; (tweaked to Structured and Comprehensive)
Risk management is based on the best available information;
Risk management is tailored; (renamed Customised)
Risk management takes human and cultural factors into account;
Risk management is transparent and inclusive;
Risk management is dynamic, iterative and responsive to change;
Risk management facilitates continual improvement of the organization.
ISO 31000 2018-Principles
ISO 31000 2018 - Framework
Leadership and Commitment
In ISO 31000 2009 the framework started with Mandate and Commitment. In 2018 this was changed to Leadership and Commitment. This is a very important change, as it ensures that management buys in to the development of risk management.
Integration
Integration of risk management within the organization is a necessary condition for ERM.
Design
In 2009 this was the design of the risk management framework; in 2018 this item is divided into five parts:
Understanding the organization and its context
Articulating risk management commitment
Assigning organizational roles, authorities, responsibilities and accountabilities
Allocating resources
Establishing communication and consultation
Implementation
This is the same as in 2009: the implementation of risk management.
Evaluation & Improvement
In 2009 this was under one category of review and monitor.
ISO 31000 2018 - Process
The process has remained the same except for the addition of recording and reporting, which was inherently assumed under communication.
Summary
Risk Appetite in the Context of Business
The COSO defines risk appetite as:
Enhancing Value and Natural Tension
Enhancing Value
The third approach COSO has recommended is developing the appetite not only for downside risk but also for upside risk, in order to enhance value.
Natural Tension
COSO has defined natural tension in risk appetite as a situation where one appetite statement appears to support a decision while conflicting with another statement.
For example, a company is willing to accept more risk to grow its customer base, but wants to keep the same gross margin while maintaining the current amount of risk to its profit margin.
Stakeholders
Risk appetite is set in the context of different stakeholders such as shareholders, customers, the regulator, the environment, health hazards, etc.
For example, in the pursuit of industrial development, companies may have added shareholder value but destroyed environmental value.
The customer’s risk appetite is to be at the centre.
Nokia is an example of not considering customer demand.
Validating Risk Appetite
COSO has discussed the following approaches to validating appetite:
Back-testing the assumptions
Comparing with peer companies’ and industry data
Looking at the emerging trend
What-if analysis
These approaches are quite similar to the approach used in actuarial work to test the assumptions taken in pricing, or in setting assumptions for new products where data is very scanty.
Risk appetite is how much risk you will take to fulfil your objective; that is, how much deviation you can bear from your central assumption.
If the long-term interest rate assumption (say over 15 years) is 6%, then what is your risk appetite?
This could be, say, 0.75% up or down.
When you price the product you test the sensitivity of the results, such as the profit margin, if the interest rate turns out to be 6.75% or 5.25%, and see whether the margin is still within the profit margin appetite or not. If not, redesign the product.
How do you set the 6% interest rate assumption and the risk appetite?
Scanty Data, Emerging Trend and What-if Analysis
If your company has no experience of its own in a new market it wants to enter, then you look at industry data or the data of those companies who already have these products.
Looking at the emerging trend is very important because past data may or may not be relevant, so a credibility factor is used to decide how much weight to give to current and past data.
Initially more weight is assigned to past data, and reliance on the emerging experience is slowly increased as new information starts coming in.
Life insurance is a long-term business and many risk management techniques are used in setting the different assumptions. To price a product you need interest rate, mortality, expense, lapse and tax assumptions, etc.
What-if analysis is another strong risk management tool for checking whether you can stay within your risk appetite or not. For example, the company wants to test how far the interest rate has to fall for its margin to turn out to be zero.
So if, for the next 15 years, today’s interest rate is 7%, you have priced at 6%, and the margin will be 0% at a 4.5% interest rate, then you know when to take a decision on your product.
Risk Tolerance
Risk appetite is a broad-based description of the desired level of risk that an entity will take in pursuit of its mission.
Risk tolerance reflects the acceptable variation in outcomes related to specific performance measures linked to the objectives the entity seeks to achieve.
Risk tolerance is the level of risk that an organization can accept per individual risk.
For example, you will take risk up to the risk appetite of Rs. 200 Cr, say, across the company’s five risks in total; however, for each individual risk the tolerance range is plus or minus 10%, while the overall risk should remain within Rs. 200 Cr.
If for each of the five risks the individual capital allocated is Rs. 40 Cr, then the tolerance range is between Rs. 36 Cr and Rs. 44 Cr; however, the total risk should not breach the overall risk appetite limit of Rs. 200 Cr.
Three Lines of Defense
The goal for any organization is to achieve its business objectives.
It needs to create the right structure to facilitate taking appropriate risks and managing them. Such a structure is the three lines of defense model.
The three lines of defense model helps in segregating roles and responsibilities.
Everyone in an organization has some responsibility for internal control, but to help assure that essential duties are performed as intended, the model brings clarity to specific roles and responsibilities.
The three lines of defense help in effective operation, reduce gaps and avoid unnecessary duplication of effort.
Three Lines of Defense Structure
First Line of Defense
The first line of defence is the business and process owners, who facilitate the achievement of business objectives by managing risks.
The first line owns the risk, and the design and execution of the organization’s controls to respond to those risks.
The first line is responsible for:
Day-to-day risk management decision making
Risk identification, assessment, mitigation, monitoring and management
Effective implementation of the risk management framework, including reporting and escalation
Examples of the first line of defence are Sales, Marketing, Finance, Operations, Investments, Strategy, HR, etc.
Second Line of Defense
The second line of defence helps the management through expertise, process excellence, and management monitoring alongside the first line, to help ensure that risk and control are effectively managed.
The second line of defence functions are separate from the first line of defence but are still under the control and direction of senior management.
The second line is an oversight function.
Typical roles of the second line of defence are:
➢ Review and challenge first line work
➢ Oversight of risk and its appetite
➢ Develop the risk management framework
➢ Independent reporting and escalation
➢ Provide specialist advice and training
Examples of the second line of defense are:
➢ Risk Management
➢ Information Security
➢ Physical Security
➢ Quality
➢ Health and Safety
➢ Compliance, etc.
Third Line of Defense
Importance of Risk Management Policies
Reactive mindset: in many organizations risk management is a reactive process, where the company acts when a crisis happens and only then starts formulating risk management practices.
Policies are not useful: the company believes that policies and procedures are merely for documentation purposes.
Defining policies: risk management policies are high-level documents that define the principles and objectives of what is covered under the given document.
Importance of Risk Management Policies-2
The advantages of risk management policies are:
Giving direction to the company on how to handle each of the risks
Risk Management Framework Policy: the overall way to manage the risk
Individual policies are based upon the line of business
Written-down content helps in implementing risk management practices