Professional Documents
Culture Documents
188.enterprise Risk Management
188.enterprise Risk Management
Purpose
concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)
Why ERM Is Important
Underlying principles:
management …
•… to effectively deal with
uncertainty and associated risk
and opportunity, and thereby
enhance its capacity to build
value.
•
A dynamic process that includes
…
– Identification of potential events that may impact
objectives
– Risk assessment and response
– Consideration of risks in formulation of strategy
– Application across the entity
– Managing risk is to be within the entity’s risk appetite
– A portfolio view of risks at the entity-level is taken
– Monitoring the performance of ERM
ERM provides enhanced
capabilities to …
•… align risk appetite and strategy;
link growth, risk, and return;
enhance risk-response decisions;
minimise operational surprises and
losses; identify and manage cross-
enterprise risks; provide integrated
responses to multiple risks; seize
opportunities; and rationalise capital.
Some “new” concepts in the ERM
Framework
– Events and risks
– Applying risk management in strategy
setting
– Risk appetite and risk tolerance
– Portfolio view
Events and risk
Risk Tolerances
Management
• Provides enhanced capability to:
– Align risk appetite and strategy
– Link growth, risk and return
– Enhance risk response decisions
– Minimize operational surprises and losses
– Identify and manage cross-enterprise risks
– Provide integrated Reponses to multiple
risks
– Seize opportunities
– Rationalize capital
Definition
Integrated Framework
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
The ERM Framework
• Strategic
• Operations
• Reporting
• Compliance
The ERM Framework
• Information
• Strategic and Integrated
Systems
• Communication
Monitoring component
Integrated Framework
• Expands and elaborates on elements
of internal control as set out in COSO’s
“control framework.”
FES
ERM ERM Commodity
Manager Manager Risk Mg.
Director
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Process
Identification Control It Level
Share or Activity
Measurement Transfer It Level
Diversify or
Prioritization Avoid It
Entity Level
Key questions:
• Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone
(e.g. insurance)
I
M Share Mitigate & Control
P
A Low Risk Medium Risk
C
T
Accept Control
Assessment
High Medium Risk High Risk
• Loss of phones • Credit risk
Loss of computers Customer has a long wait
I
• •
• Customer can’t get through
M • Customer can’t get answers
P
A Low Risk Medium Risk
C
Fraud • Entry errors
T •
• Lost transactions • Equipment obsolescence
• Employee morale • Repeat calls for same problem
Process
Control Risk Control
Objective Activity
• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
Management Oversight &
Periodic Review
• Accountability for risks
• Ownership
• Updates
-Changes in business objectives
- Changes in systems
- Changes in processes