CHAPTER 4
Risk Management
Risk is the possibility that an event will occur and adversely affect the achievement of an objective.
Risk begins with strategy formulation and objective setting.
Risk does not represent a single point estimate.
Risks may relate to risk mitigation or to exploiting opportunities.
Risks are inherent in all aspects of life.
Business Risks
Business risks are those specifically associated with organizations conducting a form of business: uncertainties regarding threats to the achievement of business objectives. The extensive business risks need to be addressed through ERM.
9/10/2013
Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Internal environment
Objective setting
Event identification
Risk assessment
Risk response
Control activities
Information and communication
Monitoring
Objective Setting
Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Objectives are set with specific risk tolerances.
Risk Management Philosophy - a set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.
Risk Appetite - the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It is a guidepost in strategy setting.
Risk Tolerance - the acceptable levels of variation relative to the achievement of objectives. It aligns with risk appetite. Tolerance levels relate to specific outcomes.
The vehicle MasterCard uses to define appetite expresses risk appetite through tolerance ranges for several key performance measures.
Event Identification
Economic events
Natural environment events
Political events
Social events
Technological events
Risk Assessment
Risks are assessed on both an inherent and a residual basis. Inherent Risk (Gross Risk) is the level of risk (potential impact and corresponding likelihood) without giving consideration to the risk management activities, which include controls that are designed to manage the risk. Residual Risk (Net Risk) is the remaining level of risk after such controls are executed.
Impact
Likelihood
Other criteria may include:
Speed of onset
Controllability
Speed of reaction
Interdependencies with other risks
Monitorability
Third-party impact
Reduction
Sharing
Acceptance
Avoidance
Control Activities
Policies and procedures that help ensure that management's risk responses are carried out
Executive review
Direct management activities
Information processing controls
Physical controls
Performance indicators
Segregation of duties
Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
Monitoring
A systematic and continual process for assessing significant risks facing the enterprise: the risks that are most consequential to an organization's ability to
Execute its strategy
Achieve its business objectives
Build and protect value
1. Achieve a deep understanding of the strategy of the organization
2. Gather views and data on strategic risks
3. Prepare a preliminary Strategic Risk Profile
4. Validate and finalize the Strategic Risk Profile
5. Develop a Strategic Risk Management Action Plan
6. Communicate the Strategic Risk Profile and Strategic Risk Management Action Plan
7. Implement the Strategic Risk Management Action Plan
How can we ensure that the internal audit plan supports the overall business objectives? Consider adopting a well-planned audit rotation program.
The internal audit function's audit plan should be designed based on an assessment of the risks and exposures that may affect the organization, to provide management with:
Information to mitigate the negative consequences associated with accomplishing the organization's objectives
An assessment of the effectiveness of management's risk management activities
Educate the board and management on the benefits of implementing ERM.
Perform or facilitate an enterprise-wide risk assessment.
Determine the board's and/or management's risk tolerance levels.
Report to the audit committee on the accuracy and completeness of management's risk communications.
Outline key procedures that management should consider if they do decide to implement ERM.
Evaluating risk management processes
Evaluating the reporting of key risks
Reviewing the management of key risks
Giving assurance on the risk management processes
Giving assurance that risks are correctly evaluated
Facilitating identification and evaluation of risks
Coaching management in responding to risks
Coordinating ERM activities
Consolidating the reporting on risks
Maintaining and developing the ERM framework
Championing establishment of ERM
Developing ERM strategy for board approval
Setting the risk appetite
Imposing risk management processes
Management assurance on risks
Taking decisions on risk responses
Implementing risk responses on management's behalf
Accountability for risk management
Establishing [ERM] policies
Framing authority and accountability for [ERM] in business units
Promoting [ERM] competence throughout the entity
Guiding integration of [ERM] with other business planning and management activities
Establishing a common risk management language that includes measures around likelihood and impact, and common risk categories
Facilitating managers' development of reporting protocols
Reporting to the chief executive on progress and outliers and recommending action as needed