Enterprise Risk Management. Course: Good Governance. Guide to the Supervisory Directorship: Relationship between Supervisory Directors and Auditors. Steven Martina, 17 January 2009




Page 1

Enterprise Risk Management

Course: Good Governance

Guide to the Supervisory Directorship: Relationship between Supervisory Directors and Auditors

Steven Martina, 17 January 2009

Page 2

Enterprise Risk Management

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Page 3

Page 4

The COSO Framework

The COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Page 5

The ERM Framework

ERM considers activities at all levels of the organization:

• Enterprise-level
• Division or subsidiary
• Business unit processes

Page 6

The ERM Framework

Entity objectives can be viewed in the context of four categories:

• Strategic
• Operations
• Reporting
• Compliance

Page 7

The ERM Framework

The eight components of the framework are interrelated …

Page 8

Internal Environment

• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.

• Establishes the entity’s risk culture.

• Considers all other aspects of how the organization’s actions may affect its risk culture.

Page 9

Objective Setting

• Is applied when management considers risk strategy in setting objectives.

• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.

• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Page 10

Event Identification

• Differentiates risks and opportunities.

• Events that may have a negative impact represent risks.

• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Page 11

Event Identification

• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.

• Addresses how internal and external factors combine and interact to influence the risk profile.

Page 12

Risk Assessment

• Allows an entity to understand the extent to which potential events might impact objectives.

• Assesses risks from two perspectives:
  - Likelihood
  - Impact

• Is used to assess risks and is normally also used to measure the related objectives.

Page 13

Risk Assessment

• Employs a combination of both qualitative and quantitative risk assessment methodologies.

• Relates time horizons to objective horizons.

• Assesses risk on both an inherent and a residual basis.

Page 14

Key Questions for Risk Assessment

1. Where/what can we improve? Where does the shoe pinch? What goes wrong?
2. Which process is concerned?
3. Where do we run risks? What is the risk?
4. What is the cause?
5. What are the consequences if policy remains unchanged?
6. How can we classify the risk?
7. How can we best control the risk?
8. What do we need to do for that?
9. What is the cost/benefit ratio?
10. How can we best steer the required action?

[Figure: Probability / Impact matrix, both axes running from L (low) to H (high)]

Page 15

CI-VERA 2009 Curacao Accountants in Business

RISK IMPACT ASSESSMENT

IMPACT          | LOW                                   | MEDIUM                                        | HIGH
EBITDA          | Loss less than 1% compared to budget  | Loss between 1% and 10% compared to budget    | Loss more than 10% compared to budget
MARKET POSITION | Remaining market position             | Drop from nr.3 to nr.4 position               | Drop from nr.3 to nr.5 position
REPUTATION      | No negative press                     | Limited negative press; regulator warning     | Excessive negative press; regulator sanction
GROWTH          | Losing less than 1% growth target     | Losing between 1 and 3% growth target         | Losing more than 3% growth target

SCORE: 1 2 3 4 5 6 7 8 9 10 (LOW to MEDIUM to HIGH)

Page 16

Risk Response

• Identifies and evaluates possible responses to risk.

• Evaluates options in relation to entity’s risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.

• Selects and executes response based on evaluation of the portfolio of risks and responses.

Page 17

Control Activities

• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.

• Occur throughout the organization, at all levels and in all functions.

• Include application and general information technology controls.

Page 18

Information & Communication

• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.

• Communication occurs in a broader sense, flowing down, across, and up the organization.

Page 19

Monitoring

Effectiveness of the other ERM components is monitored through:

• Ongoing monitoring activities.

• Separate evaluations.

• A combination of the two.

Page 20

Risk Management (the embedding)

[Figure: COSO ERM cube. Components (front face, bottom to top): Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information and Communication, Monitoring. Objective categories (top face): Strategic, Operations, Reporting, Compliance. Organisational levels (side face): Entity-level, Division, Business unit, Subsidiary. The cube is annotated with the tools and practices that embed each component: SWOT/PEST, 6 Sigma, Risk appetite, CO2/GHG, SOX, L. Hubbard (ed.), Corporate planning, Customer feedback, BSC, Performance system, TQM, COSO project, EH&S, Loss prevention, Newsletters + websites, IA, Budget + Profit Plan, Policies + Procedures Guides, Internal Audit, COBIT for IT, Continuous monitoring, ERP.]

Page 21

Risk classification (diagram centred on Fatum)

External environment:
• External crime
• Business environment

Internal control environment:
• Internal culture
• Risk management (quality)
• Organisational structure
• Personnel (quality)

Strategic risks:
• Strategy development
• Strategy planning
• Strategic steering

Operational risks:
• Processes
• ICT
• Project management
• Information security
• Internal fraud
• Compliance
• Complaints management
• Legal
• Safety
• Business continuity

Financial risks:
• Concentration
• Credit
• Liquidity
• Interest
• Currency
• Mismatch
• Solvency
• Insurance technical provisioning
• Reinsurance
• Tax

Reporting risks:
• External reporting
• Internal information provision

Page 22

ERM – Risk Hierarchy

REPUTATIONAL RISK

STRATEGIC RISK

MARKET RISK / CREDIT RISK / OPERATIONAL RISK

Page 23

RM can/should be about more than audit

[Figure: value added for the insurer plotted against stages of development, grouped into three phases: Insurance & Compliance, Core risk management, Risk-return optimisation.]

Stages of development (I to VII, earliest first):

I. “Risk management equals buying reinsurance” → Risk transfer via reinsurance

II. “Regulators are demanding risk management activities” → Over-reliance on ‘checklists’, false sense of security

III. “We need a sustainable process for monitoring all our risks” → Qualitative RM

IV. “We need to know the economic impact of our largest risks” → Specific risk quantification

V. “Risk needs to be quantified comprehensively” → Over-control by centralized risk management, initial quant models too primitive

VI. “Shareholders demand a risk/return framework” → Risk and growth appetite defined, risk dynamically measured and aggregated properly

VII. “Decision making across firm is linked to building economic value” → Risk adjusted resource allocation at all levels

Page 24

[Figure: diagram with the labels VOR, VOC and VOB]

Page 25

The chaotic reality

• In reality a bizarre and chaotic whole of activities

• Anticipating the positive and negative aspects of risk

• All kinds of risk classifications
• Countless different perspectives
  – Sometimes fitting together well
  – Sometimes not
  – Sometimes even mutually exclusive

Page 26

THE PROCESS

Page 27

Risk Life Cycle

[Figure: flowchart across the phases Initiation → Assessment → Monitoring → Control, with the Audit Committee, MT, Internal Audit and External Audit as participants. A Request starts the cycle; Risk Sessions feed a Risk Assessment that scores Probability (L/M/H) and Impact (L/M/H). Where Impact >= “M” and Probability >= “M”, the question “In Control?” is asked: if yes, the risk is recorded as “Management Considered in Control” and monitored; if no, a Risk Corrective Action follows.]
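The impact scale on page 15 and the escalation rule on the life-cycle slide above can be turned into a small triage routine. The following Python is an added example, not code from the deck or its author: it encodes the four impact bands (EBITDA, market position, reputation, growth), rates a risk by its worst dimension (an assumption; the deck shows the columns side by side without saying how they combine), and applies the rule that only risks with Impact >= M and Probability >= M reach the "In Control?" question. Treating an unanswered "In Control?" as "not in control" and any market-position drop of two or more places as high are also assumptions of this example.

```python
"""Risk triage helper built from the deck's impact bands and escalation rule.

Added example; not from the original deck. Assumptions are marked in comments.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional


class Level(IntEnum):
    """Ordered L/M/H scale used on both axes of the probability/impact matrix."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


def ebitda_impact(loss_pct_vs_budget: float) -> Level:
    """EBITDA column: loss < 1% low, 1% to 10% medium, > 10% high."""
    if loss_pct_vs_budget < 1.0:
        return Level.LOW
    if loss_pct_vs_budget <= 10.0:
        return Level.MEDIUM
    return Level.HIGH


def growth_impact(growth_target_shortfall_pct: float) -> Level:
    """Growth column: shortfall < 1% low, 1% to 3% medium, > 3% high."""
    if growth_target_shortfall_pct < 1.0:
        return Level.LOW
    if growth_target_shortfall_pct <= 3.0:
        return Level.MEDIUM
    return Level.HIGH


def market_position_impact(positions_lost: int) -> Level:
    """Market position column: no drop low, one place (nr.3 to nr.4) medium,
    two places (nr.3 to nr.5) high. Rating any drop of two or more places as
    high is an assumption of this example."""
    if positions_lost <= 0:
        return Level.LOW
    if positions_lost == 1:
        return Level.MEDIUM
    return Level.HIGH


# Reputation column is qualitative, so it is an explicit mapping.
REPUTATION_IMPACT = {
    "no negative press": Level.LOW,
    "limited negative press; regulator warning": Level.MEDIUM,
    "excessive negative press; regulator sanction": Level.HIGH,
}


@dataclass
class Risk:
    name: str
    probability: Level
    ebitda_loss_pct: float = 0.0
    growth_shortfall_pct: float = 0.0
    positions_lost: int = 0
    reputation: str = "no negative press"
    in_control: Optional[bool] = None  # answer to "In Control?", if it was asked


def overall_impact(risk: Risk) -> Level:
    """Assumption: the worst-rated dimension drives the impact rating."""
    return max(
        ebitda_impact(risk.ebitda_loss_pct),
        growth_impact(risk.growth_shortfall_pct),
        market_position_impact(risk.positions_lost),
        REPUTATION_IMPACT[risk.reputation],
    )


def needs_control_check(risk: Risk) -> bool:
    """Escalation rule from the life-cycle slide: Impact >= M and Probability >= M."""
    return overall_impact(risk) >= Level.MEDIUM and risk.probability >= Level.MEDIUM


def next_step(risk: Risk) -> str:
    """Route a risk to its next life-cycle stage.

    Below the threshold the risk goes straight to monitoring. Above it, a 'yes'
    to "In Control?" is recorded as 'management considered in control' and the
    risk is monitored; a 'no' (or no answer yet, conservatively) triggers risk
    corrective action.
    """
    if not needs_control_check(risk):
        return "monitoring"
    if risk.in_control:
        return "monitoring (management considered in control)"
    return "risk corrective action"


def triage(risks: List[Risk]) -> Dict[str, str]:
    """Map each risk name to its next step."""
    return {r.name: next_step(r) for r in risks}


if __name__ == "__main__":
    # Constructed sample register; the figures are illustrative, not from the deck.
    register = [
        Risk("data-centre outage", Level.HIGH, ebitda_loss_pct=12.0,
             reputation="limited negative press; regulator warning", in_control=False),
        Risk("minor FX exposure", Level.LOW, ebitda_loss_pct=0.5),
        Risk("key-person dependency", Level.MEDIUM, growth_shortfall_pct=2.0, in_control=True),
    ]
    for name, step in triage(register).items():
        print(f"{name:25s} -> {step}")
```

The threshold check is deliberately a separate function from the routing so a risk committee can audit which items were ever asked the "In Control?" question; keeping the band edges (1%, 10%, 1%, 3%) in the rating functions rather than scattered through the routing logic makes the deck's scale the single place to change if the board revises its risk appetite.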

Page 28


RISK AND REWARD ARE INSEPARABLE. THE TWO TOGETHER MAKE A PERFORMANCE VALUABLE OR NOT!

Page 29


Most Risks do have a Reward!