Understanding Enterprise-wide Risk Management (ERM) - Juan Carlos B. Robles, Risk Management Partner, Punongbayan & Araullo - PowerPoint PPT Presentation

About This Presentation
Number of Views:296
Avg rating:3.0/5.0
Slides: 52
Provided by: acp2
Transcript and Presenter's Notes

1
Understanding Enterprise-wide Risk Management (ERM)
Juan Carlos B. Robles
Risk Management Partner
Punongbayan & Araullo
2
Contents
  • What is Risk?
  • Risk Management Frameworks
  • COSO ERM
  • The ERM Funnel
  • ERM and Corporate Governance
  • The Role of Auditors in ERM
  • What ERM Looks Like

3
What is Risk?
  • Risk is the probability that a disaster will
    happen (D).
  • Risk is the possibility of suffering from harm or
    loss (D).
  • Risk is a factor, thing, element, or course
    involving uncertain danger (D).
  • Risk is the chance that an investment's actual
    return will be less than expected (IB).
  • Risk is the possibility that an event will occur
    and adversely affect the achievement of an
    objective (COSO).
  • Risk is the likelihood that another thing could
    happen or not happen while trying to do something
    or while doing nothing at all (JBR).

5
Risk Management Frameworks
  • Australian/New Zealand Standards Risk Management
    Framework (AU/NZS 4360)
  • Bank for International Settlements, Basel
    Committee on Banking Supervision (Basel II),
    International Convergence of Capital Measurement
    and Capital Standards: A Revised Framework.
  • Committee of Sponsoring Organizations of the
    Treadway Commission (COSO) Enterprise Risk
    Management - Integrated Framework.
  • Generic Risk Management Frameworks

7
COSO ERM
  • Enterprise Risk Management is a process, effected
    by an entity's board of directors, management and
    personnel, applied in strategy setting and across
    the enterprise, designed to identify potential
    events that may affect the entity and manage risk
    to be within its risk appetite, to provide
    reasonable assurance regarding the achievement of
    entity objectives (COSO ERM).

8
COSO ERM
  • Key Points
  • ERM begins with strategy.
  • ERM is a process, effected by people.
  • ERM encompasses the entire organization.
  • Risks represent uncertain events that can
    threaten the company's success.
  • Risks do not need to be completely mitigated.
  • A structured and disciplined approach is
    necessary.
  • ERM can only provide reasonable assurance.

9
COSO ERM Framework

10
Risk Management Frameworks (Generic)
  (Cycle diagram; only its labels survive extraction.)
  • Mitigate
  • Finance
  • Identify
  • Evaluate

4. Keep Ahead
  • Quantify Impacts
  • Contain
  • Finance
  • Identify Risk Factors
  • Prioritize Risk Factors
  • Profile Risk Opportunities
  • Monitor Change
  • Risk Factors
  • Environment
  • Organization
  • Cycle, as necessary

3. Manage
  • Analyze Opportunities
  • Develop Plan
  • Implement
11
Risk Management Frameworks (Generic)
Stages 1. Identify, 2. Source, 3. Measure
  • Identify risks based on Bank generic model
  • Create risk awareness
  • Detect and understand origin of possible threats
    and opportunities (risk drivers)
  • Identify risk holders (functional and/or
    divisional managers)
  • Assess significance and likelihood of risks
  • Design actual risk map

12
Risk Management Frameworks (Generic)
Stages 4. Evaluate, 5. Manage, 6. Monitor
  • Decide on options for risk management strategies
  • Design target risk map
  • Ensure that key risks are reflected in the business
    plan and action is taken
  • Assess value added from improving risk/taking on
    opportunities
  • Continuous consideration of risk profile and
    control procedures
  • Regular reporting on key risks

13
COSO ERM - Components: Internal Environment

Encompasses the tone of an organization and sets
the basis for how risk is viewed and addressed by
an entity's people, including risk management
philosophy and risk appetite, integrity and
ethical values, and the environment in which they
operate.
14
COSO ERM - Components: Objective Setting
Objectives must exist before management can
identify potential events affecting their
achievement. ERM ensures that management has in
place a process to set objectives and that the
chosen objectives support and align with the
entity's mission and are consistent with its risk
appetite.
15
COSO ERM - Components: Event Identification
Internal and external events affecting
achievement of an entity's objectives are
identified. Risks are distinguished from
opportunities. Opportunities are channeled back
to management's strategy or objective-setting
processes.
16
COSO ERM - Components: Risk Assessment
Risks are analyzed, considering likelihood and
impact, as a basis for determining how they
should be managed. Risks are assessed on an
inherent and a residual basis.
17
COSO ERM - Components: Risk Response
Management selects risk responses (avoiding,
accepting, reducing, or sharing risk), developing
a set of actions to align risks with the entity's
risk tolerances and risk appetite.
18
COSO ERM - Components: Control Activities
Policies and procedures are established and
implemented to help ensure the risk responses are
effectively carried out.
19
COSO ERM - Components: Information and Communication
Relevant information is identified, captured, and
communicated in a form and timeframe that enable
people to carry out their responsibilities.
Effective communication also occurs in a broader
sense, flowing down, across, and up the entity.
20
COSO ERM - Components: Monitoring
The entirety of ERM is monitored and
modifications made as necessary. Monitoring is
accomplished through ongoing management
activities, separate evaluations, or both.
21
The ERM Funnel
  • Business Model
  • Strategic Objectives
  • Annual Goals
  • Risk Appetite
  • Strategy
  • Earnings
  • Organizational
  • Culture
  • Structure

22
The ERM Funnel: Strategic Objectives
  • Examples
  • Strategic Objective A (Earnings Growth): Enhance
    shareholder value by consistently delivering
    operating earnings growth of 25%.
  • Strategic Objective B (Market Share): Penetrate
    60% of the top 1,000 schools and 40% of the next
    tier of 1,500 schools.
  • Strategic Objective C (Reputation): Be
    recognized by educators and school institutions
    as a significant contributor to the advancement
    of education.
  • Strategic Objective D (People): Achieve a
    ranking in the top 50 of Business World
    Magazine's "Best Companies to Work for".
  • Overall Question: What represents success for the
    Company?

23
The ERM Funnel: Risk Assessment
  • Create Risk Universe
  • Business risk models
  • Accounting and consulting firms
  • Professional and industry associations
  • Brainstorming with members of management
  • Risk-oriented sites on the internet
  • Overall question: What are the barriers to
    achieving success?

24
The ERM Funnel: Risk Tolerance Matrix

25
The ERM Funnel: Risk Assessment
  • Link Risks to Strategic Objectives

26
The ERM Funnel: Risk Assessment
  • Create Business Risk Model

27
The ERM Funnel: Risk Analysis
  • Map/Depict the Risk Relationships
  • Risk Analysis listing
  • Risk Analysis Diagram
  • Risk Analysis Map

28
The ERM Funnel: Risk Analysis
  • Example: Risk Analysis listing
  • Core Risk
  • Direct drivers
  • Indirect drivers
  • External risks
  • Reputation Risk
  • Product Failure Risk
  • Outsourcing Risk
  • Process Execution Risk
  • Customer Satisfaction Risk
  • Policies & Procedures Risk
  • Consumer Preference Risk
  • Legal & Regulatory Risk
  • Environmental Risk
  • Integrity Risk

29
The ERM Funnel: Risk Analysis
  • Example: Risk Analysis Diagram

(Diagram; only its labels survive extraction. Layers: External Risks,
Indirect Drivers, Direct Drivers, Core Risks. Risks shown: Outsourcing,
Product Failure, Process Execution, Policies & Procedures, Customer
Satisfaction, Reputation, Consumer Preference, Environmental, Legal &
Regulatory, Integrity.)
30
The ERM Funnel: Risk Analysis
  • Example: Risk Analysis Map - Earnings Growth
    Risk

(Map diagram; only the label "Economy" survives extraction.)
31
The ERM Funnel: Risk Analysis
  • Assess and Prioritize Risks
  • Scoring
  • Nine-box matrix
  • Scattergraph

32
The ERM Funnel: Risk Analysis
  • Example: Nine-box matrix

(Matrix diagram: Significance (High / Medium / Low) on the vertical
axis against Likelihood (Low / Medium / High) on the horizontal axis.)
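The scoring and nine-box prioritization described on the risk analysis slides, together with the inherent-versus-residual assessment from the COSO risk assessment component, as an added example that is not part of the presentation. The risk register, scores, objectives and responses below are constructed for illustration, using risk names from the deck's example listing.

```python
from __future__ import annotations
from dataclasses import dataclass

LEVELS = ("Low", "Medium", "High")                        # ordinal scale on both axes
RANK = {name: i + 1 for i, name in enumerate(LEVELS)}     # Low=1, Medium=2, High=3


@dataclass
class Risk:
    name: str
    objective: str                 # strategic objective the risk is linked to
    inherent: tuple[str, str]      # (likelihood, significance) before any response
    residual: tuple[str, str]      # (likelihood, significance) after the chosen response
    response: str                  # avoid / transfer / reduce / accept / exploit


def score(cell: tuple[str, str]) -> int:
    """Numeric score for a (likelihood, significance) cell, 1..9."""
    likelihood, significance = cell
    return RANK[likelihood] * RANK[significance]


def nine_box(cell: tuple[str, str]) -> str:
    """Name the matrix box a cell falls in, e.g. 'High likelihood / Low significance'."""
    likelihood, significance = cell
    return f"{likelihood} likelihood / {significance} significance"


def prioritize(register: list[Risk]) -> list[Risk]:
    """Rank by residual score (highest first), then inherent score, then name."""
    return sorted(register, key=lambda r: (-score(r.residual), -score(r.inherent), r.name))


def by_objective(register: list[Risk]) -> dict[str, list[str]]:
    """Group risk names under the strategic objective they threaten."""
    grouped: dict[str, list[str]] = {}
    for r in register:
        grouped.setdefault(r.objective, []).append(r.name)
    return grouped


# Constructed register (hypothetical values, not from the deck).
REGISTER = [
    Risk("Outsourcing Risk", "A: Earnings Growth", ("High", "High"), ("Medium", "High"), "reduce"),
    Risk("Product Failure Risk", "B: Market Share", ("Medium", "High"), ("Low", "High"), "transfer"),
    Risk("Reputation Risk", "C: Reputation", ("Medium", "High"), ("Medium", "Medium"), "reduce"),
    Risk("Consumer Preference Risk", "B: Market Share", ("Low", "Medium"), ("Low", "Medium"), "accept"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):   # residual view, highest priority first
        print(f"{score(r.residual)} {r.name:26} {nine_box(r.residual)} [{r.response}]")
```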
33
The ERM Funnel: Risk Analysis
  • Example: Updated Risk Analysis Map - Earnings
    Growth Risk

(Map diagram; only the label "Economy" survives extraction.)
34
The ERM Funnel: Risk Strategy Stage
  • Next Steps
  • Link risks to processes (risk/process matrix)
  • Identify the initial actions (start/stop/change)
  • Identify potential audit projects
  • Develop (SMART) risk management action plans /
    strategies

35
Risk Strategy Stage
  • Risk management action plans / strategies
  • Avoid the risk
  • Transfer the risk
  • Reduce the risk
  • Accept the risk
  • (Exploit the risk)

36
The ERM Funnel: Risk Infrastructure
  • Capabilities
  • Strategies
  • Processes
  • People
  • Technology
  • Information
  • Development Stage
  • Ad Hoc
  • Repeatable
  • Defined
  • Managed
  • Optimized

37
The ERM Funnel: Risk Infrastructure
  • Example: Risk Infrastructure Matrix - Processes

39
ERM and Corporate Governance
  • Corporate Governance Defined
  • Corporate governance is the process carried out
    by the board of directors and its related
    committees, on behalf of and for the benefit of
    the company's stakeholders, to provide direction,
    authority, and oversight to management.

40
ERM and Corporate Governance
  • Corporate Governance Defined
  • The Key Points embedded in the definition are:
  • Corporate governance is the responsibility of the
    board.
  • The board governs and provides direction on
    behalf of stakeholders.
  • The board defines the tolerance levels or limits
    that will guide management in decision making.
  • The board grants authority to senior management
    to conduct business within the tolerance levels.
  • The board oversees the company's business to
    ensure the stakeholders' interests are protected.

41
ERM and Corporate Governance: The Corporate
Governance Cycle
(Cycle diagram; only its labels survive extraction.)
  • Stakeholders
  • Board of Directors
  • Senior Management
  • Risk Owners
42
The Roles of Auditors in ERM
  • Assurance Activities
  • As part of the corporate governance cycle, the
    auditors should:
  • Evaluate whether the risk management activities
    are designed effectively.
  • Determine whether the risk management activities
    are operating as designed.
  • Evaluate whether the risk owners' assertions to
    senior management regarding risk management
    performance are accurate.
  • Evaluate whether the information provided by
    senior management to the board is complete and
    accurate.
  • Assess whether the tolerance information is
    communicated down from the board and senior
    management in a timely and effective manner.
  • Identify any governance or risk areas that
    currently are not covered by a focused risk
    management process.

43
The Roles of Auditors in ERM
  • Core Roles
  • Giving assurance on risk management processes
  • Giving assurance that risks are correctly
    evaluated
  • Evaluating risk management processes
  • Evaluating the reporting of key risks
  • Reviewing the management of key risks

44
The Roles of Auditors in ERM
  • Legitimate Roles with Safeguards
  • Facilitating identification and evaluation of
    risks
  • Coaching management in responding to risks
  • Coordinating ERM activities
  • Consolidating the reporting on risks
  • Maintaining and developing the ERM framework
  • Championing establishment of ERM
  • Developing risk management strategy for board
    approval

45
The Roles of Auditors in ERM
  • Roles that Auditors should not Undertake
  • Setting the risk appetite
  • Imposing risk management processes
  • Management assurance on risks
  • Taking decisions on risk responses
  • Implementing risk responses on management's
    behalf
  • Accountability for risk management

46
The Roles of Auditors in ERM
47
What ERM Looks Like
  • ERM will never be exactly the same in any two
    companies. To be useful, it must fit a company's
    strategic direction, organization, and culture.
  • ERM can fit a company with little formality in
    management style or one with highly structured
    management processes. Inherent in all ERM
    processes, however, is the discipline in the
    process, and that it operates throughout the
    organization.
  • ERM initially was called enterprise-wide risk
    management; the "wide" was dropped for
    convenience, but the concept remains. If it
    doesn't have the requisite discipline, scope, and
    function throughout an organization, we call it
    risk management but not enterprise risk
    management.

48
What ERM Looks Like
  • Company 1 (financial services)
  • To fit with its face-to-face management
    approach, and to avoid unnecessary administrative
    activity, this company's management decided to
    deal with risk in its monthly management
    meetings. A limited portion of each meeting is
    devoted to identifying new, emerging risks and
    related opportunities, with qualitative analysis
    and actions taken then and there to manage the
    risks or to seize the opportunities, except for
    those requiring further analysis where
    assignments are made for subsequent follow-up.
    This process is in place at all management
    levels, and risks and related actions are
    reported upstream through normal in-person
    communications. One manager is tasked with
    tracking significant risks and actions, and
    providing a portfolio view of risk to the CEO and
    the board.

49
What ERM Looks Like
  • Company 2 (consumer products)
  • This company's management decided that somewhat
    more structure was needed, and began the ERM
    process in the annual strategic planning and
    budgeting process. The process was brought to the
    entire organization, where identified risks and
    opportunities are considered as part of the
    ongoing management process, and recorded on a
    simple, one-page template. Most risks are
    analyzed qualitatively, although quantitative
    techniques are used where needed. The template
    serves as a focal point for managers at every
    level, as well as an upstream communications
    mechanism to track risk and action plans on an
    ongoing basis.

50
What ERM Looks Like
  • Company 3 (financial institution)
  • This organization uses sophisticated methodology
    to identify and assess risk. The corporate center
    takes the lead in risk analysis, quantitatively
    assessing credit, market, interest rate,
    liquidity, and other risk categories. Operational
    risks are considered by managers throughout the
    organization, and software is used to communicate
    risk-related information, including summarization
    where appropriate, establishing accountabilities
    for agreed-upon actions to manage the risks, and
    developing portfolio information for senior
    management and the board for making capital
    allocation decisions.
