ERM 101
Lisanne Sison
Director ERM
Bickmore
What is ERM?
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as “a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
What is ERM? (cont’d)
To help with the implementation of the ERM process, COSO developed the ERM Integrated Framework (2004), also known as the COSO Cube. This cube is an update to the initial COSO I framework developed in 1992:
What is ERM? (cont’d)
The cube’s four objective categories:
• Strategic – the high-level goals that are aligned with and support the institution’s mission.
• Operations – relate to the ongoing management process and daily activities of the organization.
• Reporting – relates to the protection of the organization’s assets and the quality of financial reporting.
• Compliance – relates to the organization’s adherence to applicable laws and regulations.
What is ERM? (cont’d)
The cube’s eight components:
The Internal Environment relates to the general culture, values and environment in which an organization or entity operates (e.g. tone at the top).
Objective Setting relates to the process management uses to set its strategic goals and objectives. It also establishes the organization’s risk appetite and risk tolerance.
Event Identification is the process by which an organization identifies events that influence strategy and objectives, or that could affect the organization’s ability to achieve its objectives.
Risk Assessment relates to the organization’s process of evaluating the impact and likelihood of events, and prioritizing the related risks.
Risk Response relates to determining how management will respond to the risks the organization faces: will they avoid the risk, share the risk, or mitigate the risk through updated practices and policies?
Control Activities represent the policies and procedures that an institution implements to address the risks the organization chooses to accept.
Information and Communication relate to those practices that ensure the right information is communicated at the right time to the right people.
Monitoring consists of ongoing evaluations to ensure controls are functioning as designed, and of taking corrective action to enhance control activities if needed.
ERM Life Cycle
[Diagram: a cycle of phases (goal/culture setting, objective setting, identify and prioritize risks, evaluate options, implement, confirm, evaluate performance, next steps) mapped onto the eight COSO components: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring.]
What is ERM? (cont’d)
Each of these components is considered at multiple levels of the organization, rather than within a single function, unit, or department.
ERM…
• Provides a comprehensive and systematic approach to more proactive and holistic risk management
• Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM
• Requires that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develops an appropriate risk mitigation approach to address these risks in a manner that is consistent with the organization’s strategy and risk appetite
ERM is not…
• A silver bullet to prevent risks from occurring
• A methodology or a checklist of items that need to be completed that guarantee results
• The only way organizations can take a more proactive approach to managing risk
Other Frameworks
CoCo – Stands for “Criteria of Control” and is a risk management tool developed by the Canadian Institute of Chartered Accountants to assist managers and internal auditors in designing, assessing, and reporting on the control systems of an organization.
Other Frameworks (cont’d)
Cadbury Report – Published in 1992, this report sets out recommendations on the arrangement of company boards and accounting systems to mitigate corporate governance risks and failures. Its recommendations focus primarily on practices related to transparency and accountability at the top levels of an organization (e.g. members of the Board of Directors) rather than throughout the organization as a whole.
Other Frameworks (cont’d)
Australian and New Zealand Standard on Risk Management (AS/NZS 4360:2004, or ASNZS) – Considered by some to be the gold standard for all other risk management standards. The ASNZS is widely used internationally, and is desirable for its simplicity. (Where the original draft of the COSO ERM Model ran about 154 pages, the ASNZS is only 23 pages.)
Other Frameworks (cont’d)
Below is a diagram of the ASNZS framework:
Other Frameworks (cont’d)
ISO 31000:2009 – Developed by the International Organization for Standardization (ISO) and based on the AS/NZS, ISO 31000 provides principles and generic guidelines on risk management. It provides a universally recognized paradigm for practitioners and companies employing risk management processes across different industries, subject matters and regions.
ISO 31000 is defined as “a process that provides confidence that planned objectives will be achieved within an acceptable degree of residual risk.”
ISO 31000 Framework Overview
Where’s the Value???
• The biggest value in each of these frameworks lies in their promotion of continuous improvement, diligent management practices and ongoing monitoring.
Relevance (cont’d)
• Organizations are increasingly looking to expand their risk management functions to help reduce potential future losses through:
– Improved monitoring and reporting
– Better risk identification and response
– More risk-based decision making
Relevance (cont’d)
Based on a recent survey conducted by Towers Watson, the table below illustrates the motivating factors for improving various risk management activities in the near term.
Relevance (cont’d)
A survey conducted by RIMS and Marsh titled “Excellence in Risk Management VI (2009)” lists the main barriers to adopting a more strategic approach to risk management as follows:
Questions?
Lisanne Sison
Bickmore
lsison@bickmore.net
(916) 244-1119