
03 - Enterprise Risk Management.ppt
- Number of slides: 80
ENTERPRISE RISK MANAGEMENT (ERM)
(c) Mikhail Slobodian 2015
THE INTERNATIONAL STANDARDS FOR RISK MANAGEMENT
- ISO Guide 73:2009 "Risk Management. Vocabulary"
- ISO 31000:2009 "Risk Management. Principles and Guidelines"
- ISO/IEC 31010:2009 "Risk Management. Risk Assessment Techniques"
DEFINITION OF RISK
The definition set out in ISO Guide 73 is that risk is the "effect of uncertainty on objectives". An effect may be positive, negative or a deviation from the expected, and risk is often described by an event, a change in circumstances or a consequence. This definition links risks to objectives. Therefore, this definition of risk can most easily be applied when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged and the assumptions on which they are based should be tested, as part of the risk management process.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
INTRODUCTION TO RISK MANAGEMENT
Risk management is defined (ISO Guide 73) as "coordinated activities to direct and control an organization with regard to risk". Risk management is an increasingly important business driver and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risks on all processes, activities, stakeholders, products and services.
Source: A structured approach to ERM and the requirements of ISO 31000
ENTERPRISE RISK MANAGEMENT
Risk management (ISO 31000) is based on the process approach, which is also one of the main principles of quality management (ISO 9000).
INTRODUCTION TO RISK MANAGEMENT
For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls. When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, the effectiveness of tactics and the efficacy of the strategy of the organisation.
Source: A structured approach to ERM and the requirements of ISO 31000
ENTERPRISE RISK MANAGEMENT (ERM)
Enterprise Risk Management (ERM) is a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti) // http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ENTERPRISE RISK MANAGEMENT (ERM)
Enterprise risk management is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy-setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events affecting the entity and manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board
- Geared to the achievement of objectives in one or more separate but overlapping categories; it is "a means to an end, not an end in itself"
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
COMPONENTS OF ERM
ERM is a multidirectional, iterative process in which almost any component can and does influence another:
- Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
COMPONENTS OF ERM
- Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
- Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
COMPONENTS OF ERM
- Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
LIMITATIONS OF ERM
Limitations result from the realities that:
- human judgment in decision making can be faulty;
- decisions on responding to risk and establishing controls need to consider the relative costs and benefits;
- breakdowns can occur because of human failures such as simple errors or mistakes;
- controls can be circumvented by collusion of two or more people;
- management has the ability to override enterprise risk management decisions.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
PRINCIPLES OF RISK MANAGEMENT
Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances. The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation.
Source: A structured approach to ERM and the requirements of ISO 31000
PRINCIPLES OF RISK MANAGEMENT
Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.
Source: A structured approach to ERM and the requirements of ISO 31000
RISK MANAGEMENT PRINCIPLES (ISO 31000)
1. Risk management creates and protects value. Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
2. Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.
3. Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
4. Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
5. Risk management is systematic, structured and timely. A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.
6. Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
7. Risk management is tailored. Risk management is aligned with the organization's external and internal context and risk profile.
8. Risk management takes human and cultural factors into account. Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.
9. Risk management is transparent and inclusive. Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
10. Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
11. Risk management facilitates continual improvement of the organization. Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.
THE FIVE BROAD CATEGORIES OF ASSETS REPRESENTING SOURCES OF VALUE
[diagram only; no slide text. Source: Guide to Enterprise Risk Management, FAQ (Protiviti)]
CATEGORIES OF POTENTIAL FUTURE EVENTS THAT MIGHT BE CONSIDERED DURING A RISK ASSESSMENT
[diagram only; no slide text. Source: Guide to Enterprise Risk Management, FAQ (Protiviti)]
THE VALUE PROPOSITION OF ERM
[diagram only; no slide text. Source: Guide to Enterprise Risk Management, FAQ (Protiviti)]
RELATIONSHIPS BETWEEN THE RISK MANAGEMENT PRINCIPLES, FRAMEWORK AND PROCESS (ISO 31000)
[diagram only; no slide text]
NATURE AND IMPACT OF RISK
Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.
Source: A structured approach to ERM and the requirements of ISO 31000
RISK APPETITE
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity's risk management philosophy, and in turn influences the entity's culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, medium or low, while others take a quantitative approach, reflecting and balancing goals for growth, return and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
RISK TOLERANCE
Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
RISK APPETITE & RISK TOLERANCE OF AN ORGANIZATION
Risk appetite is strategic. The organization's business model provides an important context for assessing risk appetite by clarifying the activities the entity undertakes, who its customers are, what its products are, and how and in which markets it conducts business. A thorough understanding of an organization's business objectives, strategy and operations is very useful when articulating the risks it chooses to accept and the risks it chooses to avoid as it creates value. As the enterprise executes its strategy, it creates and increases its exposure to uncertainty. Therefore, business objectives and strategies provide the context for understanding the risks the enterprise chooses to undertake. Risk appetite also can set boundaries around opportunity-seeking behavior, which impacts the entity's objectives and strategies.

Risk appetite relates primarily to the business model whereas risk tolerance relates primarily to the entity's objectives. An organization's risk appetite reflects both its capacity to bear risk as well as a broader understanding of the level of risk that it can safely assume and successfully manage for an extended period of time. Risk appetite is the extent to which an organization exposes its capital and sources of value to the exploitation of strategic opportunities and retention of performance variability and loss exposure.

Every organization has a risk appetite whether it acknowledges it explicitly or not. Risk appetite is expressed through an entity's actions or inactions. It represents executive management's "view of the world," which drives their strategic choices. It is inherent in the organization's strategy and in the execution of that strategy, in the form of both risks taken and risks avoided. Management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances and developing risk management capabilities. The board considers risk appetite when it approves management actions. If articulated explicitly, risk appetite provides overall direction for risk management and is grounded during the objective-setting process.

While risk appetite is strategic, risk tolerance is tactical. Risk tolerance is defined within the context of the related objective using the metrics in place to measure performance against that objective. Risk tolerances set the boundaries of performance variability. Once tolerances are set, performance measures are monitored to ensure that performance is managed within those boundaries. Thus risk tolerances are used to ensure that performance variability is reduced to an acceptable level.

Risk tolerance may be reflected differently for different types of objectives, including objectives relating to earnings variability, interest rate exposure, compliance with laws and regulations and the acquisition, development and retention of people. Risk tolerance related to all of these objectives is expressed differently. In effect, risk tolerances address the question, "How much variability are we willing to accept as we pursue a given business objective?" Guidance on this question is important as it helps managers assess their exposure in terms of the downside risks they are empowered to accept as they seek upside performance. As managers pursue opportunities for growth and new sources of profitability, risk tolerances and limits are an effective tool for countering pressures on them to succeed and produce results.
Source: Guide to Enterprise Risk Management, FAQ (Protiviti)
RISK ARCHITECTURE, STRATEGY AND PROTOCOLS
[diagram only; no slide text. Source: A structured approach to ERM and the requirements of ISO 31000]
RISK MANAGEMENT PROCESS
The risk management process can be presented as a list of coordinated activities. There are alternative descriptions of this process, but the components listed below are usually present:
- recognition or identification of risks
- ranking or evaluation of risks
- responding to significant risks:
  - tolerate
  - treat
  - transfer
  - terminate
- resourcing controls
- reaction planning
- reporting and monitoring risk performance
- reviewing the risk management framework
Source: A structured approach to ERM and the requirements of ISO 31000
RISK MANAGEMENT PROCESS
Recognition and ranking of risks together form the risk assessment activity. ISO 31000 uses the phrase "risk treatment" to include all of the 4 Ts included under the heading "risk response". The scope of risk responses available for hazard risks includes the options of tolerate, treat, transfer or terminate the risk or the activity that gives rise to the risk. For many risks, these responses may be applied in combination. For opportunity risks, the range of available options includes exploiting the risk. Reaction planning includes business continuity planning and disaster recovery planning.
Source: A structured approach to ERM and the requirements of ISO 31000
FRAMEWORK FOR MANAGING RISK
ISO 31000 describes the components of a risk management implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is "mandate and commitment" by the Board and this is followed by:
- design of framework
- implement risk management
- monitor and review framework
- improve framework
Source: A structured approach to ERM and the requirements of ISO 31000
FRAMEWORK FOR MANAGING RISK
ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.
Source: A structured approach to ERM and the requirements of ISO 31000
FRAMEWORK FOR MANAGING RISK BASED ON ISO 31000
[diagram only; no slide text. Source: A structured approach to ERM and the requirements of ISO 31000]
RISK MANAGEMENT PROCESS BASED ON ISO 31000
[diagram only; no slide text. Source: A structured approach to ERM and the requirements of ISO 31000]
RISK ASSESSMENT
Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the relative importance of each identified risk. This process allows the risks to be mapped to the business area affected, describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reapportioned.
Source: A structured approach to ERM and the requirements of ISO 31000
RISK ASSESSMENT TECHNIQUES
Technique: brief description
- Questionnaires and checklists: Use of structured questionnaires and checklists to collect information to assist with the recognition of the significant risks
- Workshops and brainstorming: Collection and sharing of ideas and discussion of the events that could impact the objectives, stakeholder expectations or key dependencies
- Inspections and audits: Physical inspections of premises and activities and audits of compliance with established systems and procedures
- Flowcharts and dependency analysis: Analysis of processes and operations within the organisation to identify critical components that are key to success
- HAZOP and FMEA approaches: Hazard and Operability (HAZOP) studies and Failure Modes Effects Analysis (FMEA) are quantitative technical failure analysis techniques
- SWOT and PESTLE analyses: Strengths Weaknesses Opportunities Threats (SWOT) and Political Economic Social Technological Legal Environmental (PESTLE) analyses offer structured approaches to risk recognition
Source: A structured approach to ERM and the requirements of ISO 31000
RISK CLASSIFICATION SYSTEMS
An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable.

Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations. This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO 31000 does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.
Source: A structured approach to ERM and the requirements of ISO 31000
DETAILED RISK DESCRIPTION
Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process.
Source: A structured approach to ERM and the requirements of ISO 31000
DETAILED RISK DESCRIPTION
The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks. Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences.
Source: A structured approach to ERM and the requirements of ISO 31000
DETAILED RISK DESCRIPTION
No. / Name / Description
1. Name or title of risk: Unique identifier or risk index
2. Scope of risk: Scope of risk and details of possible events, including description of the events, their size, type and number
3. Nature of risk: Classification of risk, timescale of potential impact and description as hazard, opportunity or uncertainty
4. Stakeholders: Stakeholders, both internal and external, and their expectations
5. Risk evaluation: Likelihood and magnitude of event and possible impact or consequences should the risk materialise at current level of
6. Loss experience: Previous incidents and prior loss experience of events related to the risk
7. Risk tolerance, appetite or attitude: Loss potential and anticipated financial impact of the risk; target for control of risk and desired level of performance; risk attitude, appetite, tolerance or limits for the risk
8. Risk response, treatment and controls: Existing control mechanisms and activities; level of confidence in existing controls; procedures for monitoring and review of risk performance
9. Potential for risk improvement: Potential for cost-effective risk improvement or modification; recommendations and deadlines for implementation; responsibility for implementing any improvements
10. Strategy and policy developments: Responsibility for developing strategy related to the risk; responsibility for auditing compliance with controls
Source: A structured approach to ERM and the requirements of ISO 31000
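The risk register template above, the inherent-versus-residual assessment, the semi-quantitative ranking that produces a risk profile, and the four hazard-risk responses (tolerate, treat, transfer, terminate) can be tied together in a small computer-based register. The following is an added example written for this page; it is not code from the slides or from the cited FERMA/Protiviti guides. The 1-5 likelihood and impact scales, the proportional control-effectiveness model for residual risk, the high/medium/low bands, the tolerance threshold and the four sample risks are all assumptions chosen for illustration, and a real organisation would define its own measures of likelihood and consequence as the text says.

```python
"""Risk register: inherent vs. residual scoring, 4T response and ranking.

Added illustration, not code from the FERMA / ISO 31000 material or from
Protiviti. Assumed here: 1-5 likelihood and impact scales, a proportional
control-effectiveness model for residual risk, semi-quantitative rating
bands on the 1..25 grid, and a constructed sample register.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Response(Enum):
    """The '4 Ts' hazard-risk responses; ISO 31000 groups them under risk treatment."""
    TOLERATE = "tolerate"
    TREAT = "treat"
    TRANSFER = "transfer"
    TERMINATE = "terminate"


@dataclass(frozen=True)
class Risk:
    """One register row; the comments map fields to the template items above."""
    risk_id: str                  # item 1: unique identifier / risk index
    name: str                     # item 1: name or title of the risk
    likelihood: int               # item 5: assumed scale 1 (rare) .. 5 (almost certain), before controls
    impact: int                   # item 5: assumed scale 1 (negligible) .. 5 (severe), before controls
    control_effectiveness: float  # item 8: assumed 0.0 (no control) .. 1.0 (risk eliminated)
    response: Response            # item 8: planned treatment, one of the 4 Ts
    owner: str                    # items 9/10: who is responsible for the risk

    def __post_init__(self) -> None:
        # Reject out-of-scale entries so a typo cannot silently distort the ranking.
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.risk_id}: likelihood and impact must be in 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError(f"{self.risk_id}: control_effectiveness must be in 0..1")

    @property
    def inherent_score(self) -> int:
        """Risk before any control: likelihood x impact on the 1..25 grid."""
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> float:
        """Risk after the controls currently in place (assumed proportional reduction)."""
        return round(self.inherent_score * (1.0 - self.control_effectiveness), 1)


def rating(score: float) -> str:
    """Assumed semi-quantitative bands over the 1..25 grid."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest residual risk first; ties broken by inherent score, then by id."""
    return sorted(register, key=lambda r: (-r.residual_score, -r.inherent_score, r.risk_id))


def exceeding_tolerance(register: List[Risk], tolerance: float) -> List[str]:
    """Ids whose residual score is above the tolerance set for the related objective."""
    return [r.risk_id for r in register if r.residual_score > tolerance]


def risk_profile(register: List[Risk]) -> List[Dict[str, object]]:
    """Ranked rows: the 'risk profile' used to prioritise treatment effort."""
    return [
        {
            "id": r.risk_id,
            "inherent": r.inherent_score,
            "residual": r.residual_score,
            "rating": rating(r.residual_score),
            "response": r.response.value,
            "owner": r.owner,
        }
        for r in rank(register)
    ]


# Constructed sample register (illustrative entries, not real incident data).
SAMPLE_REGISTER = [
    Risk("R-01", "Phishing leads to credential theft", 5, 4, 0.6, Response.TREAT, "CISO"),
    Risk("R-02", "Ransomware encrypts file servers", 3, 5, 0.5, Response.TRANSFER, "IT operations"),
    Risk("R-03", "Loss of a single critical supplier", 2, 4, 0.0, Response.TOLERATE, "Procurement"),
    Risk("R-04", "Legacy product line with unresolved regulatory exposure", 4, 3, 0.0, Response.TERMINATE, "COO"),
]

if __name__ == "__main__":
    for row in risk_profile(SAMPLE_REGISTER):
        print(row)
    print("above tolerance 8.0:", exceeding_tolerance(SAMPLE_REGISTER, 8.0))
```

Two points the register makes visible that the prose does not: ranking by residual score changes the order (R-01 has the largest inherent score but its existing controls pull it below R-04, which has none), and the residual figure records only controls already in place, so a risk marked "terminate" still carries its full score until the activity actually stops.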
RISK TREATMENT Risk treatment is presented in ISO 31000 as the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes as its major element, risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved. 49 (c) Mikhail Slobodian 2015 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www. ferma. eu/app/uploads/2011/10/a-structured-approach-to-erm. pdf
RISK TREATMENT
Compliance with laws and regulations is not an option. An organisation must understand the applicable laws and must implement a system of controls that achieves compliance.
One method of obtaining financial protection against the impact of risks is through risk financing, including insurance. However, it should be recognised that some losses or elements of a loss may be uninsurable, such as uninsured costs and damage to employee morale and the reputation of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
FEEDBACK MECHANISMS
ISO 31000 recognises the importance of feedback by way of two mechanisms: monitoring and review of performance, and communication and consultation. Monitoring and review ensures that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered to be part of the supporting framework.
Reporting and disclosure are only very briefly mentioned in ISO 31000 and they are not included in the process. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
SECTIONS OF A RISK MANAGEMENT POLICY
- Risk management and internal control objectives (governance)
- Statement of the attitude of the organisation to risk (risk strategy)
- Description of the risk aware culture or control environment
- Level and nature of risk that is acceptable (risk appetite)
- Risk management organisation and arrangements (risk architecture)
- Details of procedures for risk recognition and ranking (risk assessment)
- List of documentation for analysing and reporting risk (risk protocols)
- Risk mitigation requirements and control mechanisms (risk response)
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
SECTIONS OF A RISK MANAGEMENT POLICY
- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
RISK ARCHITECTURE OF A LARGE PUBLIC LIMITED COMPANY
[Figure: risk architecture diagram]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
A BASELINE OVERSIGHT STRUCTURE
[Figure: baseline oversight structure diagram]
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
Everyone in an entity has some responsibility for enterprise risk management:
- The Board of Directors provides an oversight role, with emphasis on understanding the priority risks, approving risk management policies for critical risks and determining that risk responses for those risks are effective. This oversight activity may also be carried out by the audit committee, by a risk management committee (if there is one) and by other committees (such as the finance committee).
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- The Chief Executive Officer (CEO) is the “comprehensive risk executive.” He/she is ultimately responsible for ERM priorities, strategies and policies, and acts as the final enforcer on such matters as aligning objectives, strategies and risk appetite, eliminating gaps and overlaps in risk management responsibilities and authorities, and resolving significant internal conflicts. The Risk Management Executive Committee and other risk management oversight structure components are designed to support the CEO’s delegation of these responsibilities. The CEO also ensures the ERM implementation is applied in strategy-setting.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- The Risk Management Executive Committee (RMEC) coordinates decision-making. For example, it recommends risk tolerances and profiles to the CEO and board in the context of the enterprise’s business strategy. It evaluates risk measurement methodologies. It establishes capital allocation frameworks. It develops enterprisewide and specific risk policies and limit structures. It assigns owners of significant risks. It evaluates the effectiveness of the infrastructure in place for managing specific risks and ensures that necessary improvements are made to close any gaps.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- The Chief Risk Officer (CRO) is a member of the RMEC and reports either to the CEO or to a ranking senior executive. The CRO oversees the business risk management function (see below) and is a key champion of ERM. The CRO may also have authority for managing selected risks on an enterprisewide basis. He or she should chair the RMEC and have a reporting relationship to the board. The CRO should also facilitate the integration of risk assessment and management into the normal, ongoing strategic and business planning processes of the organization.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- To bring the top of the organization and its business units and their activities together, a Business Risk Management Function (BRMF) provides “enabling frameworks.” These tools are the common language that facilitates the collection, analysis and synthesis of data and reporting of exposures and results of the process on an aggregate enterprisewide basis. The BRMF usually reports to a senior executive (i.e., a CRO) and/or the RMEC. Its charter is typically defined by the designated senior executive and/or RMEC and is approved by the organization’s executive committee.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- Reporting to the RMEC (or to the CRO), the Program Management function provides the oversight necessary to ensure effective integration and coordination of multiple projects conducted over the ERM journey life cycle. For relatively simple ERM solutions, this function will be unnecessary. For more complex solutions, ERM may be achieved in stages over time in the form of multiple, related projects. In such instances, a program management discipline may be needed.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ROLES AND RESPONSIBILITIES
- Business Units are the line operations of the enterprise with specific objectives, strategies, markets, customers and products. Successful business units know their competition, their customers, their opportunities and their risks. They manage and monitor operations to generate revenues, satisfy customers, increase quality, compress cycle time and reduce costs. They offer products and services to targeted market segments at a price sufficient to cover the related costs and risks and generate acceptable risk-adjusted returns for shareholders. They report their activities to the CEO and executive committee.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
DRIVERS OF RISK MANAGEMENT
[Figure: drivers of risk management diagram]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
RISK MANAGEMENT CHECKLIST
Risk architecture
- Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
- Risk management responsibilities allocated to an appropriate management committee
- Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
- Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
- Sources of risk assurance for the Board have been identified and validated
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
RISK MANAGEMENT CHECKLIST
Risk strategy
- Risk management policy produced that describes risk appetite, risk culture and philosophy
- Key dependencies for success identified, together with the matters that should be avoided
- Business objectives validated and the assumptions underpinning those objectives tested
- Significant risks faced by the organisation identified, together with the critical controls required
- Risk management action plan established that includes the use of key risk indicators, as appropriate
- Necessary resources identified and provided to support the risk management activities
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
RISK MANAGEMENT CHECKLIST
Risk protocols
- Appropriate risk management framework identified and adopted, with modifications as appropriate
- Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
- Procedures to include risk as part of business decision-making established and implemented
- Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
- Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
- Business continuity plans and disaster recovery plans established and regularly tested
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
RISK MANAGEMENT CHECKLIST
- Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
- Arrangements in place for mandatory reporting on risk, including reports on at least the following:
  - Risk appetite, tolerance and constraints
  - Risk architecture and risk escalation procedures
  - Risk aware culture currently in place
  - Risk assessment arrangements and protocols
  - Significant risks and key risk indicators
  - Critical controls and control weaknesses
  - Sources of assurance available to the Board
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Reduce unacceptable performance variability: ERM assists management with
  - evaluating the likelihood and impact of major events
  - developing responses to either prevent those events from occurring or manage their impact on the entity if they do occur.
Most companies focus on traditional risks that have been known for some time. Few companies have a systematic process for anticipating new and emerging risks. Therefore, many companies often learn of critical risks too late or by accident, spawning the “fire fighting” and crisis management which drains resources and creates new vulnerabilities.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
The strategic lens of ERM broadens the traditional risk management focus on low-probability and catastrophic risks to a more expansive view on reducing the risk of erosion of critical sources of enterprise value. ERM assists management with improving the consistency of operating performance by increasing the emphasis on reducing earnings volatility, avoiding earnings-related surprises, and managing key performance indicator (KPI) shortfalls. ERM improves the management of increasing risk mitigation costs and the success rate of achieving business objectives.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Align and integrate varying views of risk management: There are many silos within organizations with a point of view on managing risk, e.g., treasury, insurable risk, environment, health and safety, IT, and within business units. Silo mentality inhibits efficient allocation of resources and management of common risks, enterprisewide. When there are multiple functions managing multiple risks, there is a need for a common framework. For example, some organizations are:
  - Assessing the need for a chief risk officer (CRO), including that individual’s role, authority and reporting lines
  - Integrating risk management into critical management activities, e.g., strategy-setting, business planning, capital expenditure and M&A due diligence and integration processes
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
  - Linking risk management to more efficient capital allocation and risk transfer decisions
  - Increasing transparency by developing quantitative and qualitative measures of risks and risk management performance
  - Aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to enterprise value and formulating an integrated risk response
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Build confidence of investment community and stakeholders: As institutional investors, rating agencies and regulators talk more about the importance of risk management in their assessments of companies, management may be requested to disclose and comment on the organization’s capabilities for understanding and managing risk, to enable stakeholders to make informed assessments as to whether returns are adequate in relation to the risks undertaken. As companies increase the transparency of their risks and risk management capabilities, and improve the maturity of their capabilities around managing critical risks, management will be able to articulate more effectively how well they are handling existing and emerging industry issues.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Enhance corporate governance: ERM and corporate governance are inextricably linked. Each augments the other. ERM strengthens board oversight, forces an assessment of existing senior management-level oversight structures, clarifies risk management roles and responsibilities, sets risk management authorities and boundaries, and effectively communicates risk responses in support of key business objectives. All of these activities are germane to good governance. By the same token, effective governance sets the tone for:
  - understanding risks and risk management capabilities
  - aligning risk appetite with the entity’s opportunity-seeking behavior.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Successfully respond to a changing business environment: As the business environment continues to change and the pace of change accelerates, organizations must become better at identifying, prioritizing and planning for risk. ERM assists management with evaluating the assumptions underlying the existing business model, the effectiveness of the strategies around executing that model, and the information available for decision-making. ERM drives management to identify alternative future scenarios, evaluate the likelihood and severity of those scenarios, identify priority risks and improve the organization’s capabilities around managing those risks. As the environment changes, new risks emerge and are escalated in a timely manner for action and possible disclosure. These activities impact resource allocation for the organization as a whole.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM
- Align strategy and corporate culture: ERM helps management create risk awareness and an open, positive culture with respect to risk and risk management. In such an environment, individuals can raise issues without fear of retribution. With respect to matters of enterprisewide importance, ERM often centralizes policy-setting and creates focus, discipline and control. It clarifies the distinction between risk-taking and risk-avoidance behaviors, improves tools for quantifying risk exposures, increases accountability for managing risks across the enterprise and facilitates timely identification of changes in an entity’s risk profile. ERM encourages balance in both the entrepreneurial activities and control activities of the organization, so that neither one is too disproportionately strong relative to the other.
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf
ERM IMPLEMENTATION SUMMARY
Phase: Planning and designing
Activities:
1. Identify intended benefits of the enterprise risk management initiative and gain Board mandate
2. Plan the scope of the ERM initiative and develop common language of risk
3. Establish the risk management strategy, framework, and the roles and responsibilities
Concepts / tools and techniques: Benefits of ERM; Embedding risk management; Upside of risk; Stakeholder expectations; Risk management policy; Risk architecture
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
ERM IMPLEMENTATION SUMMARY
Phase: Implementing and benchmarking
Activities:
4. Adopt suitable risk assessment procedures and an agreed risk classification system
5. Establish risk significance benchmarks and undertake risk assessments
6. Determine risk appetite and risk tolerance levels, and evaluate the existing controls
Concepts / tools and techniques: Risk description; Risk classification systems; Risk assessment techniques; Benchmark tests of significance; Risk register; Risk appetite
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
ERM IMPLEMENTATION SUMMARY
Phase: Measuring and monitoring
Activities:
7. Ensure cost-effectiveness of existing controls and introduce improvements
8. Embed risk aware culture and align risk management with other management tasks
Concepts / tools and techniques: Risk improvement plans; BCP and DRP; Control environment; Risk communications
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
ERM IMPLEMENTATION SUMMARY
Phase: Learning and reporting
Activities:
9. Monitor and review risk performance indicators to measure ERM contribution
10. Report risk performance in line with legal and other obligations, and monitor improvement
Concepts / tools and techniques: Audit plan and risk reviews; Sources of risk assurance; Risk reporting; Legal requirements
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
IMPLEMENTATION OF ERM
[Figure: ERM implementation diagram]
Source: Guide to Enterprise Risk Management. FAQ, http://www.protiviti.com/en-US/Documents/Resource-Guides/Protiviti.ERM_FAQGuide.pdf