ENTERPRISE RISK MANAGEMENT (ERM)
(c) Mikhail Slobodian 2015

THE INTERNATIONAL STANDARDS FOR RISK MANAGEMENT
- ISO Guide 73:2009 “Risk Management. Vocabulary”
- ISO 31000:2009 “Principles and Guidelines on Implementation”
- ISO 31010:2009 “Risk Management. Risk Assessment Techniques”

DEFINITION OF RISK
The definition set out in ISO Guide 73 is that risk is the “effect of uncertainty on objectives”. An effect may be positive, negative or a deviation from the expected, and risk is often described by an event, a change in circumstances or a consequence. This definition links risks to objectives; it can therefore be applied most easily when the objectives of the organisation are comprehensive and fully stated. Even when fully stated, the objectives themselves need to be challenged, and the assumptions on which they are based tested, as part of the risk management process.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

INTRODUCTION TO RISK MANAGEMENT
Risk management consists of coordinated activities to direct and control an organization with regard to risk. It is an increasingly important business driver, and stakeholders have become much more concerned about risk. Risk may be a driver of strategic decisions, it may be a cause of uncertainty in the organisation, or it may simply be embedded in the activities of the organisation. An enterprise-wide approach to risk management enables an organisation to consider the potential impact of all types of risk on all processes, activities, stakeholders, products and services.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

ENTERPRISE RISK MANAGEMENT
Risk management (ISO 31000) is based on the process approach, which is also one of the main principles of quality management (ISO 9000).

INTRODUCTION TO RISK MANAGEMENT
For all types of organisations, there is a need to understand the risks being taken when seeking to achieve objectives and attain the desired level of reward. Organisations need to understand the overall level of risk embedded within their processes and activities. It is important for organisations to recognise and prioritise significant risks and identify the weakest critical controls.
When setting out to improve risk management performance, the expected benefits of the risk management initiative should be established in advance. The outputs from successful risk management include compliance, assurance and enhanced decision-making. These outputs will provide benefits by way of improvements in the efficiency of operations, effectiveness of tactics and the efficacy of the strategy of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

ENTERPRISE RISK MANAGEMENT (ERM)
Enterprise Risk Management (ERM) is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

ENTERPRISE RISK MANAGEMENT (ERM)
Enterprise risk management is:
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy-setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events affecting the entity and manage risk within its risk appetite
- Able to provide reasonable assurance to an entity’s management and board
- Geared to the achievement of objectives in one or more separate but overlapping categories; it is “a means to an end, not an end in itself.”
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

COMPONENTS OF ERM
ERM is a multidirectional, iterative process in which almost any component can and does influence another:
- Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

COMPONENTS OF ERM
- Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
- Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response – Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

COMPONENTS OF ERM
- Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

LIMITATIONS OF ERM
Limitations result from the realities that:
- human judgment in decision making can be faulty;
- decisions on responding to risk and establishing controls need to consider the relative costs and benefits;
- breakdowns can occur because of human failures such as simple errors or mistakes;
- controls can be circumvented by collusion of two or more people; and
- management has the ability to override enterprise risk management decisions.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

PRINCIPLES OF RISK MANAGEMENT
Risk management is a central part of the strategic management of any organisation. It is the process whereby organisations methodically address the risks attached to their activities. A successful risk management initiative should be proportionate to the level of risk in the organisation, aligned with other corporate activities, comprehensive in its scope, embedded into routine activities and dynamic by being responsive to changing circumstances.
The focus of risk management is the assessment of significant risks and the implementation of suitable risk responses. The objective is to achieve maximum sustainable value from all the activities of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

PRINCIPLES OF RISK MANAGEMENT
Risk management enhances the understanding of the potential upside and downside of the factors that can affect an organisation. It increases the probability of success and reduces both the probability of failure and the level of uncertainty associated with achieving the objectives of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK MANAGEMENT PRINCIPLES (ISO 31000)
Risk management creates and protects value. Risk management contributes to the demonstrable achievement of objectives and improvement of performance in, for example, human health and safety, security, legal and regulatory compliance, public acceptance, environmental protection, product quality, project management, efficiency in operations, governance and reputation.
Risk management is an integral part of all organizational processes. Risk management is not a stand-alone activity that is separate from the main activities and processes of the organization. Risk management is part of the responsibilities of management and an integral part of all organizational processes, including strategic planning and all project and change management processes.

RISK MANAGEMENT PRINCIPLES (ISO 31000)
Risk management is part of decision making. Risk management helps decision makers make informed choices, prioritize actions and distinguish among alternative courses of action.
Risk management explicitly addresses uncertainty. Risk management explicitly takes account of uncertainty, the nature of that uncertainty, and how it can be addressed.
Risk management is systematic, structured and timely. A systematic, timely and structured approach to risk management contributes to efficiency and to consistent, comparable and reliable results.

RISK MANAGEMENT PRINCIPLES (ISO 31000)
Risk management is based on the best available information. The inputs to the process of managing risk are based on information sources such as historical data, experience, stakeholder feedback, observation, forecasts and expert judgement. However, decision makers should inform themselves of, and should take into account, any limitations of the data or modelling used or the possibility of divergence among experts.
Risk management is tailored. Risk management is aligned with the organization's external and internal context and risk profile.
Risk management takes human and cultural factors into account. Risk management recognizes the capabilities, perceptions and intentions of external and internal people that can facilitate or hinder achievement of the organization's objectives.

RISK MANAGEMENT PRINCIPLES (ISO 31000)
Risk management is transparent and inclusive. Appropriate and timely involvement of stakeholders and, in particular, decision makers at all levels of the organization, ensures that risk management remains relevant and up-to-date. Involvement also allows stakeholders to be properly represented and to have their views taken into account in determining risk criteria.
Risk management is dynamic, iterative and responsive to change. Risk management continually senses and responds to change. As external and internal events occur, context and knowledge change, monitoring and review of risks take place, new risks emerge, some change, and others disappear.
Risk management facilitates continual improvement of the organization. Organizations should develop and implement strategies to improve their risk management maturity alongside all other aspects of their organization.

THE FIVE BROAD CATEGORIES OF ASSETS REPRESENTING SOURCES OF VALUE
[Figure on the original slide; not reproduced in the text]
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

CATEGORIES OF POTENTIAL FUTURE EVENTS THAT MIGHT BE CONSIDERED DURING A RISK ASSESSMENT
[Figure on the original slide; not reproduced in the text]
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

THE VALUE PROPOSITION OF ERM
[Figure on the original slide; not reproduced in the text]
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

RELATIONSHIPS BETWEEN THE RISK MANAGEMENT PRINCIPLES, FRAMEWORK AND PROCESS (ISO 31000)
[Figure on the original slide; not reproduced in the text]

NATURE AND IMPACT OF RISK
Risks can impact an organisation in the short, medium and long term. These risks are related to operations, tactics and strategy, respectively. Strategy sets out the long-term aims of the organisation, and the strategic planning horizon for an organisation will typically be 3, 5 or more years. Tactics define how an organisation intends to achieve change. Therefore, tactical risks are typically associated with projects, mergers, acquisitions and product developments. Operations are the routine activities of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK APPETITE
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, medium or low, while others take a quantitative approach, reflecting and balancing goals for growth, return and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

RISK TOLERANCE
Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

RISK APPETITE & RISK TOLERANCE OF AN ORGANIZATION
Risk appetite is strategic. The organization’s business model provides an important context for assessing risk appetite by clarifying the activities the entity undertakes, who its customers are, what its products are, and how and in which markets it conducts business. A thorough understanding of an organization’s business objectives, strategy and operations is very useful when articulating the risks it chooses to accept and the risks it chooses to avoid as it creates value. As the enterprise executes its strategy, it creates and increases its exposure to uncertainty. Therefore, business objectives and strategies provide the context for understanding the risks the enterprise chooses to undertake. Risk appetite also can set boundaries around opportunity-seeking behavior, which impacts the entity’s objectives and strategies.

Risk appetite relates primarily to the business model whereas risk tolerance relates primarily to the entity’s objectives. An organization’s risk appetite reflects both its capacity to bear risk as well as a broader understanding of the level of risk that it can safely assume and successfully manage for an extended period of time. Risk appetite is the extent to which an organization exposes its capital and sources of value to the exploitation of strategic opportunities and retention of performance variability and loss exposure.

Every organization has a risk appetite whether it acknowledges it explicitly or not. Risk appetite is expressed through an entity’s actions or inactions. It represents executive management’s “view of the world,” which drives their strategic choices. It is inherent in the organization’s strategy and in the execution of that strategy, in the form of both risks taken and risks avoided. Management considers risk appetite when defining objectives, formulating strategy, allocating resources, setting risk tolerances and developing risk management capabilities. The board considers risk appetite when it approves management actions. If articulated explicitly, risk appetite provides overall direction for risk management and is grounded during the objective-setting process.

While risk appetite is strategic, risk tolerance is tactical. Risk tolerance is defined within the context of the related objective using the metrics in place to measure performance against that objective. Risk tolerances set the boundaries of performance variability. Once tolerances are set, performance measures are monitored to ensure that performance is managed within those boundaries. Thus risk tolerances are used to ensure that performance variability is reduced to an acceptable level.

Risk tolerance may be reflected differently for different types of objectives, including objectives relating to earnings variability, interest rate exposure, compliance with laws and regulations and the acquisition, development and retention of people. Risk tolerance related to all of these objectives is expressed differently. In effect, risk tolerances address the question, “How much variability are we willing to accept as we pursue a given business objective?” Guidance on this question is important as it helps managers assess their exposure in terms of the downside risks they are empowered to accept as they seek upside performance. As managers pursue opportunities for growth and new sources of profitability, risk tolerances and limits are an effective tool for countering pressures on them to succeed and produce results.
Source: Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

RISK ARCHITECTURE, STRATEGY AND PROTOCOLS
[Figure on the original slide; not reproduced in the text]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK MANAGEMENT PROCESS
The risk management process can be presented as a list of coordinated activities. There are alternative descriptions of this process, but the components listed below are usually present:
- ranking or evaluation of risks
- responding to significant risks:
  - tolerate
  - treat
  - transfer
  - terminate
- resourcing controls
- reaction planning
- reporting and monitoring risk performance
- reviewing the risk management framework

Recognition and ranking of risks together form the risk assessment activity. ISO 31000 uses the phrase ‘risk treatment’ to include all of the 4Ts included under the heading ‘risk response’. The scope of risk responses available for hazard risks includes the options of tolerate, treat, transfer or terminate the risk or the activity that gives rise to the risk. For many risks, these responses may be applied in combination. For opportunity risks, the range of available options also includes exploiting the risk. Reaction planning includes business continuity planning and disaster recovery planning.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

FRAMEWORK FOR MANAGING RISK
ISO 31000 describes the components of a risk management implementation framework. It includes the essential steps in the implementation and ongoing support of the risk management process. The initial component of the ISO 31000 framework is “mandate and commitment” by the Board, and this is followed by:
- design of framework
- implement risk management
- monitor and review framework
- improve framework

ISO 31000 describes a framework for implementing risk management, rather than a framework for supporting the risk management process. An organisation will describe its framework for supporting risk management by way of the risk architecture, strategy and protocols for the organisation. The risk strategy should set out the objectives that risk management activities in the organisation are seeking to achieve. Finally, the risk protocols describe the procedures by which the strategy will be implemented and risks managed.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

FRAMEWORK FOR MANAGING RISK BASED ON ISO 31000
[Figure on the original slide; not reproduced in the text]

RISK MANAGEMENT PROCESS BASED ON ISO 31000
[Figure on the original slide; not reproduced in the text]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK ASSESSMENT
Risk identification establishes the exposure of the organisation to risk and uncertainty. This requires an intimate knowledge of the organisation, the market in which it operates, the legal, social, political and cultural environment in which it exists, as well as an understanding of strategic and operational objectives. This will include knowledge of the factors critical to success and the threats and opportunities related to the achievement of objectives. It should be approached in a methodical way to ensure that all value-adding activities within the organisation have been evaluated and all the risks flowing from these activities defined.

The result of the risk analysis can be used to produce a risk profile that gives a rating of significance to each risk and provides a tool for prioritising risk treatment efforts. This ranks the relative importance of each identified risk. This process allows the risks to be mapped to the business area affected, describes the primary control mechanisms in place and indicates where the level of investment in controls might be increased, decreased or reapportioned.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK ASSESSMENT TECHNIQUES
[Two figure-only slides in the original; not reproduced in the text]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK CLASSIFICATION SYSTEMS
An important part of analysing a risk is to determine the nature, source or type of impact of the risk. Evaluation of risks in this way may be enhanced by the use of a risk classification system. Risk classification systems are important because they enable an organisation to identify accumulations of similar risks. A risk classification system will also enable an organisation to identify which strategies, tactics and operations are most vulnerable.

Risk classification systems are usually based on the division of risks into those related to financial control, operational efficiency, reputational exposure and commercial activities. However, there is no risk classification system that is universally applicable to all types of organisations. This may be especially true for organisations operating in the public sector and those involved in the delivery of services to the public. There are many risk classification systems available and the one selected will depend on the size, nature and complexity of the organisation. ISO 31000 does not recommend a specific risk classification system and each organisation will need to develop the system most appropriate to the range of risks that it faces.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

DETAILED RISK DESCRIPTION
Risk assessment involves the identification of risks followed by their evaluation or ranking. It is important to have a template for recording appropriate information about each risk. The objective of a template is to enable the information to be recorded in a table, risk register, spreadsheet or a computer-based system. Although a simple description of a risk is sometimes sufficient, there are circumstances where a detailed risk description may be required in order to facilitate a comprehensive risk assessment process.

The consequences of a risk materialising may be negative (hazard risks), positive (opportunity risks) or may result in greater uncertainty. Organisations need to establish appropriate definitions for the different levels of likelihood and consequences associated with these different risks. Risk ranking can be quantitative, semi-quantitative or qualitative in terms of the likelihood of occurrence and the possible consequences or impact. Organisations will need to define their own measures of likelihood of occurrence and consequences.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

DETAILED RISK DESCRIPTION
[Three figure-only slides in the original, presenting the risk description template; not reproduced in the text]
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

RISK TREATMENT
Risk treatment is presented in ISO 31000 as the activity of selecting and implementing appropriate control measures to modify the risk. Risk treatment includes, as its major element, risk control (or mitigation), but extends further to, for example, risk avoidance, risk transfer and risk financing. Any system of risk treatment should provide efficient and effective internal controls. Effectiveness of internal control is the degree to which the risk will either be eliminated or reduced by the proposed control measures. The cost-effectiveness of internal control relates to the cost of implementing the control compared to the risk reduction benefits achieved.

Compliance with laws and regulations is not optional. An organisation must understand the applicable laws and must implement a system of controls that achieves compliance. One method of obtaining financial protection against the impact of risks is risk financing, including insurance. However, it should be recognised that some losses or elements of a loss may be uninsurable, such as uninsured costs and damage to employee morale and the reputation of the organisation.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf
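As an added example (not from the FERMA or Protiviti guides, and not the slide author's), the following Python scores a small risk register the way the risk assessment, classification and risk treatment sections describe: likelihood and consequence on organisation-defined scales, inherent versus residual ratings, ranking into a risk profile, accumulation of similar risks by classification, and a cost-effectiveness check of each control. The scales, significance bands, register entries, loss figures and the benefit model are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Assumed semi-quantitative scales: the guides only require that an organisation
# define its own likelihood and consequence measures and apply them consistently.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RESPONSES = {"tolerate", "treat", "transfer", "terminate"}  # the 4Ts


def band(score: int) -> str:
    """Assumed significance bands over the likelihood x consequence product (1..25)."""
    return "high" if score >= 15 else "medium" if score >= 8 else "low"


@dataclass
class Control:
    name: str
    annual_cost: float        # cost of implementing and running the control
    residual_likelihood: str  # rating with this control in place
    residual_consequence: str


@dataclass
class Risk:
    ref: str
    description: str
    classification: str       # financial, operational, reputational or commercial
    likelihood: str           # inherent rating, i.e. before controls
    consequence: str
    expected_loss: float      # assumed annualised loss if the risk is left untreated
    response: str             # one of the 4Ts
    controls: list[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.response not in RESPONSES:
            raise ValueError(f"{self.ref}: response must be one of the 4Ts")

    def inherent_score(self) -> int:
        return LIKELIHOOD[self.likelihood] * CONSEQUENCE[self.consequence]

    def residual_score(self) -> int:
        """Rating after controls; with no controls, residual equals inherent."""
        scores = [LIKELIHOOD[c.residual_likelihood] * CONSEQUENCE[c.residual_consequence]
                  for c in self.controls]
        return min(scores, default=self.inherent_score())


def control_cost_effective(risk: Risk, control: Control) -> bool:
    """Assumed model: benefit = expected loss x fractional score reduction; the
    control is cost-effective when that benefit exceeds its annual cost."""
    residual = LIKELIHOOD[control.residual_likelihood] * CONSEQUENCE[control.residual_consequence]
    reduction = 1 - residual / risk.inherent_score()
    return risk.expected_loss * reduction > control.annual_cost


def risk_profile(register: list[Risk]) -> list[tuple[str, int, int, str]]:
    """Rank the register by residual score (then inherent) into a risk profile."""
    ranked = sorted(register, key=lambda r: (r.residual_score(), r.inherent_score()), reverse=True)
    return [(r.ref, r.inherent_score(), r.residual_score(), band(r.residual_score())) for r in ranked]


def accumulations(register: list[Risk]) -> dict[str, int]:
    """Sum residual scores per classification to expose accumulations of similar risks."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.classification] = totals.get(r.classification, 0) + r.residual_score()
    return totals


# Constructed register entries (illustrative, not taken from either guide).
REGISTER = [
    Risk("R1", "Ransomware halts order processing", "operational", "possible", "severe", 2_000_000, "treat",
         [Control("Offline backups with tested restore", 120_000, "possible", "moderate"),
          Control("Endpoint detection and response", 300_000, "unlikely", "major")]),
    Risk("R2", "Key supplier insolvency", "commercial", "unlikely", "major", 500_000, "transfer",
         [Control("Trade credit insurance", 300_000, "unlikely", "minor")]),
    Risk("R3", "Data protection fine after a breach", "reputational", "possible", "major", 800_000, "treat",
         [Control("Access reviews and encryption at rest", 150_000, "unlikely", "moderate")]),
    Risk("R4", "FX exposure on overseas revenue", "financial", "likely", "moderate", 300_000, "tolerate"),
]

if __name__ == "__main__":
    for ref, inherent, residual, level in risk_profile(REGISTER):
        print(f"{ref}: inherent={inherent:2d} residual={residual:2d} -> {level}")
    print(accumulations(REGISTER))
    for risk in REGISTER:
        for control in risk.controls:
            print(risk.ref, control.name, "cost-effective" if control_cost_effective(risk, control) else "not cost-effective")
```

Note that R4 ranks first on a residual basis despite a lower inherent score than R1, which is the point of assessing both: the profile shows where investment in controls might be increased (R4) or is already doing its work (R1).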

FEEDBACK MECHANISMS
ISO 31000 recognises the importance of feedback by way of two mechanisms: monitoring and review of performance, and communication and consultation. Monitoring and review ensure that the organisation monitors risk performance and learns from experience. Communication and consultation is presented in ISO 31000 as part of the risk management process, but it may also be considered part of the supporting framework. Reporting and disclosure are only very briefly mentioned in ISO 31000 and are not included in the process. Also, the monitoring and review feedback activities set out in ISO 31000 do not explicitly mention the tasks of monitoring risk performance and reviewing the risk management framework.
Source: A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

52 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf Risk management and internal control objectives (governance) Statement of the attitude of the organisation to risk (risk strategy) Description of the risk aware culture or control environment Level and nature of risk that is acceptable (risk appetite) Risk management organisation and arrangements (risk architecture) Details of procedures for risk recognition and ranking (risk assessment) List of documentation for analysing and reporting risk (risk protocols) Risk mitigation requirements and control mechanisms (risk response) SECTIONS OF A RISK MANAGEMENT POLICY 52 (c) Mikhail Slobodian 2015

53 SECTIONS OF A RISK MANAGEMENT POLICY (continued)

- Allocation of risk management roles and responsibilities
- Risk management training topics and priorities
- Criteria for monitoring and benchmarking of risks
- Allocation of appropriate resources to risk management
- Risk activities and risk priorities for the coming year

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

54 RISK ARCHITECTURE OF A LARGE PUBLIC LIMITED COMPANY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

55 A BASELINE OVERSIGHT STRUCTURE

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

56 ROLES AND RESPONSIBILITIES

Everyone in an entity has some responsibility for enterprise risk management. The Board of Directors provides an oversight role, with emphasis on understanding the priority risks, approving risk management policies for critical risks and determining that risk responses for those risks are effective. This oversight activity may also be carried out by the audit committee, by a risk management committee (if there is one) and by other committees (such as the finance committee).

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

57 ROLES AND RESPONSIBILITIES

The Chief Executive Officer (CEO) is the “comprehensive risk executive.” He/she is ultimately responsible for ERM priorities, strategies and policies, and acts as the final enforcer on such matters as aligning objectives, strategies and risk appetite, eliminating gaps and overlaps in risk management responsibilities and authorities, and resolving significant internal conflicts. The Risk Management Executive Committee and other risk management oversight structure components are designed to support the CEO’s delegation of these responsibilities. The CEO also ensures the ERM implementation is applied in strategy-setting.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

58 ROLES AND RESPONSIBILITIES

The Risk Management Executive Committee (RMEC) coordinates decision-making. For example, it recommends risk tolerances and profiles to the CEO and board in the context of the enterprise’s business strategy. It evaluates risk measurement methodologies. It establishes capital allocation frameworks. It develops enterprisewide and specific risk policies and limit structures. It assigns owners of significant risks. It evaluates the effectiveness of the infrastructure in place for managing specific risks and ensures that necessary improvements are made to close any gaps.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

59 ROLES AND RESPONSIBILITIES

The Chief Risk Officer (CRO) is a member of the RMEC and reports either to the CEO or to a ranking senior executive. The CRO oversees the business risk management function (see below) and is a key champion of ERM. The CRO may also have authority for managing selected risks on an enterprisewide basis. He or she should chair the RMEC and have a reporting relationship to the board. The CRO should also facilitate the integration of risk assessment and management into the normal, ongoing strategic and business planning processes of the organization.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

60 ROLES AND RESPONSIBILITIES

To bring the top of the organization and its business units and their activities together, a Business Risk Management Function (BRMF) provides “enabling frameworks.” These tools are the common language that facilitates the collection, analysis and synthesis of data and reporting of exposures and results of the process on an aggregate enterprisewide basis. The BRMF usually reports to a senior executive (i.e., a CRO) and/or the RMEC. Its charter is typically defined by the designated senior executive and/or RMEC and is approved by the organization’s executive committee.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

61 ROLES AND RESPONSIBILITIES

Reporting to the RMEC (or to the CRO), the Program Management function provides the oversight necessary to ensure effective integration and coordination of multiple projects conducted over the ERM journey life cycle. For relatively simple ERM solutions, this function will be unnecessary. For more complex solutions, ERM may be achieved in stages over time in the form of multiple, related projects. In such instances, a program management discipline may be needed.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

62 ROLES AND RESPONSIBILITIES

Business Units are the line operations of the enterprise with specific objectives, strategies, markets, customers and products. Successful business units know their competition, their customers, their opportunities and their risks. They manage and monitor operations to generate revenues, satisfy customers, increase quality, compress cycle time and reduce costs. They offer products and services to targeted market segments at a price sufficient to cover the related costs and risks and generate acceptable risk-adjusted returns for shareholders. They report their activities to the CEO and executive committee.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

63 DRIVERS OF RISK MANAGEMENT

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

64 RISK MANAGEMENT CHECKLIST: Risk architecture

- Statement produced that sets out risk responsibilities and lists the risk-based matters reserved for the Board
- Risk management responsibilities allocated to an appropriate management committee
- Arrangements are in place to ensure the availability of appropriate competent advice on risks and controls
- Risk aware culture exists within the organisation and actions are in hand to enhance the level of risk maturity
- Sources of risk assurance for the Board have been identified and validated

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

65 RISK MANAGEMENT CHECKLIST: Risk strategy

- Risk management policy produced that describes risk appetite, risk culture and philosophy
- Key dependencies for success identified, together with the matters that should be avoided
- Business objectives validated and the assumptions underpinning those objectives tested
- Significant risks faced by the organisation identified, together with the critical controls required
- Risk management action plan established that includes the use of key risk indicators, as appropriate
- Necessary resources identified and provided to support the risk management activities

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

66 RISK MANAGEMENT CHECKLIST: Risk protocols

- Appropriate risk management framework identified and adopted, with modifications as appropriate
- Suitable and sufficient risk assessments completed and the results recorded in an appropriate manner
- Procedures to include risk as part of business decision-making established and implemented
- Details of required risk responses recorded, together with arrangements to track risk improvement recommendations
- Incident reporting procedures established to facilitate identification of risk trends, together with risk escalation procedures
- Business continuity plans and disaster recovery plans established and regularly tested

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

67 RISK MANAGEMENT CHECKLIST (continued)

- Arrangements in place to audit the efficiency and effectiveness of the controls in place for significant risks
- Arrangements in place for mandatory reporting on risk, including reports on at least the following:
  - Risk appetite, tolerance and constraints
  - Risk architecture and risk escalation procedures
  - Risk aware culture currently in place
  - Risk assessment arrangements and protocols
  - Significant risks and key risk indicators
  - Critical controls and control weaknesses
  - Sources of assurance available to the Board

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

68 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Reduce unacceptable performance variability: ERM assists management with evaluating the likelihood and impact of major events and developing responses to either prevent those events from occurring or manage their impact on the entity if they do occur. Most companies focus on traditional risks that have been known for some time. Few companies have a systematic process for anticipating new and emerging risks. Therefore, many companies often learn of critical risks too late or by accident, spawning the “fire fighting” and crisis management which drains resources and creates new vulnerabilities.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

69 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

The strategic lens of ERM broadens the traditional risk management focus on low-probability and catastrophic risks to a more expansive view on reducing the risk of erosion of critical sources of enterprise value. ERM assists management with improving the consistency of operating performance by increasing the emphasis on reducing earnings volatility, avoiding earnings-related surprises, and managing key performance indicator (KPI) shortfalls. ERM improves the management of increasing risk mitigation costs and the success rate of achieving business objectives.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

70 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Align and integrate varying views of risk management: There are many silos within organizations with a point of view on managing risk, e.g., treasury, insurable risk, environment, health and safety, IT, and within business units. Silo mentality inhibits efficient allocation of resources and management of common risks, enterprisewide. When there are multiple functions managing multiple risks, there is a need for a common framework. For example, some organizations are:

- Assessing the need for a chief risk officer (CRO), including that individual’s role, authority and reporting lines
- Integrating risk management into critical management activities, e.g., strategy-setting, business planning, capital expenditure and M&A due diligence and integration processes

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

71 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM (continued)

- Linking risk management to more efficient capital allocation and risk transfer decisions
- Increasing transparency by developing quantitative and qualitative measures of risks and risk management performance
- Aggregating common risk exposures across multiple business units with the objective of understanding the greatest threats to enterprise value and formulating an integrated risk response

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

72 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Build confidence of investment community and stakeholders: As institutional investors, rating agencies and regulators talk more about the importance of risk management in their assessments of companies, management may be requested to disclose and comment on the organization’s capabilities for understanding and managing risk, to enable stakeholders to make informed assessments as to whether returns are adequate in relation to the risks undertaken. As companies increase the transparency of their risks and risk management capabilities, and improve the maturity of their capabilities around managing critical risks, management will be able to articulate more effectively how well they are handling existing and emerging industry issues.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

73 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Enhance corporate governance: ERM and corporate governance are inextricably linked. Each augments the other. ERM strengthens board oversight, forces an assessment of existing senior management-level oversight structures, clarifies risk management roles and responsibilities, sets risk management authorities and boundaries, and effectively communicates risk responses in support of key business objectives. All of these activities are germane to good governance. By the same token, effective governance sets the tone for:

- understanding risks and risk management capabilities
- aligning risk appetite with the entity’s opportunity-seeking behavior

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

74 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Successfully respond to a changing business environment: As the business environment continues to change and the pace of change accelerates, organizations must become better at identifying, prioritizing and planning for risk. ERM assists management with evaluating the assumptions underlying the existing business model, the effectiveness of the strategies around executing that model, and the information available for decision-making. ERM drives management to identify alternative future scenarios, evaluate the likelihood and severity of those scenarios, identify priority risks and improve the organization’s capabilities around managing those risks. As the environment changes, new risks emerge and are escalated in a timely manner for action and possible disclosure. These activities impact resource allocation for the organization as a whole.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

75 THE FUNDAMENTAL REASONS FOR IMPLEMENTING ERM

Align strategy and corporate culture: ERM helps management create risk awareness and an open, positive culture with respect to risk and risk management. In such an environment, individuals can raise issues without fear of retribution. With respect to matters of enterprisewide importance, ERM often centralizes policy-setting and creates focus, discipline and control. It clarifies the distinction between risk-taking and risk-avoidance behaviors, improves tools for quantifying risk exposures, increases accountability for managing risks across the enterprise and facilitates timely identification of changes in an entity’s risk profile. ERM encourages balance in both the entrepreneurial activities and control activities of the organization, so that neither one is disproportionately strong relative to the other.

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

76 ERM IMPLEMENTATION SUMMARY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

77 ERM IMPLEMENTATION SUMMARY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

78 ERM IMPLEMENTATION SUMMARY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

79 ERM IMPLEMENTATION SUMMARY

A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000 // www.ferma.eu/app/uploads/2011/10/a-structured-approach-to-erm.pdf

80 IMPLEMENTATION OF ERM

Guide to Enterprise Risk Management. FAQ // http://www.protiviti.com/en-US/Documents/Resource-Guides/ProtivitiERM_FAQGuide.pdf

1092-03_-_enterprise_risk_management.ppt
- Number of slides: 80