Enterprise Risk Management Framework

Uploaded by: 痛***  Document ID: 87041472  Upload time: 2022-05-09  Format: DOC  Pages: 29  Size: 353.50KB

Enterprise Risk Management - Integrated Framework
The Institute of Internal Auditors

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

Enterprise risk management is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management - Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Enterprise Risk Management - Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework
Entity objectives can be viewed in the context of four categories.
[Figure: the COSO ERM cube, relating the objective categories to the eight components (Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring) across the levels of the entity.]

The ERM Framework
- ERM considers activities at all levels of the organization.
- The framework requires an entity to take a portfolio view of risk.

The ERM Framework
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework
The eight components of the framework are interrelated.

Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risks strategy in the setting of objectives.
- Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities
- Separate evaluations
- A combination of the two

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's control framework.
- Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
- Expands the control framework's Financial Reporting and Risk Assessment.

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements

Internal Auditors
Visit the guidance section of The IIA's Web site for The IIA's position paper, Role of Internal Auditing in Enterprise Risk Management.

Standards
- 2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1 - When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design
- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
- Mission - To provide high-quality, accessible and affordable community-based health care.
- Strategic Objective - To be the first or second largest, full-service health care provider in mid-size metropolitan markets.
- Related Objective - To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year.

- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Example: ERM Organization
[Figure: organization chart; no text survives.]

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model
Environmental Risks:
- Capital Availability
- Regulatory, Political, and Legal
- Financial Markets and Shareholder Relations
Process Risks:
- Operations Risk
- Empowerment Risk
- Information Processing / Technology Risk
- Integrity Risk
- Financial Risk
Information for Decision Making:
- Operational Risk
- Financial Risk
- Strategic Risk
Source: Business Risk Assessment. 1998 - The Institute of Internal Auditors.

Determine Risk Appetite
- Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value.
- Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Determine Risk Appetite
Key questions:
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

Identify Risk Responses
- Quantification of risk exposure
- Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
- Residual risk (unmitigated risk - e.g. shrinkage)

Impact vs. Probability
[Figure: 2x2 matrix, impact (vertical axis) against probability (horizontal axis), reconstructed as text.]
                    Low probability          High probability
  High impact       Medium Risk - Share      High Risk - Mitigate & Control
  Low impact        Low Risk - Accept        Medium Risk - Control

Example: Call Center Risk Assessment
[Figure: the same impact vs. probability matrix, reconstructed as text.]
  High impact, low probability - Medium Risk:
  - Loss of phones
  - Loss of computers
  High impact, high probability - High Risk:
  - Credit risk
  - Customer has a long wait
  - Customer can't get through
  - Customer can't get answers
  Low impact, low probability - Low Risk:
  - Fraud
  - Lost transactions
  - Employee morale
  Low impact, high probability - Medium Risk:
  - Entry errors
  - Equipment obsolescence
  - Repeat calls for same problem

Example: Accounts Payable Process
[Table, reconstructed from the slide fragments.]
- Control Objective: Completeness
- Risk: Material transact…
- Control Activity: Accrual of open liabilities
- Issue: Invoices accrued after closing
Issue: Invoices go to field and AP is not aware of liability.

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments

- Collect and display information
- Perform analysis
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Management Oversight & Periodic Review
- Accountability for risks
- Ownership
- Updates
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

Internal auditors can add value by:
- Reviewing critical control systems and risk management processes
- Performing an effectiveness review of management's risk assessments and the internal controls
- Providing advice in the design and improvement of control systems and risk mitigation strategies

Internal auditors can add value by:
- Implementing a risk-based approach to planning and executing the internal audit process
- Ensuring that internal auditing's resources are directed at those areas most important to the organization
- Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment

Internal auditors can add value by:
- Facilitating ERM workshops
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management

For more information
On COSO's Enterprise Risk Management - Integrated Framework, visit www.coso.org or www.theiia.org.

Enterprise Risk Management - Integrated Framework
This presentation was produced by The Institute of Internal Auditors.
