
9/10/2013

CHAPTER 4
Risk Management

Definition of Risk by COSO

Risk is the possibility that an event will occur and adversely affect the achievement of an objective.

- Risk begins with strategy formulation and objective setting.
- Risk does not represent a single point estimate.
- Risks may relate to risk mitigation or to exploiting opportunities.
- Risks are inherent in all aspects of life.

Business Risks

Risks specifically associated with organizations conducting a form of business: uncertainties regarding threats to the achievement of business objectives. These extensive business risks need to be addressed through ERM.


COSO Defines ERM as

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Integrated ERM Components


- Internal environment
- Objective setting
- Event identification
- Risk assessment
- Risk response
- Control activities
- Information and communication
- Monitoring

Objective Setting

Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Objectives, with their specific RISK TOLERANCE, must be aligned with the organization's RISK APPETITE.


Internal Environment is Influenced by

Risk Management Philosophy - a set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities.

Risk Appetite - the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It is a guidepost in strategy setting.

Risk Tolerance - the acceptable levels of variation relative to the achievement of objectives. It aligns with risk appetite. Tolerance levels relate to specific outcomes.

MasterCard's Risk Appetite

The vehicle MasterCard uses to define appetite expresses risk appetite through tolerance ranges for several key performance measures:

- Revenue growth
- EPS
- Market share

Risk Appetite Measures

Quantitative risk appetite measures
- Appetite for earnings volatility

Qualitative risk appetite measures
- Appetite for business activities outside core competencies

Zero-tolerance risks
- Appetite for regulatory non-compliance (none)


Event Identification

- Economic events
- Natural environment events
- Political events
- Social events
- Technological events

Risk Assessment

Risks are assessed on both an inherent and a residual basis.

Inherent Risk (Gross Risk) is the level of risk (potential impact and corresponding likelihood) without giving consideration to the risk management activities, including the controls that are designed to manage the risk.

Residual Risk (Net Risk) is the level of risk that remains after such controls are executed.

Risk Assessment focuses on

- Impact
- Likelihood

Other criteria may include:

- Speed of onset
- Controllability
- Speed of reaction
- Interdependencies with other risks
- Monitorability
- Third-party impact


Types of Risk Response

Reduction
- Reduce risk likelihood or impact
- Implement controls

Sharing
- Transfer a portion of the risk (for example through insurance or contract)

Acceptance
- Take no action to affect likelihood or impact; the risk stays within appetite

Avoidance
- Exit or divest the risky activities
- Drop a product line
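The inherent/residual assessment above and the four response types can be tied together in a small risk-register calculator. The following Python is an added example, not code from the slides or from COSO: the 1..5 likelihood and impact scales, the control-effectiveness factors, the per-category tolerance values, the sample register entries and the rule that picks a response are all illustrative assumptions chosen to show how residual risk is compared against tolerance.

```python
"""Inherent vs. residual risk scoring with a tolerance-driven response.

Added worked example; scales, control-effectiveness factors, tolerance
values and the response rule are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Control:
    name: str
    effectiveness: float  # assumed fraction of the remaining score it removes, 0..1


@dataclass
class Risk:
    name: str
    category: str        # key into the TOLERANCE table below
    likelihood: int      # assumed 1..5 ordinal scale
    impact: int          # assumed 1..5 ordinal scale
    speed_of_onset: int  # assumed 1..5, 5 = no time to react once the event starts
    controls: List[Control] = field(default_factory=list)


# Risk appetite expressed as a per-category tolerance: the highest residual
# score management will accept. 0.0 encodes a zero-tolerance category.
# Values are assumed for the example.
TOLERANCE: Dict[str, float] = {
    "regulatory": 0.0,
    "financial": 6.0,
    "technological": 8.0,
}


def inherent_score(r: Risk) -> float:
    """Gross risk: likelihood x impact, before any control is considered."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: likelihood and impact must be on the 1..5 scale")
    return float(r.likelihood * r.impact)


def residual_score(r: Risk) -> float:
    """Net risk: each control removes its share of whatever the previous ones left."""
    remaining = 1.0
    for c in r.controls:
        if not 0.0 <= c.effectiveness <= 1.0:
            raise ValueError(f"{c.name}: effectiveness must be in 0..1")
        remaining *= 1.0 - c.effectiveness
    return inherent_score(r) * remaining


def recommend_response(r: Risk, tolerance: Dict[str, float] = TOLERANCE) -> str:
    """Map residual risk against tolerance to one of the four responses.

    Illustrative rule (an assumption, not a COSO prescription): accept within
    tolerance; zero-tolerance categories must keep reducing; avoid when the
    residual exceeds three times tolerance (controls alone are unlikely to close
    the gap); reduce when onset is too fast to react; otherwise share the excess.
    """
    residual = residual_score(r)
    limit = tolerance[r.category]
    if residual <= limit:
        return "accept"
    if limit == 0.0:
        return "reduce"
    if residual > 3 * limit:
        return "avoid"
    if r.speed_of_onset >= 4:
        return "reduce"
    return "share"


def rank_register(risks: List[Risk]) -> List[dict]:
    """Risk profile rows ordered by residual score, fastest onset first on ties."""
    by_name = {r.name: r for r in risks}
    rows = [
        {
            "name": r.name,
            "inherent": inherent_score(r),
            "residual": residual_score(r),
            "within_appetite": residual_score(r) <= TOLERANCE[r.category],
            "response": recommend_response(r),
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: (-row["residual"], -by_name[row["name"]].speed_of_onset))


# Constructed sample register for a card-payment business (not real data).
SAMPLE_REGISTER = [
    Risk("Payment platform outage", "technological", 3, 5, 5,
         [Control("active-active failover", 0.5)]),
    Risk("Cardholder data breach", "technological", 4, 5, 5,
         [Control("tokenization of PANs", 0.5)]),
    Risk("Merchant insolvency losses", "financial", 4, 3, 2,
         [Control("merchant collateral", 0.4)]),
    Risk("New product line outside core competencies", "financial", 4, 5, 2),
    Risk("PCI DSS non-compliance", "regulatory", 2, 4, 3,
         [Control("quarterly ASV scans", 0.7)]),
]

if __name__ == "__main__":
    for row in rank_register(SAMPLE_REGISTER):
        flag = "" if row["within_appetite"] else "  <-- outside appetite"
        print(f'{row["name"]:<45} inherent={row["inherent"]:>4} '
              f'residual={row["residual"]:>5.1f} response={row["response"]}{flag}')
```

Running the module prints the ranked register: the uncontrolled product line (residual 20 against a tolerance of 6) is flagged for avoidance, the data breach (10 against 8, fast onset) for reduction, the insolvency exposure (7.2 against 6, slow onset) for sharing, and the outage (7.5 against 8) is accepted. The PCI entry shows the zero-tolerance case: a residual of 2.4 is small, but any non-zero value sits outside appetite and must keep being reduced.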

Control Activities

Policies and procedures that help ensure that management's risk responses are carried out:

- Executive review
- Direct management activities
- Information processing controls
- Physical controls
- Performance indicators
- Segregation of duties

Information & Communication

Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.



Monitoring

The entirety of ERM is monitored so that modifications can be made as necessary.

Making Strategic Risk Assessment

A systematic and continual process for assessing the significant risks facing the enterprise: the risks that are most consequential to the organization's ability to

- Execute its strategy
- Achieve its business objectives
- Build and protect value

Steps for Conducting a Strategic Risk Assessment

1. Achieve a deep understanding of the strategy of the organization.
2. Gather views and data on strategic risks.
3. Prepare a preliminary Strategic Risk Profile.
4. Validate and finalize the Strategic Risk Profile.
5. Develop a Strategic Risk Management Action Plan.
6. Communicate the Strategic Risk Profile and Strategic Risk Management Action Plan.
7. Implement the Strategic Risk Management Action Plan.


How to Develop the Annual Internal Audit Plan

How can you ensure that the internal audit plan supports the overall business objectives?

- Consider adopting a well-planned audit rotation program.
- Focus on significant changes in the system.

Link the Audit Plan to Risks & Exposures

The internal audit function's audit plan should be designed based on an assessment of the risks and exposures that may affect the organization, to provide management with:

- Information to mitigate the negative consequences associated with accomplishing the organization's objectives.
- An assessment of the effectiveness of management's risk management activities.

IA Supports the ERM Journey

- Educate the board and management on the benefits of implementing ERM.
- Perform or facilitate an enterprise-wide risk assessment.
- Determine the board's and/or management's risk tolerance levels.
- Report to the audit committee on the accuracy and completeness of management's risk communications.
- Outline key procedures that management should consider if they do decide to implement ERM.


Maintain IAs Independence & Objectivity while Supporting ERM

Core IA roles in regard to ERM (assurance)

- Giving assurance on the risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks

Legitimate IA roles with safeguards (consulting)

- Facilitating the identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidating the reporting on risks
- Maintaining and developing the ERM framework
- Championing the establishment of ERM
- Developing the ERM strategy for board approval

Roles IA should NOT undertake


- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

Responsibilities of Risk Officer


- Establishing ERM policies
- Framing authority and accountability for ERM in business units
- Promoting ERM competence throughout the entity
- Guiding the integration of ERM with other business planning and management activities
- Establishing a common risk management language that includes measures around likelihood and impact, and common risk categories
- Facilitating managers' development of reporting protocols
- Reporting to the chief executive on progress and outliers, and recommending action as needed
