Applying COSO's Enterprise Risk Management - Integrated Framework
September 29, 2004

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

ERM Defined:
"a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management - Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Enterprise Risk Management - Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance
ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes
Enterprise risk management requires an entity to take a portfolio view of risk:
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level
The eight components of the framework are interrelated.

Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's "control framework."
- Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
- Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements
- Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Standards
- 2010.A1: The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1: Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1: When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design
- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
- Mission: To provide high-quality, accessible and affordable community-based health care
- Strategic Objective: To be the first or second largest, full-service health care provider in mid-size metropolitan markets
- Related Objective: To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year

Establish ERM
- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Example: ERM Organization (organization chart)
- ERM Director / Vice President and Chief Risk Officer
  - Corporate Credit Risk Manager
  - Insurance Risk Manager
  - ERM Manager (with Staff)
  - ERM Manager (with Staff)
  - FES Commodity Risk Mg. Director

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model
- Environmental Risks: Capital Availability; Regulatory, Political, and Legal; Financial Markets and Shareholder Relations
- Process Risks: Operations Risk; Empowerment Risk; Information Processing/Technology Risk; Integrity Risk; Financial Risk
- Information for Decision Making: Operational Risk; Financial Risk; Strategic Risk
Source: Business Risk Assessment. 1998. The Institute of Internal Auditors.

Risk Management Process (diagram)
- Levels: Activity Level, Process Level, Entity Level
- Risk Assessment / Risk Analysis: Identification, Measurement, Prioritization
- Risk Monitoring
- Responses: Control It; Share or Transfer It; Diversify or Avoid It

Determine Risk Appetite
Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).
Key questions:
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)
Quantification of risk exposure. Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone (e.g. insurance)
Residual risk: unmitigated risk (e.g. shrinkage).

Identify Risk Responses
Impact vs. Probability matrix:
- High impact, high probability: High Risk - Mitigate & Control
- High impact, low probability: Medium Risk - Share
- Low impact, high probability: Medium Risk - Control
- Low impact, low probability: Low Risk - Accept

Example: Call Center Risk Assessment
Risks identified:
- Loss of phones
- Loss of computers
- Credit risk
- Customer has a long wait
- Customer can't get through
- Customer can't get answers
- Entry errors
- Equipment obsolescence
- Repeat calls for same problem
- Fraud
- Lost transactions
- Employee morale

Example: Accounts Payable Process
- Control Objective: Completeness
- Risk: Material accrual of transaction open liabilities not recorded
- Control Activity: Invoices accrued after closing
- Issue: Invoices go to field and AP is not aware of liability.

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments

Monitor
- Collect and display information
- Perform analysis:
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Management Oversight & Periodic Review
- Accountability for risks
- Ownership
- Updates:
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

Internal auditors can add value by:
- Reviewing critical control systems and risk management processes.
- Performing an effectiveness review of management's risk assessments and the internal controls.
- Providing advice in the design and improvement of control systems and risk mitigation strategies.
- Implementing a risk-based approach to planning and executing the internal audit process.
- Ensuring that internal auditing's resources are directed at those areas most important to the organization.
- Challenging the basis of management's risk assessments and evaluating the adequacy and effectiveness of risk treatment strategies.
- Facilitating ERM workshops.
- Defining risk tolerances where none have been identified, based on internal auditing's experience, judgment, and consultation with management.

For more information
This presentation was produced by