ก ก Tools and Techniques for Enterprise Risk Management (ERM) COSO ERM ISO ERM 31 2554 10:45 12:15.. 301, 302, 307 ก ก
COSO Internal Control ERM Integrated Framework Application Technique ISO 31000 Guide 73 ( Terminology ) ISO 31000 - Principle and Guideline -Principle -Framework -Process ISO 31010 - Risk Assessment Technique ERM Framework Comparison Conclusion
History of COSO s ERM Financial Collapse Financial Frauds Poor Internal/ External Audit Sponsored by The American Institute of Certified Public Accountants The Institute of Internal Auditors The Financial Executive Institute The American Accounting Association The Institute of Management Accountants The Committee of Sponsoring Organization of the Treadway Commission The Treadway Commission Report The Internal Control-Integrated Framework The Enterprise Risk Management - Integrated Framework Co with Price/ Waterhouse
COSO VS. ISO 31000 COSO ISO 31000 Internal Control 1992 Guide 73 2002 ERM Integrated Framework 1994 ISO 31000 2009 Application Technique 2004 ISO 31010 2010 COSO Internal Control Framework Operations Compliances Monitoring Information & Communications Control Activities Financial Reporting Risk Assessment Control Environment Entities or Activities
From COSO Internal Control to ERM Framework COSO ERM Framework Risk Management Objectives Strategic Operations Reporting Compliance Risk Components Entity & Unit Level Component
COSO Definition of Risk Riskis the possibility that an event will occur and adversely affect the achievement of objectives. Opportunityis the possibility that an event will occur and positively affect the achievement of objectives. COSO Definition of ERM A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Designed to identify potential events affecting the entity and manage risk within its risk appetite Able to provide reasonable assurance to an entity s management and board Geared to the achievement of objectives in one or more separate but overlapping categories it is a means to an end, not an end in itself
COSO Definition of ERM Value is maximized when management sets strategy and objectives to strike an optimal balance between COSO ERM Encompasses Aligning risk appetite and strategy Enhancing risk response decisions Reducing operational surprises and losses Identifying and managing cross-enterprise risks Providing integrated responses to multiple risks Seizing opportunities
COSO Achievement of Objectives COSO enterprise risk management framework is geared to achieving an entity s objectives in four categories: Strategic high-level goals, aligned with and supporting its mission Operations effective and efficient use of its resources Reporting reliability of reporting Compliance compliance with applicable laws and regulations. COSO Components of ERM Internal Environment The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity s mission and are consistent with its risk appetite. Event Identification Internal and external events affecting achievement of an entity s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management s strategy or objective-setting processes.
COSO Components of ERM Risk Assessment Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Risk Response Management selects risk responses avoiding, accepting, reducing, or sharing risk developing a set of actions to align risks with the entity s risk tolerances and risk appetite. Control Activities Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Monitoring The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Event Identification Event Categories External Factors Internal Factors
Event Identification Event Categories External Factors Internal Factors COSO Approach to Identify Risk Events SWOT Analysis Scenario Analysis Using Technology Value Chain Analysis
Risk Assessment Techniques Risk Assessment Analysis Chart Significant 9 8 7 6 5 4 3 2 1 R-6 R-1 R-4 I III R-3 R-2 R-5 II IV 1 2 3 4 5 6 7 8 9 Likelihood
Risk Appetite Map Impact Low Medium High Within Risk Appetite Exceeding Risk Appetite Low Medium High Likelihood Risk Response and Control Risk Response Risk Control
Key Points in COSO ERM Comments on COSO 1/ 1. The COSO process starts with the internal environment, not the external ones and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities. 2. Stakeholders, particularly external ones, are not mentioned and stakeholders objectives and their influence on decisions about the significance of levels and types of risk are omitted. 3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks. 4. COSO measures risk in terms of the probability of an event and its typical consequences. However, we will not always get the typical consequences every time an event occurs.
Comments on COSO 2/ 5. Throughout the document, the term risk likelihood is used, but risk does not have a likelihood. Likelihood is one of the attributes used to measure the level of risk. 6. While there are some concessions to what are called opportunities, in COSO ERM risks are mostly about losses and risk treatment (response) is about reducing the likelihood and severity of losses. The COSO document is not mature enough to explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial. 7. The COSO is the whole thinking about risk responses, control activities and monitoring most confusing and confused and most people who read and try to use the code do as well. 8. The problems with the concept of inherent risk are well-known and the COSO document does not explain why you need to use this artificial, theoretical state where no controls exist, to justify tolerating the present level of risk or doing something more to modify it. Comments on COSO 3/ 9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods. 10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitor and review. Grant Purdy
6. ISO 31010 November,2009
Risk Effect of uncertainty on objectives Event Consequence Likelihood Uncertainty Probability Frequency Level of risk Risk source Hazard Vulnerability Risk management coordinated activities to direct and control and organization with regard to risk Risk management policy External context Internal context Risk profile Risk management framework Risk management plan Risk appetite Risk attitude Risk owner Risk management audit Exposure Resilience Risk evaluation process of comparing the results of analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of risk management process) Risk criteria Risk tolerance Risk aversion Risk matrix Risk aggregation Stakeholder those people and organizations who can affect, be affected, or perceive themselves to be affected by a decision or activity Communication and Consultation Risk perception Risk reporting Risk management process systematic application of management policies,procedures and practices to the tasks of communicating, consultation,establishing the context,identifying, analyzing, evaluating, treating, monitoring and reviewing risk Risk assessment Risk identification Risk analyzing Monitoring Review Risk register Risk treatment process of developing, selecting, and implementing measures to modify risk ( part of risk management process ) Control Risk sharing Risk financing Risk retention Risk acceptance Risk avoidance Residual risk Risk mitigation COSO ISO 31000 Riskis the possibility that an event will occur and adversely affect the achievement of objectives. Risk is Effect of uncertainty on objectives. ISO 31000 Targe t COSO
Principle Framework Process Creates and protects value Integral part of organizational processes Part of decision making Explicitly addresses uncertainty Systematic, structured and timely. Based on the best available information. Tailored Takes human & cultural factors into account Transparent & inclusive Dynamic, iterative & responsive to change Facilitates continual improvement & enhancement of the organization
Mandate & Commitment Design of Framework for Managing Risk Continual Improvement of Framework Implement Risk Management Monitor & Review of the Framework Communication and consultation Establish the context Risk assessment Risk identification Risk analysis Monitoring and Review Risk evaluation Risk treatment
Commit & mandate Policy statement Risk management plan Assurance plan Standards Procedures/Guidelines Strategic process Tactical process Communicate & train Communication and Reporting plan Training strategy RM Network Strategic process Strategic process Measure & review Control assurance RM plan progress Governance reporting Benchmarking Performance criteria RM information system Risk registers Treatment plan Assurance plan Reporting template Strategic process Allocate & organize Risk & audit committee Exec RM committee RM working group Manager, RM RM champion Risk & control owners Principal benefits of risk assessment technique include Understanding the risk and its potential impact upon objectives Providing information for decision makers Contributing to the understanding of risks, in order to assistin selection of treatment options Identifying the important contributors to risks and weak linksin systems and organizations Comparing of risks in alternative systems, technologies or approaches Communicating risks and uncertainties Assisting with establishing priorities Contributing towards incident prevention based upon post-incident investigation Selecting different forms of risk treatment Meeting regulatory requirements Providing information that will help evaluate whether the riskshould be accepted when compared with pre-defined criteria Assessing risks for end-of-life disposal.
Risk identification; Risk analysis consequence analysis; Risk analysis qualitative, semi-quantitative or quantitative probability estimation; Risk analysis assessing the effectiveness of any existing controls; Risk analysis estimation the level of risk; Risk evaluation. Applicability of Tools Used for Risk Assessment
Applicability of Tools Used for Risk Assessment How to Select Risk Assessment Technique Complexity of the problem and the methods needed to analyze it The nature and degree of uncertainty of the risk assessment based on the amount of information available and what is required to satisfy objectives, The extent of resources required in terms of time and level of expertise, data needs or cost, Whether the method can provide a quantitative output.
What makes ISO 31000 Different from COSO Criteria and Associated Measures in ISO 31000 First, the Risk Management Framework must be continually improved using the well known quality improvement cycle of Design, Implement, Monitor and Review, and Improve, also know as Plan-Do-Check-Act cycle. Second, the framework must be comprehensive with accountability for all risks - everyone in the organization will be able to tell,what risks they own, what controls they are responsible for, and the current status of those controls, trends and current status of the risks, and the expected effects on the objectives concerned. Third, all decision making in the organization has explicit consideration of risk, as evidenced by documentation of decisions. This expectation of evidence is embedded in the framework. Fourth, continuous communications and reporting that is highly visible covers internal and external stakeholders as appropriate and talks about performance indicators for risk management is part of the framework. Fifth, risk management is a core element of the organization s management processes including governance. Risk management is regarded as essential by the organization s culture.
Comparison between COSO and ISO 31000 * Dr. Roland Franz Erben Risk Management Standards * Both standards exclude business continuity/crisis management but ISO mentions this topic in ISO22399 COSO or ISO 31000,Which One is Suitable for You?
Design Your Tailored-made ERM Framework Mandate & Commitment May be better? Design of Framework for managing Risk Strategic Finance Marketing Operation Implement Risk Management Risk Effect of uncertainty on objectives Continual Improvement of Framework ISO 31000 Terminology, Principle and ISO 22399 Monitor & Review of the Framework Nattapol_chavalit@hotmail.com