Tools and Techniques for Enterprise Risk Management (ERM)


Tools and Techniques for Enterprise Risk Management (ERM): COSO ERM and ISO ERM. 31 2554, 10:45-12:15, Rooms 301, 302, 307

Agenda
- COSO Internal Control
- ERM Integrated Framework
- Application Technique
- ISO 31000 Guide 73 (Terminology)
- ISO 31000 - Principle and Guideline: Principle, Framework, Process
- ISO 31010 - Risk Assessment Technique
- ERM Framework Comparison
- Conclusion

History of COSO's ERM
Background: financial collapse, financial frauds, poor internal/external audit.
Sponsored by:
- The American Institute of Certified Public Accountants
- The Institute of Internal Auditors
- The Financial Executive Institute
- The American Accounting Association
- The Institute of Management Accountants
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) produced, in turn, the Treadway Commission Report, the Internal Control - Integrated Framework, and the Enterprise Risk Management - Integrated Framework (developed with Price/Waterhouse).

COSO vs. ISO 31000

COSO                                ISO 31000
Internal Control, 1992              Guide 73, 2002
ERM Integrated Framework, 1994      ISO 31000, 2009
Application Technique, 2004         ISO 31010, 2010

[Figure: COSO Internal Control Framework cube. Objective categories: Operations, Compliance, Financial Reporting. Components: Monitoring, Information & Communications, Control Activities, Risk Assessment, Control Environment. Third dimension: Entities or Activities.]

From COSO Internal Control to ERM Framework
[Figure: COSO ERM Framework cube. Risk management objectives: Strategic, Operations, Reporting, Compliance. Risk components, shown at entity and unit level.]

COSO Definition of Risk
Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

COSO Definition of ERM
- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events affecting the entity and manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board
- Geared to the achievement of objectives in one or more separate but overlapping categories; it is a means to an end, not an end in itself

COSO Definition of ERM
Value is maximized when management sets strategy and objectives to strike an optimal balance between

COSO ERM encompasses:
- Aligning risk appetite and strategy
- Enhancing risk response decisions
- Reducing operational surprises and losses
- Identifying and managing cross-enterprise risks
- Providing integrated responses to multiple risks
- Seizing opportunities

COSO Achievement of Objectives
The COSO enterprise risk management framework is geared to achieving an entity's objectives in four categories:
- Strategic: high-level goals, aligned with and supporting its mission
- Operations: effective and efficient use of its resources
- Reporting: reliability of reporting
- Compliance: compliance with applicable laws and regulations

COSO Components of ERM
Internal Environment: The internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
Objective Setting: Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
Event Identification: Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.

COSO Components of ERM (continued)
Risk Assessment: Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
Risk Response: Management selects risk responses (avoiding, accepting, reducing, or sharing risk), developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
Control Activities: Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
Information and Communication: Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
Monitoring: The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Event Identification
Event categories: external factors and internal factors.
COSO approaches to identifying risk events: SWOT analysis, scenario analysis, using technology, value chain analysis.

Risk Assessment Techniques
[Figure: Risk Assessment Analysis Chart. A 9 x 9 grid with Likelihood (1-9) on the horizontal axis and Significance (1-9) on the vertical axis, divided into quadrants I, II, III and IV, with risks R-1 to R-6 plotted on it.]

Risk Appetite Map
[Figure: a 3 x 3 map of Impact (Low, Medium, High) against Likelihood (Low, Medium, High), with each cell marked either Within Risk Appetite or Exceeding Risk Appetite.]

Risk Response and Control: risk response, risk control.
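The two charts above as a worked example (added here; not code from the slides): risks are scored on the chart's 1-9 likelihood and significance scales, placed in a quadrant, banded Low/Medium/High for the appetite map, and, as in the COSO Risk Assessment and Risk Response components, scored on an inherent and a residual basis before one of the four COSO responses is suggested. The quadrant layout, the band edges, the cells that count as exceeding appetite, the response rule and the register entries R-1 to R-6 are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed band edges on the chart's 1-9 scale and the appetite-map cells treated
# as "Exceeding Risk Appetite" (as (impact band, likelihood band)); the slides
# show the map but the transcription does not say which cells are which.
BAND_EDGES = {"Low": (1, 3), "Medium": (4, 6), "High": (7, 9)}
EXCEEDS_APPETITE = {("High", "High"), ("High", "Medium"), ("Medium", "High")}

def band(score: int) -> str:
    """Map a 1-9 score to the appetite map's Low/Medium/High band."""
    if not 1 <= score <= 9:
        raise ValueError(f"score {score} is outside the chart's 1-9 scale")
    for name, (lo, hi) in BAND_EDGES.items():
        if lo <= score <= hi:
            return name
    raise AssertionError("unreachable: bands cover 1-9")

def quadrant(likelihood: int, impact: int) -> str:
    """Assumed quadrant layout, split at 5: I = high impact / low likelihood,
    II = high impact / high likelihood, III = low / low, IV = low impact / high likelihood."""
    key = (likelihood >= 5, impact >= 5)
    return {(False, True): "I", (True, True): "II",
            (False, False): "III", (True, False): "IV"}[key]

def within_appetite(likelihood: int, impact: int) -> bool:
    """True when the risk's cell on the appetite map is 'Within Risk Appetite'."""
    return (band(impact), band(likelihood)) not in EXCEEDS_APPETITE

@dataclass
class Risk:
    name: str
    inherent: tuple   # (likelihood, impact) with no controls in place
    residual: tuple   # (likelihood, impact) given the existing controls

def suggest_response(risk: Risk) -> str:
    """Pick one of COSO's four responses from the residual score.
    The rule is an illustrative assumption, not COSO guidance."""
    likelihood, impact = risk.residual
    if within_appetite(likelihood, impact):
        return "accept"
    if band(impact) == "High" and band(likelihood) == "High":
        return "avoid"
    if band(impact) == "High":
        return "share"    # e.g. transfer part of the exposure by contract or insurance
    return "reduce"       # exceeds appetite on likelihood: add or strengthen controls

def assess(register):
    """One row per risk: quadrants, appetite status and suggested response."""
    rows = []
    for r in register:
        likelihood, impact = r.residual
        rows.append({"risk": r.name,
                     "inherent_quadrant": quadrant(*r.inherent),
                     "residual_quadrant": quadrant(likelihood, impact),
                     "within_appetite": within_appetite(likelihood, impact),
                     "response": suggest_response(r)})
    return rows

# Constructed sample register; the labels follow the chart, the scores are invented.
SAMPLE_REGISTER = [
    Risk("R-1", inherent=(8, 8), residual=(7, 8)),   # controls barely move it
    Risk("R-2", inherent=(5, 8), residual=(4, 8)),   # severe, moderately likely
    Risk("R-3", inherent=(6, 4), residual=(5, 3)),
    Risk("R-4", inherent=(8, 2), residual=(7, 2)),   # frequent but minor
    Risk("R-5", inherent=(9, 6), residual=(8, 5)),   # likelihood drives the exposure
    Risk("R-6", inherent=(2, 2), residual=(1, 1)),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(row)
```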

Key Points in COSO ERM

Comments on COSO 1/
1. The COSO process starts with the internal environment, not the external ones, and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities.
2. Stakeholders, particularly external ones, are not mentioned, and stakeholders' objectives and their influence on decisions about the significance of levels and types of risk are omitted.
3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks.
4. COSO measures risk in terms of the probability of an event and its typical consequences. However, we will not always get the typical consequences every time an event occurs.

Comments on COSO 2/
5. Throughout the document, the term risk likelihood is used, but risk does not have a likelihood. Likelihood is one of the attributes used to measure the level of risk.
6. While there are some concessions to what are called opportunities, in COSO ERM risks are mostly about losses, and risk treatment (response) is about reducing the likelihood and severity of losses. The COSO document is not mature enough to explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial.
7. COSO's whole thinking about risk responses, control activities and monitoring is most confusing and confused, and most people who read and try to use the code are confused as well.
8. The problems with the concept of inherent risk are well known, and the COSO document does not explain why you need to use this artificial, theoretical state where no controls exist to justify tolerating the present level of risk or doing something more to modify it.

Comments on COSO 3/
9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods.
10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitor and review.
Grant Purdy

6. ISO 31010, November 2009

ISO Guide 73 Terminology
Risk: effect of uncertainty on objectives. Related terms: event, consequence, likelihood, uncertainty, probability, frequency, level of risk, risk source, hazard, vulnerability.
Risk management: coordinated activities to direct and control an organization with regard to risk. Related terms: risk management policy, external context, internal context, risk profile, risk management framework, risk management plan, risk appetite, risk attitude, risk owner, risk management audit, exposure, resilience.
Risk evaluation: process of comparing the results of analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of the risk management process). Related terms: risk criteria, risk tolerance, risk aversion, risk matrix, risk aggregation.
Stakeholder: those people and organizations who can affect, be affected, or perceive themselves to be affected by a decision or activity. Related terms: communication and consultation, risk perception, risk reporting.
Risk management process: systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk. Related terms: risk assessment, risk identification, risk analysis, monitoring, review, risk register.
Risk treatment: process of developing, selecting, and implementing measures to modify risk (part of the risk management process). Related terms: control, risk sharing, risk financing, risk retention, risk acceptance, risk avoidance, residual risk, risk mitigation.

COSO vs. ISO 31000 definition of risk
COSO: Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
ISO 31000: Risk is the effect of uncertainty on objectives.
[Figure: target diagram contrasting the ISO 31000 and COSO definitions.]

ISO 31000: Principles, Framework, Process
Principles of risk management:
- Creates and protects value
- Integral part of organizational processes
- Part of decision making
- Explicitly addresses uncertainty
- Systematic, structured and timely
- Based on the best available information
- Tailored
- Takes human & cultural factors into account
- Transparent & inclusive
- Dynamic, iterative & responsive to change
- Facilitates continual improvement & enhancement of the organization

ISO 31000 framework (a cycle):
- Mandate & commitment
- Design of framework for managing risk
- Implement risk management
- Monitor & review of the framework
- Continual improvement of framework

ISO 31000 process:
- Communication and consultation
- Establish the context
- Risk assessment: risk identification, risk analysis, risk evaluation
- Risk treatment
- Monitoring and review

Implementing the framework
- Commit & mandate: policy statement, risk management plan, assurance plan, standards, procedures/guidelines (strategic and tactical processes)
- Communicate & train: communication and reporting plan, training strategy, RM network
- Measure & review: control assurance, RM plan progress, governance reporting, benchmarking, performance criteria, RM information system, risk registers, treatment plan, assurance plan, reporting template
- Allocate & organize: risk & audit committee, executive RM committee, RM working group, manager of RM, RM champion, risk & control owners

Principal benefits of risk assessment techniques include:
- Understanding the risk and its potential impact upon objectives
- Providing information for decision makers
- Contributing to the understanding of risks, in order to assist in selection of treatment options
- Identifying the important contributors to risks and weak links in systems and organizations
- Comparing risks in alternative systems, technologies or approaches
- Communicating risks and uncertainties
- Assisting with establishing priorities
- Contributing towards incident prevention based upon post-incident investigation
- Selecting different forms of risk treatment
- Meeting regulatory requirements
- Providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria
- Assessing risks for end-of-life disposal

Applicability of Tools Used for Risk Assessment
Each tool's applicability is rated against these stages of the risk assessment process:
- Risk identification
- Risk analysis: consequence analysis
- Risk analysis: qualitative, semi-quantitative or quantitative probability estimation
- Risk analysis: assessing the effectiveness of any existing controls
- Risk analysis: estimating the level of risk
- Risk evaluation

How to Select a Risk Assessment Technique
- Complexity of the problem and the methods needed to analyze it
- The nature and degree of uncertainty of the risk assessment, based on the amount of information available and what is required to satisfy objectives
- The extent of resources required in terms of time and level of expertise, data needs or cost
- Whether the method can provide a quantitative output

What Makes ISO 31000 Different from COSO: Criteria and Associated Measures in ISO 31000
First, the risk management framework must be continually improved using the well-known quality improvement cycle of Design, Implement, Monitor and Review, and Improve, also known as the Plan-Do-Check-Act cycle.
Second, the framework must be comprehensive, with accountability for all risks: everyone in the organization will be able to tell what risks they own, what controls they are responsible for, the current status of those controls, the trends and current status of the risks, and the expected effects on the objectives concerned.
Third, all decision making in the organization has explicit consideration of risk, as evidenced by documentation of decisions. This expectation of evidence is embedded in the framework.
Fourth, continuous communication and reporting that is highly visible, covers internal and external stakeholders as appropriate, and talks about performance indicators for risk management is part of the framework.
Fifth, risk management is a core element of the organization's management processes, including governance. Risk management is regarded as essential by the organization's culture.

Comparison between COSO and ISO 31000
Source: Dr. Roland Franz Erben, Risk Management Standards.
* Both standards exclude business continuity/crisis management, but ISO mentions this topic in ISO 22399.

COSO or ISO 31000: Which One is Suitable for You?

Design Your Tailor-made ERM Framework
[Figure: the ISO 31000 framework cycle, annotated "May be better?": Mandate & Commitment; Design of Framework for Managing Risk (Strategic, Finance, Marketing, Operation); Implement Risk Management; Monitor & Review of the Framework; Continual Improvement of Framework. Built on ISO 31000 terminology and principles (Risk: effect of uncertainty on objectives) and ISO 22399.]
Contact: Nattapol_chavalit@hotmail.com