COSOERM企业风险管理框架PPT课件.ppt

xxEnterpriseRiskManagement IntegratedFramework 1 Today sorganizationsareconcernedabout RiskManagementGovernanceControlAssurance andConsulting 2 ERMDefined aprocess effectedbyanentity sboardofdirectors managementandotherpersonnel appliedinstrategysettingandacrosstheenterprise designedtoidentifypotentialeventsthatmayaffecttheentity andmanageriskstobewithinitsriskappetite toprovidereasonableassuranceregardingtheachievementofentityobjectives Source COSOEnterpriseRiskManagement IntegratedFramework 2004 COSO 3 WhyERMIsImportant Underlyingprinciples Everyentity whetherfor profitornot existstorealizevalueforitsstakeholders Valueiscreated preserved orerodedbymanagementdecisionsinallactivities fromsettingstrategytooperatingtheenterpriseday to day 4 WhyERMIsImportant ERMsupportsvaluecreationbyenablingmanagementto Dealeffectivelywithpotentialfutureeventsthatcreateuncertainty Respondinamannerthatreducesthelikelihoodofdownsideoutcomesandincreasestheupside 5 ThisCOSOERMframeworkdefinesessentialcomponents suggestsacommonlanguage andprovidescleardirectionandguidanceforenterpriseriskmanagement EnterpriseRiskManagement IntegratedFramework 6 TheERMFramework Entityobjectivescanbeviewedinthecontextoffourcategories StrategicOperationsReportingCompliance 7 TheERMFramework ERMconsidersactivitiesatalllevelsoftheorganization Enterprise levelDivisionorsubsidiaryBusinessunitprocesses 8 Enterpriseriskmanagementrequiresanentitytotakeaportfolioviewofrisk TheERMFramework 9 Managementconsidershowindividualrisksinterrelate Managementdevelopsaportfolioviewfromtwoperspectives Businessunitlevel Entitylevel TheERMFramework 10 Theeightcomponentsoftheframeworkareinterrelated TheERMFramework 11 InternalEnvironment Establishesaphilosophyregardingriskmanagement Itrecognizesthatunexpectedaswellasexpectedeventsmayoccur Establishestheentity sriskculture Considersallotheraspectsofhowtheorganization sactionsmayaffectitsriskculture 12 ObjectiveSetting Isappliedwhenmanagementconsidersrisksstrategyinthesettingofobjectives Formstheriskappetiteoftheentity ahigh levelviewofhowmuchriskmanagementandtheboardarewillingtoaccept Risktolerance theacceptablelevelofvariationaroundobjectives isalignedwithriskappetite 13 EventIdentification Differentiatesrisksandopportunities Eventsthatmayhaveanegativeimpactrepresentrisks Eventsthatmayhaveapositiveimpactrepresentnaturaloffsets opportunities whichmanagementchannelsbacktostrategysetting 14 EventIdentification Involvesidentifyingthoseincidents occurringinternallyorexternally thatcouldaffectstrategyandachievementofobjectives Addresseshowinternalandexternalfactorscombineandinteracttoinfluencetheriskprofile 15 RiskAssessment Allowsanentitytounderstandtheextenttowhichpotentialeventsmightimpactobjectives Assessesrisksfromtwoperspectives Likelihood ImpactIsusedtoassessrisksandisnormallyalsousedtomeasuretherelatedobjectives 16 RiskAssessment Employsacombinationofbothqualitativeandquantitativeriskassessmentmethodologies Relatestimehorizonstoobjectivehorizons Assessesriskonbothaninherentandaresidualbasis 17 RiskResponse Identifiesandevaluatespossibleresponsestorisk Evaluatesoptionsinrelationtoentity sriskappetite costvs benefitofpotentialriskresponses anddegreetowhicharesponsewillreduceimpactand orlikelihood Selectsandexecutesresponsebasedonevaluationoftheportfolioofrisksandresponses 18 ControlActivities Policiesandproceduresthathelpensurethattheriskresponses aswellasotherentitydirectives arecarriedout Occurthroughouttheorganization atalllevelsandinallfunctions Includeapplicationandgeneralinformationtechnologycontrols 19 Managementidentifies captures andcommunicatespertinentinformationinaformandtimeframethatenablespeopletocarryouttheirresponsibilities Communicationoccursinabroadersense flowingdown across anduptheorganization Information Communication 20 Monitoring EffectivenessoftheotherERMcomponentsismonitoredthrough Ongoingmonitoringactivities Separateevaluations Acombinationofthetwo 21 InternalControl Astrongsystemofinternalcontrolisessentialtoeffectiveenterpriseriskmanagement 22 ExpandsandelaboratesonelementsofinternalcontrolassetoutinCOSO s controlframework Includesobjectivesettingasaseparatecomponent Objectivesarea prerequisite forinternalcontrol Expandsthecontrolframework s FinancialReporting and RiskAssessment RelationshiptoInternalControl IntegratedFramework 23 ERMRoles Responsibilities ManagementTheboardofdirectorsRiskofficersInternalauditors 24 InternalAuditors PlayanimportantroleinmonitoringERM butdoNOThaveprimaryresponsibilityforitsimplementationormaintenance Assistmanagementandtheboardorauditcommitteeintheprocessby Monitoring Evaluating Examining Reporting Recommendingimprovements 25 2020 1 27 26 VisittheguidancesectionofTheIIA sWebsiteforTheIIA spositionpaper RoleofInternalAuditing sinEnterpriseRiskManagement InternalAuditors 27 2010 A1 Theinternalauditactivity splanofengagementsshouldbebasedonariskassessment undertakenatleastannually 2120 A1 Basedontheresultsoftheriskassessment theinternalauditactivityshouldevaluatetheadequacyandeffectivenessofcontrolsencompassingtheorganization sgovernance operations andinformationsystems 2210 A1 Whenplanningtheengagement theinternalauditorshouldidentifyandassessrisksrelevanttotheactivityunderreview Theengagementobjectivesshouldreflecttheresultsoftheriskassessment Standards 28 OrganizationaldesignofbusinessEstablishinganERMorganizationPerformingriskassessmentsDeterminingoverallriskappetiteIdentifyingriskresponsesCommunicationofriskresultsMonitoringOversight periodicreviewbymanagement KeyImplementationFactors 29 OrganizationalDesign StrategiesofthebusinessKeybusinessobjectivesRelatedobjectivesthatcascadedowntheorganizationfromkeybusinessobjectivesAssignmentofresponsibilitiestoorganizationalelementsandleaders linkage 30 Example Linkage Mission Toprovidehigh qualityaccessibleandaffordablecommunity basedhealthcareStrategicObjective Tobethefirstorsecondlargest full servicehealthcareproviderinmid sizemetropolitanmarketsRelatedObjective Toinitiatedialoguewithleadershipof10topunder performinghospitalsandnegotiateagreementswithtwothisyear 31 EstablishERM DetermineariskphilosophySurveyriskcultureConsiderorganizationalintegrityandethicalvaluesDeciderolesandresponsibilities 32 Example ERMOrganization ERMDirector VicePresidentandChiefRiskOfficer CorporateCreditRiskManager InsuranceRiskManager ERMManager ERMManager Staff Staff Staff FESCommodityRiskMg Director 33 Riskassessmentistheidentificationandanalysisofriskstotheachievementofbusinessobjectives Itformsabasisfordetermininghowrisksshouldbemanaged AssessRisk 34 EnvironmentalRisksCapitalAvailabilityRegulatory Political andLegalFinancialMarketsandShareholderRelationsProcessRisksOperationsRiskEmpowermentRiskInformationProcessing TechnologyRiskIntegrityRiskFinancialRiskInformationforDecisionMakingOperationalRiskFinancialRiskStrategicRisk Example RiskModel 35 Source BusinessRiskAssessment 1998 TheInstituteofInternalAuditors RiskAnalysis 36 DETERMINERISKAPPETITE Riskappetiteistheamountofrisk onabroadlevel anentityiswillingtoacceptinpursuitofvalue Usequantitativeorqualitativeterms e g earningsatriskvs reputationrisk andconsiderrisktolerance rangeofacceptablevariation 37 Keyquestions Whatriskswilltheorganizationnotaccept e g environmentalorqualitycompromises Whatriskswilltheorganizationtakeonnewinitiatives e g newproductlines Whatriskswilltheorganizationacceptforcompetingobjectives e g grossprofitvs marketshare DETERMINERISKAPPETITE 38 QuantificationofriskexposureOptionsavailable Accept monitor Avoid eliminate getoutofsituation Reduce institutecontrols Share partnerwithsomeone e g insurance Residualrisk unmitigatedrisk e g shrinkage IDENTIFYRISKRESPONSES 39 Impactvs Probability Control Share Mitigate Control Accept HighRisk MediumRisk MediumRisk LowRisk Low High High IMPACT PROBABILITY 40 Low High High IMPACT PROBABILITY HighRisk MediumRisk MediumRisk LowRisk Example CallCenterRiskAssessment LossofphonesLossofcomputers CreditriskCustomerhasalongwaitCustomercan tgetthroughCustomercan tgetanswers EntryerrorsEquipmentobsolescenceRepeatcallsforsameproblem FraudLosttransactionsEmployeemorale 41 ControlRiskControlObjectiveActivity CompletenessMaterialAccrualoftransactionopenliabilitiesnotrecordedInvoicesaccruedafterclosing Issue InvoicesgotofieldandAPisnotawareofliability Example AccountsPayableProcess 42 Dashboardofrisksandrelatedresponses visualstatusofwherekeyrisksstandrelativetorisktolerances FlowchartsofprocesseswithkeycontrolsnotedNarrativesofbusinessobjectiveslinkedtooperationalrisksandresponsesListofkeyriskstobemonitoredorusedManagementunderstandingofkeybusinessriskresponsibilityandcommunicationofassignments CommunicateResults 43 Monitor CollectanddisplayinformationPerformanalysis Risksarebeingproperlyaddressed Controlsareworkingtomitigaterisks 44 AccountabilityforrisksOwnershipUpdates Changesinbusinessobjectives Changesinsystems Changesinprocesses Management