COSO_ERM企业风险管理框架ppt.ppt

ApplyingCOSO sEnterpriseRiskManagement IntegratedFramework September29 2004 Today sorganizationsareconcernedabout RiskManagementGovernanceControlAssurance andConsulting ERMDefined aprocess effectedbyanentity sboardofdirectors managementandotherpersonnel appliedinstrategysettingandacrosstheenterprise designedtoidentifypotentialeventsthatmayaffecttheentity andmanageriskstobewithinitsriskappetite toprovidereasonableassuranceregardingtheachievementofentityobjectives Source COSOEnterpriseRiskManagement IntegratedFramework 2004 COSO WhyERMIsImportant Underlyingprinciples Everyentity whetherfor profitornot existstorealizevalueforitsstakeholders Valueiscreated preserved orerodedbymanagementdecisionsinallactivities fromsettingstrategytooperatingtheenterpriseday to day WhyERMIsImportant ERMsupportsvaluecreationbyenablingmanagementto Dealeffectivelywithpotentialfutureeventsthatcreateuncertainty Respondinamannerthatreducesthelikelihoodofdownsideoutcomesandincreasestheupside ThisCOSOERMframeworkdefinesessentialcomponents suggestsacommonlanguage andprovidescleardirectionandguidanceforenterpriseriskmanagement EnterpriseRiskManagement IntegratedFramework TheERMFramework Entityobjectivescanbeviewedinthecontextoffourcategories StrategicOperationsReportingCompliance TheERMFramework ERMconsidersactivitiesatalllevelsoftheorganization Enterprise levelDivisionorsubsidiaryBusinessunitprocesses Enterpriseriskmanagementrequiresanentitytotakeaportfolioviewofrisk TheERMFramework Managementconsidershowindividualrisksinterrelate Managementdevelopsaportfolioviewfromtwoperspectives Businessunitlevel Entitylevel TheERMFramework Theeightcomponentsoftheframeworkareinterrelated TheERMFramework InternalEnvironment Establishesaphilosophyregardingriskmanagement Itrecognizesthatunexpectedaswellasexpectedeventsmayoccur Establishestheentity sriskculture Considersallotheraspectsofhowtheorganization sactionsmayaffectitsriskculture ObjectiveSetting Isappliedwhenmanagementconsidersrisksstrategyinthesettingofobjectives Formstheriskappetiteoftheentity ahigh levelviewofhowmuchriskmanagementandtheboardarewillingtoaccept Risktolerance theacceptablelevelofvariationaroundobjectives isalignedwithriskappetite EventIdentification Differentiatesrisksandopportunities Eventsthatmayhaveanegativeimpactrepresentrisks Eventsthatmayhaveapositiveimpactrepresentnaturaloffsets opportunities whichmanagementchannelsbacktostrategysetting EventIdentification Involvesidentifyingthoseincidents occurringinternallyorexternally thatcouldaffectstrategyandachievementofobjectives Addresseshowinternalandexternalfactorscombineandinteracttoinfluencetheriskprofile RiskAssessment Allowsanentitytounderstandtheextenttowhichpotentialeventsmightimpactobjectives Assessesrisksfromtwoperspectives Likelihood ImpactIsusedtoassessrisksandisnormallyalsousedtomeasuretherelatedobjectives RiskAssessment Employsacombinationofbothqualitativeandquantitativeriskassessmentmethodologies Relatestimehorizonstoobjectivehorizons Assessesriskonbothaninherentandaresidualbasis RiskResponse Identifiesandevaluatespossibleresponsestorisk Evaluatesoptionsinrelationtoentity sriskappetite costvs benefitofpotentialriskresponses anddegreetowhicharesponsewillreduceimpactand orlikelihood Selectsandexecutesresponsebasedonevaluationoftheportfolioofrisksandresponses ControlActivities Policiesandproceduresthathelpensurethattheriskresponses aswellasotherentitydirectives arecarriedout Occurthroughouttheorganization atalllevelsandinallfunctions Includeapplicationandgeneralinformationtechnologycontrols Managementidentifies captures andcommunicatespertinentinformationinaformandtimeframethatenablespeopletocarryouttheirresponsibilities Communicationoccursinabroadersense flowingdown across anduptheorganization Information Communication Monitoring EffectivenessoftheotherERMcomponentsismonitoredthrough Ongoingmonitoringactivities Separateevaluations Acombinationofthetwo InternalControl Astrongsystemofinternalcontrolisessentialtoeffectiveenterpriseriskmanagement ExpandsandelaboratesonelementsofinternalcontrolassetoutinCOSO s controlframework Includesobjectivesettingasaseparatecomponent Objectivesarea prerequisite forinternalcontrol Expandsthecontrolframework s FinancialReporting and RiskAssessment RelationshiptoInternalControl IntegratedFramework ERMRoles Responsibilities ManagementTheboardofdirectorsRiskofficersInternalauditors InternalAuditors PlayanimportantroleinmonitoringERM butdoNOThaveprimaryresponsibilityforitsimplementationormaintenance Assistmanagementandtheboardorauditcommitteeintheprocessby Monitoring Evaluating Examining Reporting Recommendingimprovements 2020 3 19 26 可编辑 VisittheguidancesectionofTheIIA sWebsiteforTheIIA spositionpaper RoleofInternalAuditing sinEnterpriseRiskManagement InternalAuditors 2010 A1 Theinternalauditactivity splanofengagementsshouldbebasedonariskassessment undertakenatleastannually 2120 A1 Basedontheresultsoftheriskassessment theinternalauditactivityshouldevaluatetheadequacyandeffectivenessofcontrolsencompassingtheorganization sgovernance operations andinformationsystems 2210 A1 Whenplanningtheengagement theinternalauditorshouldidentifyandassessrisksrelevanttotheactivityunderreview Theengagementobjectivesshouldreflecttheresultsoftheriskassessment Standards OrganizationaldesignofbusinessEstablishinganERMorganizationPerformingriskassessmentsDeterminingoverallriskappetiteIdentifyingriskresponsesCommunicationofriskresultsMonitoringOversight periodicreviewbymanagement KeyImplementationFactors OrganizationalDesign StrategiesofthebusinessKeybusinessobjectivesRelatedobjectivesthatcascadedowntheorganizationfromkeybusinessobjectivesAssignmentofresponsibilitiestoorganizationalelementsandleaders linkage Example Linkage Mission Toprovidehigh qualityaccessibleandaffordablecommunity basedhealthcareStrategicObjective Tobethefirstorsecondlargest full servicehealthcareproviderinmid sizemetropolitanmarketsRelatedObjective Toinitiatedialoguewithleadershipof10topunder performinghospitalsandnegotiateagreementswithtwothisyear EstablishERM DetermineariskphilosophySurveyriskcultureConsiderorganizationalintegrityandethicalvaluesDeciderolesandresponsibilities Example ERMOrganization ERMDirector VicePresidentandChiefRiskOfficer CorporateCreditRiskManager InsuranceRiskManager ERMManager ERMManager Staff Staff Staff FESCommodityRiskMg Director Riskassessmentistheidentificationandanalysisofriskstotheachievementofbusinessobjectives Itformsabasisfordetermininghowrisksshouldbemanaged AssessRisk EnvironmentalRisksCapitalAvailabilityRegulatory Political andLegalFinancialMarketsandShareholderRelationsProcessRisksOperationsRiskEmpowermentRiskInformationProcessing TechnologyRiskIntegrityRiskFinancialRiskInformationforDecisionMakingOperationalRiskFinancialRiskStrategicRisk Example RiskModel Source BusinessRiskAssessment 1998 TheInstituteofInternalAuditors RiskAnalysis DETERMINERISKAPPETITE Riskappetiteistheamountofrisk onabroadlevel anentityiswillingtoacceptinpursuitofvalue Usequantitativeorqualitativeterms e g earningsatriskvs reputationrisk andconsiderrisktolerance rangeofacceptablevariation Keyquestions Whatriskswilltheorganizationnotaccept e g environmentalorqualitycompromises Whatriskswilltheorganizationtakeonnewinitiatives e g newproductlines Whatriskswilltheorganizationacceptforcompetingobjectives e g grossprofitvs marketshare DETERMINERISKAPPETITE QuantificationofriskexposureOptionsavailable Accept monitor Avoid eliminate getoutofsituation Reduce institutecontrols Share partnerwithsomeone e g insurance Residualrisk unmitigatedrisk e g shrinkage IDENTIFYRISKRESPONSES Impactvs Probability Control Share Mitigate Control Accept HighRisk MediumRisk MediumRisk LowRisk Low High High IMPACT PROBABILITY Low High High IMPACT PROBABILITY HighRisk MediumRisk MediumRisk LowRisk Example CallCenterRiskAssessment LossofphonesLossofcomputers CreditriskCustomerhasalongwaitCustomercan tgetthroughCustomercan tgetanswers EntryerrorsEquipmentobsolescenceRepeatcallsforsameproblem FraudLosttransactionsEmployeemorale ControlRiskControlObjectiveActivity CompletenessMaterialAccrualoftransactionopenliabilitiesnotrecordedInvoicesaccruedafterclosing Issue InvoicesgotofieldandAPisnotawareofliability Example AccountsPayableProcess Dashboardofrisksandrelatedresponses visualstatusofwherekeyrisksstandrelativetorisktolerances FlowchartsofprocesseswithkeycontrolsnotedNarrativesofbusinessobjectiveslinkedtooperationalrisksandresponsesListofkeyriskstobemonitoredorusedManagementunderstandingofkeybusinessriskresponsibilityandcommunicationofassignments CommunicateResults Monitor CollectanddisplayinformationPerformanalysis Risksarebeingproperlyaddressed Controlsareworkingtomitigaterisks AccountabilityforrisksOwnershipUpdates Changesinbusinessobjectives Changesinsystems Changesinprocesses ManagementOversig