
Slide 1 of 50
Applying COSO's Enterprise Risk Management — Integrated Framework
September 29, 2004

Slide 2 of 50
Today's organizations are concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)

Slide 3 of 50
ERM Defined:
"…a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Slide 4 of 50
Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Slide 5 of 50
Why ERM Is Important
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Slide 6 of 50
Enterprise Risk Management — Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Slide 7 of 50
The ERM Framework
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance

Slide 8 of 50
The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes

Slide 9 of 50
The ERM Framework
Enterprise risk management requires an entity to take a portfolio view of risk.

Slide 10 of 50
The ERM Framework
• Management considers how individual risks interrelate.
• Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

Slide 11 of 50
The ERM Framework
The eight components of the framework are interrelated …

Slide 12 of 50
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity's risk culture.
• Considers all other aspects of how the organization's actions may affect its risk culture.

Slide 13 of 50
Objective Setting
• Is applied when management considers risk strategy in the setting of objectives.
• Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Slide 14 of 50
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Slide 15 of 50
Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.

Slide 16 of 50
Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
  - Likelihood
  - Impact
• Is used to assess risks and is normally also used to measure the related objectives.

Slide 17 of 50
Risk Assessment
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.

Slide 18 of 50
Risk Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes response based on evaluation of the portfolio of risks and responses.

Slide 19 of 50
Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.

Slide 20 of 50
Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.

Slide 21 of 50
Monitoring
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.

Slide 22 of 50
Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Slide 23 of 50
Relationship to Internal Control
Expands and elaborates on elements of internal control as set out in COSO's "control framework."
• Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
• Expands the control framework's "Financial Reporting" and "Risk Assessment."

Slide 24 of 50
ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors

Slide 25 of 50
Internal Auditors
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements

Slide 26 of 50
Internal Auditors
Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Slide 27 of 50
Standards
• 2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
• 2210.A1 – When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Slide 28 of 50
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Slide 29 of 50
• Strategies of the business
• Key business objectives
• Related objectives that cascade down the organization from key business objectives
• Assignment of responsibilities to organizational elements and leaders (linkage)

Slide 30 of 50
Organizational Design
Example: Linkage
• Mission – To provide high-quality, accessible and affordable community-based health care
• Strategic Objective – To be the first or second largest, full-service health care provider in mid-size metropolitan markets
• Related Objective – To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year

Slide 31 of 50
Establish ERM
• Determine a risk philosophy
• Survey risk culture
• Consider organizational integrity and ethical values
• Decide roles and responsibilities

Slide 32 of 50
Example: ERM Organization
[Organization chart: Vice President and Chief Risk Officer; ERM Director; ERM Manager; ERM Manager; Corporate Credit Risk Manager; Insurance Risk Manager; FES Commodity Risk Mg. Director; Staff under each manager]

Slide 33 of 50
Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Slide 34 of 50
Example: Risk Model
Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Information for Decision Making
• Operational Risk
• Financial Risk
• Strategic Risk

Slide 35 of 50
Risk Analysis
[Diagram: Risk Assessment (Identification, Measurement, Prioritization) performed at Entity Level, Process Level and Activity Level; Risk Management (Control It, Share or Transfer It, Diversify or Avoid It); Risk Monitoring]
Source: Business Risk Assessment. 1998 – The Institute of Internal Auditors

Slide 36 of 50
DETERMINE RISK APPETITE
• Risk appetite is the amount of risk — on a broad level — an entity is willing to accept in pursuit of value.
• Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Slide 37 of 50
DETERMINE RISK APPETITE
Key questions:
• What risks will the organization not accept? (e.g. environmental or quality compromises)
• What risks will the organization take on new initiatives? (e.g. new product lines)
• What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

Slide 38 of 50
IDENTIFY RISK RESPONSES
• Quantification of risk exposure
• Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
• Residual risk (unmitigated risk – e.g. shrinkage)

Slide 39 of 50
Impact vs. Probability

                 Low Probability          High Probability
High Impact      Medium Risk: Share       High Risk: Mitigate & Control
Low Impact       Low Risk: Accept         Medium Risk: Control

Slide 40 of 50
Example: Call Center Risk Assessment
[Impact vs. Probability matrix]
High Impact / Low Probability (Medium Risk): Loss of phones; Loss of computers; Credit risk
High Impact / High Probability (High Risk): Customer has a long wait; Customer can't get through; Customer can't get answers
Low Impact / High Probability (Medium Risk): Fraud; Lost transactions; Employee morale; Entry errors; Equipment obsolescence; Repeat calls for same problem
Low Impact / Low Probability (Low Risk)

Slide 41 of 50
Example: Accounts Payable
Issue: Invoices go to field and AP is not aware of liability.

Process                      | Control Objective | Risk                              | Control Activity
Accrual of open liabilities  | Completeness      | Material transaction not recorded | Invoices accrued after closing

Slide 42 of 50
Communicate Results
• Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
• Flowcharts of processes with key controls noted
• Narratives of business objectives linked to operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business risk responsibility and communication of assignments

Slide 43 of 50
Monitor
• Collect and display information
• Perform analysis
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Slide 44 of 50
Management Oversight & Periodic Review
• Accountability for risks
• Ownership
• Updates
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

Slide 45 of 50
Internal auditors can add value by:
Reviewing critic
