KPMG给某制造业公司做的风险管理指导书Risk Management Guide (NXPowerLite)

1、 risk management guideline siemens limited chinaoverviewappendix aa1) z-circular “risk management in the company” (z cr 20/99)a2) siemens risk policy principlesappendix btools for risk identification and risk evaluation1. siemens risk categorization- siemens risk categorization- risk definitions2. r

2、isk questionnaire- siemens risk questionnaire3. risk workshop methodologyappendix crisk reporting of regional companiesappendix aa1) z-circular “risk management in the company” (z cr 20/99)a2) siemens risk policy principles appendix btools for risk identification and risk evaluation1. siemens risk c

3、ategorization the basis for risk identification is a company-wide risk categorization model. this ensures that all known entrepreneurial risks can be taken into consideration and that the same systematic approach is used within the whole company. this improves risk communication and at the same time

4、 allows the identification of possible cumulative effects between different business units.this standard risk categorization model is sufficiently generic to accommodate the diverse businesses within the siemens group. it is used as a template for developing specific risk categorization models to fi

5、t the precise nature of the individual business units and the environment in which they operate. when modifying the standard risk categorization, the risk categories and the general structure of the risk types (including the numbering) should not be changed, but risks can be added. the modifications

6、 should be carried out at group or company level and not individually for every business unit in order to allow an encompassing risk analysis.the siemens risk categorization model and definitions for the risk types included are explained below. - siemens risk categorization- risk definitionsupdates

7、can be obtained from the corporate risk management homepage: https:/intranet.cf.siemens.de/sapportal/2. risk questionnairethe evaluation of risks and risk handling measures can be supported using a risk questionnaire which is based on the siemens risk categorization model. the standard questionnaire

8、 is not supposed to be understood as a comprehensive check list which includes all potential risks but as a guide to identifying risks. before the questionnaire is used, it should therefore be established whether it is suitable for the particular business or if group or company specific modification

9、s need to be carried out. risk evaluation by means of risk questionnaires is carried out using the criteria of impact and probability (before and after risk handling measures) as well as the degree of implementation/the effectiveness of the measures / specific systems for risk handling. along with t

10、he evaluation, all essential risks should be described for the specific business and also existing/planned measures should be described.risks are evaluated both before and after risk handling measures. the evaluation of risks before measures identifies the generic risk situation of the business unit

11、 and thus helps to prioritize areas on which risk measures need to focus. the evaluation of risks after measures shows whether the risk position of the business unit - taking measures into account - is acceptable or whether additional or different measures are necessary.to simplify the evaluation, i

12、mpact, probability and degree of implementation are rated on a scale of 1-5. these scales represent quantitative ranges and ensure comparability between different business units (e.g. divisions of a group).the scale 1-5 reflects the following standard ranges for impact (in eur), probability and degr

13、ee of implementation/effectiveness. impactprobabilitydegree of implementation/ effectiveness1 < 2'5 eur 0 - 5%very low 0 - 20%2 2'6 10 eur 5 - 20%low20 - 40%3 11 - 25' eur20 - 40%medium40 - 60%4 25 - 50 eur40 - 60%high60 - 80%5 > 50' eur60 - 100%very high80 - 100%the ranges for

14、 the probability and degree of implementation/effectiveness should not be changed but the impact in eur has to be adjusted according to the size of the business unit in order to ensure comparability. the risks should be evaluated in a differentiated way which encompasses the whole scale.the ranges f

15、or the impact in eur should be set in such a way that the different business units of an organizational unit (e.g. divisions within a group) can be summarized into a group risk portfolio for risk reporting. evaluating risks and risk handling measures by means of scales and ranges helps to simplify t

16、he risk assessment and risk analysis. however, for risk reporting, the essential risks (in particular the financial impact) should be quantified in more detail and split up into fiscal years.example of evaluation conceptthe procedure for evaluating risks and risk handling measures can be illustrated

17、 as follows:it is assumed that a division receives an important part from one supplier only (risk type: dependency risk). the deliveries are made in a just-in-time concept without stocking. if the supplier fails to deliver, the production comes to a halt within one day. if the supplier fails tempora

18、rily or permanently, new suppliers have to identified and contracts have to be concluded, which will take around four weeks. the sales impact of a four-week production stop is estimated to be 160 eur. the damage caused by supplier failure (impact before risk handling measures) can now be estimated b

19、y multiplying the sales volume with the average gross margin of e.g. 25%. thus the impact on ebit of this risk can be estimated by multiplying the expected sales loss with the gross margin: sales loss of 4 weeks 160 eur * 25% = 40 eur impact on ebit. according to the above mentioned standard evaluat

20、ion scales, the impact before risk handling measures would be rated as 4.there is a long term relationship with the supplier and in the past there were only a few and short supply delays. however it is known that the supplier runs currently at full production levels and is currently switching produc

21、tion processes. thus the probability before risk handling measures that this supplier will fail to deliver is estimated to be 20% and thus rated as 2.measures for risk handling are for example setting up a second source or preparation of master agreements with other suppliers. with these risk handli

22、ng measures, a delivery failure by the main supplier can then be compensated relatively easily by the second source or other suppliers within the master agreement. as a result there is a maximum potential production stop of one week. however the second source has not yet been fully set up. the secon

23、d supplier will be eligible next quarter and the first potential deliveries are expected in 6 months. the degree of implementation of this risk handling measure will thus be rated as 3 which corresponds to medium (40-60%).the impact on ebit taking into account fully implemented measures corresponds

24、to a production halt of one week. thus the approximate impact on ebit is 40 eur * 25% = 10 eur. as a result the impact after measures is rated as 2. since most of the supply is still coming from a single supplier, the probability of occurrence is more or less unchanged. according to the evaluation s

25、cheme above, the probability is rated as 2 (20%).the standard risk questionnaire which is based on the risk categorization model is shown below:- siemens risk questionnaireupdates can be obtained from the corporate risk management homepage: https:/intranet.cf.siemens.de/sapportal/3. risk workshop me

26、thodologygoals of the risk workshopa common problem when identifying risks is that some risks may go across the whole value chain of an organizational unit or that the effect of a risk may crystallize somewhere else than its cause. for instance, some risks have their cause within research and develo

27、pment, purchasing or production while their impact is measured within the sales department.based on these situation, zff 4 developed the method of risk workshops, in which the risk identification and evaluation is carried out jointly by a group of participants from different functions of a business

28、unit. the participants therefore have in-depth knowledge about the business situation and value chain processes. the main objectives of risk workshops are to:· improve risk transparency and promote a common understanding of risks;· identify and record key risks with the participation of al

29、l key functions and risk responsibles of the respective business unit:· assess the significance of these risks for the achievement of the business targets, in particular ebit;· identify and evaluate existing / planned risk handling measures and develop new measures;· generate the rele

30、vant information for risk reportingin particular, improving risk transparency and a common understanding of the risks within a business unit can only be achieved by risk workshops and the active participation of all relevant function managers in a business unit. the risk workshops also meet the lega

31、l requirements of the statuary auditors for a bottom-up process of risk assessment. procedure within the risk workshopthe risk analysis procedure within a risk workshop consists of two steps:step 1: preselection of risks by means of risk questionairesin the first step of the risk analysis, the risk

32、questionaire helps to identify relevant risks in the business unit. therefore the risk questionaires are sent to the various participants in the respective business unit and answered individually by the different participants. the participants should come from different functions and together they s

33、hould cover all important areas of the business unit.in order to achieve a methodically sound risk evaluation it is advisable to have a kick off meeting to introduce participants to the objectives, procedures and evaluation concept of the risk questionaires and risk workshops. on the basis of the ri

34、sk questionaires returned, several analysis can be carried out. the key risks, as well as the risks with the most diverse ratings among the participants, can be filtered out.these risks, including the business specific description of risks and measures by the participants, are part of the risk works

35、hop. thus the risk questionnaire is not only guidance for systematic risk identification and evaluation but also a filter for identifying the key risks which are subsequently discussed and analyzed in greater detail in the risk workshop with the relevant business and process representatives. therefo

36、re the risk workshop can be carried out in a short time without losing relevant information.step 2: conducting risk workshopson the basis of the analysis of the risk questionaires, the risk workshop is conducted. the risk workshop generally involves the participants who answered the questionaires, i

37、.e. the representatives of all essential functions and relevant units and eventually representatives of specialist departments.in the risk assessment workshop, the individual assessments of the participants are compared, potential discrepancies are discussed and the key risks are jointly quantified

38、and defined specifically for the business unit. in addition, the risk handling measures for the identified key risks are described and assessed according to their effectiveness and implementation status. alternative risk handling mechanisms are considered as part of this process.results of the risk

39、workshopsthe results of the risk workshops are the identification of the essential risks before and after measures, a specific description of these risks as well as a description and evaluation of the key risk handling measures. thus the risk workshop is a sound basis for risk reporting. the figure

40、below demonstrates the output of the risk workshop.the particular value of the risk workshop lies in the cross-functional discussion of risks and risk handling measures. in this respect there is a common picture of the risk situation of a business unit, priorities can be set clearly and a cross-func

41、tional approach to risk handling measures can be adopted. as a result, risk workshops are improving risk awareness and risk transparencies to a great extent.support for the risk workshop using the risk analysis workshop toolin order to simplify the analysis of the risk questionaires and the preparat

42、ion of the risk workshop, there is an excel based raws tool (risk analysis and workshop tool). this tool has the following features:· automatic import of risk questionaires (including risk evaluation, business specific-risk descriptions, as well as the description of risk handling measures) as

43、the basis for the analysis;· analysis of risk questionaires using standard analyses, e.g. top risks over all risk categories, top risks within risk categories as well as the individual risk assessment per risk;· visualization of the results as a basis for discussion in the risk workshop;&#

44、183; data entry of new risk evaluations which are agreed on in the risk workshop. the advantage of the raws tool is therefore its assistance in analyzing risk questionnaires and in conducting the risk workshop itself.the raws tool is flexible enough to be used in different business units. therefore

45、the risk questionaires and the ranges of the eur impact can be adapted for each business unit. different languages can also be selected (german/english).the raws tool and a comprehensive user documentation can be obtained on the corporate risk management homepage (https:/intranet.cf.siemens.de/sappo

46、rtal/). password protected access for the download of the raws-tool can be obtained via the group risk manager.appendix c risk reporting of regional companies1. general regulation of risk reporting by the regional companiesthe risk reporting of the consolidated regional companies is addressed direct

47、ly to the groups. the groups have to set up regulations concerning risk management and risk reporting together with the regional companies. zf provides only recommendations that are laid out in the following point 2.concerning central risks of the consolidated regional companies, the regional compan

48、ies should directly report to zf. the respective regulations are mentioned in point 3.the procedure of risk identification and evaluation as well as risk reporting in the regional companies should follow the risk management methodology by zff 4. this methodology is also presented in this guideline.2

49、. risk reporting of the regional companies to the groupsfor the group specific risks in the regional company, the regional company has to report directly to the respective group.herefore zf provides the following recommendations (which correspond to the risk reporting regulations for the groups to z

50、f except for the thresholds and the top 5 rule):2.1. annual risk reporting of the regional companies to the groupsall risks per group within the regional companies with a threshold value of > 10 eur (impact on ebit after risk handling measures) have to be reported to the groups as part of the pla

51、n. in case there are no risks above the threshold, a negative confirmation has to be given to the groups. if there are more than 5 risks per group > 10 eur, only the 5 key risks have to be reported to the group by the regional company.the risk report format of the regional companies corresponds w

52、ith the format of the groups in the budget / plan and is enclosed in the appendix.the risk reporting in the regional companies should - like in the groups - be supported by risk questionaires and if possible risk workshops for the main business units of the regional company.2.2. risk reporting durin

53、g the fiscal yearthe annual risk reports of the regional companies have to be updated and reported to the respective group at least semi-annually. the updates of the risk reports of the regional companies should include:· continuation and changes of risks already reported (description follows a

54、nnual risk reporting format);· new risks that have to be reported due to the threshold regulation (description follows annual risk reporting format) risks which have occurred since the beginning of the fiscal year are reported in the regular monthly and quarterly reporting by the regional compa

55、ny to the groups.the timescale for the intra-annual risk reporting is (as in the plan) the current fiscal year (in plan = budget year) and the following year.the format for the intra-annual risk report follows the format of the annual risk report.within the regional companies, the intra-annual updat

56、e of the risk report should be supported by adequate internal reporting procedures within the regional company.2.3 immediate risk reporting independently of the annual risk reporting and the intra-annual update, major changes in risks, the appearance of essential new risks and the occurrence of essenti