Enterprise Risk Management Framework

Enterprise Risk Management: Integrated Framework
The Institute of Internal Auditors

Today's organizations are concerned about:
- Risk management
- Governance
- Control
- Assurance (and consulting)

Enterprise risk management is "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO, Enterprise Risk Management - Integrated Framework, 2004.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Enterprise Risk Management Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework
Entity objectives can be viewed in the context of four categories.
[Figure: the COSO ERM cube relating the four objective categories, the eight components and the entity's organizational levels; only fragments of its labels survived extraction.]
ERM considers activities at all levels of the organization.

Enterprise risk management requires an entity to take a portfolio view of risk.
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The eight components of the framework are interrelated.

Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives: likelihood and impact.
- Is used to assess risks and is normally also used to measure the related objectives.
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes a response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities
- Separate evaluations
- A combination of the two

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's control framework.
- Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
- Expands the control framework's Financial Reporting and Risk Assessment…

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements
- Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Standards
- 2010.A1: The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1: Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1: When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design
- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
- Mission: To provide high-quality, accessible and affordable community-based health care.
- Strategic Objective: To be the first or second largest, full-service health care provider in mid-size metropolitan markets.
- Related Objective: To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year.

Establishing an ERM Organization
- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities
[Figure: Example: ERM Organization; the organization chart did not survive extraction.]

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model
- Environmental Risks: Capital Availability; Regulatory, Political, and Legal; Financial Markets and Shareholder Relations
- Process Risks: Operations Risk; Empowerment Risk; Information Processing / Technology Risk; Integrity Risk; Financial Risk
- Information for Decision Making: Operational Risk; Financial Risk; Strategic Risk
Source: Business Risk Assessment, 1998, The Institute of Internal Auditors.

DETERMINE RISK APPETITE
- Risk appetite is the amount of risk, on a broad level, that an entity is willing to accept in pursuit of value.
- Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Key questions:
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

IDENTIFY RISK RESPONSES
- Quantification of risk exposure
- Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of the situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
- Residual risk (unmitigated risk, e.g. shrinkage)

Impact vs. Probability (rows: impact; columns: probability)

                  Low probability            High probability
  High impact     Medium Risk: Share         High Risk: Mitigate & Control
  Low impact      Low Risk: Accept           Medium Risk: Control

Example: Call Center Risk Assessment (same grid)
- High impact, low probability (Medium Risk): Loss of phones; Loss of computers
- High impact, high probability (High Risk): Credit risk; Customer has a long wait; Customer can't get through; Customer can't get answers
- Low impact, low probability (Low Risk): Fraud; Lost transactions; Employee morale
- Low impact, high probability (Medium Risk): Entry errors; Equipment obsolescence; Repeat calls for the same problem

Example: Accounts Payable Process
- Control Objective: Completeness
- Risk: Material transact…
- Control Activity: Accrual of open liabilities
- Issue: Invoices accrued after closing. Invoices go to the field and AP is not aware of the liability.

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments

Monitoring
- Collect and display information
- Perform analysis:
  - Risks are being properly addressed
  - Controls are working to mitigate risks

Management Oversight & Periodic Review
- Accountability for risks
- Ownership
- Updates:
  - Changes in business objectives
  - Changes in syste…
