COSO ERM Enterprise Risk Management Framework

Applying COSO's Enterprise Risk Management - Integrated Framework
September 29, 2004
The Institute of Internal Auditors

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

ERM Defined:
A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Source: COSO Enterprise Risk Management - Integrated Framework, 2004, COSO.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

Enterprise Risk Management - Integrated Framework
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

The ERM Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

The ERM Framework
ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes

The ERM Framework
Enterprise risk management requires an entity to take a portfolio view of risk.
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework
The eight components of the framework are interrelated.

Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
- Selects and executes response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control - Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's control framework.
- Includes objective setting as a separate component. Objectives are a prerequisite for internal control.
- Expands the control framework's Financial Reporting and Risk Assessment.

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by:
  - Monitoring
  - Evaluating
  - Examining
  - Reporting
  - Recommending improvements

Internal Auditors
Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Standards
- 2010.A1 - The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
- 2120.A1 - Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems.
- 2210.A1 - When planning the engagement, the internal auditor should identify and assess risks relevant to the activity under review. The engagement objectives should reflect the results of the risk assessment.

Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review by management

Organizational Design
- Strategies of the business
- Key business objectives
- Related objectives that cascade down the organization from key business objectives
- Assignment of responsibilities to organizational elements and leaders (linkage)

Example: Linkage
- Mission - To provide high-quality, accessible and affordable community-based health care.
- Strategic Objective - To be the first or second largest, full-service health care provider in mid-size metropolitan markets.
- Related Objective - To initiate dialogue with leadership of 10 top under-performing hospitals and negotiate agreements with two this year.

Example: ERM Organization
- Determine a risk philosophy
- Survey risk culture
- Consider organizational integrity and ethical values
- Decide roles and responsibilities

Assess Risk
Risk assessment is the identification and analysis of risks to the achievement of business objectives. It forms a basis for determining how risks should be managed.

Example: Risk Model
Environmental Risks
- Capital Availability
- Regulatory, Political, and Legal
- Financial Markets and Shareholder Relations
Process Risks
- Operations Risk
- Empowerment Risk
- Information Processing/Technology Risk
- Integrity Risk
- Financial Risk
Information for Decision Making
- Operational Risk
- Financial Risk
- Strategic Risk

Risk Analysis
- Risk appetite is the amount of risk on a broad level an entity is willing to accept in pursuit of value.
- Use quantitative or qualitative terms (e.g. earnings at risk vs. reputation risk), and consider risk tolerance (range of acceptable variation).

Determine Risk Appetite
Key questions:
- What risks will the organization not accept? (e.g. environmental or quality compromises)
- What risks will the organization take on new initiatives? (e.g. new product lines)
- What risks will the organization accept for competing objectives? (e.g. gross profit vs. market share?)

Identify Risk Responses
- Quantification of risk exposure
- Options available:
  - Accept = monitor
  - Avoid = eliminate (get out of situation)
  - Reduce = institute controls
  - Share = partner with someone (e.g. insurance)
- Residual risk (unmitigated risk - e.g. shrinkage)

Example: Call Center Risk Assessment (Impact vs. Probability matrix)
[Figure: a two-by-two grid with Impact on the vertical axis (Low to High) and Probability on the horizontal axis (Low to High). Quadrants: Medium Risk (high impact, low probability), High Risk (high impact, high probability), Low Risk (low impact, low probability), Medium Risk (low impact, high probability). Risks plotted on the grid: loss of phones, loss of computers, fraud, lost transactions, employee morale, credit risk, customer has a long wait, customer can't get through, customer can't get answers, entry errors, equipment obsolescence, repeat calls for same problem.]

Example: Call Center Risk Assessment (responses by quadrant)
- Medium Risk (high impact, low probability): Share
- High Risk (high impact, high probability): Mitigate & Control
- Low Risk (low impact, low probability): Accept
- Medium Risk (low impact, high probability): Control

Example: Accounts Payable Process
- Control Objective: Completeness
- Risk: Material transaction not recorded
- Control Activity: Accrual of open liabilities
- Issue: Invoices accrued after closing; invoices go to field and AP is not aware of liability.

Communicate Results
- Dashboard of risks and related responses (visual status of where key risks stand relative to risk tolerances)
- Flowcharts of processes with key controls noted
- Narratives of business objectives linked to operational risks and responses
- List of key risks to be monitored or used
- Management understanding of key business risk responsibility and communication of assignments
- Collect and display information
- Perform analysis: risks are being properly addressed; controls are working to mitigate risks

Management Oversight & Periodic Review
- Accountability for risks
- Ownership
- Updates:
  - Changes in business objectives
  - Changes in systems
  - Changes in processes

Internal auditors can add value by:
- Reviewing critical control systems and risk management processes.
- Perf
