Cayman Islands Society of Professional Accountants
Enterprise Risk Management
March 19, 2015
Dr. Sandra B. Richtermeyer, CPA, CMA
What is Risk Management?
“Risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.”
Source: The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Risk Management: The Big Picture
(Diagram: Strategy, Risk, Internal Control and Communication shown as interlinked elements)
Describing Approach to Risk Management
• Benefits
• Characteristics
• Approaches & processes
Strategic Goals
• Must align with the mission, overall objectives, vision, and values
• Must be clear & concise
• Foundation for risk planning and solid internal controls
Foundation
(Diagram of key organizational concepts: Mission, Vision, Values, Strategy, Metrics, Performance Evaluation)
The Big Picture
(Diagram: Governance, Enterprise Risk Management, Internal Control)
Key relationships!
Enterprise Risk Management (ERM) Framework
What does risk management encompass?
• Aligning risk appetite and strategy
• Enhancing risk response decisions
• Reducing operational surprises and losses
• Identifying and managing multiple and cross-organizational risks
• Seizing opportunities
• Improving deployment of capital
Benefits of Risk Management
• Achieve the entity’s performance targets
• Achieve the entity’s profitability targets
• Prevent loss of resources
• Ensure compliance with laws and regulations
• Avoid damage to entity’s reputation
It helps the management and board of an organization achieve its goals and avoid pitfalls and surprises along the way!
Risk management is a process, ongoing and flowing through an entity…
Key Risk Concepts: Risk Management – An Intentional Process
• Effected by people
• Applied in strategic context
• Applied across the enterprise
• Designed to identify events potentially affecting the entity
• Intended to manage risk within an entity’s risk appetite
• Provides reasonable assurance
• Geared to achievement of objectives
Risk Management: Linking with the Achievement of Objectives
Types of objectives:
• Strategic – high level goals, aligned with and supporting its mission
• Operations – effective and efficient use of resources
• Reporting – reliability of reporting
• Compliance – applicable laws and regulations
These four categories are distinct but overlapping; one objective can fall into more than one category.
Key Concepts: The COSO Enterprise Risk Management Framework – Cube Representation
Components of Enterprise Risk Management
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
Front of the cube!
Key Concepts: The COSO Enterprise Risk Management Framework – Cube Representation
Effectiveness of Risk Management
• Effectiveness is a judgment
• Are the 8 risk management components present and functioning effectively?
• Are there material weaknesses?
• Have the risk needs been considered within the entity’s risk appetite?
Limitations of Risk Management
• Human judgment can be faulty
• Risk management decisions need to consider the costs vs. the benefits
• Human failures – errors, mistakes
• Controls can be overridden by collusion between two or more people
• Management has the ability to override ERM decisions
• Culture is critical
If these limitations exist, the board and management cannot have absolute assurance that the entity’s objectives are being considered
Risk Management Encompasses Internal Control
• Internal control is an integral part of enterprise risk management
• Internal controls make risk management more robust
• Internal controls can help with conceptualization of risk management
Relationships Between ERM and Internal Control
(Diagram: Governance, Enterprise Risk Management, Internal Control)
Key Concepts: Frameworks for Internal Controls and Risk Management
Linking the COSO Internal Control Integrated Framework with the COSO Enterprise Risk Management Framework
(Diagram: Internal Control Framework shown beside the ERM Framework, expanded into 3 components)
Roles and Responsibilities for Risk Management
• Everyone in the organization has some responsibility
• Board is ultimately responsible
– Without board oversight, risk management will fail or be suboptimal
• Senior management team
• All levels of management
• For global organizations, consider ways to communicate responsibilities in a way that supports cultural or educational differences
Relationships Between Governance and ERM
(Diagram: Governance, Enterprise Risk Management, Internal Control)
Roles and Responsibilities for Risk Management
External entities play an important role in how an entity implements overall risk management:
• Regulators
• Customers
• Vendors
• Overall supply chain
• Professional organizations
Key Risk Concepts: Risk Management – Fundamental Characteristics
• A portfolio view of risks at the entity level
• Identification of potential events that may impact objectives
• Risk identification, prioritization, and response
• Managing risk within the entity’s risk appetite
• High-level goals aligned to mission
• Reliability of entity’s reports
• Effective and efficient use of resources
Key Risk Concepts: Types of ERM Risks
• Strategic
• Operations – effective and efficient use of resources
• Reporting
• Compliance
Key Risk Concepts: Effective Risk Management Strategies
(Diagram with three linked elements:)
• Develop a risk-based culture and controls
• Identify risks (internal / external)
• Link objectives & values
Key Risk Concepts: A Process Overview
• Identification of potential events that may impact objectives and values
• Risk assessment and response
• Consideration of risk in formation of strategy
• Application across the entity
• Manage risk within the entity’s risk appetite
• Take a portfolio view of risks at the entity level
• Monitor performance of ERM
Discussion Question
What areas do you believe have primary responsibility for risk management?
1. Accounting / finance
2. Risk management group
3. Legal
4. Compliance
5. Internal audit
6. Unsure
How can this vary by culture or business model?
Key Risk Concepts: ERM Enhances Management Capabilities
• Align risk appetite
• Link growth, risk and return
• Enhance risk response decisions
• Minimize operational surprises and losses
• Identify and manage cross-enterprise risk
• Provide integrated responses to multiple risks
• Seize opportunities
• Rationalize capital
Key Risk Concepts: ERM Benefits to Management
• Promotes awareness of existing risk
• Establishes common risk language
• Illustrates risk interrelationships and impacts
• Enables development of more precise risk information
• Enhances ability to identify risk in a timely manner
• Increases confidence to seize opportunities inherent in potential future events
Remember…. Manage risk within and across business units
Key Risk Concepts: Characteristics of Effective ERM
• Must be owned and led by the board and senior management
• Encompasses entire business with connection between functional areas
• Strategies address a full spectrum of risks
• Processes augment conventional emphasis on probability by also weighing vulnerability
• Does not solely consider single events, but considers scenarios and interaction between risks
Key Risk Concepts: Characteristics of Effective ERM
Effective risk management
• Is a key element of the organizational culture
• Focuses not solely on risk avoidance, but also value creation
• Enables entity to take a portfolio view of risk
Key Risk Concepts: Basic ERM Process
(Diagram: Objectives → Events → Responses)
Key Risk Concepts: The Highs and the Lows
(Risk matrix with four quadrants:)
• High Impact / Low Likelihood
• High Impact / High Likelihood
• Low Impact / Low Likelihood
• Low Impact / High Likelihood
Examples from our conversation (from audience during session)
• High impact – high likelihood – data security breach, foreign regulation, health and safety, foreign competition, competition, substitute products, climate change
• High impact – low likelihood – airport tower loses communication, security at airport, terrorism, staff turnover, public register of ownership, technology downtime, internet down
• Low impact – high likelihood – petty cash, tropical storm, staff turnover
• Low impact – low likelihood – ??? Audience did not offer many examples in this category! (discussion centered on the other three areas above)
Key Risk Concepts: What are the BIG Risks?
• Failure to identify and pursue opportunities
• Lack of intelligence about marketplace and competitor actions
• IT system failures
• Attracting capital
Key Risk Concepts: Board Oversight and ERM – 4 Critical Roles!
1. Understand the entity’s risk philosophy and concur with the entity’s risk appetite
2. Know the extent to which management has established effective enterprise risk management of the organization
3. Review the entity’s portfolio of risk and consider it against the entity’s risk appetite
4. Be apprised of the most significant risks and whether management is responding appropriately
Source: Effective Enterprise Risk Oversight – Role of the Board of Directors, 2009. COSO www.coso.org
Risk Process Considerations
Moving thru the framework….
Internal Environment
Implementation Strategies
• Risk management philosophy statement
• Risk appetite – describe and communicate
• Board of directors – regularly include on agenda
• Integrity and ethical values – code of conduct, make sure personnel are aware and that the code is “alive” in the organization
• Commitment to competence – be clear on how the leaders in the organization support this
• Organizational structure – must be clear and understood throughout the organization
• Assignment of authority and responsibility – aim for clarity and understanding in terms of roles
• Human resource (HR) standards – HR goals are transparent and available to all personnel
Internal Environment Follow-up – from our conversation… indicators of a healthy culture (responses from participants during session)
A healthy culture is key to the Internal Environment component of the ERM Framework
• Staff retention
• Environmentally responsible
• Personnel climate survey
• Adherence to policy at acceptable levels
• Increased incident reporting
• Employees are proud
• Communication style
• Leadership style
• Reward and recognition
• Staff development
• Team building
• Staff orientation
Can you test for a healthy culture?
Risk-Related Culture Survey – Sample Items (use a scale of 1–5)
• The leaders of my area set a positive example for ethical conduct
• I understand the entity’s overall mission and strategy
• Disciplinary action is taken against those who engage in professional misconduct
• Turnover of personnel has not significantly affected our ability to achieve objectives
• The leaders in my department are open to communication about risk
• The leaders in my department are open to bad news
Code of Conduct
Sample of Key items for Inclusion
• Letter from chief executive
• Goals and philosophy
• Conflicts of interest
  – Sign-offs
  – Discussion
• Gifts and gratuities
• Transparency
A best practice in reviewing your code of conduct – benchmark with similar entities and/or aspirational entities!
Moving thru the framework….
Objective Setting
• Strategic objectives
• Related objectives
  – Operations
  – Reporting
  – Compliance
• Overlap of objectives
• Achievement of objectives
• Risk appetite
• Risk tolerances
Moving thru the framework….
Event Identification
• Events
• Influencing factors
• Event identification techniques – event inventories, output from planning process, triggers, workshops, interviews, diagrams, lead indicators, analysis of past losses
• Interdependencies – always consider how one event can trigger another
• Event categories – economic, natural environment, political, infrastructure, personnel, process, technology, social, technological
• Distinguishing risks and opportunities – look at both negative and positive outcomes
Moving thru the framework….
Risk Assessment
• Context for risk assessment
• Inherent risk – risk if there are no controls
• Residual risk – risk after controls are implemented
• Estimate likelihood and impact
• Assessment techniques – benchmarking, using probability models
• Consider relationships between events
Four Key Principles of the COSO Internal Control Framework Related to Risk Assessment
1. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
2. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
3. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
4. The organization identifies and assesses changes that could significantly impact the system of internal control.
Operations Objectives
Reflects management’s choices
Considers tolerances for risk
Includes operations and financial performance goals
Forms a basis for committing of resources
Reporting Objectives
External financial reporting objectives
Complies with applicable accounting standards
Considers materiality
Reflects entity activities
External non-financial reporting objectives
Complies with externally established standards and frameworks
Considers the required level of precision
Reflects entity activities
Internal financial reporting objectives
Reflects management’s choices
Considers the required level of precision
Reflects entity activities
Compliance Objectives
Reflects external laws and regulations
Considers tolerances for risk
Characteristics (Points of Focus) Associated With Each of the Four Key Principles of Risk Assessment
Identifies and Analyzes Risk
Includes entity, subsidiary, division, operating unit and functional levels
Analyzes internal and external factors
Involves appropriate levels of management
Estimates significance of risks identified
Determines how to respond to risks
Assesses Fraud Risk
Considers various types of fraud
Assesses incentives and pressures
Assesses opportunities
Assesses attitudes and rationalizations
Identifies and Analyzes Significant Change
Assesses changes in the external environment
Assesses changes in the business model
Assesses changes in leadership
Process Considerations: Determine Risk Appetite
• Quantitative or qualitative
• Earnings at risk
• Reputation at risk
• Risk tolerance – range of acceptable variation
Process Considerations: Establish a Portfolio View of Key Risks
(Chart: Impact versus Likelihood)
Process Considerations: What is the level of your risk appetite?
(Chart: Impact versus Likelihood)
Process Considerations: Identify Risk Responses
(Chart: Impact versus Likelihood – options available to quantify risk exposure)
Process Considerations: Impact Versus Probability

                          PROBABILITY
                     Low                      High
IMPACT   High   Medium Risk – Share      High Risk – Mitigate & Control
         Low    Low Risk – Accept        Medium Risk – Control
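Added worked example (not from the presentation): a small risk register scored with the impact-versus-probability matrix above, carrying each risk from inherent to residual and checking it against a risk appetite. The 1–5 scoring scale, the "4 or 5 = High" cut-off, the control-effectiveness factor and the appetite expressed as a maximum residual score are all assumptions made for the example.

```python
# Added worked example, not from the presentation. Assumptions not on the
# page: likelihood and impact are scored 1-5, a score of 4 or 5 counts as
# "High", a control's effectiveness (0.0-1.0) scales inherent likelihood
# down to residual likelihood, and risk appetite is a maximum residual score.
from dataclasses import dataclass

HIGH = 4  # assumed: 4 or 5 on the 1-5 scale is "High"
# Matrix cells: (probability_high, impact_high) -> (rating, response)
MATRIX = {
    (False, False): ("Low Risk", "Accept"),
    (False, True): ("Medium Risk", "Share"),
    (True, False): ("Medium Risk", "Control"),
    (True, True): ("High Risk", "Mitigate & Control"),
}

@dataclass
class Risk:
    name: str
    likelihood: int                      # inherent likelihood, 1-5
    impact: int                          # impact, 1-5 (assumed unchanged by controls)
    control_effectiveness: float = 0.0   # 0.0 = no controls (inherent), 1.0 = fully effective

    def residual_likelihood(self) -> int:
        """Residual risk is the risk left after controls: inherent likelihood
        scaled by (1 - effectiveness), clamped to the 1-5 scale."""
        scaled = round(self.likelihood * (1.0 - self.control_effectiveness))
        return max(1, min(5, scaled))

    def residual_score(self) -> int:
        return self.residual_likelihood() * self.impact

def classify(likelihood: int, impact: int) -> tuple[str, str]:
    """Place a (likelihood, impact) pair in the matrix; return (rating, response)."""
    return MATRIX[(likelihood >= HIGH, impact >= HIGH)]

def portfolio_view(register: list[Risk], appetite: int) -> dict[str, dict]:
    """Entity-level (portfolio) view: residual rating and response per risk,
    plus whether it sits within the stated risk appetite."""
    view = {}
    for r in register:
        rating, response = classify(r.residual_likelihood(), r.impact)
        view[r.name] = {"inherent": r.likelihood * r.impact,
                        "residual": r.residual_score(),
                        "rating": rating, "response": response,
                        "within_appetite": r.residual_score() <= appetite}
    return view

# Constructed register reusing examples the audience raised during the session.
REGISTER = [
    Risk("data security breach", likelihood=5, impact=5, control_effectiveness=0.2),
    Risk("foreign competition", likelihood=5, impact=4, control_effectiveness=0.6),
    Risk("petty cash", likelihood=5, impact=1, control_effectiveness=0.2),
    Risk("airport tower loses communication", likelihood=1, impact=5),
]
```

Calling `portfolio_view(REGISTER, appetite=8)` shows "foreign competition" moving from High Risk inherently to Medium Risk / Share once its controls are counted, while the under-controlled breach risk stays High and outside appetite.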
Risk Response
• Evaluating possible responses
  – Risk likelihood and impact
  – Assessing costs vs. benefits
  – Opportunities in response options
• Selected responses
• Portfolio view
Moving thru the framework….
Control Activities
• Integration with risk response
• Types of control activities – top level reviews, activity management, information processing, physical controls, performance indicators, segregation of duties
• Policies and procedures – in writing, well-communicated, integrated in culture
• Controls over information systems – general controls, application controls
• Entity specific controls
Moving thru the framework….
Information and Communication
• Using relevant quality information to support the functioning of risk management processes
• Internally communicating information necessary for the functioning of internal control
• Externally communicating information regarding matters affecting the functioning of internal control
Moving thru the framework….
Monitoring
• The entity selects, develops and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
• The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action
Process Considerations: Common Risk Management Failures
• Less than robust risk management implementation
• Not a management or board priority: ineffective board oversight
• Failure to anticipate and respond to changed internal and external environment
• Reckless risk taking: compensation not aligned with risk management
• Overconfidence: failure to recognize and prioritize “remote” risks
Process Considerations: Key Implementation Factors
1. Organizational design of the business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results