Tools and Techniques for Enterprise Risk Management (ERM)
TRANSCRIPT
COSO ERM vs ISO ERM
31 [month illegible in source] 2554 (Buddhist Era), 10:45 to 12:15, rooms 301, 302, 307
COSO
Internal Control
ERM Integrated Framework
Application Technique
ISO 31000
Guide 73 (Terminology)
ISO 31000 - Principle and Guideline
- Principle
- Framework
- Process
ISO 31010 - Risk Assessment Technique
ERM Framework Comparison
Conclusion
History of COSO’s ERM
Drivers: financial collapse, financial frauds, poor internal/external audit
Sponsored by:
• The American Institute of Certified Public Accountants
• The Institute of Internal Auditors
• The Financial Executive Institute
• The American Accounting Association
• The Institute of Management Accountants
The Committee of Sponsoring Organizations of the Treadway Commission
The Treadway Commission Report
The Internal Control-Integrated Framework
The Enterprise Risk Management - Integrated Framework
Co with Price/Waterhouse
COSO VS. ISO 31000
COSO: Internal Control, ERM Integrated Framework, Application Technique (1992, 1994, 2004)
ISO: Guide 73, ISO 31000, ISO 31010 (2002, 2009, 2010)
COSO and ISO 31000
COSO Internal Control Framework
Components: Control Environment, Risk Assessment, Control Activities, Information & Communications, Monitoring
Objectives: Financial Reporting, Compliance, Operations
Applied across: Entities or Activities
From COSO Internal Control to ERM Framework
COSO ERM Framework
Risk Management Objectives: Strategic, Operations, Reporting, Compliance
Risk Components
Applied at: Entity & Unit Level
COSO Definition of Risk
Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.
COSO Definition of ERM
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to an end, not an end in itself
COSO ERM Encompasses
Value is maximized when management sets strategy and objectives to strike an optimal balance between:
● Aligning risk appetite and strategy
● Enhancing risk response decisions
● Reducing operational surprises and losses
● Identifying and managing cross-enterprise risks
● Providing integrated responses to multiple risks
● Seizing opportunities
COSO Achievement of Objectives
COSO’s enterprise risk management framework is geared to achieving an entity’s objectives in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
COSO Components of ERM
• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.
Event Identification
Event Categories: External Factors, Internal Factors
COSO Approach to Identify Risk Events
• SWOT Analysis
• Scenario Analysis
• Using Technology
• Value Chain Analysis
Risk Assessment Techniques
Risk Assessment Analysis Chart (figure): a 9 by 9 grid of Likelihood (1 to 9, horizontal) against Significance (1 to 9, vertical), divided into quadrants I, II, III and IV, with risks R-1 to R-6 plotted on it.
Risk Appetite Map (figure): Likelihood (Low, Medium, High) against Impact (Low, Medium, High); each cell is marked either Within Risk Appetite or Exceeding Risk Appetite.
Risk Response and Control
Risk Response
Risk Control
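The analysis chart, appetite map and response slides above describe one procedure: score each risk by likelihood and impact, inherently and again after existing controls (residual), place it on the grid, test it against appetite and choose a response. The following Python is an added example, not part of the original slides: the 9-point scale and the R-1 to R-6 labels follow the chart, while the Low/Medium/High thresholds, the quadrant layout, the appetite rule and the response mapping are assumptions, since the slides show them only as a picture.

```python
from dataclasses import dataclass, field

SCALE_MAX = 9  # 9-point axes, as on the Risk Assessment Analysis Chart

def band(score: int) -> str:
    # Assumed Low/Medium/High thresholds (the slide gives none): 1-3, 4-6, 7-9
    return "Low" if score <= 3 else "Medium" if score <= 6 else "High"

def quadrant(likelihood: int, impact: int) -> str:
    # Assumed chart layout, split at the midpoint 5: I = low likelihood/high
    # impact, II = high/high, III = high likelihood/low impact, IV = low/low
    key = (likelihood >= 5, impact >= 5)
    return {(False, True): "I", (True, True): "II",
            (True, False): "III", (False, False): "IV"}[key]

def within_appetite(likelihood: int, impact: int) -> bool:
    # Constructed appetite rule: exceeded if either band is High or both Medium
    bl, bi = band(likelihood), band(impact)
    return "High" not in (bl, bi) and (bl, bi) != ("Medium", "Medium")

@dataclass
class Risk:
    rid: str
    likelihood: int  # inherent likelihood, no controls applied
    impact: int      # inherent impact ("Significant" axis on the chart)
    controls: list = field(default_factory=list)  # (likelihood_cut, impact_cut)

    def residual(self) -> tuple:
        # Residual = inherent after existing controls, floored at 1
        lik, imp = self.likelihood, self.impact
        for cut_l, cut_i in self.controls:
            lik, imp = max(1, lik - cut_l), max(1, imp - cut_i)
        return lik, imp

def assess(risk: Risk) -> dict:
    # Score inherent and residual, then pick one of COSO's four responses
    rl, ri = risk.residual()
    bl, bi = band(rl), band(ri)
    ok = within_appetite(rl, ri)
    # Illustrative mapping: both High -> avoid, impact High -> share, else reduce
    response = ("accept" if ok else "avoid" if bl == bi == "High"
                else "share" if bi == "High" else "reduce")
    return {"id": risk.rid, "inherent": (risk.likelihood, risk.impact),
            "residual": (rl, ri), "quadrant": quadrant(rl, ri),
            "within_appetite": ok, "response": response}

# Constructed sample register reusing the chart's R-1..R-6 labels
REGISTER = [Risk("R-1", 8, 8, [(3, 0)]), Risk("R-2", 2, 9), Risk("R-3", 7, 3, [(2, 1)]),
            Risk("R-4", 3, 2), Risk("R-5", 6, 6, [(3, 3)]), Risk("R-6", 9, 9)]
```

Calling `assess(r)` for each entry in `REGISTER` yields the inherent and residual scores, the quadrant and the appetite verdict; R-5 shows a risk brought inside appetite purely by controls, while R-2 stays outside because its impact band is High even at low likelihood.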
Key Points in COSO ERM
Comments on COSO (1/3)
1. The COSO process starts with the internal environment, not the external one, and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities.
2. Stakeholders, particularly external ones, are not mentioned, and stakeholders’ objectives and their influence on decisions about the significance of levels and types of risk are omitted.
3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks.
4. COSO measures risk in terms of the probability of an event and its “typical” consequences. However, we will not always get the “typical” consequences every time an event occurs.
Comments on COSO (2/3)
5. Throughout the document, the term ‘risk likelihood’ is used, but risk does not have a likelihood. Likelihood is one of the attributes used to measure the level of risk.
6. While there are some concessions to what are called ‘opportunities’, in COSO ERM risks are mostly about losses and risk treatment (response) is about reducing the likelihood and severity of losses. The COSO document is not mature enough to explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial.
7. In COSO, the whole thinking about ‘risk responses’, ‘control activities’ and ‘monitoring’ is most confusing and confused, and most people who read and try to use the code find it so as well.
8. The problems with the concept of inherent risk are well known, and the COSO document does not explain why you need to use this artificial, theoretical state where no controls exist to justify tolerating the present level of risk or doing something more to modify it.
Comments on COSO (3/3)
9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods.
10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitoring and review.
Grant Purdy
Guide 73 (Terminology)
Risk – effect of uncertainty on objectives. Related terms: event, consequence, likelihood, uncertainty, probability, frequency, level of risk, risk source, hazard, vulnerability.
Risk management – coordinated activities to direct and control an organization with regard to risk. Related terms: risk management policy, external context, internal context, risk profile, risk management framework, risk management plan, risk appetite, risk attitude, risk owner, risk management audit, exposure, resilience.
Risk management process – systematic application of management policies, procedures and practices to the tasks of communicating, consulting, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk. Related terms: risk assessment, risk identification, risk analysis, monitoring, review, risk register.
Risk evaluation – process of comparing the results of analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of the risk management process). Related terms: risk criteria, risk tolerance, risk aversion, risk matrix, risk aggregation.
Stakeholder – those people and organizations who can affect, be affected by, or perceive themselves to be affected by a decision or activity. Related terms: communication and consultation, risk perception, risk reporting.
Risk treatment – process of developing, selecting and implementing measures to modify risk (part of the risk management process). Related terms: control, risk sharing, risk financing, risk retention, risk acceptance, risk avoidance, residual risk, risk mitigation.
ISO 31000: Risk is the effect of uncertainty on objectives.
COSO: Risk is the possibility that an event will occur and adversely affect the achievement of objectives.
(Figure labels: COSO, ISO 31000, Target)
ISO 31000: Principles, Framework, Process
ISO 31000 Principles
• Creates and protects value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the organization
ISO 31000 Framework
• Mandate & Commitment
• Design of Framework for Managing Risk
• Implement Risk Management
• Monitor & Review of the Framework
• Continual Improvement of Framework
ISO 31000 Process
• Establish the context
• Risk assessment: risk identification, risk analysis, risk evaluation
• Risk treatment
• Communication and consultation
• Monitoring and review
Framework implementation elements (figure):
• Commit & mandate: policy statement
• Risk management plan, assurance plan, standards, procedures/guidelines
• Measure & review: control assurance, RM plan progress, governance reporting, benchmarking, performance criteria
• Communicate & train: communication and reporting plan, training strategy, RM network
• Allocate & organize: risk & audit committee, exec RM committee, RM working group, Manager RM, RM champion, risk & control owners
• Strategic process
• RM information system: risk registers, treatment plan, assurance plan, reporting template
• Tactical process
Principal benefits of risk assessment techniques include:
● Understanding the risk and its potential impact upon objectives
● Providing information for decision makers
● Contributing to the understanding of risks, in order to assist in selection of treatment options
● Identifying the important contributors to risks and weak links in systems and organizations
● Comparing risks in alternative systems, technologies or approaches
● Communicating risks and uncertainties
● Assisting with establishing priorities
● Contributing towards incident prevention based upon post-incident investigation
● Selecting different forms of risk treatment
● Meeting regulatory requirements
● Providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria
● Assessing risks for end-of-life disposal.
• Risk identification;
• Risk analysis – consequence analysis;
• Risk analysis – qualitative, semi-quantitative or quantitative probability estimation;
• Risk analysis – assessing the effectiveness of any existing controls;
• Risk analysis – estimating the level of risk;
• Risk evaluation.
How to Select Risk Assessment Technique
Applicability of Tools Used for Risk Assessment
• Complexity of the problem and the methods needed to analyze it
• The nature and degree of uncertainty of the risk assessment, based on the amount of information available and what is required to satisfy objectives
• The extent of resources required in terms of time and level of expertise, data needs or cost
• Whether the method can provide a quantitative output
What makes ISO 31000 Different from COSO
• First, the Risk Management Framework must be continually improved using the well-known quality improvement cycle of Design, Implement, Monitor and Review, and Improve, also known as the Plan-Do-Check-Act cycle.
• Second, the framework must be comprehensive, with accountability for all risks: everyone in the organization will be able to tell what risks they own, what controls they are responsible for, the current status of those controls, the trends and current status of the risks, and the expected effects on the objectives concerned.
• Third, all decision making in the organization has explicit consideration of risk, as evidenced by documentation of decisions. This expectation of evidence is embedded in the framework.
• Fourth, continuous communication and reporting that is highly visible, covers internal and external stakeholders as appropriate, and addresses performance indicators for risk management is part of the framework.
• Fifth, risk management is a core element of the organization’s management processes, including governance. Risk management is regarded as essential by the organization’s culture.
Criteria and Associated Measures in ISO 31000
Comparison between COSO and ISO 31000 (Dr. Roland Franz Erben, Risk Management Standards)
* Both standards exclude business continuity/crisis management, but ISO mentions this topic in ISO 22399.
COSO or ISO 31000, Which One is Suitable for You?
ISO 31000 Terminology, Principle and ISO 22399
Design Your Tailor-made ERM Framework
Business areas (figure): Strategic, Finance, Marketing, Operation
Mandate & Commitment
Risk – effect of uncertainty on objectives
Design of Framework for managing Risk
Continual Improvement of Framework
Implement Risk Management
Monitor & Review of the Framework
Maybe better?