Tools and Techniques for Enterprise Risk Management (ERM): COSO ERM and ISO ERM
31 [month missing in source] 2554 (Thai Buddhist Era, i.e. 2011 CE), 10:45 to 12:15, rooms 301, 302, 307

Upload: ledang

Post on 28-Mar-2018



- COSO
  - Internal Control
  - ERM Integrated Framework
  - Application Technique
- ISO 31000
  - Guide 73 (Terminology)
  - ISO 31000 - Principle and Guideline
    - Principle
    - Framework
    - Process
  - ISO 31010 - Risk Assessment Technique
- ERM Framework Comparison
- Conclusion

History of COSO’s ERM

Drivers: Financial Collapse, Financial Frauds, Poor Internal/External Audit

Sponsored by:
- The American Institute of Certified Public Accountants
- The Institute of Internal Auditors
- The Financial Executive Institute
- The American Accounting Association
- The Institute of Management Accountants

The Committee of Sponsoring Organizations of the Treadway Commission:
- The Treadway Commission Report
- The Internal Control-Integrated Framework
- The Enterprise Risk Management - Integrated Framework (with PricewaterhouseCoopers)

COSO VS. ISO 31000 (timeline)

- COSO: Internal Control; ERM Integrated Framework; Application Technique (years shown on the slide: 1992, 1994, 2004)
- ISO 31000: Guide 73 (2002); ISO 31000 (2009); ISO 31010 (2010)

COSO Internal Control Framework

- Components: Monitoring; Information & Communications; Control Activities; Risk Assessment; Control Environment
- Objectives: Financial Reporting; Compliance; Operations
- Third dimension: Entities or Activities

From COSO Internal Control to ERM Framework

COSO ERM Framework

- Risk Management Objectives: Strategic; Operations; Reporting; Compliance
- Risk Components (see the components listed below)
- Entity & Unit Level

COSO Definition of Risk

Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

COSO Definition of ERM

• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to an end, not an end in itself

COSO ERM Encompasses

Value is maximized when management sets strategy and objectives to strike an optimal balance between:

● Aligning risk appetite and strategy
● Enhancing risk response decisions
● Reducing operational surprises and losses
● Identifying and managing cross-enterprise risks
● Providing integrated responses to multiple risks
● Seizing opportunities

COSO Achievement of Objectives

The COSO enterprise risk management framework is geared to achieving an entity’s objectives in four categories:

• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.

COSO Components of ERM

• Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes.

• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities.
• Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Event Identification

Event Categories: External Factors; Internal Factors

COSO Approach to Identify Risk Events

- SWOT Analysis
- Scenario Analysis
- Using Technology
- Value Chain Analysis

Risk Assessment Techniques

Risk Assessment Analysis Chart
[Figure: 9 by 9 grid with Likelihood (1 to 9) on one axis and Significance (1 to 9) on the other, divided into quadrants I to IV, with risks R-1 to R-6 plotted]

Risk Appetite Map
[Figure: 3 by 3 grid of Likelihood (Low/Medium/High) against Impact (Low/Medium/High); each cell is marked either Within Risk Appetite or Exceeding Risk Appetite]
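As an added, runnable illustration (not from the slides) of how the analysis chart and the appetite map above fit together with COSO's inherent-versus-residual assessment and ISO 31000's risk evaluation step (comparing the level of risk with risk criteria): 1 to 9 chart scores are banded into the map's Low/Medium/High cells, existing controls produce a residual position, and each risk is judged against the map. The band cut-offs, the map's cell values, the sample register and the simplification that controls reduce only likelihood are assumptions of this example.

```python
import math
from dataclasses import dataclass

# Appetite map in the style of the slide (rows: likelihood band, columns: impact band).
# Which cells are "Within"/"Exceeding" is constructed here; the slide shows the grid only.
BANDS = ("Low", "Medium", "High")
APPETITE_MAP = {
    ("Low", "Low"): "Within", ("Low", "Medium"): "Within", ("Low", "High"): "Exceeding",
    ("Medium", "Low"): "Within", ("Medium", "Medium"): "Exceeding", ("Medium", "High"): "Exceeding",
    ("High", "Low"): "Exceeding", ("High", "Medium"): "Exceeding", ("High", "High"): "Exceeding",
}

def band(score: int) -> str:
    """Band a 1-9 chart score into the map's cells (assumed cut-offs: 1-3 Low, 4-6 Medium, 7-9 High)."""
    if not 1 <= score <= 9:
        raise ValueError(f"score must be 1-9, got {score}")
    return BANDS[(score - 1) // 3]

@dataclass
class Risk:
    ident: str
    likelihood: int                      # inherent likelihood, 1-9 (as if no controls existed)
    impact: int                          # inherent impact, 1-9
    control_effectiveness: float = 0.0   # 0..1 share of likelihood removed by existing controls (assumed model)

def residual_likelihood(risk: Risk) -> int:
    """Residual likelihood after controls, rounded up so the estimate stays conservative."""
    return max(1, math.ceil(risk.likelihood * (1.0 - risk.control_effectiveness)))

def evaluate(risk: Risk) -> dict:
    """Risk evaluation: locate inherent and residual positions on the map, then compare with appetite."""
    inherent = (band(risk.likelihood), band(risk.impact))
    residual = (band(residual_likelihood(risk)), band(risk.impact))
    verdict = APPETITE_MAP[residual]
    # COSO response families: accept inside appetite; otherwise reduce, share or avoid
    # (which of those to pick is a management decision, not something the map decides).
    return {"id": risk.ident, "inherent": inherent, "residual": residual, "appetite": verdict,
            "response": "accept" if verdict == "Within" else "treat (reduce/share/avoid)"}

def register_report(risks: list) -> list:
    """Evaluate a register; risks exceeding appetite are listed first, then by id."""
    rows = [evaluate(r) for r in risks]
    rows.sort(key=lambda row: (row["appetite"] != "Exceeding", row["id"]))
    return rows

# Constructed sample register, named after the R-1..R-6 points on the slide's chart.
SAMPLE_REGISTER = [
    Risk("R-1", likelihood=8, impact=9, control_effectiveness=0.5),
    Risk("R-2", likelihood=2, impact=2),
    Risk("R-3", likelihood=7, impact=3, control_effectiveness=0.8),
    Risk("R-4", likelihood=5, impact=6, control_effectiveness=0.5),
    Risk("R-5", likelihood=3, impact=9, control_effectiveness=0.9),
    Risk("R-6", likelihood=9, impact=4),
]
```

R-5 shows why the map is evaluated on both axes: strong controls push its likelihood to the lowest band, yet a High-impact cell still sits outside appetite, so likelihood-only treatment cannot close it.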

Risk Response and Control

Risk Response

Risk Control

Key Points in COSO ERM

Comments on COSO 1/

1. The COSO process starts with the internal environment, not the external ones and this fails to reflect the influence that the business environment, regulatory conditions, and external stakeholders have on the risks an organization faces, its organizational culture, and how they influence its risk appetite and risk treatment priorities.
2. Stakeholders, particularly external ones, are not mentioned and stakeholders’ objectives and their influence on decisions about the significance of levels and types of risk are omitted.
3. COSO ERM says that risks are described as events, and events are described and illustrated by examples of sudden, acute occurrences. There is no appreciation of the slow changes in circumstance and situation that give rise to some of the most critical risks.
4. COSO measures risk in terms of the probability of an event and its “typical” consequences. However, we will not always get the “typical” consequences every time an event occurs.

Comments on COSO 2/

5. Throughout the document, the term ‘risk likelihood’ is used, but risk does not have a likelihood. Likelihood is one of the attributes used to measure the level of risk.
6. While there are some concessions to what are called ‘opportunities’, in COSO ERM risks are mostly about losses and risk treatment (response) is about reducing the likelihood and severity of losses. The COSO document is not mature enough to explain that risk is just the effect of uncertainty in what you set out to achieve and that outcomes can be beneficial.
7. The COSO is the whole thinking about ‘risk responses’, ‘control activities’ and ‘monitoring’ most confusing and confused and most people who read and try to use the code do as well.
8. The problems with the concept of inherent risk are well-known and the COSO document does not explain why you need to use this artificial, theoretical state where no controls exist, to justify tolerating the present level of risk or doing something more to modify it.

Comments on COSO 3/

9. The whole area of risk appetite and what COSO ERM calls risk tolerance is handled in a mechanistic and naive way. The thought that before you even do a risk assessment, a board can identify the material risks and tell you how much they are prepared to tolerate puts them on a par with the Gods.
10. The greatest sin is that the COSO document confuses and mixes up the framework (the organizational structures, policies, and arrangements put in place to promote, integrate and improve the management of risk) with the process used for risk management, particularly that used for risk assessment, risk treatment and monitor and review.

Grant Purdy

6. ISO 31010 (November 2009)

Risk – effect of uncertainty on objectives

Related terms: Event; Consequence; Likelihood; Uncertainty; Probability; Frequency; Level of risk; Risk source; Hazard; Vulnerability

Risk management – coordinated activities to direct and control an organization with regard to risk

Related terms: Risk management policy; External context; Internal context; Risk profile; Risk management framework; Risk management plan; Risk appetite; Risk attitude; Risk owner; Risk management audit; Exposure; Resilience

Risk management process – systematic application of management policies, procedures and practices to the tasks of communicating, consultation, establishing the context, identifying, analyzing, evaluating, treating, monitoring and reviewing risk

Related terms: Risk assessment; Risk identification; Risk analysis; Monitoring; Review; Risk register

Risk evaluation – process of comparing the results of analysis against risk criteria to determine whether the level of risk is acceptable or tolerable (part of risk management process)

Related terms: Risk criteria; Risk tolerance; Risk aversion; Risk matrix; Risk aggregation

Stakeholder – those people and organizations who can affect, be affected, or perceive themselves to be affected by a decision or activity

Related terms: Communication and consultation; Risk perception; Risk reporting

Risk treatment – process of developing, selecting, and implementing measures to modify risk (part of risk management process)

Related terms: Control; Risk sharing; Risk financing; Risk retention; Risk acceptance; Risk avoidance; Residual risk; Risk mitigation

ISO 31000: Risk is the effect of uncertainty on objectives.

COSO: Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

[Figure: the COSO and ISO 31000 views of risk shown side by side relative to a target]

ISO 31000: Principle, Framework, Process

Principles:

• Creates and protects value
• Integral part of organizational processes
• Part of decision making
• Explicitly addresses uncertainty
• Systematic, structured and timely
• Based on the best available information
• Tailored
• Takes human & cultural factors into account
• Transparent & inclusive
• Dynamic, iterative & responsive to change
• Facilitates continual improvement & enhancement of the organization

Framework (cycle): Mandate & Commitment; Design of Framework for Managing Risk; Implement Risk Management; Monitor & Review of the Framework; Continual Improvement of Framework

Process: Establish the context; Risk assessment (Risk identification, Risk analysis, Risk evaluation); Risk treatment; with Communication and consultation, and Monitoring and review, running alongside every step

Framework elements in practice:

- Commit & mandate: Policy statement
- Plans and standards: Risk management plan; Assurance plan; Standards; Procedures/Guidelines
- Measure & review: Control assurance; RM plan progress; Governance reporting; Benchmarking; Performance criteria
- Communicate & train: Communication and reporting plan; Training strategy; RM network
- Allocate & organize: Risk & audit committee; Exec RM committee; RM working group; Manager, RM; RM champion; Risk & control owners
- Strategic process
- RM information system: Risk registers; Treatment plan; Assurance plan; Reporting template
- Tactical process

Principal benefits of risk assessment techniques include:

● Understanding the risk and its potential impact upon objectives
● Providing information for decision makers
● Contributing to the understanding of risks, in order to assist in selection of treatment options
● Identifying the important contributors to risks and weak links in systems and organizations
● Comparing risks in alternative systems, technologies or approaches
● Communicating risks and uncertainties
● Assisting with establishing priorities
● Contributing towards incident prevention based upon post-incident investigation
● Selecting different forms of risk treatment
● Meeting regulatory requirements
● Providing information that will help evaluate whether the risk should be accepted when compared with pre-defined criteria
● Assessing risks for end-of-life disposal.

Applicability of Tools Used for Risk Assessment

Stages of the risk assessment process against which each tool is rated:

• Risk identification;
• Risk analysis – consequence analysis;
• Risk analysis – qualitative, semi-quantitative or quantitative probability estimation;
• Risk analysis – assessing the effectiveness of any existing controls;
• Risk analysis – estimating the level of risk;
• Risk evaluation.

How to Select Risk Assessment Technique

• Complexity of the problem and the methods needed to analyze it
• The nature and degree of uncertainty of the risk assessment based on the amount of information available and what is required to satisfy objectives
• The extent of resources required in terms of time and level of expertise, data needs or cost
• Whether the method can provide a quantitative output.

What makes ISO 31000 Different from COSO

• First, the Risk Management Framework must be continually improved using the well-known quality improvement cycle of Design, Implement, Monitor and Review, and Improve, also known as the Plan-Do-Check-Act cycle.
• Second, the framework must be comprehensive, with accountability for all risks: everyone in the organization will be able to tell what risks they own, what controls they are responsible for, the current status of those controls, trends and current status of the risks, and the expected effects on the objectives concerned.
• Third, all decision making in the organization has explicit consideration of risk, as evidenced by documentation of decisions. This expectation of evidence is embedded in the framework.
• Fourth, continuous communication and reporting that is highly visible, covers internal and external stakeholders as appropriate, and reports performance indicators for risk management is part of the framework.
• Fifth, risk management is a core element of the organization’s management processes, including governance. Risk management is regarded as essential by the organization’s culture.

Criteria and Associated Measures in ISO 31000

Comparison between COSO and ISO 31000

Source: Dr. Roland Franz Erben, Risk Management Standards

* Both standards exclude business continuity/crisis management, but ISO mentions this topic in ISO 22399.

COSO or ISO 31000: Which One is Suitable for You?

ISO 31000 Terminology, Principle and ISO 22399

Design Your Tailor-made ERM Framework

[Figure: the ISO 31000 framework cycle (Mandate & Commitment; Design of Framework for Managing Risk; Implement Risk Management; Monitor & Review of the Framework; Continual Improvement of Framework) applied across the Strategic, Finance, Marketing and Operation functions, centred on Risk – effect of uncertainty on objectives]

Maybe better?
