COSO Enterprise Risk Management Framework - Integrating Strategy and Performance. Presentation for RBB, Den Bosch, November 2017. www.pwc.com (55 slides, transcript)

Page 1: COSO Enterprise Risk Management Framework ... · PwC | COSO Enterprise Risk Management –Integrating with Strategy and Performance Agenda 2 How to obtain a copy of the new Framework

COSO Enterprise Risk Management Framework-Integrating Strategy and Performance

Presentation for RBB

Den Bosch, November 2017

www.pwc.com

Page 2

Agenda

1. Introducing COSO: Who is COSO and what is the COSO ERM Framework?
2. What is new? What are the key changes? What do the components and principles mean?
3. Concluding: What are the key messages and takeaways from ERM@work?
4. More information: How to obtain a copy of the new Framework and obtain more information

"COSO recognises the growing expectation of organisations to manage, in an integrated and cohesive manner, risks emanating from across an enterprise." (Robert B. Hirth Jr., COSO Chair)

Page 3

Why update the ERM framework now?

• Boards are expecting more from their organization’s ERM practices and capabilities

• Stakeholders are seeking greater transparency and accountability

• Business environments are increasingly complex, technologically driven, and global

• There is a need to incorporate lessons learned from recent events and the bar is rising

• Risk professionals are looking for a more up-to-date resource describing ERM concepts

• The range of ERM practices continues to evolve

Since 2004, the market has continued to evolve and the COSO Framework is evolving with it.

Page 4

Introducing COSO ERM

Page 5

What is a company (really!) asking for…

Companies are not looking for (enterprise) risk management in itself; they are looking for the following benefits:

- Reduce surprises and losses

- Reduce performance variability

- Improve resource deployment

- Identify and manage entity-wide risks

- Increase the range of opportunities

Since the recent publication of COSO ERM, many clients have already been asking PwC where to begin…


Page 6

COSO's history – The Treadway Commission

The Committee of Sponsoring Organizations (COSO) of the Treadway Commission was formed as a joint initiative to combat corporate fraud. COSO is supported by five sponsoring organizations.

Target audience:

1. Directors
2. Supervisors
3. Auditors
4. Specialists: finance, control, risk, compliance, etc.
5. Management

COSO Mission

To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.

Page 7

COSO and PwC have collaborated on frameworks and publications for 25 years

COSO’s 2004 Enterprise Risk Management-Integrated Framework is one of the world’s most widely used risk management frameworks.

www.coso.org

2017 Publication

Other COSO publications authored by PwC:

• 2013 Internal Control – Integrated Framework Executive Summary
• 2013 Internal Control – Integrated Framework
• 2012 Understanding and Communicating Risk Appetite
• 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies
• 1992 Internal Control – Integrated Framework

Page 8

Other risk management standards

Standards used, by sector (survey figures, 2014):

Standard     Financial services (N=57)   Profit sector (N=251)   Non-profit (N=251)   2014
None         10,5                        49,1                    45,4                 51,3
COSO         64,9                        29,3                    20,3                 26,3
INK/EFQM     10,5                        12,0                    31,5                 20,4
ISO 31000    17,5                         4,4                    12,0                 12,0
6Sigma        5,3                        11,2                     3,6                  8,0
Basel        63,2                         0,1                     1,2                  0,7
M_o_R         3,5                        14,3                     4,4                  4,6
Aus/NZL       1,8                         0,1                     1,2                  0,7
OCEG          1,8                        10,0                     0,4                  0,4
AIRMIC        1,8                           -                     0,4                  0,3
Other        19,3                         5,1                    12,0                 11,7

Standards and/or frameworks may be internally developed or based on external publicly accessible standards / frameworks such as:

• Basel II / III – issued by the Basel Committee on Banking Supervision

• AS/NZS 4360:2004 Risk Management – the Australian standard for RM

• ABIB

• Turnbull

• ISO 73/31000

• Open Compliance & Ethics Group (OCEG)

• M_o_R

• AIRMIC

Page 9

Written from the perspective of the business

• There is often a 'siloed' approach to risk that is separate from the day-to-day management of an organisation.
• Risk management is perceived as an incremental activity performed by those independent of the business.
• The lack of integration can contribute to difficulties engaging with the business and in the ability to gain and offer insight, and ultimately curbs the value that ERM can offer.

• The Framework endeavors to remove risk 'jargon' and adopts the language of business to discuss concepts and practices.
• By using the same language, the Framework hopes to promote acceptance and adoption of ERM by the organization.

Note: In practice, ERM often refers to a team, a department or a part of the 'lines of defense'; in the Framework, however, it is discussed in the context of an organisation's culture, capabilities and practices used to manage risk.

The Framework was written from the perspective of the business to facilitate the integration of ERM and support acceptance and adoption by the business.

Page 10

Reasons for the implementation of the COSO (ERM) framework

1. COSO is the first worldwide acknowledged framework for internal control (IC)
2. Industry- and geography-independent
3. Voluntary instead of obligatory
4. Comprehensive, including practical implementation techniques
5. The most referred-to framework
6. Most other frameworks are based on COSO
7. Rapidly becoming the most accepted standard for ERM

Page 11

What's new?

Page 12

Introducing the 10 key changes to the 2017 Framework

• Greater emphasis on culture – reflecting the changing demands and expectations of today's markets, helping your organization make responsible risk decisions
• Coming soon: Compendium of Examples – highlighting the implementation of principles across a variety of industries and entity types
• Explores management of risk at all altitudes of the organization – from entity-level through to procedural-level risks, making ERM more than just an isolated view of risk in the business
• Written from the perspective of the business – risk management concepts are discussed in terms of helping an organization create value, enabling you to realize true benefits from ERM
• A focus on integrating risk management – linking risk with strategy setting and day-to-day activities, helping you to use ERM principles to support the creation, realization, and preservation of value
• A new framework structure – five components and twenty principles that align to the business lifecycle, making the risk conversation more intuitive for you
• Addresses the evolving role of technology – in influencing an organization's strategy, business context and how it manages risk
• Deeper discussions on challenging topics – such as risk appetite and the portfolio view of risk
• Explores the different benefits of ERM – from loss mitigation through to strategic advisor, and how they inform the design of a Framework
• Suite of new graphics highlighting the relationship between risk and performance – demonstrating a new way to identify and assess the relationship between the amount of risk and the level of performance

Page 13

Focus on integrating risk and strategy

• Strategic blunders account for a majority of the losses in shareholder value compared to operational events, incidents or compliance failures
• Research suggests that organisations are looking to strengthen the integration between strategy and enterprise risk management

The strategy-setting process is a critical area of integration for enterprise risk management.

81% of the greatest losses in shareholder value since 2002 were attributable to 'strategic blunders'*

*U.S. public companies around the world with at least US$1 billion in enterprise value on January 1, 2002 (1,053 companies met these criteria). Dann, Le Merle and Pencavel, "The Lesson in Lost Value", Strategy+Business, November 2012.

Page 14

COSO – From cube to string

[Figure: 2004 COSO ERM graphic beside the updated 2017 COSO ERM graphic]

Page 15

The new framework emphasizes the value cycle

• The figure illustrates strategy in the context of mission, vision, and core values, and as a driver of an entity’s overall direction and performance

• Integrating ERM with business activities and processes results in better information that supports improved decision-making and leads to enhanced performance

• The updated Framework enhances the conversation of risk across the whole value cycle of a company

Page 16

Mission, Vision and Core Values

Describes what you strive to be and how you want to conduct business.

The mission and vision:
• Provide a high-level view of the acceptable types and amount of risk;
• Help establish boundaries;
• Focus on how decisions may affect strategy.

Core Values are considered in the context of the culture the entity wishes to embrace.

“An organization that understands its mission and vision can set strategies that will yield the desired risk profile”

Example: healthcare provider

Page 17

Strategy, Business Objectives & Performance

Three dimensions regarding the relationship between Risk and Strategy:

1. Risk of: the possibility of strategy and business objectives not aligning.
Example (healthcare provider): if the strategy were to focus on being the best specialist services provider, the organization would probably not succeed in providing a comprehensive range of patient services (mission).

2. Risk from: the implications of the strategy chosen.
Example (healthcare provider): what type and amount of risk is the organization potentially exposed to, having adopted this strategy? What are the assumptions underlying this strategy, and would changes to these assumptions have little or great impact on achieving the strategy?

3. Risk to: risk to strategy and performance.
Example (healthcare provider): the objective is to deliver high-quality care, therefore the organization considers risks relating to employee capability, medical care treatment, healthcare legislation reform, access to electronic health records, etc.

Page 18

Enhanced performance

• There is always risk associated with a target of performance!
• The amount of uncertainty that exists is related to the amount of risk to performance, e.g.:
  • Agriculture producers are uncertain about their ability to produce enough to meet customer demands and profitability targets;
  • Airlines are uncertain about their ability to operate all flights on their schedule.

[Figure: the relation between risk and performance (= risk profile), considering risk appetite and acceptable variation in performance]

Page 19

The new Framework adopts a components and principles structure

Page 20

Component 1: Governance & Culture (1)

• Governance and culture together form the basis for all other components of ERM.
• Governance determines the 'tone', indicates the importance of ERM and ensures adequate supervision.
• Culture includes ethical values, desired behaviour, and understanding of risk within the entity.

Component 1 consists of the following principles:

1. Exercises Board Risk Oversight – The board of directors provides oversight of the strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating Structures – The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Culture – The organization defines the desired behaviours that characterize the entity's desired culture.
4. Demonstrates Commitment to Core Values – The organization demonstrates a commitment to the entity's core values.
5. Attracts, Develops, and Retains Capable Individuals – The organization is committed to building human capital in alignment with the strategy and business objectives.

Page 21

Component 1: Governance & Culture (2)

1. Exercises Board Risk Oversight
• Accountability and responsibility of senior management
• Expertise, experience and knowledge of the business
• Independence from senior management
• Good understanding of the value that ERM adds

2. Establishes Operating Structures
• Operating model
• Reporting lines
• ERM structure
• Rights, roles and responsibilities

3. Defines Desired Culture
• Culture characteristics
• Desired behaviour
• Culture spectrum
• Aligning fundamental values, decision-making and behaviour

4. Demonstrates Commitment to Core Values
• Fundamental values
• Creating a risk-aware culture
• Standards of conduct aligned with the culture
• Open communication
• Evaluating and managing deviations

5. Attracts, Develops, and Retains Capable Individuals
• Establishing and evaluating the required competencies
• Attracting, training, coaching, evaluating and retaining employees
• Rewards
• Succession planning

Page 22

Managing culture in organizations

[Figure: culture model. Desired culture is shaped by stakeholders and environment; identity, brand promise and strategy; and governance, risk and control. Actual culture shows in symbols and decisions, behavior, and systems and structures. The spectrum runs from constraint, control, compliance, contract and commit to discipline, support and trust. Questions asked: Dialogue? Aligned? Walk the talk? Moments that matter? What to improve?]

Sustainably successful organizations are characterized by a strong similarity between the actual and the desired culture. These are organizations that have embedded their core values in their daily actions.

Page 23

The value of a meaningful risk dialogue

A meaningful risk dialogue indicates:

• The importance of diversity
• The importance of the right attitude and being "competent"
• The importance of out-of-the-box thinking (e.g. beyond organizational boundaries)
• Appreciation of (risk) culture (challenge, chronic unease)
• Awareness of human limitations*

Risk dialogue: continuous dialogue, discussion and debate within organizations, resulting in a better understanding of complexity by decision makers and internal supervisors.

Page 24

Risk culture and risk appetite

Risk culture is linked to the conversation about management's attitude towards risk taking.

[Figure: spectrum from Risk Averse through Risk Neutral to Risk Aggressive]

Page 25

Component 2: Strategy & Objective-Setting (1)

• ERM is integrated into the strategic plan.
• The understanding of business context is required to assess internal and external factors (and their impact on risk).
• Determining the risk appetite is part of strategy planning/determination.

Component 2 consists of the following principles:

6. Analyzes Business Context – The organization considers potential effects of business context on risk profile.
7. Defines Risk Appetite – The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies – The organization evaluates alternative strategies and potential impact on risk profile.
9. Formulates Business Objectives – The organization considers risk while establishing the business objectives at various levels that align and support strategy.

Page 26

Component 2: Strategy & Objective-Setting (2)

6. Analyzes Business Context
• Business context = dynamic, complex & unpredictable
• Taking account of internal and external environments and stakeholders

7. Defines Risk Appetite
• Determining the risk appetite
• Articulating the risk appetite
• Setting the target, range, upper and lower limit
• Cascading and applying the risk appetite

8. Evaluates Alternative Strategies
• Understanding the implications of the chosen strategy
• Aligning the strategy with the risk appetite
• Making strategy changes

9. Formulates Business Objectives
• Setting business objectives
• Aligning business objectives with the strategy
• Understanding the implications of the chosen objectives
• Categorising objectives
• Performance indicators, targets and risk tolerance

Page 27

The business context defines the risk profile…

Now:
• Foundation / state participation
• Monopolist
• Regulated on several themes
• Sensitive to fraud
• Active in NL only
• Off-line market only

Future:
• Limited/public company
• Market party
• Regulated on several themes
• Sensitive to fraud
• Active in NL and outside NL?
• Off-line and on-line market

…and therefore influences the risk appetite.

Page 28

An example: Risk appetite

Rating scale: Very Low (1), Low (2), Medium (3), High (4), Very High (5).

Risk categories:
• Strategic – Impact on realization of strategic goals and competitiveness
• Service – Impact on quality of service (client satisfaction)
• Reputation – Impact on reputation and/or relationship with external stakeholders
• Financial – Impact on profit and loss statement and/or balance
• Compliance – Impact in the form of penalties imposed by the supervisor or supervisory pressure

[Figure: risk appetite per category rated on the scale above, now (until privatization) versus future (after privatization)]

Page 29

Risk appetite further 'translated'

• "Risk management criteria":
  o Assessment criteria
  o A clear threshold for taking (additional) risk management measures (instead of a top 5 or top 10)
  o When to apply which risk strategy
  o Possibly differentiated by risk type
  o Risk tolerance (KRIs)
• But also "operational criteria":
  o Authorisation (procuration) scheme
  o Investment criteria
  o Tender criteria
  o Dashboard criteria (colour codes)
  o Ranges around targets
  o Etc.

Risk appetite: "The amount of risk (per type), at a high level of abstraction, that an organisation is willing to take in pursuit of value creation."

42% have determined their risk appetite

Risk appetite characteristics                               Percentage
Determined qualitatively                                    77,0
Determined quantitatively                                   68,2
Determined specifically for one or more risk groups         48,2
Risk appetite documented                                    66,2
Risk appetite communicated                                  61,0

Page 30

Component 3: Performance (1)

• Identification and assessment of risks that threaten the realization of the strategy
• Prioritization of risks based on size / severity and in line with the risk appetite
• Selecting "risk responses" and monitoring performance
• In this manner, the organization develops a "portfolio view" of the total amount of risk to which the organization is exposed

Component 3 consists of the following principles:

10. Identifies Risk – The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses Severity of Risk – The organization assesses the severity of risk.
12. Prioritizes Risks – The organization prioritizes risks as a basis for selecting responses to risks.
13. Implements Risk Responses – The organization identifies and selects risk responses.
14. Develops Portfolio View – The organization develops and evaluates a portfolio view of risk.

Page 31

Component 3: Performance (2)

10. Identifies Risk
• Risk register
• Identifying risks by means of data analysis, interviews, workshops, process analysis, etc.

11. Assesses Severity of Risk
• Measuring the impact of risks
• Assessing risks by means of a qualitative and/or quantitative approach
• (Graphically) presenting the risk assessment

12. Prioritizes Risks
• Drawing up criteria for risk prioritisation
• Risk prioritisation in line with the risk appetite

13. Implements Risk Responses
• 5 categories: accept, avoid, pursue, reduce and share
• Selecting the risk response on the basis of factors such as business context, costs vs. benefits, risk appetite, etc.

14. Develops Portfolio View
• 4 levels: minimal integration, limited integration, partial integration and full integration
• Analysing the portfolio view by means of qualitative and/or quantitative techniques

Page 32

Prioritizing risks

By the use of 5 criteria:

1. Adaptability – The capacity to adapt and respond to risks.
• e.g. responding to changing demographics such as the age of the population.

2. Complexity – The scope and nature of a risk to the entity's success.
• Interdependency of risks will typically increase complexity.

3. Velocity – The speed at which a risk impacts an entity.
• This may move the entity away from the acceptable variation in performance.

4. Persistence – How long a risk impacts an entity.
• e.g. immediacy of disrupted operations versus long-term reputational impact.

5. Recovery – The capacity of an entity to return to the acceptable variation in performance.
• e.g. continuing to function after a severe natural disaster.

Page 33

Risk Responses

Goal: bring the residual risk within the desired risk tolerance.

Five risk response categories:
• Accept
• Avoid
• Pursue
• Reduce
• Share

Reduce – Dealing with risk requires adjustment of:
• Organisation
• People & Relationships
• Direction
• Execution
• Monitoring

Pursue
• Adopting growth strategies
• Expanding activities
• Developing new products and services

Share
• Insuring
• Sharing (JV, alliances, partnerships)
• Contracting (outsourcing, assigning)
• Diversification / spreading
• Hedging

Avoid
• Ceasing activities
• Withdrawing from the market
• Divesting
• Changing objectives
• Reducing scale

Accept
• Deliberately pursuing
• Total acceptance
• Financing the consequence
• Taking uncertainty into account

Management uses an organisation-wide, or portfolio, view of risk to determine whether the residual risk corresponds to the organisation's desired risk appetite.

Page 34

The key risks

[Figure: likelihood/impact matrix with twelve numbered key risks plotted. Axes: Likelihood (Low, Medium, High) and Impact (Low, Med, High). Response zones: Accept (low), Reduce and/or share (medium), Avoid (high).]

Practical considerations:
• The objective is to drive action and allocation of resources
• Begin to define, at a high level, the organizational risk response strategy

Note: Risks are evaluated on likelihood and impact here; certain risks may warrant more complex or quantitative risk measurement models.

Note: Mapping on the strategy map provides explicit insight into how risks potentially impact the objectives and strategy.

Page 35

Mapping risks onto the strategy map

[Figure (May 2013): strategy map with the following risks mapped onto it: retaining qualified staff; tight labour market; level of innovation; IT availability; unhygienic practices; increasing volume norms; funding methodology; exchange of patient information; privacy legislation; aggression in healthcare; final responsibility for multidisciplinary conditions; collective assessment of specialists; increasing workload]


Component 4: Review & Revision (1)


• Changes in the internal and external environment can mean that the chosen strategy is no longer optimal.

• By evaluating performance, an organization can determine how well the ERM components function over time and under the influence of significant changes.

• Organizations can systematically identify and implement improvements in their ERM by evaluating continuously.

Component 4 consists of the following principles:

15. Assesses Substantial Change: The organization identifies and assesses changes that may substantially affect strategy and business objectives.

16. Reviews Risk and Performance: The organization reviews entity performance results and considers risk.

17. Pursues Improvement in ERM: The organization pursues improvement of enterprise risk management.


Component 4: Review & Revision (2)


15. Assesses Substantial Change

• Changes in the internal environment

• Changes in the external environment

16. Reviews Risk and Performance

• Assess performance

• Review and adjust objectives, strategy, culture, risk appetite, etc. if targets are not met

17. Pursues Improvement in ERM

• Pursue improvements (usability and efficiency) in ERM

• Continuous evaluation


Feedback during the process ensures continuous improvement of (dealing with) risks and RM


Cycle diagram with the stages: control implementation, risk analysis, control design, control improvement, control evaluation, control monitoring.

Risk elements as part of the management cycle:

RM can be applied at different levels:

• Group level

• Regional level

• Site level

• Project level

• Process level

• IT level

• Department level

To achieve the objectives:

• Strategic

• Operational

• Reporting

• Compliance


Component 5: Information, Communication, & Reporting (1)


• Communication is the continuous process of obtaining and sharing information

• Management uses relevant, high-quality information from internal and external sources to support ERM.

• The organization uses information systems to capture, process and manage data into information.

Component 5 consists of the following principles:

18. Leverages Information and Technology: The organization leverages the entity’s information systems to support enterprise risk management.

19. Communicates Risk Information: The organization uses communication channels to support enterprise risk management.

20. Reports on Risk, Culture, and Performance: The organization reports on risk, culture, and performance at multiple levels and across the entity.


Component 5: Information, Communication, & Reporting (2)


18. Leverages Information and Technology

• Use relevant information

• Data analysis

• Safeguard the quality of information

• Categorize information

• Data management

• Use advanced technologies

19. Communicates Risk Information

• Communicate with stakeholders

• Communicate with the Board

• Various forms and methods of communication

20. Reports on Risk, Culture, and Performance

• Identify users

• Different types of reports

• Report to the Board

• KPIs and KRIs

• Frequency: daily, monthly, quarterly, etc.


A common risk language


• Standard risk categories and definitions (risk model) to promote unambiguous risk communication

29. Capacity risk: Insufficient resources threaten the firm’s ability to meet customer demands, or excess capacity threatens the firm’s ability to generate competitive profit margins.

30. Leadership risk: The firm’s people are not being effectively led, which may result in a lack of direction, customer focus, motivation to perform, management credibility and trust throughout the firm.

31. Management fraud risk: Intentional misstatement of financial statements or misrepresentation of the firm’s capabilities or intentions may adversely affect external stakeholders’ decisions.

Event: An incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.

Inherent risk: The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.

Risk tolerance: The acceptable variation relative to the achievement of an objective.

• A common understanding of risk management terms to prevent misinterpretations in the execution of risk management processes


KRIs differ from KPIs


Performance indicators (KPIs)

• Focus on results achieved;

• Are used to monitor operational efficiency; alarm bells go off when the indicators exceed a predefined threshold.

Risk indicators (KRIs)

• Focus on risk tracking; are designed to monitor risks continuously and to issue warnings when a risk increases and/or controls are not functioning;

• Are generally more proactive; KRIs focus on the “why” and help identify weaknesses before a problem occurs.

Key Performance Indicators

• Number of transactions per second

• Cost savings in process X

• Revenue growth for business unit Y

Key Risk Indicators

• Transaction volume vs. optimal capacity

• Errors in process X

• Losses due to fraud for business unit Y

23% have included KRIs in their reporting
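As an added example (not part of the PwC deck), the distinction above expressed in code: a KPI only alarms once it crosses its predefined limit, while a KRI also issues an early warning while the risk is still rising toward it. The indicator names follow the slide; all values and thresholds are constructed sample data.

```python
# Added example (not from the PwC deck): a KPI alarms only once it crosses its
# predefined limit, while a KRI also warns while the risk is still rising.
# Indicator names follow the slide; all values are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class Indicator:
    name: str
    kind: str                  # "KPI" or "KRI"
    threshold: float           # the predefined limit
    higher_is_worse: bool = True
    history: list = field(default_factory=list)   # oldest -> newest


def breached(ind: Indicator) -> bool:
    """True when the latest value is on the wrong side of the threshold."""
    latest = ind.history[-1]
    return latest > ind.threshold if ind.higher_is_worse else latest < ind.threshold


def adverse_trend(ind: Indicator, periods: int = 3) -> bool:
    """True when each of the last `periods` steps moved in the adverse direction."""
    if len(ind.history) < periods + 1:
        return False
    window = ind.history[-(periods + 1):]
    steps = list(zip(window, window[1:]))
    if ind.higher_is_worse:
        return all(b > a for a, b in steps)
    return all(b < a for a, b in steps)


def evaluate(ind: Indicator, periods: int = 3) -> str:
    """'alarm' on a breach; 'warning' for a KRI trending toward its limit; else 'ok'."""
    if breached(ind):
        return "alarm"
    if ind.kind == "KRI" and adverse_trend(ind, periods):
        return "warning"
    return "ok"


def dashboard(indicators) -> dict:
    """Map each indicator name to its status."""
    return {ind.name: evaluate(ind) for ind in indicators}


# Constructed sample series (four reporting periods each).
SAMPLE = [
    Indicator("Transactions per second", "KPI", 500, higher_is_worse=False,
              history=[620, 610, 605, 598]),         # sliding, but still above limit: ok
    Indicator("Transaction volume vs. optimal capacity (%)", "KRI", 90,
              history=[62, 70, 78, 85]),             # below limit but rising: warning
    Indicator("Errors in process X (%)", "KRI", 2.0,
              history=[0.8, 1.1, 0.9, 2.4]),         # limit exceeded: alarm
    Indicator("Losses due to fraud, business unit Y (EUR)", "KRI", 50000,
              history=[12000, 9000, 11000, 10000]),  # within limit, no trend: ok
]

if __name__ == "__main__":
    for name, status in dashboard(SAMPLE).items():
        print(f"{status:8} {name}")
```

Note that the KPI series is also sliding steadily, but a KPI by itself never raises the early warning; that is the gap the KRI fills.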


Risk Reporting: example Key Risk Indicators


Key Risks: Over-supplied, High cost, Fraud/Embezzlement, Unstable supplies

Lagging indicators (at key-risk level):

• Avg. days of inv. (material)

• Slow-moving % (3M)

• $ Disposal value

• Lead time (imported)

• Material shortage %

• % Cost saving on purchasing

• Material cost % (to total cost)

Risk Drivers with leading indicators:

• Increase of slow-moving items: $ potential slow-moving (1M)

• Excess order: Automated order %; Excess order % (needed vs. ordered)

• Inaccuracy of BOM: BOM error %

• Delay of new product project: Pre-order $ before mass-production

• Discontinued items: % of items with sharply dropped value

• Late delivery: % on-time delivery (imported)

• Dependency on specific suppliers: Sole vendor item %; % concentration of suppliers

• Inconsistent suppliers (bankrupt, pulled out, …): # of halted/suspended

• Frequent changes to production plans: % variability of production plan

• Overload at purchasing: % of new items registered; % of items w/o registered unit price

• Increase of market price of raw material: Unit cost variability

• Limited ways for cost saving: % cost savings by type (negotiating, development of new vendors, sources, etc.); % geographical proportion of sources

• Limited information/negotiation: Cost gap among divisions; Turnover % at purchasing; % of certified members

• Insufficient supplier management: Supplier assessment results

• Preferential purchasing, Fictitious supplier, Duplicated invoices, Conflicts of interest: # of suppliers with sharp increase of order volume/$; Changes of pre-defined quotas; Abnormal increase in unit price; Change of terms of payment


Concluding


Practical ideas for how to get started…


1) Identify the benefits being sought from ERM by your organization

2) Determine the desired integration of enterprise risk management within the organisation

3) Prioritize the initiatives and resources required to implement or enhance existing cultures, capabilities and practices

Aligning Culture

• Secure board and senior management endorsement for implementing or enhancing the Enterprise Risk Management Framework

• Incorporate risk management expectations into training and incentives to enhance consistency in decision-making

• Communicate and clarify roles and responsibilities for risk management

Augmenting Capabilities

• Invest in tools, templates or technology that support risk management activities and decision-making

• Include third party providers and vendors in discussions on risk and performance

• Encourage discussion of entity’s risk appetite and profile within governance forums and as part of management decision-making

Enhancing Practices

• Evaluate whether current practices align with desired integration and achieve benefits sought from ERM

• Review risk identification, assessment, prioritization and response processes for opportunities for enhancement

• Analyse reporting practices for opportunities to further integrate with performance reporting

Percentage of respondents that stated implementation of effective ERM Frameworks as the most common challenge in deriving its expected benefits


Risk management: how do I make it work


• Existence: is an adequate system/approach available?

• Communication: is it conveyed to the relevant people?

• Understanding: do they understand it?

• Support: does management support the implementation?

• Monitoring: is there an effective process for monitoring it?

• Enforcement: does management have a plan in place for enforcing it?


The human dimension counts


A high-quality execution of risk management appears to benefit from, and usually focuses on, a strong instrumental approach!

However, the human dimension is decisive for the successful application of risk management. The main points of attention are:

• Group processes are the key to a high-quality risk profile; dialogue and action orientation underpin it;

• Communicate about risks and how they are dealt with;

• Ensure responsibility, accountability and ownership of risks;

• Risk management can be experienced as threatening; the transparency leads to vulnerability and gives visibility of performance;

• Ensure a common RM language.


In conclusion


• COSO ERM is a means, not an end in itself

• COSO ERM is not exhaustive

• COSO ERM should be seen as an improvement cycle, not as instant perfection

• COSO ERM does not provide a ‘one-size-fits-all’ solution

• COSO ERM is not mandatory; you can do it your own way


More information


Staying involved

Access the Framework at the COSO ERM Spark!-website (internal use only)


View videos, blogs and articles at www.pwc.com/coso-erm

Marcel Prinsenberg, Senior Director Risk Consulting

Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands

T: +31 (0)88 792 7665, M: +31 (0)6 51 22 52, [email protected]

Roy van der Sluis, Manager Risk Consulting

Thomas R. Malthusstraat 5, P.O. Box 9616, 1006 GC Amsterdam, The Netherlands

T: +31 (0)88 792 46 18, M: +31 (0)6 22 93 91, [email protected]


Compendium of Examples


A compendium of examples is also being developed. The proposed compendium will illustrate:

• All principles

• A variety of entity sizes, from global through to national, regional, and local entities

• A variety of industry types

• Actual company practices, augmented with expected practices in select areas as needed

• Examples written from the perspective of the business

Examples:

• Governance in a higher education institution

• Culture in a government entity

• Culture in a financial services company

• Strategy and objective-setting in an energy company

• Strategy and objective-setting in a not-for-profit entity

• Performance in a consumer products company

• Performance in a technology company

• Review and revision in an industrial products company

• Risk information in a healthcare company

Coming Soon….



Appendices


Explores the benefits of ERM


Increasing the range of opportunities: By considering all possibilities, both positive and negative aspects of risk, management can identify new opportunities and associated challenges.

Identify and manage risks entity-wide: Management identifies and manages these entity-wide risks to sustain and improve performance.

Increasing positive outcomes: Improve management’s ability to identify risks and establish appropriate responses, reducing surprises and related costs or losses.

Reducing performance variability: Management can anticipate the risks that would affect performance and put in place the actions needed to minimize disruption and maximize opportunity.

Improving resource deployment: Risk information enables management, in the face of finite resources, to prioritize resource deployment and enhance resource allocation.

Enhancing enterprise resilience: Enhance management’s ability to anticipate and respond to change, not only to survive but also to evolve and thrive.

• Enterprise risk management frameworks are as varied as the organizations they support.

• In their infancy, many frameworks focus on increasing positive outcomes and identifying entity-wide risks.

• Boards, senior management and stakeholders are increasingly expecting ERM to reduce performance variability, improve resource deployment and enhance enterprise resilience.

• This will often require the capabilities and practices of an organization to evolve in line with increasing expectations.

• The effectiveness of an enterprise risk management Framework is founded on fostering, designing and implementing the culture, capabilities and practices that align to intended benefits.

• A more detailed discussion of the benefits of ERM can be found in the COSO Executive Summary.


Explores managing risk at all altitudes of the organization


The Framework highlights that risks emanate from, and must be managed at, all levels of the organization. The Framework explores how risks can manifest at multiple levels within an organization, with some risks directly impacting the entity strategy while others impact business objectives.

The Framework also addresses how risks can change in severity and prioritization at different levels of the organization, and how the effects of correlation and diversification are considered when analyzing the risk profile or portfolio view of risk.

• Risk frameworks should ensure existing risk identification and assessment practices account for risks occurring at different levels of the organization

• Risk capabilities should account for how risk ratings and responses may exist and change at different altitudes within an organization

• Management should designate appropriate roles and responsibilities for the management of risk and execution of risk responses

Diagram: the Entity Strategy at the top, Entity Level Business Objectives 1 and 2 beneath it, and Business Objectives 1, 2 and 3 below those, with Risks 1 to 4 attached at the different levels.


Where to next?

Encourage your risk professionals to:

• Sync with the language of business in your organisation

• Understand how the organisation creates, realises and preserves value, and the supporting assumptions

• Develop a clear understanding of where ERM is integrated

Challenge your organisation to not:

• View ERM simply as a function, team or department

• Consider ERM to be a stand-alone, periodic risk assessment or heat map

• View GRC technology as the entire approach for implementing ERM