Risk Management
The IAA must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding the:
- Achievement of the organization's strategic objectives - Reliability and integrity of financial and operational information - Effectiveness and efficiency of operations and programs - Safeguarding of assets - Compliance with laws, regulations, policies, procedures and contracts
The organization evaluates alternative strategies and their effects on the risk profile (Strategy and Objective Setting Principle)
- Approaches to evaluating the strategy include SWOT analysis, competitor analysis, and scenario analysis. - The organization must evaluate: the strategy's alignment with its mission, vision, core values, and risk appetite; implications of the chosen strategy (risks, opportunities, and effects on the risk profile) - Strategy should be changed if it fails to create, realize, or prevent value.
Assessing ERM
- COSO ERM framework provides criteria for assessing whether the organization's ERM culture, capabilities, and practices together effectively manage risks to strategy and business objectives. - When the components, principles, and supporting controls are present and functioning, ERM is reasonable expected to manage risks effectively and to help create, preserve and realize value. Present means the components, principles, and controls exist in the design and implementation of ERM to achieve objective. Functioning means that components, principles, and controls continue to operate to achieve objectives.
Value is
- Created when the benefits obtained from the resources used exceed their costs. - Preserved when the value of resources used is sustained - Realized when the benefits are transferred to stakeholders - Eroded when management's strategy does not produce expected results or management does not perform day-to-day tasks
Maturity Model Approach
- Determines where risk management process is on the maturity curve and evaluates whether it is progressing as expected, adds value, and meets organizational needs. - Example Maturity Model: Capability Maturity Model (CMM) levels in order of maturity: Level 1: Initial: Few processes are defined Level 2: Repeatable: Basic processes are established Level 3: Defined: Standards are developed Level 4: Managed: Performance measures are defined Level 5: Optimizing: Continuous improvement is enabled. - Capability Maturity Model Integration (CMMI) Development V2.0: focuses on organizational performance at each maturity level. levels in order of maturity: Level 0: Incomplete: Whether work can be completed is not known Level 1: Initial: Work can be completed, but not on time or within budget Level 2: Managed: Projects are planned, implemented, managed and monitored. Level 3: Defined: Standards for projects are defined throughout organization Level 4: Quantitatively Managed: Organization quantifies performance improvement goals to meet stakeholder needs. Level 5: Optimizing: Organization pursues continuous improvement, responds to change, and innovates. Critical aspect of the maturity model approach: risk management performance and progress in executing the risk management plan should be linked with a performance measurement system the consists of: - performance standards - criteria on how the standards can be satisfied - method of comparing actual performance with each standard - method of recording and reporting performance and improvements in performance - periodic independent verification of management's assessment.
Supporting Aspect components of COSO ERM framework
- Governance and Culture - Information, Communication and Reporting
The Organization Attracts, Develops, and Retains Capable Individuals (Governance and Culture principle)
- Management is responsible for defining the human capital necessary (the needed competencies) to achieve strategy and business objectives - The human resources function assists management in developing competency requirements through processes that attract, train, mentor, evaluate, reward and retain competent individuals. - Contingency plans should be developed to prepare for succession. These plans train selected personnel to assume responsibilities vital to ERM. An example is training a risk manager to assume the position of risk officer.
Performance Principles: Identifies risk that affect the performance of strategy and business objectives
- Should identify risks that disrupt operations and affect the reasonable expectation of achieving strategy and business objectives - new, emerging, and changing risks are identified. (Ex: risks resulting from changes in business objectives or the business context) - The organization also identifies opportunities. These are actions or potential actions that create or alter goals or approaches for the creation, preservation, or realization of value. They differ from positive events, occurrences in which performance exceeds the original target. Risk identification methods and approaches: - Day-to-day activities (budgeting, business planning, reviewing customer complaints) - Simple questionnaires - Facilitated workshops - Interviews - Data tracking Risk opportunity identification should be comprehensive across all levels and functions of the entity.
Common Process components of COSO ERM framework
- Strategy and Objective-Setting - Performance - Review and Revision
Responsibilities for Risk Management
- The board: responsible for overseeing risk management and has overall responsibility for ensuring that risks are managed and the risk management system is effective. - Management: responsible for setting the organization's risk attitude (an organization's approach to assess and eventually pursue, retain, take, or turn away from risk. Management also identifies and manages risks. - The Internal Audit Activity: responsible for providing assurance regarding the entire risk management system.
The organization demonstrates commitment to Core Values (Governance and Culture principle)
- The organization's core values should be reflected in all its actions and decisions - The tone of the organization is manner in which core values are communicates across the organization - When risk-aware culture and tone are aligned, stakeholders have confidence that the organization is abiding by its core values.
Two Most important sources of information for ongoing assessments of the adequacy of Risk Responses
- Those closest to the activities. The manager of an operating unit is in the best position to monitor the effects of the chosen risk response strategies - The audit function. Operating managers may not always be objectives about the risks facing their units, especially is they helped design a particular response strategy. Analyzing risks and responses are among the normal responsibilities for internal auditors.
Organization established Operating Structures (Governance and Culture principle)
- describes how the entity is organizes and carries out its day-to-day tasks - aligned with entity's legal structure and management structure - Legal structure: determines how entity operates (single legal entity, multiple, distinct legal entities) - Management structure: established reporting lines (direct vs secondary), roles, responsibilities. Management is responsible for clearly defining roles and responsibilities. Factors to consider when establishing and evaluating operating structures include the entity's: - strategy and business objectives, including related risks. - nature, size, and geographic distribution - assignment of authority, responsibility, accountability at all levels - types of reporting lines and communication channels - reporting requirements (financial, tax, regulatory, contractual)
The organization Defines the Desired Culture (Government and Culture Principle)
- the board and management are responsible for defining culture - shaped by internal and external factors - Internal factors: level of judgment and autonomy allowed to personnel, standards and rules, the reward system in place - External factors: legal requirements and expectations of stakeholders (customers and investors) - The organization's definition of culture determines its placement on the culture spectrum, ranges from risk averse to risk aggressive.
Factors considered in selecting and implementing risk responses:
- they should be chosen for, or adapted to, the business context - Costs and benefits should be proportionate to the severity of the risk and its priority (there is no direct correlation between the severity of a risk and the cost of the response to that risk) (some risks require the creation of elaborate control structures) - They should further comply with obligations (industry standards) and achievement of expectations (mission, vision, stakeholder expectations) - Bring risk within risk appetite and result in performance outcomes within tolerance - Risk responses should reflect the severity Control activities are designed and implemented to ensure risk responses are carried out.
Steps of Risk Management Process
1) Context 2) Identify Risk 3) Assess and Prioritize risks identified 4) Response 5) Monitor response
COSO ERM Components
1) Governance and Culture: mission, visions, core values - mission, vision, core values 2) Strategy & Objective-Setting: strategy development - strategy development 3) Performance: business objective formulation - business objective formulation 4) Review & Revision: implementation and performance - implementation and performance 5) Information, Communication, and Reporting: enhanced value - enhanced value
Risk Management Process Steps includes
1) Identification of context 2) Risk identification 3) Risk assessment and prioritization (risk analysis) 4) Risk response 5) Risk monitoring Risk management processes may be formal or informal, quantitative or subjective, or embedded in business units or centralized. They are designed to fit the organization's culture, management style and objectives. EX: a small entity may use an informal risk committee. the IAA determines that the methods chosen are comprehensive and appropriate for the organization.
ISO 31000 Three Approaches to Providing Assurance regarding the Entire Risk Management System
1) Key principles approach: evaluates whether risk management principles are in practice. Determines whether the risk management principles are in place (integrated, structured, comprehensive, customized). 2) Process Element approach: evaluates whether the risk management elements have been put into practice. Determines whether certain elements (formal risk identification, formal risk analysis, risk evaluation) have been implemented. 3) Maturity Model approach: based on the principle that effective risk management processes develop and improve with time as value is added at each phase in the maturation process. The basic principle is that risk management must add value.
Information, Communication, and Reporting: The organization must capture, process, manage (organize, store), and communicate timely and relevant information to identify risks that could affect the strategy and business objectives
1) Leverages its information systems to support ERM - Data are raw facts collectible for analysis, use, of reference. Information is processed, organized, and structured data about a fact of circumstance. Information systems transform data (risk data) into relevant information (risk information) - Information is relevant if it helps the organization be more agile in decision making, giving it a competitive advantage. - Structured data: well organized, easily searchable (spreadsheets, public indexes, database file). Unstructured data: unorganized lack a predefined patted (work processing documents, videos, photos, email messages) - Information systems must be adaptable to change. 2) The organization uses communication channels to support ERM - Management communicates the organizations strategy and business objective to internal and external stakeholders - Communications between management and the board should include continual discussion about risk appetite - Organization should adopt open communication channels to allow risk info to be sent and received both ways (to and from personnel or suppliers) - Communication methods include written documents (policies and procedures), electronic messages (email), public events or forums (town hall meetings), informal or spoken communications (one-on-one discussions). - The board may hold formal quarterly meetings or call extraordinary meetings (special meeting to discuss urgent matters) 3) Organization reports on risk, culture, and performance at multiple levels and across the entity - Purpose of reporting is to support personnel in their understanding of the relationships among risk, culture, and performance; Decision making related to setting strategy and objectives, governance, day-to-day operations. -Reporting combines qual&quan risk information, with greater emphasis on information that supports forward-looking decisions. - Management is responsible for implementing controls to ensure reports are accurate, complete and clear. - Frequency of reporting is based on the severity and priority of risk - Reports on culture may be communicated, among other means, in surveys and lessons-learned analysis - Key indicators of risk should be reported with key performance indicators to emphasize the relationship of risk and performance.
Review and Revision: organization reviews and revises its current ERM capabilities and practices based on changes in strategy and business objectives.
1) Organization identifies and assesses changes that may substantially affect strategy and business objective - Changed in organization business context and culture - Changes can be internal or external 2) Organization reviews entity performance results and considers risk - Performance results that deviate from target performance or tolerance (unidentified risks, improperly assessed risks, new risks, opportunities to accept more risks, need to revise target performance/tolerance) 3) Organization pursues the improvement of ERM - Continually improve ERM at all levels, even if actual performance aligns with target performance or tolerance - Methods of identifying areas of improvement include continual or separate evaluations and peer comparisons (reviews of industry peers).
Three Lines of Management Responsibility (Defense)
1) Principal owners of risk. They manage performance and risk taken to achieve strategy and objectives. 2) Supporting (business-enabling) functions. ex- a risk officer or centralized coordinator. This level of management provides guidance on performance and ERM requirements, evaluates adherence to standards, and challenges the first line to take prudent risks. 3) Assurance function: internal auditing. The internal auditor audits (or reviews) ERM, identifies issues and improvements, and informs the board and executives of matters needing resolution.
Facilitated Workshop and Interviews (Method Used in Risk Identification)
A facilitator leads a discussion group consisting of management, staff and other stakeholders through a structured process of conversation and exploration about potential events
Step 1: Identification of context
A precondition to risk identification is identifying the significant contexts within which risks should be managed. Context Includes: - Laws and regulations - Capital projects - Business processes - Technology - Market risk - Organizations
ISO 31000- Principles, Framework*, and Process
A risk management framework is set of components that includes leadership and commitment, integration, design, implementation, evaluation, and improvement of risk management. Components: 1) The board and senior management demonstrate leadership and commitment by implementing the framework's components; adopting a policy that established a risk management plan or approach; committing resources to risk management; and assigning accountability, authority, and responsibility at each organization level 2) The integration of the framework into all facets of an organization, including its objectives, structure, governance, and culture, is a dynamic process. All personnel in the organization are responsible for managing risks. 3) The design of the framework involves the following: - Understanding the organization and its context - Articular commitment to risk management - Assigning and communicating authorities, responsibilities, and accountabilities for risk management roles at all levels - Allocating resources (people, experience, processes, info systems) to support risk management while recognizing the limitations of existing resources - Establishing communication and consultation 4) The implementation of framework can be achieved by developing a plan; identifying decisions making processes; modifying decision making processes as change occurs; and ensuring stakeholders' understanding of, and engagement with, the organization's risk management arrangement. 5) The evaluation of the framework's effectiveness involves measuring performance against expectations 6) The improvement of the framework is through monitoring and updating the framework in response to changes thereby enhancing organizational performance.
Process Flow Analysis (Method Used in Risk Identification)
A single business process, such as vendor authorization and payment, is studied in isolation to identify the events that affect its inputs, tasks, responsibilities and outputs
Risk Response
An action taken to bring identified risks within the organization's risk appetite An action, or set of actions, taken by management to achieve a desired risk management strategy. A residual risk profile includes risk responses.
Risk officer
An organization may designate a risk officer as a centralized coordinating point to facilitate risk management across the entire enterprise. This risk officer is commonly referred to as a centralized coordinator. - The work of a risk officer often extends beyond one specific area because the officer will have the necessary resources to work across many segments or divisions. An enterprise risk management (ERM) program is most effective when led by a centralized coordinator, such as a risk officer. This person facilitates ERM by working with other managers in establishing effective risk management in their areas.
Other methods for Identifying Risks
Brainstorming, SWOT analysis, Scenario analysis (what-if)
The organization establishes Business Objectives that align with and support strategy (Strategy and Objective Setting Principle).
Business Objectives are: Specific Measurable Observable Obtainable - Business objectives may relate to, among others, financial performance, operational excellence, or compliance obligations. - Performance measures, targets, and tolerances (the range of acceptable variation in performance) are established to evaluate the achievement of objectives.
The organization analyzes Business Context and its effect on the risk profile (Strategy and Objective setting Principle)
Business context pertains to the relationships, events, trends and other factors that influence the org's strategy and business objectives. Internal Environment: capital (assets), people (skills, attitudes), processes (tasks, policies, procedures), technology (adapted technology) External Environment: political (government intervention and influence), economic (interest rates and credit), social (consumers preferences and demographics), legal (laws, regulations, industry standards), environmental (climate change) Business Context may be: Dynamic: new, emerging, and changing risks can appear at any time (low barriers of entry allow new competitors to emerge) Complex: context may have interdependencies and interconnections (transnational company has several operating units around the world, each with unique external environmental factors) Unpredictable: change occurs rapidly and in unanticipated ways (currency fluctuations) - The effect of business context on the risk profile may be analyzed based on past, present, and future present.
Performance Principle: The organization identifies and selects Risk Responses, recognizing that risk may be managed but not eliminated. Risks should be managed within the business context and objectives, performance targets, and risk appetite.
Categories of Risk Response: 1. Acceptance (retention): No action is taken to alter the severity of the risk. Acceptance is appropriate when the risk is within the risk appetite. This term is synonymous with self-insurance. 2. Avoidance: Action is taken to remove the risk. Avoidance typically suggests no response would reduce the risk to an acceptable level. For example, the risk of pipeline sabotage can be avoided by selling the pipeline. 3. Pursuit: Action is taken to accept the increased risk to improve performance without exceeding acceptable tolerance. 4. Reduction (mitigation): Action is taken to reduce the severity of the risk so that it is within the target residual risk profile and risk appetite. For example, the risk of systems penetration can be reduced by maintaining an effective information security function within the entity. (relocating) 5. Sharing (transfer): Action is taken to reduce the severity of the risk by transferring a portion of the risk to another party. Examples are insurance; hedging; joint ventures; outsourcing; and contractual agreements with customers, vendors, or other business partners.
Event Inventories (Method Used in Risk Identification)
Certain events are common to particular industries. Software is available the provides lists that can be used as a starting point for event identification.
Who has ultimate ownership responsibility of the Enterprise Risk Management, provides leadership and direction to senior managers, and monitors the entity's overall risk activities to its risk appetite
Chief Executive Officer (CEO) - Will also influence the composition and conduct of the board,. - If any problems arise with the organization's risk appetite, the CEO will also take any measures to adjust the alignment to better suit the organization.
The IAA must evaluate the effectiveness and contribute to the improvement of risk management processes
Conformance demonstrated in: - Charter: describes the roles and responsibilities regarding risk management. - the internal audit plan - minutes of meetings in which internal audit recommendations were discussed - internal audit risk assessments - internal audit action plans addresses risks
Performance
ERM practices that support the organization's decision in pursuit of value. Consists of identifying, assessing, prioritizing, responding to, and developing a portfolio view of risk.
Management (RSM)
Ensures that sound risk management processes are functioning.
Enterprise Risk Management- Integrating with Strategy and Performance
Framework that complements, and incorporates some concepts of, the COSO internal control framework.
Governance and Culture
Governance sets the organization's tone and established responsibilities for ERM. Culture relates to the desired behaviors, values, and overall understanding about risk help by personnel within the organization. 1) Board exercises risk oversight. - board may delegate risk oversight responsibilities to a board committee (risk committee) - management has day-to-day responsibility for managing performance and risks taken to achieve strategy and business 2) The organization establishes operation structures 3) The organization defines the desired culture 4) The organization demonstrates commitment to core value 5) The organization attracts, develops, and retains capable individuals
Boards (RSM)
Have an oversight function. They determine that risk management processes are in place, adequate and effective. Risk management is a key responsibility of senior management and the board.
Turnbull Risk Managment Framework
In contrast with ISO 31000 principle-based approach, The Turnbull risk management framework emphasis is on internal control, the assessment of its effectiveness, and risk analysis.
Inherent Risk
Inherent risk is the risk that exists in the absence of management actions to alter its severity, that is, a risk response in the form of acceptance or pursuit. The risk in the absence of management actions to alter its severity; Management determines the response to inherent risk. - Actual residual risk remains after management actions to alter its severity. It should not exceed target residual risk
Internal risk factors at entity level
Interruptions in automated systems, the quality of personnel hired, the level of training provided
Leading event indicators and escalation triggers (Method Used in Risk Identification)
Leading event indicators are measures that provide insight into potential events. Escalation trigger, also known as a threshold trigger, is a condition that a leading event indicator must satisfy before the potential event is escalated to management. Potential Event: Manufacturing equipment breakdown, resulting in decreases in production Leading Event Indicator: Maintenance Request Escalation Trigger: two maintenance requests outside of regularly scheduled maintenance within a 3-month period
Qualitative Risk Methods
Lists of all risks, risk ranking, risk maps - Heat Maps: present risk levels by color; risks that have same likelihood (remote, unlikely, possible, likely, certain) and impact (negligible, low, medium, high, extreme) or fall in the same range of severity (combined assessment) are assigned to the same color - Matrix risk maps: plot risks on a chart with a likelihood on one axis and an impact on the other axis
Step 3: Risk Assessment and Prioritization
May be formal or informal. Involves assessing the significance of an event, assessing the event's likelihood and considering the means of managing the risk - Results of assessing the likelihood and impact are used to prioritize risks and product decision-making information
Risk Assessment Methods
May be qualitative or quantitative
Step 4: Risk Response
Means by which an organization elects to manage individual risks - risk responses align risks with the organization's risk appetite (level of risk organization is willing to accept)
Risk Modeling (Risk Assessment and Prioritization)
Method of risk assessment and prioritization - Risk modeling ranks and validates risk priorities when setting the priorities of engagements in the audit plan - Risk factors may be weighted based on professional judgment to determine their relative significance, but the weights need not be quantified. Open channels of communication with senior management and the board are necessary to ensure the audit plan is based on the appropriate risk assessments and audit priorities. The audit plan should be reevaluated as needed.
Performance Principle: Organization develops and evaluates its Portfolio View of Risk
Portfolio view of Risk: consists of risk identification, assessment, prioritization, and response Risk Views with different levels of risk integration: - Risk view (minimal integration): risks are identified and assessed. Emphasis is on the event, not the business objective - Risk category view (limited integration): Identified and assessed risks are categorized, eg. based on operating structure - Risk profile view (partial integration): risks are linked to business objectives they affect, and any dependencies between objectives are identified and assessed. For example, an objective of increased sales may depend on an objective to introduce a new product line. - Portfolio view (full integration): this composite view of risks related to entity-wide strategy and business objectives and their effect on Entity performance. At the top level, greater emphasis is on strategy. Thus, responsibility for business objectives and specific risks cascades through the entity. Portfolio view of risk: Management determines whether the entity's residual risk profile (risk profile inclusive of risk response) aligns with overall risk appetite. Qualitative (benchmarking, scenario analysis, stress testing) and Quantitative (statistical analysis) may be used to evaluate how changes in risk may affect the portfolio view of risk.
ISO 31000- Principles*, Framework, and Process
Principle-based approach to risk management. Its principles are the foundation for risk management. They also communicate the characteristics, value, and purpose of effective and efficient risk management. Value creation and protection are the purposes of risk management. Principles: 1) Integrated: Risk management is integrated into all organizational activities 2) Structured and Comprehensive: The risk management approach needs to be structured and comprehensive. 3) Customized: The risk management framework and process should be customized to the organizational objectives. 4) Inclusive: Appropriate involvement of stakeholders enables informed risk management. 5) Dynamic: Risk management foresees, recognizes, and reacts to changing risks. 6) Best Available Information: Risk management considers past, current, and future information and any related limitations of such information. 7) Human and cultural factors: Human behavior and culture affect all facets and each level of risk management. 8) Continual Improvement: Learning and experience constantly improve risk management.
Risk Management
Process to identify, assess, manage and control potential events or situations to provide reasonable assurance regarding the achievement of the organization's objectives The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management process. Risk Management is a key responsibility of senior management and the board.
Questionnaires and surveys (Method Used in Risk Identification)
Responses can be evaluated to identify potential events
ISO 31000- Principles, Framework, and Process*
Risk Management Processes consists of the following elements: 1) To improve understanding of risks and decisions made, communication to raise awareness and consultation to obtain feedback and information require ongoing, structured coordination with stakeholders. 2) The scope, context, and criteria should be established to customize risk management. Includes defining the scope of risk management process, understanding its external and internal context, and defining risk criteria. - context of risk management process derives from understanding of the specific external and internal environment of organization 3) Risk assessment is the Process of identifying, analyzing, and evaluating risk. - Risk identification finds risks that can contribute to or prevent achieving organizational objectives: For Ex: It considers risk indicators and consequences and their effects on objectives - Risk analysis: examines the nature, characteristics, and level of risk. It considers such factors as likelihood of events and consequences, control effectiveness, and confidence level. - Risk evaluation: supports decision making by comparing defined risk criteria with the outcome of risk analysis and determining whether any action is required. 4) Risk Treatment is a repetitive process of selecting risk treatments (accept, avoid, reduce, share or pursue), implementing the treatment, assessing the treatment's effectiveness, determining whether the residual risk is acceptable, and adopting another treatment if the first is unacceptable. 5) Monitoring and Review: should occur in all phases of risk management process to improve its quality and effectiveness. 6) Recording and reporting of the risk management process and its results should be facilitated to communicate and improve risk management activities, support decisions, and enhance communications with stakeholders.
Step 5: Risk Monitoring
Risk Monitoring: Tracks identified risks Evaluates current risk response plans Monitors Residual Risks Identifies new risks
Integrating strategy setting and performance
Risk must be considered in setting strategy, business objectives, performance targets, and tolerance. Strategy: communicates how the organization will achieve its mission and vision and apply its core values Business objectives: steps taken to achieve the strategy Tolerance: range of acceptable variation in performance results.
Performance Principle: Prioritizing risk at all levels
Risk prioritization enables the organization to optimize that allocation of its limited resources. In addition to severity (impact and likelihood), the following factors are considered when prioritizing risk: - Agreed-upon criteria - Risk Appetite - The importance of affected business objectives - The organizational level(s) affected Agreed-upon Criteria: used to evaluate the characteristics of risk and to determine the entity's capacity to respond appropriately. Higher priority is given to risks that most affect the criteria. Ex Criteria: - Complexity: nature and scope of risk; interdependence of risk - Velocity: speed at which risk affects the entity - Persistence: how long a risk affects the entity, including time it takes the entity to recover - Adaptability: entity's capacity to adjust and respond to risks - Recovery: entity's capacity (not the time) to return to tolerance Higher priority is also assigned to risks that approach of exceed the risk appetite, cause performance levels to approach the outer limits of tolerance, or affect the entire entity or occur at the entity level.
Management's view of IAA's role in risk management process
Role is determined by senior management and the board. Thier view on internal auditing's role is determined by factors such as culture of the organization, ability of the internal audit staff, and local conditions and customs.
Internal Audit Activity's role in risk management
Senior management and board decides this. Based on organization culture, abilities of the IAA staff, and local conditions and customs. The role may range from no role; to auditing the process as part of the audit plan; to active, continuous support and involvement in the process; to managing and coordinating the process - But assuming management responsibilities and the threat to the IAA independence must be fully discussed and board-approved
Performance Principle: Organization Assesses the severity of the risk
Severity: measure of such considerations as impact, likelihood, and the time to recover from events. Risk severity may vary across multiple levels. The organization should reassess severity whenever triggering events occur, such as changed in business context and risk appetite. Impact: result or effect of the risk. may be positive or negative Likelihood: possibility that an event may occur. may be expressed qualitatively (remote probability) or quantitatively (75% probability), or in terms of frequency (once ever 6 months) time horizon: should be identical to that of the related strategy or business objective. Ex: the risk affecting a strategy that takes 2 years to achieve should be assessed over the same period. Qualitative methods: more efficient and less costly that quantitative methods. (interviews, surveys, benchmarking) Quantitative methods: more precise that qualitative methods. (decision trees, modeling- probabilistic and non-probabilistic, Monte Carlo simulation)
Step 2: Risk Identification
Should be performed at every level of the entity (entity-level, division, business unit) relevant to the identified context(s) Risk Identification should consider past events (trends) and future possibilities.
Strategy and Objective Setting: ERM Component
Strategy must support the organization's mission, vision and core values. The integration of ERM with strategy setting helps to understand the risk profile related to strategy and business objectives. Four principles related to Strategy and Objective Setting: - The organization analyzes business context and its effect on the risk profile - The organization defines risk appetite - The organization evaluates alternative strategies and their effects on the risk profile - The organization establishes business objectives that align with and support strategy
Internal Auditors should review the means of physically safeguarding assets from lossess arising from.. Exposure to the elements
The IAA must evaluate risk exposures relating to governance, operations, and information systems regarding the... EX: safeguarding of assets. - Internal auditors revaluate risk exposure arising from theft, fire, improper or illegal activities, and exposure to the elements.
ERM Roles
The board provides oversight of ERM culture, capacities and practices. Certain board committees may be formed for this purpose: - Audit committee (often required by regulators) - Risk committee that directly oversees ERM - Executive compensation committee - Nomination or governance committee that oversees selection of directors and executives Management has overall responsibility for ERM and is generally responsible for the day-to-day managing of risk, including the implementation and development of the COSO ERM framework - within management, the CEO has ultimate responsibility for ERM and achievement of strategy and business objectives
Loss Flow Analysis (Method Used in Risk Identification)
The losses associated with adverse events in the past can be used to make predictions. And example is matching workers' compensation claims with frequency of accidents
Controls (Risk Response)
actions taken by management to manage risk and ensure risk responses are carried out Control Risk: risk that controls fail to effectively manage controllable risks.
Opportunity
any action or potential action that creates or alters goals or approaches for the creation, preservation, or realization of value.
Enterprise Risk Management (ERM)
based on the premise that every organization exists to provide value for its stakeholders. Attempts to approach an organization as a whole instead of focusing on any specific area or risk. The culture, capabilities, and practices, integrated with strategy-setting and performance, the organizations rely on to manage risk in creating, preserving, and realizing value.
Practices
collective methods used to manage risk
Risk Profile
composite view of the types, severity, and interdependencies of risks related to a specific strategy or business objective and their effect on performance - May be created at any level (entity, division, operating unit, function) or aspect (product, service ore geography) of the organization
Risk Inventory
consists of all identified risk that affect strategy and business objectives
Risk Appetite
consists of the amount and types of risk the organization is willing to accept in pursuit of value. Among others, Risk Appetite should be considered in: - Aligning with Development of Strategy - Aligning with business objectives - Prioritizing Risks - Implementing Risk Response
Culture
consists of the attitudes, behaviors, and understanding about risk, both positive and negative, that influence the decisions of management and personnel and reflect the mission, vision, and core values of the organization.
Quantitative Risk Methods
include probabilistic models. Some organizations focus on earnings at risk by examining how variables influence earnings.
Risk Modeling in a Consulting Service
is done by ranking the engagement's potential to (1) Improve management of risk (2) Add value (3) Improve the organizations operations - Senior management assigns a weight to each item based on organization's objectives - The engagements with the appropriate weighted values are included in the annual audit plan
Risk Committee (Risk Response)
is large or complex entities, senior management may appoint a risk committee to review the risks identified by the various operating units and create a response plan - All personnel must be aware of the importance of the risk response appropriate to the levels of the entity.
Target Residual Risk
is the risk the entity prefers to assume knowing that management has acted or will act to alter its severity.
Who determines the level of risks acceptable to the organization?
management and the board
Risk Capacity
maximum amount of risk that the organization can assume
Internal Audit Activity (RSM)
may be directed to examine, evaluate, report or recommend improvements. It also has a consulting role in identifying, evaluating, implementing risk management methods and controls. The CAE must understand management and the board's expectations of the IAA in risk management. The understanding is codified in the charters of the IAA and the board. If the organization has no formal risk management process, the CAE has formal discussions with management and the board about their obligations for understanding, managing and monitoring risk.
Vision
organization's aspirations for what it intends to achieve over time
Mission
organization's core purpose
Risk
possibility of an event occurring that will have an impact on the achievement of objectives. Measured in terms of impact and likelihood Risks may be financial, operational, legal or regulatory, or strategic.
COSO ERM framework
provides a bases for coordinating and integrating all of an organization's risk management activities. Effective integration 1) Improves decision making and 2) Enhances performance
The organization defines Risk Appetite (Strategy and Objective Setting principle)
risk appetite: the amount of risk it is willing to accept in pursuit of value - The organization considers its missions, vision, culture, prior strategies, and risk capacity (the maximum risk it can assume) to set its risk appetite - In setting risk appetite, the optimal balance of opportunity and risk is sought: risk appetite is rarely set above risk capacity. - Risk appetite may be expressed qualitatively (low, moderate, high) or quantitatively (as a percentage of a financial amount). But it should reflect how risk assessment results are expressed. - The board approves the risk appetite, and management communicates it throughout the organization.
Residual Risk (Risk Response)
risk that remains after risk responses are executed
Portfolio View
similar to risk profile; Difference is that it is a composite view of the risks related to entity-wide strategy and business objectives and their effects on entity performance.
Capacities
skills needed to carry out the entity's mission and vision
External Risk factors at the entity level
technological changes and changes in customer wants and expectations
Core Values
the organization's essential beliefs about what is acceptable or unacceptable