2/26/2014
1
Presented by:
Erike Young, MPPA, CSP, ARM
Chapter 2
Enterprise Risk Management in an Organization
Top-Down/Bottom-up Approaches to ERM
Top-Down/Bottom-up Approaches to ERM
• Traditional approach to risk management is a bottom-up approach
  – Information about risk is collected through the organization's business operations
    • Injury data, inspections, org charts, industry data, etc.
  – Disadvantages
    • 1st major disadvantage: may not identify critical emerging risks
      – Harder to detect waste, fraud, abuse, and shortcuts
    • 2nd disadvantage: process may be perceived as bureaucratic
      – Based on lagging data
Top-Down/Bottom-up Approaches to ERM
• Top-Down Approach
– Senior management decides which risks pose a significant threat or opportunity for the organization
– Advantage
• Provides high-level view of the entire organization and the risks that are central to meeting organization objectives
– Disadvantages
• Dependence on reports from middle management to senior management
• Limited view of risks that may be percolating in various areas of the organization
Building Blocks of Bottom-up and Top-Down ERM
Risk Maturity Model
• A Risk Maturity Model (RMM) is used to evaluate the development of an ERM program and its level of maturity
• Main purpose of an RMM is to evaluate or improve business processes
• Typically five levels of maturity, based on the Carnegie Mellon Capability Maturity Model
  – Ad-hoc – No formal risk management process and little awareness of the concept
  – Initial – Basic risk management processes with no attempt at ERM
  – Defined – Formal risk management process, at least for project management
  – Managed – Quantitative metrics for identification, assessment, and response to risk
  – Optimizing – Ongoing improvement to the risk management process and a robust organizational risk culture
Risk Maturity Model
• RIMS Risk Maturity Model (a self-assessment tool) defines seven attributes of an ERM program
  – ERM-based approach
  – ERM process management
  – Risk appetite management
  – Root cause discipline
  – Uncovering risks
  – Performance management
  – Business resiliency and sustainability
Risk Maturity Model
• Other models
  – Broker developed
    • Aon, Marsh
  – Credit rating
    • Standard & Poor's
• Other uses for an RMM
  – Balanced scorecards
  – Benchmarking
Key Organizational Functions Related to ERM
Need for alignment
Chapter 3
Enterprise Risk Management Framework and Process
Modeling an ERM Framework and Process
• Risk Management Framework
  – A foundation for applying the risk management process throughout the organization
• Risk management programs should be built on a framework that best aligns with their operations
  – Many risk management frameworks share common components
  – Components should be adapted to the organization's objectives and operations
• Primary purpose of a framework
  – Integrate risk management throughout the organization
ERM Framework and Process Model
• Common elements
  – Framework Model
    • Lead and establish
    • Align and integrate
    • Allocate resources
    • Communicate and report
  – Process Model
    • Scan environment
    • Identify risks
    • Analyze risks
    • Treat risks
    • Monitor and assure
Components of a Risk Management Framework
• Lead and Establish Accountability
– Techniques used to establish accountability
• Identify risk owners and their roles in the organization
• Establish Key Performance Indicators (KPI)
• Establish Key Risk Indicators (KRI) and use them to evaluate performance
• Develop risk criteria to evaluate the significance of risks
Components of a Risk Management Framework
• Lead and Establish Accountability
  – Risk Owner
    • An individual accountable for the identification, assessment, treatment, and monitoring of risks in a specific environment
  – KPI
    • Financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals
  – KRI
    • A tool used by an organization to measure the uncertainty of meeting a strategic business objective
  – Risk Criteria
    • Information used as a basis for measuring the significance of a risk
Components of a Risk Management Framework
• Align and Integrate
  – Align risk management with the organization's objectives and integrate the risk management process
    • Aligned at both the strategic and operational level
  – After alignment is developed, integrate into operational processes
    • Strategic planning
    • Performance management
    • Process management
    • Internal control
    • Compliance
    • Governance
Components of a Risk Management Framework
• Allocate Resources
– Commitment to risk management means a willingness to allocate the resources necessary to effectively implement the process throughout the organization
– Typical resource needs are training and adaptation of systems
– CFO must determine appropriate capital allocation and risk characteristics of the organization’s business units or products
Components of a Risk Management Framework
• Communicate and Report
  – Senior management must effectively communicate the purpose and importance of the risk management process to the entire organization
  – Communication across organizational functions is necessary for the design of an effective risk management process
  – Allows for ongoing monitoring and improvement
  – Reporting information at different levels
    • Senior management receives executive summaries
    • Managers receive more detailed reports regarding their areas of responsibility
    • Emerging risks should also be included
Risk Management Policy
• A clear risk management policy statement will help obtain buy-in from managers and employees
• Should address key elements of risk management framework
Designing and Implementing an ERM Framework and Process
• Gap Analysis
  – Compare the organization's existing risk management framework and processes against an international standard to identify gaps
• Evaluation of Internal and External Environment
  – Internal
    • Understand the organization's objectives and risk appetite
    • Evaluate org structure and the major categories of risk in each area to map risks
    • Evaluate resources needed to implement and maintain the framework and program (equipment, systems, people)
    • Identify communication channels, both formal and informal
Designing and Implementing an ERM Framework and Process
• Evaluation of Internal and External Environment (cont.)
  – External
    • External environment includes these factors
      – Economic
      – Political
      – Legal and regulatory
      – Technology
      – Natural
      – Competitive landscape
    • Evaluate operations using key risk factors as a guide
Designing and Implementing an ERM Framework and Process
• Integration into Existing Processes
– Key factors to successful integration
• Align risk management objectives and policy with organization’s overall objectives and risk appetite
• Use existing processes
– Critical component of integration is assigning responsibility and accountability for risk management within each functional area
• Usually department heads (risk owners)
Designing and Implementing an ERM Framework and Process
• Commitment of Resources
– Categories of necessary resources
• Technology, including equipment and systems
  – Enterprise Risk Management Information System
• Administrative personnel
• Specialists, either internal or external
• Analysis
• Training
Designing and Implementing an ERM Framework and Process
• Communication and Reporting
  – Communicating
    • Communicating the RM policy is a key step in the integration process; the more senior the leader delivering it, the better
    • Training is a key element of communicating
      – UC Risk Summit
    • Communication should be more than just metrics; it should also discuss how well the culture is adapting
  – Reporting
    • Provide timely and relevant information regarding key metrics to managers for their areas of responsibility
    • Tie risk metrics to financial reporting results
Designing and Implementing an ERM Framework and Process
• Monitoring and Improvement
– Process improvement cycle
• Plan, Do, Check, Act
• Also known as the Deming cycle
ERM vs. Traditional Risk Management Process
• ERM provides broader approach to risk
• Traditional risk management is hazard focused
• ERM provides cycles for continuous improvement
– Systems based
• ERM applies to all operations and risks
ERM vs. Traditional Risk Management Process
• ERM
– Five major steps in ERM process
• Scan environment
• Identify risks
• Analyze risks
• Treat risks
• Monitor and assure
– Steps can occur concurrently, as well as sequentially
ISO 31000:2009 Risk Management – Principles and Guidelines
• Based on the Australian and New Zealand RM standard (AS/NZS 4360)
• Scope
  – Applies to all operations and most activities of an organization
  – All types of risk, both positive and negative
• Not intended to produce uniformity
  – Emphasis is on tailoring its process and framework to each organization
ISO 31000
ISO 31000 Page 3.16
ISO 31000 Risk Criteria
ISO 31000
• Process
  – Risk Assessment
    • Risk identification
    • Risk analysis
    • Risk evaluation
  – Risk Treatment
  – Risk Monitoring and Review
• Mnemonic: "I am extremely savvy in Money" – Identify, Analyze, Examine/Evaluate, Select, Implement, Monitor
COSO ERM – Integrated Framework
• 1992 – COSO published a framework for the evaluation of internal control
• 2004 – Updated to ERM – Integrated Framework
  – Developed to meet the requirements of the Sarbanes-Oxley Act
COSO
Review page 3.21 – Interrelated components
COSO Cube
Applying the Risk Management Process
• Review pages 3.25-3.32