P5 structures and process of ERM 2.2

structure and process

  • Created by: mumuna
  • Created on: 23-05-13 15:48

definition - enterprise-wide risk management

The IIA's International Standards define a risk as "the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood." In most organisations, risk management is concerned with both the positive and the negative aspects of risk. It can be applied holistically, and also to specific activities, from the strategic to the operational. In organisations, risk management is central to good governance. Enterprise risk management (ERM) describes what happens when an organisation puts in place a structured, continuous process to identify, manage and respond to risk. ERM is about culture and behaviour. Everyone plays a role, but the board has overall responsibility for ensuring that risks are managed. In practice, the board delegates the operation of the risk management framework to the management team, who are responsible for completing the activities below. Primary responsibility for identifying and managing risks lies with management. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge.

structures and roles of board etc

Different elements of the organisation are responsible for different aspects of risk. The board or senior management is seen as responsible for operational management of risk, supported by functional experts.

The board has a key role in ensuring that internal control is effective in managing risk, because it approves the policies on internal control, which cover:

  • the nature and extent of risk taking by the company
  • risk appetite - the tolerance for high risk and how much risk is taken on
  • the likelihood of the risk materialising - the probability that the risk occurs
  • the cost of particular controls against their benefit - there is no point spending more on a control than the loss if the risk occurred
  • the ability to reduce risk to within acceptable levels

Board key responsibilities

  • top-level ownership of ERM; review of the corporate risk register and the organisation's risk profile
  • ownership of the risk policy; defining the high-level risk appetite
  • taking actions and decisions on risk
  • delegation to the audit committee / risk committee; holding management to account for complying with and operating the RM process

structures and roles of BOARDs and NEDs, CRO etc

  • In addition to the embedded process, the board should regularly review internal control to see how key risks are managed
  • It should carry out an annual assessment of the position to prepare the statement on internal control for the annual report and accounts to shareholders


  • The risk assessment should be questioned by the risk management champion and the board to obtain a balanced assessment, especially on the accuracy of financial information, controls and the system of RM: whether it is robust and defensible and has made use of the work of internal audit (IA) and external audit (EA)


  • ensure the integrity of RM information
  • carry out risk assessment
  • promote good practice

structures and roles of risk committee

The risk committee helps manage the key risks the organisation faces:

  • ERM ensures that risk is considered across the whole organisation and that monitoring and escalation mechanisms exist to identify the most critical threats or opportunities
  • BUT a risk committee is not defined as mandatory in the UK Corporate Governance Code for listed companies, or for organisations in other sectors

The HMT Orange Book defines the committee as having executive authority to take action to manage risk.

Its main role includes:

  • overseeing implementation of the RM policy
  • developing the ERM culture
  • identifying and reporting to the board on risk threats/opportunities
  • monitoring and reviewing how well risks are managed
  • promoting the use of best practice

structures and roles of mgmt and IA

Management has an important role in ERM: implementing board policies on risk and control.

They identify the risks faced, and

operate and monitor the system of control which implements board policy.

Management do this by:

  • deciding the risk response
  • assessing the probability of the threat and its impact
  • interpreting board policy and applying it in operations

Internal audit adds value through risk-based internal auditing (RBIA), providing:

  • objective assurance that RM and internal control operate effectively
  • assurance that major business risks are managed adequately
  • review of the RM process
  • review of high-risk areas
  • reliable and appropriate assessment of risk, and reporting of risk and control status

structures and roles other assurance etc

External audit has an interest in an effective RM process, especially:

  • how it relates to financial management
  • where there is a going-concern question
  • in forming its opinion as to the truth and fairness of the financial statements

There is a range of other functional experts to support ERM:

  • Health & Safety
  • Security
  • Insurance - financial loss prevention
  • Compliance

Finance, HR & IT have their own approaches, but these should be rolled into the overall ERM framework.

benefit of ERM

  • Greater likelihood of achieving objectives; as risks are identified, assessed and managed appropriately
  • Consolidated reporting of disparate risks at board level; allows high-level decisions to be made at the right level, taking account of current and future expectations
  • Improved understanding of the key risks and their wider implications; as risks are fed in through one mechanism and all are assessed consistently
  • Identification and sharing of cross-business risks; as a consistent methodology and approach allows risks to be compared
  • Greater management focus on the issues that really matter; as roles are defined so that issues are escalated and actions are appropriate
  • Fewer surprises or crises; as a proper methodology ensures risks are reviewed and responses adapted as circumstances change
  • More focus internally on doing the right things in the right way; as following the process ensures consistency of approach

benefit of ERM Pt 2

  • Increased likelihood of change initiatives being achieved; due to a consistent approach and the development of knowledge of risks and of how to manage them
  • Capability to take on greater risk for greater reward; due to consistency in identifying and managing risks and in understanding the operational environment
  • More informed risk-taking and decision-making; awareness of what lies ahead regarding achievement of objectives allows informed decisions to be made on that information

risk types - operational, reputational, financial

  • Reputational
  • Financial - e.g. credit risk, liquidity, market risk, investment risk
  • Strategic - internal, but relating to external factors, e.g. a change of government; concerns where the organisation wants to go
  • Operational (non-financial) - back-office functions such as HR: staff recruitment, human error, security
  • Legal - threat of litigation
  • Project - risks relating to people, cost and quality

structures and roles of IA con't - ASSURANCE

Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.

Assurance role:

  • review the MANAGEMENT OF KEY RISKS
  • evaluate the REPORTING OF KEY RISKS
  • evaluate the RISK MANAGEMENT PROCESS
  • give assurance that RISKS ARE CORRECTLY EVALUATED
  • give assurance on RISK MANAGEMENT PROCESSES


structures and roles of IA con't - CONSULTANCY

CONSULTING ROLE: IA undertakes this with safeguards to ensure that its independence and objectivity are maintained:

  • making available to management the tools and techniques used by internal auditing to analyse risks and controls
  • being a champion for introducing ERM into the organisation, leveraging its expertise in risk management and control and its overall knowledge of the organisation (a 2ND LINE role)
  • providing advice, facilitating workshops, coaching the organisation on risk and control and promoting the development of a common language, framework and understanding
  • acting as the central point for coordinating, monitoring and reporting on risks
  • supporting managers as they work to identify the best way to mitigate a risk

IA CAN PROVIDE CONSULTING SO LONG AS IT HAS NO ROLE IN MANAGING RISKS.


Safeguards

Internal auditing may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:

  • It should be clear that management remains responsible for risk management.
  • The nature of internal auditor's responsibilities should be documented in the internal audit charter and approved by the audit committee.
  • Internal auditing should not manage any of the risks on behalf of management.
  • Internal auditing should provide advice, challenge and support to management's decision making, as opposed to taking risk management decisions themselves.
  • Internal auditing cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties.
  • Any work beyond the assurance activities should be recognised as a consulting engagement and the implementation standards related to such engagements should be followed.


conclusion on ERM

Risk management is a fundamental element of corporate governance. Management is responsible for establishing and operating the risk management framework on behalf of the board. Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach. Internal auditor’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management. When internal auditing extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal auditing will protect its independence and the objectivity of its assurance services. Within these constraints, ERM can help raise the profile and increase the effectiveness of internal auditing.


Risk framework, process, maturity, response - Defs

Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an organisation has chosen to use to implement its risk management processes.

Risk Management Processes: Processes to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organisation's objectives.

Risk Maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation's objectives.

Risk Responses: The means by which an organisation elects to manage individual risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organisation; or to terminate the activity creating it. Internal controls are one way of treating a risk.


Risk and Risk appetite - definitions

Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.

Risk Appetite: The level of risk that an organisation is willing to accept.


Risk Policy and contents

The risk policy defines an organisation's approach to risk management and its attitude to and appetite for risk. It defines overall responsibility for the policy and for risk review and reporting. It is an essential part of an organisation's ERM framework.

Contents:

  • RM and internal control objectives - governance
  • statement of the attitude of the organisation to risk - risk strategy
  • description of the risk-aware culture or control environment
  • level and nature of risk that is acceptable - risk appetite
  • RM organisation and arrangements - risk architecture
  • details of procedures for recognising and ranking risks - risk assessment
  • list of documents for analysing and reporting risk - protocols
  • risk mitigation requirements and control mechanisms - risk response
  • allocation of RM roles and responsibilities
  • training topics and priorities
  • criteria for monitoring and benchmarking
  • allocation of appropriate resources
  • risk activities and priorities for the coming year

risk identification

The first formal process in developing the organisation's risk register/profile: a complete list of the risks identified by management that may impact on the achievement of objectives. It is effective if risk identification is set in the context of the organisation's environment, sector, strategy and overall attitude to risk.

Processes and exercises to help identify risks:

  • checklists
  • benchmarking
  • vulnerability assessment
  • scenario planning
  • questionnaires
  • brainstorming
  • CRSA (control risk self-assessment) workshops

Risk analysis

IIA definition: the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences, i.e.:

  • likelihood or probability
  • impact or consequence

Objective: to distinguish major from minor risks and to provide data to assist the management of risks.

There are 3 approaches to risk analysis.

Quantitative - gives scientific and measurable output. Considered better because it can be quantified and is not subjective. But if no measure exists this approach is not warranted, e.g. the timeliness of management information reported to finance (a week in advance, a day in advance or after the event): if no record exists it cannot be measured.

  • Advantages: ranks risks; easy to focus and prioritise; risks can be plotted (e.g. number of audits completed to budget); appeals to a quantitative management style
  • Disadvantages: complex; time-consuming; results contrary to common sense may be ignored; requires verification

Risk analysis - qualitative & hybrid

Qualitative - usually narrative, and considers the inputs identified, e.g. Low, Medium and High. May give insufficient detail for complex cases.

  • Advantages: can be used immediately; intuitive; quick to provide; gives a prioritisation; feels right in terms of common sense
  • Disadvantages: subjective by nature; open to contention; a turn-off to those with a quantitative style; if many risks fall in the high category, further prioritisation is required

Hybrid - a mixture of both.

  • Advantages: best of both worlds
  • Disadvantages: costly; time-consuming; little benefit if not credible, e.g. conflicting results

Risk evaluation

IIA definition: the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria. SEE the IRM booklet.

Key consideration: the cost-effectiveness of the response or strategy.

Evaluation can be done before management action, without considering any risk response the organisation may have in place (inherent risk), or after a risk response is in place (residual risk). The difference between inherent and residual risk equates to the effectiveness of the response.

Compare residual risk against the threshold: if residual risk is above the risk appetite, consider the options for the controls needed to reduce the risk and improve the response. The output drives tolerance.

Risk appetite varies due to a range of factors: organisation size, sector, industry, culture, critical stakeholders, competition, quality, products, services, regulator.

E.g. risk and reward are intrinsically linked: the private sector is driven by profit to take risk to achieve the linked reward, whereas the public sector is wary of value for money and of being perceived as wasteful, so its appetite is drawn to low-level risk with problem-free results.

Assurance & organisational learning

Assurance is defined as: the delivery of an opinion or conclusion regarding the credibility of disclosed information and the process that delivers that information, or regarding the reliability of a process.

Effective RM will ensure monitoring and reporting, which varies but involves:

  • regular formal reports - the risk register should be updated, with old risks removed and new risks or priorities included as required
  • completion returns - completed at regular intervals in the required format; evidence-based, timely, sufficient and accurate, to enable effective decision-making
  • management information
  • face-to-face updates

Organisational learning: if an event happens, e.g. create a system to implement a well-managed contingency plan. These plans help ensure essential business can continue or restart in the event of a disaster.

risk management assurance

One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which the internal audit activity is a key source. Other sources include external auditors and independent specialist reviews.

Internal auditors will normally provide assurance on three areas:

  • risk management processes, both their design and how well they are working;
  • management of those risks classified as 'key', including the effectiveness of the controls and other responses to them; and
  • reliable and appropriate assessment of risks and reporting of risk and control status.

embedding RM in org

The end target for the organisation: RM should be an integral part of routine management activities. This requires significant time and resources, but when considered an effective use of resources the approach has longer-term benefits for the effectiveness of the RM process and for the mitigation of risk as approved by the board and in light of the organisation's objectives.

Benefits of embedded ERM include:

  • fewer surprises and less fire-fighting
  • reduced bureaucracy, duplication and gaps
  • more considered risk-taking, with well thought-out opportunities seized
  • improved decision-making - approval is in place to manage risk
  • speed - as soon as risks are identified they are brought to managers' attention

