ARM 54 – Risk Management Principles and Practices, Week 2


Page 1

2/26/2014

Presented by: Erike Young, MPPA, CSP, ARM

Chapter 2
Enterprise Risk Management in an Organization

Page 2

Top-Down/Bottom-up Approaches to ERM

Page 3

Top-Down/Bottom-up Approaches to ERM

• Traditional approach to risk management is a bottom-up approach
  – Information about risk is collected through the organization's business operations
    • Injury data, inspections, org charts, industry, etc.
  – Disadvantages
    • 1st major disadvantage: may not identify critical emerging risks
      – Harder to detect waste, fraud, abuse, shortcuts
    • 2nd disadvantage: process may be perceived as bureaucratic
      – Based on lagging data

Page 4

Top-Down/Bottom-up Approaches to ERM

• Top-Down Approach
  – Senior management decides which risks pose a significant threat or opportunity for the organization
  – Advantage
    • Provides a high-level view of the entire organization and the risks that are central to meeting organizational objectives
  – Disadvantages
    • Dependence on reports from middle management to senior management
    • Limited view of risks that may be percolating in various areas of the organization

Building Blocks of Bottom-up and Top-Down ERM

Page 5

Building Blocks of Bottom-up and Top-Down ERM

Risk Maturity Model

• Risk Maturity Model (RMM) is used to evaluate the development of an ERM program and its level of maturity
• Main purpose of an RMM is to evaluate or improve business processes
• Typically five levels of maturity, based upon the Carnegie Mellon model
  – Ad-hoc – No formal risk management process and little awareness of the concept
  – Initial – Basic risk management processes with no attempt at ERM
  – Defined – Formal risk management process, at least for project management
  – Managed – Quantitative metrics for identification, assessment, and response to risk
  – Optimizing – Ongoing improvement to the risk management process and a robust organizational risk culture

Page 6

Risk Maturity Model

• RIMS Risk Maturity Model (self-assessment tool): seven attributes of an ERM program
  – ERM-based approach
  – ERM process management
  – Risk appetite management
  – Root cause discipline
  – Uncovering risks
  – Performance management
  – Business resiliency and sustainability

Page 7

Risk Maturity Model

• Other Models
  – Broker developed
    • AON, Marsh
  – Credit rating
    • Standard and Poor's
• Other uses for RMM
  – Balanced scorecards
  – Benchmarking

Key Organizational Functions Related to ERM

Need for alignment

Page 8

Chapter 3

Enterprise Risk Management Framework and Process

Page 9

Modeling an ERM Framework and Process

• Risk Management Framework – A foundation for applying the risk management process throughout the organization
• Risk management programs should be built on a framework that best aligns with their operations
  – Many risk management frameworks will share common components
  – Components should be adapted to the organization's objectives and operations
• Primary purpose of a framework – Integrate risk management throughout the organization

ERM Framework and Process Model

• Common elements
  – Framework model
    • Lead and establish
    • Align and integrate
    • Allocate resources
    • Communicate and report
  – Process model
    • Scan environment
    • Identify risks
    • Analyze risks
    • Treat risks
    • Monitor and assure

Page 10

Components of a Risk Management Framework

• Lead and Establish Accountability
  – Techniques used to establish accountability
    • Identify risk owners and their roles in the organization
    • Establish Key Performance Indicators (KPIs)
    • Establish Key Risk Indicators (KRIs) and use them to evaluate performance
    • Develop risk criteria to evaluate the significance of risks

Page 11

Components of a Risk Management Framework

• Lead and Establish Accountability
  – Risk Owner
    • An individual accountable for the identification, assessment, treatment, and monitoring of risks in a specific environment
  – KPI
    • Financial or nonfinancial measurement that defines how successfully an organization is progressing toward its long-term goals
  – KRI
    • A tool used by an organization to measure the uncertainty of meeting a strategic business objective
  – Risk Criteria
    • Information used as a basis for measuring the significance of a risk

Components of a Risk Management Framework

• Align and Integrate
  – Align risk management with the organization's objectives and integrate the risk management process
    • Aligned at both the strategic and operational level
  – After alignment is developed, integrate into operational processes
    • Strategic planning
    • Performance management
    • Process management
    • Internal control
    • Compliance
    • Governance

Page 12

Components of a Risk Management Framework

• Allocate Resources
  – Commitment to risk management is the willingness to allocate the resources necessary to effectively implement the process throughout the organization
  – Typical resource needs are training and adaptation of systems
  – The CFO must determine the appropriate capital allocation and risk characteristics of the organization's business units or products

Components of a Risk Management Framework

• Communicate and Report
  – Senior management must effectively communicate the purpose and importance of the risk management process to the entire organization
  – Communication across organizational functions is necessary for the design of an effective risk management process
  – Allows for ongoing monitoring and improvement
  – Reporting information at different levels
    • Senior management receives executive summaries
    • Managers receive more detailed reports regarding their areas of responsibility
    • Emerging risks should also be included

Page 13

Risk Management Policy

• Clear risk management policy statement will help obtain buy-in from managers and employees

• Should address key elements of risk management framework

Page 14

Designing and Implementing an ERM Framework and Process

• Gap Analysis
  – Compare the organization's existing risk management framework and processes against an international standard to identify gaps
• Evaluation of Internal and External Environment
  – Internal
    • Understand the organization's objectives and risk appetite
    • Evaluate the org structure and the major categories of risk in each area to map risks
    • Evaluate resources needed to implement and maintain the framework and program (equipment, systems, people)
    • Identify communication channels, both formal and informal

Designing and Implementing an ERM Framework and Process

• Evaluation of Internal and External Environment (cont.)
  – External
    • The external environment includes these factors
      – Economic
      – Political
      – Legal and regulatory
      – Technology
      – Natural
      – Competitive landscape
    • Evaluate operations using key risk factors as a guide

Page 15

Designing and Implementing an ERM Framework and Process

• Integration into Existing Processes
  – Key factors for successful integration
    • Align risk management objectives and policy with the organization's overall objectives and risk appetite
    • Use existing processes
  – A critical component of integration is assigning responsibility and accountability for risk management within each functional area
    • Usually department heads (risk owners)

Designing and Implementing an ERM Framework and Process

• Commitment of Resources
  – Categories of necessary resources
    • Technology, including equipment and systems
      – Enterprise Risk Management Information System
    • Administrative personnel
    • Specialists, either internal or external
    • Analysis
    • Training

Page 16

Designing and Implementing an ERM Framework and Process

• Communication and Reporting
  – Communicating
    • Communicating the RM policy is a key step in the integration process; the more senior the leader communicating it, the better
    • Training is a key element of communicating
      – UC Risk Summit
    • Communication should be more than just metrics; it should also discuss how well the culture is adapting
  – Reporting
    • Provide timely and relevant information regarding key metrics to managers for their areas of responsibility
    • Tie risk metrics to financial reporting results

Designing and Implementing an ERM Framework and Process

• Monitoring and Improvement
  – Process improvement cycle
    • Plan, Do, Check, Act
    • Also known as the Deming cycle

Page 17

ERM vs. Traditional Risk Management Process

• ERM provides broader approach to risk

• Traditional risk management is hazard focused

• ERM provides cycles for continuous improvement

– Systems based

• ERM applies to all operations and risks

ERM vs. Traditional Risk Management Process

• ERM

– Five major steps in ERM process

• Scan environment

• Identify risks

• Analyze risks

• Treat risks

• Monitor and assure

– Steps can occur concurrently, as well as sequentially

Page 18

ISO 31000:2009 Risk Management – Principles and Guidelines

• Based on the Australian and New Zealand RM standard
• Scope
  – Applies to all operations and most activities of an organization
  – All types of risk, both positive and negative
• Not intended to produce uniformity
  – Emphasis is on tailoring its process and framework to each organization

ISO 31000

Page 19

ISO 31000 Page 3.16

ISO 31000 Risk Criteria

Page 20

ISO 31000

• Process
  – Risk Assessment
    • Risk Identification
    • Risk Analysis
    • Risk Evaluation
  – Risk Treatment
  – Risk Monitoring and Review
• Mnemonic: "I Am Extremely Savvy In Money" – Identify, Analyze, Examine/evaluate, Select, Implement, Monitor

COSO ERM – Integrated Framework

• 1992 – COSO published a framework for the evaluation of internal control
• 2004 – Updated to ERM – Integrated Framework
  – Developed to meet the requirements of the Sarbanes-Oxley Act

Page 21

COSO

Review page 3.21 – Interrelated components

COSO Cube

Page 22

Applying the Risk Management Process

• Review pages 3.25-3.32