Enterprise Risk Management
Chapter One
Prepared by: Raval, Fichadia
Raval • Fichadia, John Wiley & Sons, Inc. 2007
[Diagram: nodes "Environment", "Business", "Strategy", "Business model", "System", "Risks"; connecting labels "exists within an", "is driven by", "is a", "is built upon a", "influences", "should manage", "that emerge from"]
Chapter One Objectives
1. Describe the nature and characteristics of business.
2. Interpret the role of the external environment and internal processes in achieving business objectives.
3. Explain the relationship between a business and its information systems.
4. Comprehend industry risk, business strategy risk, business process risk, and business outcomes risk.
5. Describe the nature and role of information systems assurance.
6. Understand management’s role in information systems assurance.
It’s all about Risk
Risk can be described as the difference between business objectives and actual performance.
Risk = Objectives – Actual performance
Objectives: what you thought you would achieve.
Actual performance: what you actually achieved.
How is eBay managing risk?
eBay’s core capability: auctioning platform.
To manage the risk of slow growth or heavy competition from Google, eBay wants to diversify.
Through its online reach, eBay plans to connect local users with local businesses.
eBay’s first move into the local market is a way to manage its business risk.
Enterprise Risk Management
Enterprise risk management (ERM) is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to:
- identify potential events that may affect the entity, and
- manage risk to be within its risk appetite,
to provide reasonable assurance regarding the achievement of entity objectives.
[Diagram: nodes "Business environment", "Business enterprise", "Business system", "Strategy", "Business risk", "Control risk", "Enterprise risk management"; connecting labels "is driven by", "impacts", "is represented by", "produces" (business risk and control risk), "addresses" (enterprise risk management addresses both business risk and control risk)]
[Table: the ERM chain, with the corporate credit card example. Each stage of the chain can be viewed in terms of the risk category involved: Environment or Strategy (business risk), or Financial, Operational, or Compliance (control risk).]
Potential event
  Company considers subscribing to corporate credit cards for the first time.
can be viewed as
Bundled opportunities and risks
  Opportunities (control risk side): efficiency of transaction processing, effective accountability, and lower cash need.
  Risks (control risk side): credit card abuse, fraud; unauthorized or excessive use of credit; personal use of company credit card.
  Business risk side: absence of a credit card generates bureaucracy and hinders efficiency, thus suffocating growth.
warrants
Risk (and opportunity) assessment
  Net impact is positive on the company.
leads to
Risk (and opportunity) response
  Corporate card use policy. Credit card transaction reporting and monitoring of card use.
which impacts
Actual performance compared to expectations
  Was the expected efficiency realized? Did the accountability process for expenditures improve? Was the reduction in daily cash need the same as expected?
Example: First time issue of corporate credit card
It is a potential event – a decision that the company needs to make.
Both risk and opportunity:
  Risk: potential for fraud, abuse.
  Opportunity: transaction processing efficiency, accountability, reduced need for cash disbursements.
Risk category: Control risk – mainly financial.
Risk response: Credit Card Use Policy; decision to use corporate credit cards.
Assurance: Do the benefits materialize? Are risks managed well?
Risk Components in Enterprise Risk
Business risk from environment and strategy:
  Business environment risk
  Business strategy risk
Control risk from systems and operations:
  Business process risk
  Financial performance risk
  Operational risk
  Compliance and financial reporting risk
[Diagram: enterprise risk management spanning "Business risk in environment and strategy" (nodes "Environment", "Strategy") and "Control risk in business systems" (nodes "People (Organization)", "Process (Operations)", "Technology (Information systems)", "Outcomes")]
Business risk from environment and strategy
Business environment risk emerges from the very nature of the industry and its environment.
Business strategy risk emanates from an ineffective or poorly executed strategy. A company’s business model should be aligned to its strategy.
Control risk from systems and operations
A business process is a series of related activities or tasks that collectively add value. It is one critical member of the triad: processes, structure, and information.
Business process risk is an internal risk of mismanagement of a critical process. This is a risk that is mostly within the company’s control.
Other control risks: financial performance risk, operational risk, compliance and financial reporting risk.
Business Processes and Information Systems
Within a structure, people add value through processes. Processes can be at top-, mid-, or micro-levels. They can also be classified by function (procurement, human resources, etc.) or by long-term impact (strategic, tactical, operational).
Processes allow a business to create predictability in behavior.
Processes are intertwined with information processing. People in a process use information and, at the same time, generate additional data.
Thus, business processes, supported by organization structure, depend on information systems. They also generate inputs for the information systems.
The triad – structure, processes, and information – warrants control.
The business model chosen by the firm influences the triad. To manage risk, the triad should be subject to control and security. This is management’s responsibility.
[Diagram: "Business model" influences the triad, which "is comprised of" "Information", "Structure", and "Process"; the triad "warrant[s] actions for" "Control and security" "by" "Management"]
Information Systems Assurance
Assurance: to establish with little doubt the state of something.
Seeking assurance requires that the objectives of assurance are determined first.
Assurance requires systematic investigation of processes and their results.
Information systems assurance refers to seeking assurance on any aspect of an information system.
Example: an assurance that information assets are protected from an external or internal threat.
IS assurance is critical to most companies:
- Because business processes are closely intertwined with information systems processes; therefore, doing business and keeping information systems running smoothly need to happen concurrently.
- Because the business model of the firm links its systems to the outside world.
- Because information systems are complex and integrated, as in the case of enterprise resource planning (ERP).
Assurance and Risk Management
One can seek assurance for any situation (or event) that entails risk. Security and control of information assets is about managing risk. In fact, it can be argued that in most cases such assurance is a component of the overall plan for control and security of information assets.
An effective assurance service should meet the following criteria:
- The provider must have knowledge of the field involved.
- There should be specific criteria for evaluation of the situation.
- The provider must be independent of the situation and should conduct a separate investigation.
An IS Assurance Approach
1. Outline assurance objectives.
2. Obtain a solid grasp of the context of assurance: systems, processes, structure, types of transactions, information outputs.
3. Analyze the nature and types of risks involved.
4. Assess relevant control and security measures in place.
5. Conduct tests of effectiveness for these measures.
6. Analyze findings to grasp how well the risks are mitigated.
7. Provide a report of objectives, evidence, findings, and conclusions.
Management’s Role in IS Assurance
Risk management is the responsibility of top management.
To mitigate risk, management should implement a control system. A key purpose of a control system is to ensure that the behaviors and decisions of people are consistent with the entity’s objectives.
A control system has several layers:
- Management control system
- System controls
- Application controls