Enterprise Risk Management, Chapter One. Prepared by: Raval, Fichadia. John Wiley & Sons, Inc., 2007


Page 1

Enterprise Risk Management

Chapter One

Prepared by: Raval, Fichadia

John Wiley & Sons, Inc. 2007

Page 2

[Diagram (relationship map): a Business exists within an Environment; the Business is a System and is built upon a Business model, which is driven by Strategy; the Environment influences the Business, which should manage the Risks that emerge from it.]

Page 3

Chapter One Objectives

1. Describe the nature and characteristics of business.

2. Interpret the role of external environment and internal processes in achieving business objectives.

3. Explain the relationship between a business and its information systems.

4. Comprehend industry risk, business strategy risk, business process risk, and business outcomes risk.

5. Describe the nature and role of information systems assurance.

6. Understand management's role in information systems assurance.

Page 4

It's all about Risk

Risk can be described as the difference between business objectives and actual performance.

Risk = Objectives – Actual performance

Objectives: what you thought you would achieve.

Actual performance: what you actually achieved.

Page 5

How is eBay managing risk?

eBay's core capability: auctioning platform.

To manage the risk of slow growth or heavy competition from Google, eBay wants to diversify.

Through its online reach, eBay plans to connect local users with local businesses.

eBay's first move into the local market is a way to manage its business risk.

Page 6

Enterprise Risk Management

Enterprise risk management (ERM) is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to:

Identify potential events that may affect the entity, and

Manage risk to be within its risk appetite,

To provide reasonable assurance regarding the achievement of entity objectives.

Page 7

[Diagram: the Business environment and the Strategy of the Business enterprise produce Business risk; the Business system produces Control risk; Enterprise risk management addresses both. Other edge labels on the slide: is driven by, impacts, is represented by.]

Page 8

[Diagram (risk flow): Potential event, which can be viewed as Bundled opportunities and risks, warrants Risk (and opportunity) assessment, which leads to Risk (and opportunity) response, which impacts Actual performance compared to expectations. Risk categories: Environment or Strategy (business risk); Financial, Operational, or Compliance (control risk).]

Worked example on the slide, corporate credit cards:

Potential event: Company considers subscribing to corporate credit cards for the first time.

Opportunities: Efficiency of transaction processing, effective accountability, and lower cash need.

Risks: Credit card abuse, fraud; unauthorized or excessive use of credit; personal use of company credit card.

Risk (and opportunity) assessment: Net impact is positive on the company. Absence of credit cards generates bureaucracy and hinders efficiency, thus suffocating growth.

Risk (and opportunity) response: Corporate card use policy. Credit card transaction reporting and monitoring of card use.

Actual performance compared to expectations: Was the expected efficiency realized? Did the accountability process for expenditures improve? Was the reduction in daily cash need the same as expected?

Page 9

Example: First time issue of corporate credit card

It is a potential event – a decision that the company needs to make.

Both risk and opportunity:

Risk: Potential for fraud, abuse.

Opportunity: Transaction processing efficiency, accountability, reduced need for cash disbursements.

Risk category: Control risk – mainly financial.

Risk response: Credit Card Use Policy; decision to use corporate credit cards.

Assurance: Do the benefits materialize? Are risks managed well?

Page 10

Risk Components in Enterprise Risk

Business risk from environment and strategy: Business environment risk; Business strategy risk.

Control risk from systems and operations: Business process risk; Financial performance risk; Operational risk; Compliance and financial reporting risk.

Page 11

[Diagram (layered model): Environment; Strategy; People (Organization); Process (Operations); Technology (Information systems); Outcomes. Brackets on the slide: Business risk in environment and strategy; Control risk in business systems; Enterprise risk management.]

Page 12

Business risk from environment and strategy

Business environment risk emerges from the very nature of the industry and its environment.

Business strategy risk emanates from ineffective or poorly executed strategy. A company's business model should be aligned to its strategy.

Page 13

Control risk from systems and operations

Business process: is a series of related activities or tasks that collectively add value; is one critical member of the triad: processes, structure, and information.

Business process risk is an internal risk of mismanagement of a critical process. This is a risk that is mostly within the company's control.

Sub-categories: Financial performance risk; Operational risk; Compliance and financial reporting risk.

Page 14

Business Processes and Information Systems

Within a structure, people add value through processes. Processes can be at top-, mid-, or micro-levels. They can also be classified by function (procurement, human resources, etc.) or by long-term impact (strategic, tactical, operational).

Processes allow a business to create predictability in behavior.

Processes are intertwined with information processing. People in a process use information and at the same time generate additional data.

Thus, business processes, supported by organization structure, depend on information systems. They also generate inputs for the information systems.

Page 15

The triad – structure, processes, and information – warrants control.

The business model chosen by the firm influences the triad. To manage risk, the triad should be subject to control and security. This is management's responsibility.

[Diagram: the Business model is comprised of Information, Structure, and Process; these warrant actions for Control and security by Management.]

Page 16

Information Systems Assurance

Assurance: To establish with little doubt the state of something.

Seeking assurance would require that the objectives of assurance are determined first.

Assurance requires systematic investigation of processes and their results.

Information system assurance refers to seeking assurance on any aspect of an information system. Example: an assurance that information assets are protected from an external or internal threat.

Page 17

IS assurance is critical to most companies.

Because business processes are closely intertwined with information systems processes, doing business and keeping information systems running smoothly need to happen concurrently.

Because the business model of the firm links its systems to the outside world.

Because information systems are complex and integrated, as in the case of enterprise resource planning (ERP).

Page 18

Assurance and Risk Management

One can seek assurance for any situation (or event) that entails risk. Security and control of information assets is about managing risk. In fact, it can be argued that in most cases such assurance is a component of the overall plan for control and security of information assets.

An effective assurance service should meet the following criteria:

The provider must have knowledge of the field involved.

There should be specific criteria for evaluation of the situation.

The provider must be independent of the situation and should conduct a separate investigation.

Page 19

An IS Assurance Approach

1. Outline assurance objectives.

2. Obtain a solid grasp of the context of assurance: systems, processes, structure, types of transactions, information outputs.

3. Analyze the nature and types of risks involved.

4. Assess relevant control and security measures in place.

5. Conduct tests of effectiveness for these measures.

6. Analyze findings to grasp how well the risks are mitigated.

7. Provide a report of objectives, evidence, findings, and conclusions.

Page 20

Management's Role in IS Assurance

Risk management is the responsibility of top management.

To mitigate risk, management should implement a control system. A key purpose of a control system is to ensure that the behaviors and decisions of people are consistent with the entity's objectives.

A control system has several layers: Management control system; System controls; Application controls.

Page 21

[Diagram: the same relationship map as on Page 2 (Environment, Business, Strategy, Business model, System, Risks), repeated as the closing slide.]