Implementing Enterprise Risk Management (ERM): A Process Overview
By Hussein K. Isingoma, CISA, CISM, CRISC, FCCA, CIA, CPA
ISACA-Kampala, 24th April 2013
Introduction
All organizations exist to provide value to shareholders and stakeholders
Every organisation needs to determine how much uncertainty it should accept in seeking to create value or deliver service
Uncertainty has the potential to enhance or erode value
Organisations have growing concerns about a broader spectrum of risks
For many organizations, risk management is rapidly developing into a more forward-looking, enterprise-wide approach
Contd.....
Risk Management (RM) is about systematically identifying and actively managing risks to the business
It's about increasing the likelihood of success by minimising threats and maximising opportunities
It's being in control, and being seen to be!
Recent world disasters and scandals bear the hallmarks of failure in the risk management process: identification, assessment of risks, etc.
The downturn in the global economy raises important questions about how organisations conduct their business, and particularly about how they assess and manage risk
World Disasters and Scandals: What Happened?
Fukushima Nuclear Disaster
Tokyo Electric Power Company (TEPCO) failed to prevent the disaster not because a large tsunami was unanticipated, but because they were reluctant to invest time, effort and money in protecting against a natural disaster considered unlikely.
The utility and regulatory bodies were overly confident that events beyond the scope of their assumptions would not occur, and were not aware that measures to avoid the worst situation were actually full of holes.
Financial/Sovereign Debt Crisis
The U.S. Financial Crisis Inquiry Commission concluded in January 2011 that the crisis was avoidable and was caused by: widespread failures in financial regulation, including the Federal Reserve's failure to stem the tide of toxic mortgages; dramatic breakdowns in corporate governance, including too many financial firms acting recklessly and taking on too much risk.
Characterized by high-risk lending and borrowing practices.
ERM Definition
A structured, consistent and continuous process across the whole organization for: identifying, assessing, deciding on responses, and reporting on opportunities and threats that affect the achievement of its objectives (IIA definition)
Core Elements of a Risk Management Framework (Enterprise Risk Management)
Board/Executive commitment & context setting
Risk Identification
Risk Assessment
Risk Response
Monitoring & Reporting
COSO-ERM Framework (framework diagram)
Deloitte East Africa ERM Survey
1st baseline survey on the state of ERM in the Financial Services Industry (FSI): Banking, Insurance, Securities, Real Estate and Investment Management.
Implementation of ERM is fairly limited, with only 31% of companies surveyed having fully implemented an ERM programme
23% had their Risk Appetite both quantitatively and qualitatively defined
Top-rated challenges during ERM implementation included integrating risk data across the organization (70%) and having the appropriate risk management skills (64%)
Assessing Risk Maturity
Risk Maturity is the extent to which a robust RM approach has been adopted and applied as planned
Assessment of your organization's Risk Maturity is a critical input in the effective implementation of ERM
It provides a baseline upon which the organization's risk assurance strategies and activities will be determined
Risk Maturity assessment is about understanding how well the business risks are being managed
It involves determining and obtaining the information necessary to carry out the assessment, defining the methods of obtaining the information, and getting evidence to substantiate the assessment.
Risk Maturity Levels
Risk Naïve: No formal approach developed for RM
Risk Aware: Scattered, silo-based approach to RM
Defined: Strategy and policies in place, Risk Appetite defined
Managed: Enterprise approach to RM developed & communicated
Enabled: RM & ICs fully embedded into operations
ERM Process Overview
Board/Executive commitment & context setting
Risk Identification
Risk Assessment
Risk Response
Monitoring & Reporting
Drivers of ERM
Corporate scandals and disasters
Regulatory action: laws
Industry initiatives, e.g. standards
Best practices: control and risk frameworks, etc.
1. Setting the Context for RM.
Senior Management plays a critical role in establishing and communicating the foundation against which RM decisions are to be taken throughout the business. The roles include:
Strategic direction and goals
Appetite for risk
Risk Management framework
Roles and responsibilities
2. Risk Identification (RI)
RI Methods
One-to-one interviews
Brainstorming
Round table discussions
Interactive workshops
Questionnaires
RI Tools
SWOT Analysis
PESTLE Analysis
Scenario Planning
Stakeholder Analysis
Contd..
How to Make RI Successful
Get the right people involved
Brief them adequately
Give them the right tools
Think outside the box
Have a meaningful definition of risk (distinction between risk and problem!)
Effective RI Should Be....
Comprehensive
Complete
Honest
Covering all relevant business activities
Entailing training and awareness activities
Risk Register
The output of a risk identification process is the Risk Register. Its role is to:
Capture all major business risks in one place
So they can be compared, contrasted and combined
So they are given attention at the right level in the organisation
Typically, there could be multiple risk registers:
Corporate risks
Divisional, country, functional risks
Project risks, etc.
3. Assessing and Prioritizing Risks
It involves ascertaining:
The measures in place to control risk
The effectiveness of controls
The likelihood of risk occurrence
The impact of risk if it did occur
Significance of risk
Risk Significance is the product of the likelihood of occurrence and the impact if it did occur
Assessment scales are used to determine likelihood and impact
Assessment scale levels depend on the organisation's risk maturity
Contd..... Risk Assessment Scales (5-level)
Level  Probability descriptor  Probability of occurrence  Impact descriptor  Impact
1      Rare                    Very low (VL)              Insignificant      Very low (VL)
2      Unlikely                Low (L)                    Minor              Low (L)
3      Possible                Moderate (M)               Moderate           Moderate (M)
4      Likely                  High (H)                   Major              High (H)
5      Almost certain          Very high (VH)             Catastrophic       Very high (VH)
Contd.... Risk Map: 3-level Risk Significance Scale (High, Medium, Low) (risk map diagram)
Contd.....
The risk assessment matrix is a key way of establishing and communicating risk appetite
Risk Appetite: the amount of risk that an entity is willing to accept in pursuit of its mission.
It confirms what level of risk is acceptable and which risks are significant and should be reported upwards
Inherent risk: exposure before any controls
Residual risk: exposure after controls are in place and are operating
Risk Appetite (diagram: impact against likelihood; inherent risk, reduced by the response to residual risk, compared with the risk appetite)
4. Risk Response
Response grid (impact on the vertical axis, likelihood on the horizontal axis):
High impact, low likelihood: Contingency plans
High impact, high likelihood: Manage actively
Low impact, low likelihood: Review periodically
Low impact, high likelihood: Good housekeeping
Risk Response Options: the 4 T's
Response management options
Transfer
Terminate
Treat
Passive management
Tolerate
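The scoring described on the preceding slides (significance = likelihood x impact on the 5-level scales, mapped to the 3-level High/Medium/Low map, residual risk compared against risk appetite, and the impact/likelihood response grid), as an added Python example that is not part of the original deck. The score cut-offs for the High/Medium/Low bands, the rating threshold that counts as "high" on the grid, the appetite score and the register entries are all assumptions, since the slides do not state them.

```python
"""Score a risk register with the deck's 5-level likelihood/impact scales and
flag residual risks that exceed the stated risk appetite."""
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "Insignificant", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Catastrophic"}
# ASSUMPTION: score bands for the 3-level (High/Medium/Low) map; the deck shows
# the map but states no cut-offs, so these are illustrative.
HIGH_FROM, MEDIUM_FROM = 15, 6
HIGH_RATING = 4  # ASSUMPTION: ratings 4-5 (H/VH) count as "high" on the response grid

def significance(likelihood: int, impact: int) -> tuple:
    """Risk significance = likelihood x impact, mapped to High/Medium/Low."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers 1..5")
    score = likelihood * impact
    level = "High" if score >= HIGH_FROM else "Medium" if score >= MEDIUM_FROM else "Low"
    return score, level

def response_quadrant(likelihood: int, impact: int) -> str:
    """Quadrant of the slide's impact (vertical) / likelihood (horizontal) grid."""
    high_i, high_l = impact >= HIGH_RATING, likelihood >= HIGH_RATING
    if high_i:
        return "Manage actively" if high_l else "Contingency plans"
    return "Good housekeeping" if high_l else "Review periodically"

@dataclass
class RiskEntry:
    name: str
    inherent: tuple  # (likelihood, impact) before any controls
    residual: tuple  # (likelihood, impact) with controls in place and operating

def assess(entry: RiskEntry, appetite_score: int) -> dict:
    """Score inherent and residual exposure; residual above appetite is reported upwards."""
    inh_score, inh_level = significance(*entry.inherent)
    res_score, res_level = significance(*entry.residual)
    within = res_score <= appetite_score
    return {"risk": entry.name, "inherent": (inh_score, inh_level),
            "residual": (res_score, res_level), "within_appetite": within,
            "report_upwards": not within, "quadrant": response_quadrant(*entry.residual)}

# Constructed sample register (not from the deck); the appetite score is assumed too.
REGISTER = [RiskEntry("Core banking system outage", (4, 5), (2, 5)),
            RiskEntry("Expense claim fraud", (4, 2), (3, 2)),
            RiskEntry("Key-person dependency in treasury", (5, 3), (4, 2))]
APPETITE_SCORE = 9

def assess_register(register=REGISTER, appetite_score=APPETITE_SCORE) -> list:
    """One assessment dict per register entry, in register order."""
    return [assess(entry, appetite_score) for entry in register]
```

Calling assess_register() returns one dict per entry; a residual score above the appetite sets report_upwards, which is the "reported upwards" trigger the slides describe.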
5. Monitoring and Reporting
The role of risk monitoring is:
To check that risk responses are in place and working as intended
To check the risk status: no unwelcome surprises
To ensure risks are considered at the right level
To provide assurance to management that risks are being managed in the way approved
ERM Benefits
Business objectives more likely to be met
Focus on issues or activities that count
Fewer shocks and surprises
Early warning of problems
Effective use of resources
More focused and viable strategies; informs future strategy development
Clarity on risk appetite and freedom to act
Facilitates meaningful disclosure
Enhanced organizational learning
ERM Implementation Challenges
Organizational silos and outdated information systems prevent many enterprises from adequately sharing information (silos vs enterprise).
Risk maturity: the extent to which a robust RM approach has been adopted and applied.
Organizational culture: an organization that delivers only 'good news' ends up with poor-quality decisions based on a 'sanitized version of reality'.
Costs affect operations and investment decisions
Misalignment of risk management strategy with the overall business strategy
Inadequate skills and competences in Risk Management
Contd...
Internal control environment:
Risk management philosophy and operating style
Risk appetite
Human resource policies and practices
Assignment of authority and responsibility
Failure to strike a clear balance between the hard and soft sides of RM
Way Forward on ERM Implementation
Organizational review to ensure better structures, with C-level risk executives with visibility and oversight
Risk awareness across the organization
Investment in modern information systems and technologies to enhance information sharing and organizational learning
Training, retention and sourcing of RM subject matter experts
Determining and communicating the business appetite for risk
Establish organizational risk and control policies (Risk Policy)
Carry out a risk maturity assessment as a baseline for ERM implementation
Contd....
Balance between the hard and soft sides of RM
Seamlessly integrate RM thinking and practices into strategic planning and the day-to-day activities of the organisation.
How?
Risk-assess the strategic options
Communicate risk appetite for key risks
Establish Key Performance Indicators (KPIs) to track progress of mitigation
Include risk status reporting at Management and Board levels
Continuously check the business risk profile
Conclusion: How Competent is your Organization vs Risk Appetite?
Risk Taker, low competence: Gambler
Risk Taker, high competence: Winner
Risk Averse, low competence: Loser
Risk Averse, high competence: Also-Ran