Enterprise Risk Management (ERM) "Integrated Framework" IMPLEMENTATION: Conducting Risk Assessments

FUNDAMENTALS & ROLES
• The Fundamentals
• COSO Enterprise Risk Management
• Role of Executive Management
• Role of the Director
• Role of the Chief Risk Officer
• Risk Management Oversight Structure
• Role of Internal Audit

IMPLEMENTATION
• Risk Management Vision and Objectives
• Conducting Risk Assessments
• Getting Started: Set the Foundation
• Building & Enhancing Capabilities
• Building a Compelling Business Case
• Making it Happen
• Relevance to Sarbanes-Oxley Compliance
• Other Questions

Conducting Risk Assessments

What is the relationship between risk assessment and risk management?
Risk assessment is the process of identifying, sourcing and evaluating individual risks and the interrelationships between risks. It has three elements:
• Materiality: evaluation of the available data and the application of judgment to determine the significance of potential future events
• Probability: the likelihood of their occurrence
• Action planning: leads to the formulation of risk responses
Risk management is the broader discipline. It comprises objective-setting, event identification and risk assessment, carried out within a framework of policies, processes, competencies, reporting, methodologies and systems.

What is the relationship between risk assessment and performance assessment?
Risk assessment is a forward-looking activity. It is applied to possible future events to identify their potential impact on the achievement of objectives and the likelihood of their occurrence over a defined time horizon.
Performance assessment is a retrospective activity. It is applied to evaluate the performance of a unit, a process or a function against a pre-determined target or standard over a stated period of time.
Both start from the objective, i.e. the pre-defined target or standard: risk assessment looks forward from it, performance assessment looks back at it.

What are the components of an effective objective statement, and why are objectives important to an effective risk assessment?
An effective objective statement is:
• Realistic
• Understandable
• Measurable
• Believable
• Actionable
Objectives are used to set the target or goal of an organization, business unit, process or function. They matter to risk assessment because risk is assessed in terms of the potential impact of events on the achievement of those objectives; without clear objectives there is nothing to assess the impact against.

What is the difference between an event and a risk?
An event is "an incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives."
A risk is "the possibility that an event will occur and adversely affect the achievement of objectives."
An event with a positive impact represents an opportunity; an event with a negative impact represents a risk (a threat).

Why doesn't COSO's definition of risk incorporate the notion that risk includes upside as well as downside?
COSO concluded that broadening the definition of risk to include the potential for "upside" would cloud the concepts and frustrate a primary objective of the framework, which is to provide a common language for ERM.

How do we articulate the concept of "inherent risk" so that it can be used effectively as risk assessment criteria?
COSO defines inherent risk as "the risk to an entity in the absence of any actions management might take to alter either the risk's likelihood or impact."
"Residual risk" is the risk that remains once current policies and procedures are considered during the assessment. Risk should be assessed on a residual risk basis, after considering the risk responses selected to mitigate the significant risks.

What are the common mistakes and pitfalls during the risk assessment process?
• Lack of clarification and common understanding of the meaning or definition of risk
• Not including all stakeholders
• Not considering, or not giving appropriate weight to, knowledgeable positions

Facilitated risk workshop pitfalls:
• Setting unclear or unrealistic objectives
• Failing to structure the meeting agenda for success
• Placing too little emphasis on discussion
• Letting technology glitches distract the process
• Not getting everyone involved
• Not creating a "safe" and open environment
• Failing to clarify roles and responsibilities
• Poor facilities

[Slide graphic: Ground Rules for a Risk Assessment]

Pitfalls in applying the assessment itself:
• Lack of participant understanding of how to apply assessment criteria consistently
• Confusion over inherent risk
• Confusion over time horizon
• Not acknowledging that the future is inherently unknowable
• Overlooking external environment events because of a perception that they are outside of management's control
• Ignoring the interrelationships among risks

How do we identify, understand and apply the interrelationships among risks?
Use a risk drivers map.
[Slide graphic: risk drivers map]
Identify critical events related to multiple risk categories by asking: will the occurrence of one event, either individually or in combination with other events, cause another event to happen or, alternatively, affect, impact or contribute to the severity of another event?
Through refinement of this cause-effect analysis, management can select the most critical events (the ones shaded in the illustration) and focus additional attention on understanding them. Understanding potential future events, in order to source why, how and where the entity's risks originate, lays a foundation for developing measurement and monitoring tools and for addressing risk through a portfolio view.

What is the appropriate level of depth when assessing risk?
If risks are assessed at too high a level, it is difficult to identify the precise issue, and management will be unable to decide what to do after the assessment is completed. At the same time, if the assessment is conducted at too granular a level, the "big picture" issues get lost in a sea of details and it will be difficult to complete the risk assessment in a reasonable amount of time.

Who should participate during the risk assessment process?
• Entity level: executive management, and individuals with specific knowledge of unique business risks, issues and operations
• Unit level: unit management, and key process owners

How is risk assessment related to risk quantification, and should risk quantification be used during risk assessment?
Risk assessment is improved and is more robust when risks are quantified: quantified risks can be monitored against management's established risk tolerance.

Is there value in using qualitative information when assessing risk?
YES. Qualitative information is often directional at best (i.e., it serves as a pointer to specific areas for further investigation and analysis) and is not, by itself, effective in driving management decisions. However, some risk-related events occur so infrequently, and, if and when they occur, are subject to such a wide range of possible outcomes in terms of severity, that it is difficult, if not impossible, to quantify them. And the managers closest to the source of a risk are the individuals best positioned to understand its nature and root causes.

... factors in the framework:
• Environment risk
• Process risk
• Information for decision-making risk
Environment risk arises when external forces