Enterprise Risk Management Ivan Pham, CPA, CIA, CISA, CFE November 20th, 2014 Content Introduction Current ERM Frameworks Who is responsible? COSO ERM Framework ISO 31000 Anti-Fraud Framework Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 Introduction Risk a potential future event that prevents an organisation from achieving its objectives Threat Risk of loss or something bad happening Uncertain Outcome Opportunity Loss Risk of not meeting expectations Risk of opportunity loss or something good not happening Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 What CEOs and senior management are saying about risk… Lessons from the financial crisis 92% agree that information about risk is either Important or critical to their long-term success But only CEOs recognize the importance of risk information to the success of their organizations…1 23% of them believe they have comprehensive information about risk to their business …but lack actionable information to allow for effective risk decisions with clarity and confidence1 • 58% - Inability to effectively model global risk early enough • 65% - Over focus on short-term goals as opposed to emerging risks • 67% - Short-term priorities don’t override long-term goals is a top challenge • 79% - Receiving the right information at the right time is a top challenge • 44% - Relied too much on quantitative modeling, obscuring a broader perspective of risk ERM is really about adopting good business practices ERM Misconceptions: Hinders doing ‘real business’, i.e taking risks Promotes a conservative business mindset Is just to introduce and implement controls A granular operational exercise A software implementation exercise Is effective via a checklist Can be obtained ‘off the shelf’ Something you can set & forget One person show “Doable” in a day Precise rocket science ERM – the Truth : Encourages the pursuit of business objectives by proactively identifying and managing risks Helps minimise uncertainty and maximise opportunities for an enterprise Forms a key part of strategy planning and decision making A process that is integrated within all other key processes of the organisation Goes beyond controls, compliance procedures and audits Addresses organisation-wide key stakeholders goals An audit of existing frameworks, controls and processes Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 The value of risk management is that it gets the right information to the right people at the right time for decisive appropriate actions Escalation and delegation Executive and Board focus “Growth and Change” Management focus “Operating Performance” Front-line focus “Compliance/ Internal controls” • • • • Typical volume of risk information managed Strategic risks High exposure risks Risk scenarios Confidence in process below • Factors that influence “Business As Usual” performance • Portfolio risk management • Optimise risk management process • Control of escalation and delegation of risk management • • • • Task/ process focused risk management Focus on efficiency and reliability Simple tools and output Progressively stabilise risk profile and then focus on effectiveness of controls and monitoring Current ERM Frameworks Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 Current ERM Frameworks The two most commonly used sources of guidance on effective risk management frameworks are: • Enterprise Risk Management Integrated Framework published by the Committee of Sponsoring Organizations of the Treadway Commission (“COSO”) • Australia/New Zealand Standard on Risk Management (AS/NZS 4360) COSO Elements similarities AS/NZS 4360 Elements Internal Environment Establish Context Objective Setting Identify Risks Event Identification Analyse Risks Risk Assessment Evaluate Risks Risk Response Control Activities Information and Communication Monitoring Treat Risks Monitor and Review Communicate and Consult The ISO 31000 Standard is the latest ERM standard • Published in Nov 2009 – it is the ‘current’ global standard in risk management • Seeks to provide a universally recognised guideline to replace the myriad of existing standards and methodologies that differ between industries, subject matters and regions • Provides a generic framework for identifying, analysing, evaluating, treating, monitoring and communicating risk • Is seen as an update to the COSO ERM Framework and the AS/NZS ERM Standard - ISO 31000 is said to better explain concepts and terms but does not alter the fundamentals presented in COSO or AS/NZS 10 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 Who is responsible? 11 It’s Everybody’s job, but he thought Somebody would it ‘Who’s to blame?’ is a question on many people’s lips these days • If risk management has failed, why has it done so? We believe that it’s because most companies have relied too heavily on risk models that are necessarily limited, rather than making everyone personally accountable for managing risk It’s only when risk management is an integral element of day-to-day business that you will get the results that you want, within the risk parameters that you can live with 12 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 How to ensure that risk management is part of the daily activities of everyone in your organisation Focus on personal accountability: Spell out the responsibility, authority and accountability of every individual in the organisation Hold your business units accountable: Get the managers of your business units to assess the maturity of their risk processes, rectify any flaws and sign off on the risks they’ve assumed Lead from the front: Show your business unit managers that you’re serious about risk management by regularly reviewing key risks, rewarding those who manage risks well and punishing those who don’t Re-focus your risk management function: Reposition your risk management function to the job it’s supposed to be doing – i.e., providing information, advice and assurance 13 Everyone has a role to play in managing risks A company’s business units: • Should be responsible for the decisions they take, how their employees behave and the effectiveness of the controls they use Senior management’s job: • provide visible support for the business units and individual employees alike, and thus to reinforce their efforts • By insisting that they pay constant attention to key risks – and rewarding or punishing their performance accordingly – it sets the tone for the entire organisation The risk management function’s role: • By contrast, is to design a risk framework, develop risk models and identify and interpret new laws and stakeholder expectations; • to help the business units understand the risks they’re taking and how best to mitigate them; and • to assist the company in staying on course by periodically checking that it’s taking the right steps to manage the risks it faces 14 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 Risk management is everyone’s responsibility – introducing the lines of defence model Board Oversight Internal Audit Risk Management Unknown Risks • Front Line Staff Known Risks 3rd Line 2nd Line • 1st Line • • • • Policies & Procedures • Loss Data • Training Risk Profile Risk & Controls Assessment • Internal control testing Standard procedures: Important for front line Teach Check compliance Design process with front line Risk Management: Assists top management in decision making – identify risks, measure exposures, mitigate and report Internal Audit: Assurance to Board on the quality of internal control system Helps to reduce risk of loss and reputational damage 15 For Vietnam – Start by placing ERM under the CFO to leverage on knowledge of controls and reporting ERM Oversight ERM Monitoring Structure – based on levels of defense model BOD/ Audit Committee • On a bi-annual basis review ERM Report received from CEO/CFO, ensure that all areas of risk have been considered and that all HIGH and MEDIUM risks identified are being appropriately managed/ mitigated Audit Committee/ Supervisory Board Risk Owners Day-to-day Management of Risks Key roles: Board of Directors/ Commissioners CEO Direct Reports Risk Coordinators/ Action Plan owners CEO Board of Management Heads of Departments Internal Audit Risk Owners • Coordinate and oversee/ manage development and implementation of action plans to mitigate HIGH and MEDIUM risks CFO Risk Coordinators/ Action Plan Owners • Implement the relevant action plans • Participate in bi-annual risk discussion with the ERM function ERM Function ERM Function • Provide advice and guidance to assist in inculcating a risk management culture • Prepare all ERM related reports required • Facilitate discussions with Risk Owners on the implementation status of action plans Independent Assurance 16 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 Main types of risk a business is likely to face To what extent does your organisation’s risk management framework cover the above classes of risk? How much effort is devoted to each area? Is the balance right? 17 The COSO ERM framework 18 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 The COSO definition of ERM – Enterprise Risk Management is a process, effected by an entity’s board of directors and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives – Event - an incident or occurrence, from sources internal or external to an entity, that could affect the implementation of strategy or achievement of objectives – Risk - the possibility that an event will occur and adversely affect the achievement of objectives – Opportunity - the possibility that an event will occur and positively affect the achievement of objectives 19 The COSO ERM framework – Three Foundational Aspects – Starts with objectives: • Strategic, Operations, Reporting and Compliance – Applies to activities at all levels of the organization – Has eight interrelated Components – Key ERM concepts: • Events and risks, Risk appetite and risk tolerance, Portfolio view, Assess AND Manage 20 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 10 Components of Enterprise Risk Management Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people The core of any business is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate Definition from COSO ERM Framework Sept 04 25 Components of Enterprise Risk Management Objective Setting – Objectives must exist before management can identify potential events affecting their achievement Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite Definition from COSO ERM Framework Sept 04 26 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 13 Components of Enterprise Risk Management Event Identification – Potential events that might have an impact on the entity must be identified Event identification involves identifying potential events from internal or external sources affecting achievement of objectives It includes distinguishing between events that represent risks, those representing opportunities, and those that may be both Opportunities are channeled back to management’s strategy or objective-setting processes Definition from COSO ERM Framework Sept 04 27 Components of Enterprise Risk Management Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed Risks are associated with objectives that may be affected Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact Definition from COSO ERM Framework Sept 04 28 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 14 Components of Enterprise Risk Management Risk Response – Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite Definition from COSO ERM Framework Sept 04 29 Components of Enterprise Risk Management Control Activities – Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out Definition from COSO ERM Framework Sept 04 30 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 15 Components of Enterprise Risk Management Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities Information is needed at all levels of an entity for identifying, assessing, and responding to risk Effective communication also occurs in a broader sense, flowing down, across, and up the entity Personnel receive clear communications regarding their role and responsibilities Definition from COSO ERM Framework Sept 04 31 Components of Enterprise Risk Management Monitoring – The entirety of enterprise risk management is monitored, and modifications made as necessary In this way, it can react dynamically, changing as conditions warrant Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management, or a combination of the two Definition from COSO ERM Framework Sept 04 32 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 16 ISO 31000 33 What is ISO 3100 - Risk Management? ISO 31000 • Came out in November 2009 • Prepared by the ISO Technical Management Board Working Group on risk management • International Standard • Provides principles and generic guidelines on Risk Management 34 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 17 Risk Defined in ISO 31000 The effect of uncertainty on objectives Risks can have positive or negative outcomes 35 ISO 31000 – Principles, Implementation Framework & Process a) Creates Value b) Integral part of organizational process c) Part of decision making d) Explicitly addresses uncertainty e) Systematic, structured and timely f) Based on the best available information g) Tailored h) Takes human and cultural factors into account i) Transparent and inclusive j) Dynamic, iterative and responsive to change k) Facilitates continual improvement and enhancement of the organization Mandate & Commitment Design of framework for managing risk Continual improvement of the framework Implementing risk management Monitoring and review of the framework Risk Management Process Establishing the context Risk Assessment Monitoring and review Implementation Framework Communication and consultation Principles Risk Identification Risk Analysis Risk Evaluation Risk Treatment 36 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 18 Risk Management Process Risk Management Process Communication & Consultation - should facilitate truthful, relevant, accurate and Establishing the context confidentiality and personal privacy Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation understandable exchanges of information, while respecting Risk Assessment - should take place during all stages of the risk management process using existing organization communication channels and methods Risk Treatment 37 Risk Management Process Risk Management Process Establishing the Context - Articulate the organization’s objectives Establishing the context - the external and internal environment in which the Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation - Establish the external and internal context Risk Assessment organization seeks to achieve its objectives - Establish the context of the risk management (RM) process - define the goals and objectives of the RM activities - define the responsibilities - define the processes to be managed Risk Treatment - Define the risk criteria for the process - e.g Impact & Likelihood 38 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 19 Risk Management Process Risk Management Process Risk Identification - Generate a comprehensive list of risks based on those events Establishing the context delay the achievement of objectives Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation that might create, enhance, prevent, degrade, accelerate or Risk Assessment - “The organization should apply risk identification tools and techniques that are suited to its objectives and capabilities, and to the risks faced.” (ISO 31000: 5.4.2) Risk Treatment 39 Risk Management Process Risk Management Process Risk Analysis - involves consideration of the causes and sources of risk, their Establishing the context those consequences can occur Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation positive and negative consequences, and the likelihood that Risk Assessment - Factors that affect consequences and likelihood should be identified - Risk is analyzed by determining consequences and their likelihood, and other attributes of risk - It is also important to consider the interdependencies of Risk Treatment different risks and their sources 40 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 20 Risk Management Process Risk Management Process Risk Evaluation - the purpose of Risk Evaluation is to assist in making decisions Establishing the context treatment evaluation Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation about which risks need treatment and the priority of Risk Assessment - The steps in Risk Evaluation are: - Examine each risk in the risk register and compare the risk level against criteria - Decide whether risk treatment is required - Prioritize treatments Risk Treatment - Decisions should be made in accordance with legal, regulatory and other requirements 41 Risk Management Process Risk Management Process Risk Treatment - involves selecting one or more options for modifying risks, and implementing those options - Risk Treatment is a cyclical process: Assess a risk treatment; Decide whether residual risk levels are tolerable; If not tolerable, Risk Assessment Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation Establishing the context generate a new risk treatment and Assess the effectiveness of the risk treatment - Treatment options are not mutually exclusive and can include: - Avoid the risk - Take or increase the risk - Remove the risk source Risk Treatment - Change the likelihood - Change the consequence - Share the risk with another party - Retain the risk by informed decision 42 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 21 Risk Management Process Risk Management Process Monitoring & Review - Should be a planned part of the RM Process and involve Establishing the context - Responsibilities should be clearly defined Risk Identification Risk Analysis Risk Evaluation Monitoring and review Communication and consultation regular checking and surveillance Risk Assessment - Lessons learned from events, changes, trends, successes and failures are analyzed - Changes in the external or internal context should be considered as soon as they occur - Identify emerging risks Risk Treatment 43 Anti-Fraud Framework 44 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 22 Global Economic Crime Survey 2014 Financial Services Fraud Statistics 45% 57% of Financial Services organisations have suffered economic crime during the survey period, compared to only 34% across all other industries of FS organisations report that External fraudsters are still the main perpetrators of economic crime >50% 78% FS respondents who have experienced economic crime during the survey period report an increase in the number of occurrences and the financial value of economic crime, mainly in Asia Pacific region of FS internal frauds are committed by junior staff and middle management 45 Global Economic Crime Survey 2014 Financial Services Fraud Statistics Asset misappropriation remains the primary type of economic crime reported by FS organisations– not unexpected for a sector which processes money, and given the low cost of conversion for fraudsters Top types of economic crime experienced by the FS sector 46 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 23 Global Economic Crime Survey 2014 What can organisations to prevent and detect fraud? Economic crime detection methods in FS organisations (% FS respondents) • Our survey asked about fraud risk assessments (“FRAs”) and the results reveal a surprising number of FS organisations still not carry any out • Over 50% of respondents from FS organisations that did not carry out any FRAs fail to see the correlation between fraud, working conditions, organisational culture and the effectiveness of corporate controls • Fraud Risk Management (FRM) remains the most effective method in fraud detection (17% of serious frauds experienced by FS respondents were detected this way 47 How Fraud happens? The Fraud Triangle The Fraud Diamond 48 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 24 PwC Anti-Fraud Framework 49 Methodologies Prevent Detect Response Continue improvement & remediation Tone, direction & reinforcement from the top Corporate ownership Operating framework Organisational compliance focus & compliance KPIs • Risk assessment • Training program • Policies & procedures communication • Declaration • • • • Forensically focused audits Third party due diligence Transaction monitoring Compliance control • • • • Incident investigation processes Consequences Enterprise case management Insurance Compliance and ethics helpdesk function decision support Staff support • Integration with personnel processes • Leave requirements • Integration with business processes • Compliance reviews • Whistleblower hotline • Reporting mechanism • Results of investigation are visible • Failure to achieve compliance has consequences 50 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 25 Fraud Risk Assessment A process where risks are identified, analyzed, and strategy is developed to manage or mitigate those risks Four Step Process – Financial Statement Manipulation Disclosure 1.Scheme and event identification Sr Mgmt or Employees with Significant Financial Reporting Role 2.Significance & likelihood assessment 3.Linkage to mitigating controls 4.Reassessment and identification of areas requiring follow-up or remediation Aiding & Abetting Misappropriation of Assets Unauthorized Receipts & Expenditures •Fraud Risk Management for Bank PwC 51 Anti fraud programmes and controls Fraud Strategy Fraud Policy Does your company have a clear strategy that co-ordinates on-going activities for the prevention and detection of fraud? Do your employees understand the company’s position with regard to what would constitute fraudulent behaviour and the penalties for this behaviour? Code of Conduct Monitoring Are there adequate procedures in place to ensure that, on a regular and continuing basis, senior management consider the effectiveness of, for example, the whistleblowing policy and consider whether the risk assessment and therefore mitigating controls require amendment or update? Fraud Strategy Fraud Policy Code of Conduct Has your company set out the behaviours, for example in relation to gift and hospitality, expected from its employees? If so, are they asked periodically to confirm that they understand and abide by this policy in writing? Oversight Whistleblowing Policy Does your company have in place adequate oversight with regard to mitigation of fraud risk? For example, does Internal Audit or the Audit Committee have a remit to discuss fraud issues with senior management on a regular basis? Have you provided a communication channel for your employees to express their concerns regarding the behaviour of colleagues or external parties (in their Dealings with your company)? Fraud Risk Mitigation Considerations Awareness Fraud Response Plan Does your company have a documented plan in the event that there is a suspicion of fraudulent activity including, for example who should manage such an investigation? Does your company provide fraud Awareness training for its employees, for example as part of an induction, and is this training supported with regular updates or other promotional campaigns? Risk assessment Communication Does your company have a communication plan for key policies regarding fraud, such as the employee code of conduct, both at Induction and regularly throughout their employment? Electronic Data Mining Control activities Has your company considered, documented and assigned responsibility for the key internal and external fraud risks? If so, does fraud risk assessment consider all categories of fraud? Did its production involve all grades of employee? and did it cover all aspects of the companies activities? In its production, was specific thought given to what attitudes, incentives and opportunities exist to commit fraud across the company? Electronic Data Mining Control activities Does you company utilise electronic data mining across its electronic system, such as finance to prevent and detect fraud? Has your company considered and documented (including a remedial plan if necessary) whether key internal and external fraud risks are mitigated by existing controls? 52 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 26 www.pwc.com.vn Enterprise Risk Management Ivan Pham Associate Director PwC Advisory Services Direct Line: +84 (8) 3823.0796 ext 1611 Mobile: +84 (9) 3848.2239 Email: ivan.pham@vn.pwc.com 53 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/2014 – số 04B-2014 Tp.HCM, 20-21/11/2014 27 ... emerging risks Risk Treatment 43 Anti -Fraud Framework 44 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/20 14 – số 04B-20 14 Tp.HCM, 20-21/11/20 14 22 Global Economic Crime Survey 20 14 Financial Services Fraud. .. interdependencies of Risk Treatment different risks and their sources 40 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/20 14 – số 04B-20 14 Tp.HCM, 20-21/11/20 14 20 Risk Management Process Risk Management Process Risk. .. coordinating the risk management process 24 Lớp CNKT: số 04A-2015 Hà Nội, 06-07/11/20 14 – số 04B-20 14 Tp.HCM, 20-21/11/20 14 12 Components of Enterprise Risk Management Internal Environment – Management