User:Burundi Librestez~enwiki/Sandbox

GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, August 2008 Copyright © 2008  ., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA Enterprise risk management From Wikipedia, the free encyclopedia (Redirected from Enterprise Risk Management) Jump to: navigation, search In business, enterprise risk management (ERM) includes the methods and processes used by organizations to manage risks (or seize opportunities) related to the achievement of their objectives. ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization's objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and proactively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.

ERM can also be described as a risk-based approach to managing an enterprise, integrating concepts of strategic planning, operations management, and internal control. ERM is evolving to address the needs of various stakeholders, who want to understand the broad spectrum of risks facing complex organizations to ensure they are appropriately managed. Regulators and debt rating agencies have increased their scrutiny on the risk management processes of companies.

Contents [hide] 1 ERM frameworks defined 1.1 COSO ERM framework 1.2 RIMS risk maturity model for enterprise risk management 2 Current issues in ERM 2.1 Sarbanes-Oxley Act requirements 2.2 NYSE corporate governance rules 2.3 ERM and corporate debt ratings 3 The role of internal audit in ERM 4 Implementing an ERM program 4.1 Goals of an ERM program 4.2 Typical risk functions 4.3 Common challenges in ERM implementation 5 Companies Increasingly Focusing on ERM 6 ERM Credentials 6.1 The Chartered Enterprise Risk Analyst (CERA) Credential 7 References 8 See also

[edit] ERM frameworks defined Two important ERM frameworks are COSO and RIMS. Each describes an approach for identifying, analyzing, responding to, and monitoring risks or opportunities, within the internal and external environment facing the enterprise. Management selects a risk response strategy for specific risks identified and analyzed, which may include:

Avoidance: exiting the activities giving rise to risk Reduction: taking action to reduce the likelihood or impact related to the risk Share or insure: transferring or sharing a portion of the risk, to reduce it Accept: no action is taken, due to a cost/benefit decision Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.

[edit] COSO ERM framework The COSO "Enterprise Risk Management-Integrated Framework" published in 2004[1] defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework has eight Components and four objectives categories. It is an expansion of the COSO Internal Control-Integrated Framework published in 1992 and amended in 1994. The eight components - additional components highlighted - are:

Internal Environment Objective Setting Event Identification Risk Assessment Risk Response Control Activities Information and Communication Monitoring The four objectives categories - additional components highlighted - are:

Strategy - high-level goals, aligned with and supporting the organization's mission Operations - effective and efficient use of resources Financial Reporting - reliability of operational and financial reporting Compliance - compliance with applicable laws and regulations

[edit] RIMS risk maturity model for enterprise risk management Enterprise risk management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.

According to the RIMS Risk Maturity Model for ERM[2], the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute and ERM maturity is determined by the weakest link.

1. ERM-based approach - Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.

2. ERM process management - Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, analyze, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools.

3. Risk appetite management – Degree of understanding the risk-reward tradeoffs within the business. Accountability within leadership and policy to guide decision-making and attack gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk and risk tolerance defines the variation of measuring risk appetite that management deems acceptable.

4. Root cause discipline - Degree of discipline applied to measuring a problem’s root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls’ effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.

5. Uncovering risks - Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft Word, Excel, etc) to uncover dependencies and correlation across the enterprise.

6. Performance management - Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.

7. Business resiliency and sustainability – Extent to which the ERM Process’s sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.

[edit] Current issues in ERM The risk management processes of U.S. corporations are under increasing regulatory and private scrutiny. Risk is an essential part of any business. Properly managed, it drives growth and opportunity. But today the stakes are higher than ever. Executives struggle with business pressures that may be partly or completely beyond their immediate control, such as distressed financial markets; mergers, acquisitions and restructurings; disruptive technology change; geopolitical instabilities; and the rising price of energy.

Towers Perrin partnered with the Economist Intelligence Unit on a research study that involved a cross-industry group of 1,452 senior executives of midsize and large companies in all regions of the world.[3]

[edit] Sarbanes-Oxley Act requirements Section 404 of the Sarbanes-Oxley Act of 2002 required U.S. publicly-traded corporations to utilize a control framework in their internal control assessments. Many opted for the COSO Internal Control Framework, which includes a risk assessment element. In addition, new guidance issued by the Securities and Exchange Commission (SEC) and PCAOB in 2007 placed increasing scrutiny on top-down risk assessment and included a specific requirement to perform a fraud risk assessment.[4] Fraud risk assessments typically involve identifying scenarios of potential (or experienced) fraud, related exposure to the organization, related controls, and any action taken as a result.

[edit] NYSE corporate governance rules The New York Stock Exchange requires the Audit Committees of its listed companies to "discuss policies with respect to risk assessment and risk management." The related commentary continues: "While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee."[5]

[edit] ERM and corporate debt ratings Standard & Poor's (S&P), the debt rating agency, plans to include a series of questions about risk management in its company evaluation process. This will rollout to financial companies in 2007.[6] The results of this inquiry is one of the many factors considered in debt rating, which has a corresponding impact on the interest rates lenders charge companies for loans or bonds.[7] On May 7, 2008 S&P also announced that it would begin including an ERM assessment in its ratings for non-financial companies starting in 2009[8], with initial comments in its reports during Q4 2008.[9]

[edit] The role of internal audit in ERM In addition to information technology audit, Internal Auditors play an important role in evaluating the risk management processes of an organization and advocating their continued improvement. However, to preserve its organizational independence and objective judgment, Internal Audit professional standards indicate the function should not take any direct responsibility for making risk management decisions for the enterprise or managing the risk management function. [10]

Internal auditors typically perform an annual risk assessment of the enterprise, to develop a plan of audit engagements for the upcoming year. This plan is updated at various frequencies in practice. This typically involves review of the various risk assessments performed by the enterprise (e.g., strategic plans, competitive benchmarking, and SOX top-down risk assessment), consideration of prior audits, and interviews with a variety of senior management. It is designed for identifying audit projects, not to identify, prioritize, and manage risks directly for the enterprise.

[edit] Implementing an ERM program

[edit] Goals of an ERM program Organizations by nature manage risks and have a variety of existing specialized departments or functions ("risk functions") that identify and manage particular risks. However, each risk function varies in capability and how it coordinates with other risk functions. A central goal and challenge of ERM is improving this capability and coordination, while integrating the output to provide a unified picture of risk for stakeholders and improving the organization's ability to manage the risks effectively.

[edit] Typical risk functions The primary risk functions in large corporations that may participate in an ERM program typically include:

Strategic planning - identifies external threats and competitive opportunities, along with strategic initiatives to address them Marketing - understands the target customer to ensure product/service alignment with customer requirements Compliance & Ethics - monitors compliance with code of conduct and directs fraud investigations Accounting / Financial compliance - directs the Sarbanes-Oxley Section 302 and 404 assessment, which identifies financial reporting risks Law Department - manages litigation and analyzes emerging legal trends that may impact the organization Insurance - ensures the proper insurance coverage for the organization Treasury - ensures cash is sufficient to meet business needs, while managing risk related to commodity pricing or foreign exchange Operational Quality Assurance - verifies operational output is within tolerances Operations management - ensures the business runs day-to-day and that related barriers are surfaced for resolution Credit - ensures any credit provided to customers is appropriate to their ability to pay Customer service - ensures customer complaints are handled promptly and root causes are reported to operations for resolution Internal audit - evaluates the effectiveness of each of the above risk functions and recommends improvements

[edit] Common challenges in ERM implementation Various consulting firms offer suggestions for how to implement an ERM program.[11] Common topics and challenges include[12]:

Identifying executive sponsors for ERM. Establishing a common risk language or glossary. Describing the entity's risk appetite (i.e., risks it will and will not take) Identifying and describing the risks in a "risk inventory". Implementing a risk-ranking methodology to prioritize risks within and across functions. Establishing a risk committee and or Chief Risk Officer (CRO) to coordinate certain activities of the risk functions. Establishing ownership for particular risks and responses. Demonstrating the cost-benefit of the risk management effort. Developing action plans to ensure the risks are appropriately managed. Developing consolidated reporting for various stakeholders. Monitoring the results of actions taken to mitigate risk. Ensuring efficient risk coverage by internal auditors, consulting teams, and other evaluating entities. Developing a technical ERM framework for enterprise resource planning (ERP) platforms in large enterprises (such as SAP AG or Oracle Corporation).

[edit] Companies Increasingly Focusing on ERM It is clear that companies recognize ERM as a critical management issue. This is demonstrated through the prominence assigned to ERM within organizations and the resources devoted to building ERM capabilities. In a 2008 survey by Towers Perrin[13], at most life insurance companies, responsibility for ERM resides within the C-suite. Most often, the chief risk officer (CRO) or the chief financial officer (CFO) is in charge of ERM, and these individuals typically report directly to the chief executive officer. From their vantage point, the CRO and CFO are able to look across the organization and develop a perspective on the risk profile of the firm and how that profile matches its risk appetite. They act as drivers to improve skills, tools and processes for evaluating risks and to weigh various actions to manage those exposures. Companies are also actively enhancing their ERM tools and capabilities. Three quarters of responding companies said they have tools for specifically monitoring and managing enterprise-wide risk. These tools are used primarily for identifying and measuring risk and for management decision making. Respondents also reported that they have made good progress in building their ERM capabilities in certain areas.

In this study, more than 80% of respondents reported that they currently have adequate or better controls in place for most major risks. In addition, about 60% currently have a coordinated process for risk governance and include risk management in decision making to optimize risk adjusted returns.

[edit] ERM Credentials

[edit] The Chartered Enterprise Risk Analyst (CERA) Credential The Chartered Enterprise Risk Analyst (CERA) Credential [14] encompasses the most comprehensive and rigorous demonstration of enterprise risk management expertise available. Developed in response to the growing field of enterprise risk management, the CERA credential is the first new professional credential to be introduced by the Society of Actuaries (SOA) since 1949.

The CERA credential is founded in the same rigorous process through which actuaries earn their other credentials. CERAs are trained to apply both qualitative and quantitative insights to risk management, focusing on how operational risk, investment risk, strategic risk and reputational risk collectively impact an organization. Therefore, CERAs are qualified for such positions as risk analyst, risk manager and chief risk officer.

CERAs work in environments beyond insurance, reinsurance and the consulting markets, including broader financial services, energy, transportation, media, technology, manufacturing and healthcare.

Professionals need to spend approximately three to four years to complete the curriculum that combines basic actuarial science, ERM principles and professionalism. To earn the CERA credential, candidates must take five exams, fulfill an educational experience requirement, complete one online course, and attend one in-person course on professionalism.

The CERA credential curriculum includes:

Probability Financial mathematics Financial economics Micro and macro economics Construction of risk models Advanced finance and enterprise risk management Operational risk Professionalism All CERAs are members of the Society of Actuaries, the largest professional actuarial organization in the world. It is dedicated to serving its 19,000 members, and the public. The SOA's vision is for actuaries to be recognized as the leading professionals in the modeling and management of financial risk and contingent events. The SOA is committed to education, research and the profession.

[edit] References ^ COSO ERM Executive Summary ^ Risk and Insurance Management Society (RIMS) ^ Risk and Opportunity White Paper May 2008 ^ PCAOB Auditing Standard No 5 ^ NYSE Listing Standards Part 7d ^ S&P Ratings - Treasury & Risk Article ^ S&P ERM for Financial Institutions ^ S&P ERM FAQs ^ S&P ERM Announcement ^ Role of Internal Auditing in ERM ^ ERM Implementation Advice ^ ERM Frequently Asked Questions ^ Embedding Enterprise Risk Management ^ The Chartered Enterprise Risk Analyst (CERA) Credential

[edit] See also Benefit risk Cost risk credit risk Information quality management market risk Operational risk management Optimism bias Risk adjusted return on capital ISA 400 Risk Assessments and Internal Control SOX 404 top-down risk assessment Retrieved from "http://en.wikipedia.org/wiki/Enterprise_risk_management" Categories: Actuarial science | Auditing | Information technology audit