Risk Management Newsletter
What Is Your Risk Management IQ?
Risk Management Overview
As the global economic crisis and the subsequent recovery linger on, many organizations have been forced to ponder the many risks lurking in their corridors, in their data center, or with third-party service providers. Perhaps it was an adverse event at one of their competitors that made the news and became a public relations nightmare. Or maybe it was an emerging industry trend that got the Board of Directors' attention. Maybe it is a new technological innovation that has the potential to be a disruptive competitive force. Perhaps it was a minor operational issue that escalated to catastrophic levels. Whatever the motivating factor, it appears that the discipline of risk management has come of age, or at least it has become part of the conversation in today's organizations.
But then, why are so many organizations hesitant to fully embrace enterprise risk management, or ERM as it is frequently called? Believe me! There is a significant difference between risk management and enterprise risk management (ERM). Risk management denotes a single risk mitigation activity.
What is Enterprise Risk Management (ERM)?
In contrast, ERM is a comprehensive and holistic enterprise-wide risk management activity. ERM is not an ad-hoc decision to conduct a risk assessment of the operational risks within your financial services enterprise after hearing about the recent incident at a leading capital markets firm whose trading platform went down unexpectedly. ERM is not conducting a one-off risk assessment of your data security after hearing about the multiple cyberattacks endured by some large Fortune 500 companies.
ERM is, rather, a centralized framework of procedures, tools, and methodologies that are used to identify, prioritize, remediate and monitor organizational risks and challenges. The primary objective of ERM is to provide timely and relevant risk data, and the related control mechanisms, in order to facilitate management decisions. These decisions are made by the Board of Directors, executive management and other stakeholders regarding the outcome of the risk mitigation strategies that were used in accordance with the risk appetite of the organization.
Risk Frameworks
The first step in designing and implementing a formal ERM
program is to identify a risk management framework that will
serve as a foundation for identifying and evaluating information.
The next step is to develop an implementation plan.
D. K. Hamilton
Table 1.2—COSO-ERM Framework
Table 1.1—Risk Management Overview
18 February 2015 Volume 2015-01-001
While there are many risk management frameworks available in the market, the most prevalent ones are ISO 31000 and COSO-ERM. COSO-ERM is a framework that assists the user with classifying risk management activities into four domains: (1) Strategic; (2) Compliance & Legal; (3) Operational; and (4) Reporting. ISO 31000 is a framework that is used to facilitate the development and implementation of an ERM program.
ERM Approach & Methodology
ISO 31000 categorizes the core risk management activities into
the following four phases:
1. Risk Identification
2. Risk Prioritization
3. Risk Mitigation
4. Risk Reporting
Risk Identification
Risk Identification is the first phase of the risk management process, and it involves identifying the risks and opportunities within a business organization, a governmental institution, a non-governmental entity, or a project. This process may be initiated by management surveys or by live, interactive workshops. In my opinion, the latter are more effective, since they usually involve having members of management in a single setting with a facilitator.
The objective is to obtain direct input from various levels of
management as to the population of risks and opportunities
within the organization. The key to success of this process is to
either have the implementation of the program supported by the
highest levels of management or a very influential person or
group within the organization.
Risk Prioritization
Next, the risk population will have to be systematically evaluated in order to prioritize the risks in terms of magnitude. The magnitude of a risk is determined by what we call the threat risk profile. The threat risk profile of each risk is a quantitative measure that is determined by the likelihood of a specific threat occurring and the business impact (should the threat indeed occur). For illustrative purposes, we have chosen a four-tiered threat risk profile, which includes the following risk classes, in order of severity:
• Class IV (Red)—Severe
• Class III (Orange)—Moderate
• Class II (Yellow)—Low
• Class I (Green)—Very Low
Risk Mitigation
The third step is to develop and implement a risk mitigation strategy in accordance with the organization's risk appetite. The graphic above illustrates that there are four generally accepted risk mitigation strategies that organizations may use:
1. Avoiding Risk—changing or re-designing the business process in order to change the risk pattern.
2. Sharing and Transferring Risk—mitigating the risk by entering into contractual relationships with third parties who accept and share part of the risk (e.g. insurance, outsourcing, etc.).
3. Diversifying Risk—mitigating the risk by allocating it over a number of separate operations (e.g. using multiple vendors for critical supply chain products and materials).
4. Accepting & Controlling Risk—the organization decides to allow and manage certain risks, and designs and implements control activities aimed at reducing the risk to an acceptable and tolerable level.
For the population of risks that the organization chooses to
accept and control, the next step is to design and implement the
control mechanisms. But first, the organization must conduct an
assessment of the current environment to identify the controls
that already exist to mitigate the risks.
The COSO Integrated Framework of 2013 (COSO 2013) is a good internal control framework that is ideal for facilitating the design, evaluation, and monitoring of internal controls. It is organized into five categories and seventeen control principles. The control categories are: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information & Communication; and (5) Monitoring. See Table 1.4 below for a summary of the key elements of the COSO 2013 framework.
Figure: the four-phase risk management process—Risk Identification, Risk Prioritisation, Risk Mitigation, Risk Reporting.
Table 1.3—Summary of Risk Mitigation Strategies
Risk Reporting & Monitoring
The last phase is to report on the status of the ERM activities and to monitor the risk profiles for any significant changes that may require remediation. Now, there are many tools available to facilitate reporting (e.g. Excel, DOMO, GRC systems, etc.); however, it is often best if all ERM activity is tracked and monitored via a centralized business application with robust reporting capabilities. Alternatively, you could use a GRC application and import the data into a separate reporting application.
You and your organization must decide on the frequency of the
periodic ERM reporting activities (e.g. monthly, quarterly,
annually, etc.). Regardless of the frequency of reporting, the
ERM reports must be consistent and tailored to the specific
audience. As an illustrative example and best practice, there
should be an executive dashboard that is available and
distributed to the executive management; quarterly and annual
updates from the business to the board; and monthly risk
roundtables by the various functional areas.
Risk Updates
Finally, on an annual basis, the existing risk profile must be
reviewed and evaluated to determine any changes therein. The
review should also encompass an evaluation of the lower rated
risks to ensure that their profiles have not changed. Last but not
least, an action plan should be developed and implemented to
remediate the highest level risks (e.g. Top 10 Risks, Top 5 Risks
& Top 5 Opportunities, etc.).
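The prioritization and annual-update steps above can be carried out mechanically once each risk carries a likelihood and an impact rating. The following Python example is added here to illustrate both passages; it is not code from the newsletter or from Strategic Risk Advisory Solutions. The scoring rule (likelihood multiplied by impact, each on an assumed 1 to 5 scale), the score bands that map onto the four classes, and the sample risk registers are all constructed assumptions for this example; the newsletter only states that the threat risk profile is derived from likelihood and business impact.

```python
"""Risk prioritization and annual profile re-evaluation for a small risk register.

Added example (not from the newsletter). Scales, score bands and sample data
are assumptions chosen for illustration.
"""
from dataclasses import dataclass

LIKELIHOOD_SCALE = range(1, 6)  # 1 = rare ... 5 = almost certain (assumed scale)
IMPACT_SCALE = range(1, 6)      # 1 = negligible ... 5 = catastrophic (assumed scale)

# Lower bound of the likelihood x impact score for each class. The four class
# names follow the newsletter; the cut-offs are an assumption for this example.
CLASS_BANDS = (
    (16, "Class IV (Red)"),
    (9, "Class III (Orange)"),
    (4, "Class II (Yellow)"),
    (1, "Class I (Green)"),
)


@dataclass(frozen=True)
class Risk:
    risk_id: str
    title: str
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        # Reject ratings outside the agreed scale so a typo cannot silently
        # inflate or hide a risk in the register.
        if self.likelihood not in LIKELIHOOD_SCALE or self.impact not in IMPACT_SCALE:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be in 1..5")

    @property
    def score(self) -> int:
        """Threat risk profile score: likelihood x impact (assumed rule)."""
        return self.likelihood * self.impact


def risk_class(score: int) -> str:
    """Map a score onto one of the four classes, most severe band first."""
    for floor, name in CLASS_BANDS:
        if score >= floor:
            return name
    raise ValueError(f"score {score} is below the lowest band")


def prioritize(register: list[Risk]) -> list[Risk]:
    """Order by score, then by impact, then by id so ties are deterministic."""
    return sorted(register, key=lambda r: (-r.score, -r.impact, r.risk_id))


def top_n(register: list[Risk], n: int) -> list[str]:
    """Ids of the n highest-rated risks, e.g. for a 'Top 10 Risks' action plan."""
    return [r.risk_id for r in prioritize(register)[:n]]


def class_counts(register: list[Risk]) -> dict[str, int]:
    """Number of risks per class, the data behind a threat risk profile chart."""
    counts = {name: 0 for _, name in CLASS_BANDS}
    for r in register:
        counts[risk_class(r.score)] += 1
    return counts


def profile_changes(previous: list[Risk], current: list[Risk]) -> list[tuple]:
    """Annual review: (id, old class, new class) for every risk whose class
    changed, plus risks that are new (old class None) or retired (new None).
    Lower-rated risks are compared too, so a quiet escalation is not missed."""
    prev = {r.risk_id: risk_class(r.score) for r in previous}
    curr = {r.risk_id: risk_class(r.score) for r in current}
    return [
        (rid, prev.get(rid), curr.get(rid))
        for rid in sorted(prev.keys() | curr.keys())
        if prev.get(rid) != curr.get(rid)
    ]


# Constructed sample registers for two consecutive annual assessments.
PRIOR_YEAR = [
    Risk("R-01", "Trading platform outage", 2, 5),
    Risk("R-02", "Third-party service provider data breach", 3, 5),
    Risk("R-04", "Office equipment failure", 1, 1),
    Risk("R-05", "Regulatory filing delay", 3, 3),
    Risk("R-06", "Key supplier insolvency", 2, 2),
]
CURRENT_YEAR = [
    Risk("R-01", "Trading platform outage", 3, 5),
    Risk("R-02", "Third-party service provider data breach", 4, 5),
    Risk("R-03", "Phishing of finance staff", 5, 3),
    Risk("R-04", "Office equipment failure", 2, 1),
    Risk("R-05", "Regulatory filing delay", 2, 3),
]

if __name__ == "__main__":
    for r in prioritize(CURRENT_YEAR):
        print(f"{r.risk_id} {r.score:>2} {risk_class(r.score):<20} {r.title}")
    print("Top 3:", top_n(CURRENT_YEAR, 3))
    print("Profile counts:", class_counts(CURRENT_YEAR))
    print("Changes since prior year:", profile_changes(PRIOR_YEAR, CURRENT_YEAR))
```

Two design points carry over to a real GRC system: the rating scale is enforced at the point of entry rather than at reporting time, and the annual comparison walks the union of both years' risk ids, so retired risks and new entries surface alongside class changes instead of disappearing from the report.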
Benefits of a Risk Management Program
There are many benefits to developing and implementing a formal ERM program, one of which is an overall improvement in the risk awareness culture of the organization. The mere process of going through the ERM implementation exercise improves overall risk awareness from the Board of Directors, to executive management, down through the tactical level, and finally to business operations. The most significant benefit, however, would be if members of the organization came to view ERM as something more than a compliance-oriented, "check-the-box" exercise.
Other noteworthy benefits to ERM include:
• Strategic Decision-management Tool—useful to assist members of an organization with executing the overall strategy of the organization, project, etc. while minimizing risks and maximizing opportunities.
• Improvement in Risk Culture—develops or enhances the risk culture within an organization.
• Integrated Risk Management Approach—a key benefit of an ERM program is that, when implemented, managed, and monitored correctly, the organization benefits from having a standardized methodology and approach for risk remediation, built on:
1. Risk Catalog—the existence of an enterprise-wide Risk Catalog, whereby all organizational risks and the corresponding opportunities are identified, prioritized, tested, remediated, tracked and monitored in a clear and consistent manner, ensures that everyone throughout the organization "speaks the same risk language".
2. GRC Application—a central repository system to record, track, monitor and report all risks and opportunities, and to record and track the current control activities and management actions (future controls), will enhance the overall operational efficiency and cost effectiveness of the program.
3. Internal Control Framework—the adoption of a uniform internal control framework (e.g. COSO 2013, Basel, etc.) ensures that all control activities are standardized and designed in a cohesive manner.
• Governance, Risk, and Compliance Cost Savings—an ERM program that is centrally managed using a GRC system may result in significant cost savings due to the elimination of redundant risk and compliance efforts from multiple risk and compliance activities and separate evaluations (external audits, internal audits, regulatory reviews, etc.).
Table 1.5—Threat Risk Profile (bar chart: number of risks per risk management class, Class I through Class IV)
Table 1.4—Summary of COSO Integrated Framework (2013)
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter

  • 1. Risk Management Newsletter What Is Your Risk Management IQ? Risk Management Overview As the global economic crisis and the subsequent recovery lingers on, many organizations have been forced to ponder the many risks lurking in their corridors, or in their data center, or with third party service providers. Perhaps it was an adverse event by one of their competitors that made the news and ended up becoming a public relations nightmare. Or maybe it was an emerging industry trend that got the Board of Directors’ attention? Maybe it is a new technological innovation that has the potential to be a disruptive competitive force? Perhaps it was a minor operational issue that escalated to catastrophic levels. Whatever the motivating factor, it appears that the discipline of risk management has come of age or at least, it has become part of the conversation in today’s organizations. But then, why are so many organizations hesitant to fully embrace enterprise risk management or ERM as it is frequently called. Believe me! There is a significant difference between risk management and enterprise risk management (ERM). Risk management denotes a single risk mitigation activity. What is Enterprise Risk Management (ERM)? In contrast, ERM is a comprehensive and holistic enterprise- wide risk management activity. ERM is not an ad-hoc decision to conduct a risk assessment of the operational risks within your financial services enterprise after hearing about the recent incident with a leading capital markets firm whose trading platform went down unexpectedly. ERM is not conducting a one-off risk assessment of your data security after hearing about the multiple cyberattacks endured by some large Fortune 500 companies. ERM is rather, a centralized framework of procedures, tools, and methodologies that are used to identify, prioritize, remediate and monitor organizational risks and challenges. 
The primary objective of ERM is to provide timely and relevant risk data and the related control mechanisms in order to facilitate management decisions. These decisions are made by the Board of directors, executive management and other stakeholders regarding the outcome of the risk mitigation strategies that were used in accordance with the risk appetite of the organization. Risk Frameworks The first step in designing and implementing a formal ERM program is to identify a risk management framework that will serve as a foundation for identifying and evaluating information. The next step is to develop an implementation plan. D. K. Hamilton Table 1.2—COSO-ERM Framework Table 1.1—Risk Management Overview 18 February 2015 Volume 2015-01-001
  • 2. While there are many risk management frameworks available in the market, the most prevalent ones are ISO 31000 and COSO- ERM. COSO-ERM is a framework that assists the user with classifying the risk management activities into four domains: (1) Strategic; (2) Compliance & Legal; (3) Operational; and (4) Reporting. ISO 31000 is a framework that is used to facilitate the development and implementation of an ERM program. ERM Approach & Methodology ISO 31000 categorizes the core risk management activities into the following four phases: 1. Risk Identification 2. Risk Prioritization 3. Risk Mitigation 4. Risk Reporting Risk Identification Risk Identification is the first phase of the risk management process and it involves identifying the risks and opportunities within a business organization, or a governmental institution, a non-governmental entity, or a project. This process may be initiated by a management surveys or by live, interactive workshops. In my opinion, the latter are more effective since they usually involves having members of management in a single setting with a facilitator. The objective is to obtain direct input from various levels of management as to the population of risks and opportunities within the organization. The key to success of this process is to either have the implementation of the program supported by the highest levels of management or a very influential person or group within the organization. Risk Prioritization Next, the risk population will have to be systematically evaluated in order to prioritize the risks in terms of magnitude. The magnitude of the risk is determined by what we call the threat risk profile. The threat risk profile of each risk is a quantitative measure that is determined by the likelihood of a specific threat occurring and the business impact (should the threat indeed occur). 
For illustrative purposes, we have chosen a four-tiered threat risk profile, which include the following risk classes, in order of severity: • Class IV (Red)—Severe • Class III (Orange)—Moderate • Class II (Yellow)—Low • Class I (Green)—Very Low Risk Mitigation The third step is to develop and implement a risk mitigation strategy in accordance with the organization’s risk appetite. The graphic above illustrates that there are four generally- accepted risk mitigation strategies that organizations may use: 1. Avoiding Risk—changing or re-designing the business process in order to change the risk pattern. 2. Sharing and Transferring Risk—mitigating the risk by entering into 3rd parties contractual relationships who accept and share part of the risk (e.g. insurance, outsourcing, etc.) 3. Diversifying Risk—risk mitigation by allocating the risk over a number of separate operations (e.g. using multiple vendors for critical supply chain products and materials). 4. Accepting & Controlling Risk—the organization decides to allow and manage certain risks and designs and implements control activities aimed at reducing the risk to an acceptable and tolerable level. For the population of risks that the organization chooses to accept and control, the next step is to design and implement the control mechanisms. But first, the organization must conduct an assessment of the current environment to identify the controls that already exist to mitigate the risks. The COSO Integrated Framework of 2013 (COSO 2013) is a good internal control framework that is ideal for facilitating the design, evaluation, and monitoring of internal controls. It is categorized into five categories and seventeen control principles. The control categories are: (1) Control Environment; (2) Risk Assessment; (3) Control Activities; (4) Information & Communication; and (5) Monitoring. See Table 1.4 below for a summary of the key elements of the COSO 2013 framework. 
[Graphic: RISK IDENTIFICATION | RISK PRIORITISATION | RISK MITIGATION | RISK REPORTING]
Table 1.3—Summary of Risk Mitigation Strategies
Risk Reporting & Monitoring

The last phase is to report on the status of the ERM activities and to monitor the risk profiles for any significant changes that may require remediation. There are many tools available to facilitate reporting (e.g. Excel, DOMO, GRC systems, etc.); however, it is often best if all ERM activity is tracked and monitored via a centralized business application with robust reporting capabilities. Alternatively, you could use a GRC application and import the data into a separate reporting application. You and your organization must decide on the frequency of the periodic ERM reporting activities (e.g. monthly, quarterly, annually, etc.). Regardless of the frequency of reporting, the ERM reports must be consistent and tailored to the specific audience. As an illustrative example and best practice, there should be an executive dashboard that is available and distributed to executive management; quarterly and annual updates from the business to the board; and monthly risk roundtables by the various functional areas.

Risk Updates

Finally, on an annual basis, the existing risk profile must be reviewed and evaluated to determine any changes therein. The review should also encompass an evaluation of the lower-rated risks to ensure that their profiles have not changed. Last but not least, an action plan should be developed and implemented to remediate the highest-level risks (e.g. Top 10 Risks, Top 5 Risks & Top 5 Opportunities, etc.).

Benefits of a Risk Management Program

There are many benefits to developing and implementing a formal ERM program, one of which is an overall improvement in the risk awareness culture of the organization. The mere process of going through the ERM implementation exercise improves the overall risk awareness from the Board of Directors, to executive management, down through the tactical level, and finally to the business operations.
The most significant benefit, however, would be if members of the organization viewed ERM as something more than a compliance-oriented, “check-the-box” exercise. Other noteworthy benefits of ERM include:
• Strategic Decision-Management Tool—useful to assist members of an organization with executing the overall strategy of the organization, project, etc. while minimizing risks and maximizing opportunities.
• Improvement in Risk Culture—develops or enhances the risk culture within an organization.
• Integrated Risk Management Approach—a key benefit of an ERM program is that, when implemented, managed, and monitored correctly, the organization benefits from having a standardized methodology and approach for remediation, namely:
1. Risk Catalog—the existence of an enterprise-wide Risk Catalog, whereby all organizational risks and the corresponding opportunities are identified, prioritized, tested, remediated, tracked and monitored in a clear and consistent manner, ensures that everyone throughout the organization “speaks the same risk language”.
2. GRC Application—a central repository system to record, track, monitor and report all risks and opportunities, and to record and track the current control activities and management actions (future controls), enhances the overall operational efficiency and cost effectiveness of the program.
3. Internal Control Framework—the adoption of a uniform internal control framework (e.g. COSO 2013, Basel, etc.) ensures that all control activities are standardized and designed in a cohesive manner.
• Governance, Risk, and Compliance Cost Savings—an ERM program that is centrally managed using a GRC system may result in significant cost savings due to the elimination of redundant risk and compliance efforts across multiple risk and compliance activities and separate evaluations (external audits, internal audits, regulatory reviews, etc.).
[Chart: Threat Risk Profile, No. of Risks per Risk Management Class: Class I 0, Class II 3, Class III 17, Class IV 17]
Table 1.5—Threat Risk Profile
Table 1.4—Summary of COSO Integrated Framework (2013)