The Risk Management Process
The Risk Management Process
• The Drivers
• Risk Analysis
• Risk Identification by Source
• Risk Impact
• Risk Assessment
• Risk Control and Treatment
• Internal Audit
KEY DRIVERS FOR ENTERPRISE RISK MANAGEMENT
Key Drivers for Enterprise Risk Management
• Risk Management Strategy
• Risk Ownership
• Risk Management Competency
• Decision Making
• Daily Operations
• Continuous Monitoring
• Periodic Monitoring
Risk Management Strategy
• The first step before starting with all the concepts that
come with risk management such as identification,
analysis, and mitigation, is to decide on the risk
management priorities of the organization.
• Along with the priorities, companies also need to gain
a better understanding of the following:
– Their business objective
– The approach they want to take toward risk management
– The risk governance structure they want to create
– Size and complexity of their business model
Risk Ownership
• The person who executes risk responses is often the
one who gets assigned with ownership of the risk. This
is not just about accountability.
• There are two roles in risk management:
– Head of risk management function:
• His role is to communicate, coordinate, and administer all the risk
management policies and processes of the company. He is also in
charge of ensuring that material risks are identified and mitigated by
the risk owners.
– Risk owner:
• He is the one who is actually in charge of managing risks and
reports to the head of the risk management function in the
organization.
• The risk owner should not be held responsible for
monitoring the effectiveness of the risk response. His
job is to make sure the risk response is adjusted within
the risk appetite of the domain he is in charge of.
Risk Management Competency
• There are four types of responsibilities that come
with risk management, which are:
– People in charge of risk governance
– People in charge of risk management
– People in charge of risk responses
– People in charge of reporting how effective the risk
responses were
• All four profiles in risk management need to be
trained appropriately so that they have the right
skillset and experience to perform their job roles
effectively.
Decision Making
• Making mistakes in the strategy formulation phase
itself can have a big impact on how effective the risk
management process is.
• A lot of risk management efforts are usually focused on
risks during and after the implementation of ERM but
forget the mistakes and risks in the strategic choices
made beforehand.
• Risk management should be applied while the
decision-making stage is underway so that all
employees have a thorough understanding of the risks
that come with each decision they make.
Daily Operations
• The risk management platform should be enterprise-
wide. This means it has to include all day-to-day
operations as well to ensure effective and efficient
execution.
• In fact, risk management procedures and policies
should become a part of training for all new employees
so that they join the company with an appropriate risk
culture.
• 66% of executives believe that the biggest priority for
financial institutions with an enterprise risk
management solution is the collaboration between
business units and the risk management function.
Continuous Monitoring
• Depending on the size and functions of the business
organizations, there should be processes in place that
are continuously monitoring the performance of the
enterprise risk management system.
• This will make sure reports on risk responses are going
to risk owners and people in charge of risk governance
in a timely manner.
• This is a very important key driver because it ensures
that the company stays within their risk appetite and is
always in line with all the regulatory policies.
Periodic Monitoring
• The biggest challenge for companies when it
comes to compliance is “continuing regulatory
change”.
• To ensure compliance with all the policies and
procedures, there needs to be an internal audit
with enough resources and skills that monitors all
processes periodically.
• The internal audit unit needs to have direct
access to the Audit Committee to ensure
everything is done above board.
Periodic Monitoring
• There has to be a collaboration between the
internal audit unit and the risk management unit.
• It is very important for the internal audit unit to
understand all key risk areas to improve their
reviews.
• The risk management unit needs to work with
the internal audit department to make sure that
all the necessary actions are being taken on time
and accurately.
Culture and Board Oversight
• There has to be a proper risk culture created
across the organization to ensure the effective
implementation of risk management.
• The upper management and the board of
directors need to work together to create
different guidelines so that there is a strong
risk culture environment created in the
company.
CONCLUSION
Effective risk management can only take
place when all departments of the company
are trained to assess and manage risks. They
need to work together to ensure the
company achieves its business objectives on
time and stays compliant throughout. These
drivers are important pillars of a successful
enterprise risk management
implementation.
RISK ANALYSIS
Continued…
• Risk analysis is the process of assessing the
likelihood of an adverse event occurring within
the corporate, government, or environmental
sector.
• Risk analysis is the study of the underlying
uncertainty of a given course of action and refers
to the uncertainty of forecasted cash flow
streams, the variance of portfolio or stock
returns, the probability of a project's success or
failure, and possible future economic states.
• Risk analysts often work in tandem with
forecasting professionals to minimize future
negative unforeseen effects.
Continued…
• Risk can be analysed using several approaches
including those that fall under the categories
of quantitative and qualitative.
• Risk analysis is still more of an art than a
science.
Understanding Risk Analysis
• A risk analyst starts by identifying what could
go wrong.
• The negative events that could occur are then
weighed against a probability metric to
measure the likelihood of the event occurring
• Finally, risk analysis attempts to estimate the
extent of the impact that will be made if the
event happens.
Quantitative Risk Analysis
• Risk analysis can be quantitative or qualitative.
• Under quantitative risk analysis, a risk model is built
using simulation or deterministic statistics to assign
numerical values to risk.
• Inputs that are mostly assumptions and random
variables are fed into a risk model.
• For any given range of input, the model generates a
range of output or outcome.
• The model is analyzed using graphs, scenario analysis,
and/or sensitivity analysis by risk managers to make
decisions to mitigate and deal with the risks.
Quantitative Risk Analysis
Continued…
• A Monte Carlo simulation can be used to generate a range of
possible outcomes of a decision made or action taken.
• The simulation is a quantitative technique that calculates results for
the random input variables repeatedly, using a different set of input
values each time.
• The resulting outcome from each input is recorded, and the final
result of the model is a probability distribution of all possible
outcomes.
• The outcomes can be summarized on a distribution graph showing
some measures of central tendency such as the mean and median,
and assessing the variability of the data through standard deviation
and variance.
• The outcomes can also be assessed using risk management tools
such as scenario analysis and sensitivity tables.
• A scenario analysis shows the best, middle, and worst outcome of
any event.
• Separating the different outcomes from best to worst provides a
reasonable spread of insight for a risk manager.
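The bullets above describe a Monte Carlo model in words; the following is an added example (not code from the slides or their author) that carries it through end to end. It assumes an annual-loss model in which the number of adverse events per year is Poisson-distributed and the loss per event is lognormal, parameterised from an assumed 10th/90th-percentile guess. Both distribution choices, the sampler, the 1.2816 z-score, and every number in the sample model are assumptions made for this example; the slides name no distributions or figures. The run is seeded so that it is reproducible, the summary reports the mean, median, standard deviation and variance, the best/middle/worst scenario is read off the 5th, 50th and 95th percentiles, and a sensitivity table re-runs the model with one input scaled.

```python
import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class LossModel:
    # All three inputs are assumptions supplied by the analyst, not page data.
    incidents_per_year: float  # expected frequency of the adverse event (Poisson mean)
    loss_low: float            # assumed 10th-percentile loss per incident
    loss_high: float           # assumed 90th-percentile loss per incident


def sample_poisson(lam, rng):
    """Knuth's method: number of incidents in one simulated year."""
    limit = math.exp(-lam)
    count, p = 0, 1.0
    while True:
        count += 1
        p *= rng.random()
        if p <= limit:
            return count - 1


def lognormal_params(low, high):
    """Map a 10th/90th-percentile guess onto lognormal mu and sigma.
    1.2816 is the z-score of the 90th percentile of a standard normal."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * 1.2816)
    return mu, sigma


def simulate_year(model, rng):
    """One trial: draw a random incident count, then a random loss per incident."""
    count = sample_poisson(model.incidents_per_year, rng)
    mu, sigma = lognormal_params(model.loss_low, model.loss_high)
    return sum(rng.lognormvariate(mu, sigma) for _ in range(count))


def run_simulation(model, iterations=10_000, seed=0):
    """Repeat the trial with a fresh set of random inputs each time and
    summarise the resulting distribution of annual loss."""
    rng = random.Random(seed)  # seeded so a run can be reproduced and audited
    samples = sorted(simulate_year(model, rng) for _ in range(iterations))

    def pct(q):
        return samples[min(len(samples) - 1, int(q * len(samples)))]

    return {
        "mean": statistics.fmean(samples),
        "median": statistics.median(samples),
        "stdev": statistics.pstdev(samples),
        "variance": statistics.pvariance(samples),
        "best": pct(0.05),    # optimistic scenario: 5th percentile
        "middle": pct(0.50),  # expected scenario: median
        "worst": pct(0.95),   # pessimistic scenario: 95th percentile
        "max": samples[-1],
    }


def sensitivity(model, field_name, multipliers, iterations=4_000, seed=0):
    """Sensitivity table: scale one input, hold the others, record the mean loss."""
    table = {}
    for m in multipliers:
        varied = replace(model, **{field_name: getattr(model, field_name) * m})
        table[m] = run_simulation(varied, iterations, seed)["mean"]
    return table


if __name__ == "__main__":
    # Constructed sample model; the figures are illustrative only.
    model = LossModel(incidents_per_year=2.0, loss_low=10_000, loss_high=200_000)
    for name, value in run_simulation(model).items():
        print(f"{name:>8}: {value:,.0f}")
    print("mean loss vs. frequency multiplier:",
          sensitivity(model, "incidents_per_year", [0.5, 1.0, 2.0]))
```

The scenario spread (best, middle, worst) is what a risk manager would read off the distribution graph the slide mentions; the sensitivity table shows which assumption moves the mean most and therefore deserves the most scrutiny when the inputs are challenged.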
Qualitative Risk Analysis
• Qualitative risk analysis is an analytical method that
does not identify and evaluate risks with numerical and
quantitative ratings.
• Qualitative analysis involves a written definition of the
uncertainties, an evaluation of the extent of the impact
(if the risk ensues), and countermeasure plans in the
case of a negative event occurring.
• Examples of qualitative risk tools include SWOT
Analysis, Cause and Effect diagrams, Decision Matrix,
Game Theory, etc.
• A firm that wants to measure the impact of a security
breach on its servers may use a qualitative risk
technique to help prepare it for any lost income that
may occur from a data breach.
RISK IDENTIFICATION BY SOURCE
Identifying risks is a key step in a proactive
risk management process.
Source: Description
Risk registers and risk reports: Provide a foundation for evaluating existing risks and their potential risk to an objective.
Issues log: Record of issues faced and the actions taken to resolve them. Any issues that were formally identified as risks should be analysed.
Audit reports: Independent view of adherence to regulatory guidelines including a review of compliance preparations, security policies, access controls and management of risks.
Business Impact Analysis (BIA): Detailed risk analysis that examines the nature and extent of disruptions and the likelihood of the resulting consequences.
Internal & external reviews: Reviews undertaken to evaluate the suitability, adequacy and effectiveness of the department’s systems, and to look for improvement opportunities.
Continued…
SWOT analysis (Strength, Weakness, Opportunity, Threats): Commonly used as a planning tool for analysing a business, its resources and its environment by looking at internal strengths and weaknesses; and opportunities and threats in the external environment.
PESTLE (Political, Economic, Sociological, Technological, Legal, Environmental): Commonly used as a planning tool to identify and categorise threats in the external environment (political, economic, social, technological, legal, environmental).
Brainstorming: Creative technique to gather risks spontaneously by group members. Group members verbally identify risks in a ‘no wrong answer’ environment. This technique provides the opportunity for group members to build on each other’s ideas.
Scenario analysis: Uses possible (often extreme) future events to anticipate how threats and opportunities might develop.
Surveys/Questionnaires: Gather data on risks. Surveys rely on the questions asked.
Continued…
One-on-one interviews: Discussions with stakeholders to identify/explore risk areas and detailed or sensitive information about the risk.
Stakeholder analysis: Process of identifying individuals or groups who have a vested interest in the objectives and ascertaining how to engage with them to better understand the objective and its associated uncertainties.
Working groups: Useful to surface detailed information about the risks, i.e. source, causes, consequences, stakeholders impacted, existing controls.
Corporate knowledge: A history of risks provides insight into future threats or opportunities through:
• Experiential knowledge
– collection of information that a person has obtained through their experience.
• Documented knowledge
– collection of information or data that has been documented about a particular subject.
• Lessons learned
– knowledge that has been organised into information that may be relevant to the different areas within the organisation.
Continued…
Process analysis: An approach that helps improve the performance of business activities by analysing current processes and making decisions on new improvements.
Other jurisdictions: Issues experienced and risks identified by other jurisdictions should be identified and evaluated. If it can happen to them, it can happen here.
What information should we collect during the risk identification step?
• Identifying risks involves considering what, when, why, where and how things can happen. More specifically:
What are the sources of risk or threat: the things which have the inherent potential to harm or facilitate harm.
What could happen: events or incidents that could occur whereby the source of risk or threat has an impact on the achievement of objectives.
Where: the physical locations/assets where the event could occur or where the direct or indirect consequences may be experienced.
When: specific times or time periods when the event is likely to occur and/or the consequences realised.
How: the manner or method in which the risk event or incident could occur.
Causes: what are the direct and indirect factors that create the source of risk or threat.
Business consequences: what would be the impact on objectives if the risk was realised.
Business areas/stakeholders affected: what parts of the organisation and what stakeholders might be involved or impacted?
Existing controls: a preliminary review of existing controls should be undertaken to identify
o What controls currently exist to minimise the likelihood and consequences of each risk?
o What vulnerabilities exist that could undermine the effectiveness of the controls?
Risk Impact
• Health and Safety
• Quality of Life
• Sustainability
• Financial
• Time
• Reputation
Basic form of the Risk Impact/Probability Chart
Low impact/low probability: Risks in the bottom left corner are low level, and you can often ignore them.
Low impact/high probability: Risks in the top left corner are of moderate importance – if these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they'll occur.
High impact/low probability: Risks in the bottom right corner are of high importance if they do occur, but they're very unlikely to happen. For these, however, you should do what you can to reduce the impact they'll have if they do occur, and you should have contingency plans in place just in case they do.
High impact/high probability: Risks towards the top right corner are of critical importance. These are your top priorities, and are risks that you must pay close attention to.
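The identification checklist (source, what could happen, where, when, how, causes, consequences, stakeholders, existing controls) and the impact/probability chart are two halves of one working artefact: a risk register that is first checked for completeness and then ranked. The block below is an added example, not code from the slides or their author, that joins the two. The field names, the 0..1 probability and impact scales, the 0.5 threshold that splits "low" from "high", the quadrant ranks and the sample entries are all assumptions made for this example; the slides give the quadrants and their guidance but no numeric scale.

```python
from dataclasses import dataclass, field

# Checklist fields from the "what information should we collect" slide.
IDENTIFICATION_FIELDS = ("source", "event", "where", "when", "how",
                         "causes", "consequences", "stakeholders")


@dataclass
class RiskEntry:
    name: str
    source: str = ""            # source of risk or threat
    event: str = ""             # what could happen
    where: str = ""             # locations/assets where it could occur
    when: str = ""              # time or period when it is likely
    how: str = ""               # manner or method
    causes: str = ""            # direct and indirect factors
    consequences: str = ""      # impact on objectives
    stakeholders: str = ""      # business areas / stakeholders affected
    existing_controls: list = field(default_factory=list)
    probability: float = 0.0    # assumed 0..1 scale
    impact: float = 0.0         # assumed 0..1 scale


# Chart quadrants keyed by (probability is high, impact is high), with the
# label, a priority rank (0 = treat first) and the guidance the slide gives.
QUADRANTS = {
    (False, False): ("low level", 3, "often acceptable; keep under review"),
    (True, False):  ("moderate", 2, "reduce the likelihood it occurs"),
    (False, True):  ("high", 1, "reduce the impact and prepare contingency plans"),
    (True, True):   ("critical", 0, "top priority; needs close attention"),
}


def missing_information(entry):
    """Identification fields left blank, plus a flag when no existing control
    has been recorded (the slide asks for a preliminary review of controls)."""
    gaps = [name for name in IDENTIFICATION_FIELDS if not getattr(entry, name).strip()]
    if not entry.existing_controls:
        gaps.append("existing_controls")
    return gaps


def classify(entry, threshold=0.5):
    """Place the entry in a chart quadrant, returning (label, rank, guidance)."""
    return QUADRANTS[(entry.probability >= threshold, entry.impact >= threshold)]


def prioritise(entries, threshold=0.5):
    """Order a register: critical quadrant first, then by probability x impact
    within a quadrant, so the top of the list is what to treat first."""
    return sorted(entries, key=lambda e: (classify(e, threshold)[1],
                                           -(e.probability * e.impact)))


if __name__ == "__main__":
    # Constructed sample register; every value is illustrative only.
    register = [
        RiskEntry("credential phishing", source="external attacker",
                  event="staff credentials reused against the SSO portal",
                  where="email, SSO portal", when="any time", how="credential harvesting",
                  causes="no phishing-resistant MFA", consequences="data breach, fines",
                  stakeholders="all business units, legal",
                  existing_controls=["mail filtering"], probability=0.8, impact=0.7),
        RiskEntry("internal wiki outage", source="ageing server", event="wiki unavailable",
                  where="office data centre", when="during maintenance",
                  how="hardware failure", causes="no redundancy",
                  consequences="lost productivity", stakeholders="engineering",
                  existing_controls=["nightly backup"], probability=0.6, impact=0.1),
        RiskEntry("ransomware on file servers", source="criminal group",
                  event="files encrypted", where="file servers", when="out of hours",
                  how="unpatched remote access", causes="slow patching",
                  consequences="operations halted for days",
                  stakeholders="operations, finance", probability=0.2, impact=0.9),
    ]
    for entry in prioritise(register):
        label, _, advice = classify(entry)
        print(f"{label:>9}: {entry.name} -> {advice}; gaps: {missing_information(entry)}")
```

Running the sample flags the ransomware entry for having no recorded existing controls, which is exactly the "what vulnerabilities exist that could undermine the controls" question the slide asks before any treatment decision is made.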
RISK CONTROL AND TREATMENT
Risk Controls
• Risk control is a plan-based business
strategy that aims to identify, assess,
and prepare for any dangers, hazards,
and other potentials for disaster—both
physical and figurative—that may
interfere with an organization's
operations and objectives.
Risk Controls
• There are three main types of internal controls:
– detective,
– preventative, and
– corrective.
• Controls are typically policies and procedures or technical
safeguards that are implemented to prevent problems and protect
the assets of an organization.
• All organizations are subject to threats occurring that unfavourably
impact the organization and affect asset loss. From innocent but
costly mistakes, to fraudulent manipulation, risks are present in
every business. Regardless of why it transpires, controls need to be
established to avoid or minimize loss to the organization.
• There are also limitations to these controls to consider, making it
essential to have on-going reviews and monitoring of your system.
Detective internal controls
• Detective internal controls are those controls that are used after the
fact of a discretionary event. Think of Sherlock Holmes, walking onto the
scene of an event, trying to piece together what happened.
• What caused the event to occur?
• What process failed that allowed the event to occur?
• Is there a policy that can be implemented to keep the
event from happening again in the future?
• Some examples of detective controls are internal
audits, reviews, reconciliations, financial reporting,
financial statements, and physical inventories.
Preventative internal controls
• Preventative internal controls are those controls put in place to avert a
negative event from occurring. For example, most applications have
checks and balances built-in to avoid or minimize entering incorrect
information. There are also physical controls or administrative preventive
controls, such as segregation of duties that are routinely performed by
companies.
• Assigning one person to write checks, and another staff member to
authorize the payments, are segregation of duties that fall under the
umbrella of preventative controls from an administrative standpoint.
Others, like video surveillance or posting security guards at entry points
verifying ID credentials and restricting access, are illustrative of physical
safeguards.
• Training programs, drug testing, firewalls, computer and server backups
are all types of preventative internal controls that avoid asset loss and
undesirable events from occurring.
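The two slides above distinguish a preventative control (the cheque-writer and the payment authoriser must be different people) from a detective control (a reconciliation run after the fact). As an added example that is not code from the slides, the block below implements both over constructed records: an authorisation step that refuses to record a payment approved by its own preparer, a ledger-to-bank-statement reconciliation that surfaces what does not match, and a historical check for payments where the segregation-of-duties rule was bypassed. The record layout, the names and amounts, and the 0.005 matching tolerance are assumptions made for this example.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Payment:
    payment_id: str
    amount: float
    written_by: str      # who prepared the cheque
    authorised_by: str   # who approved it ("" until authorised)


class SegregationOfDutiesError(Exception):
    """Raised when one person would both prepare and authorise a payment."""


def authorise_payment(payment, approver):
    """Preventative control (administrative): segregation of duties enforced
    at the moment of approval, so the bad state is never recorded."""
    if approver == payment.written_by:
        raise SegregationOfDutiesError(
            f"{approver} prepared {payment.payment_id} and may not authorise it")
    return replace(payment, authorised_by=approver)


def reconcile(ledger, bank_statement, tolerance=0.005):
    """Detective control: after the fact, match the payment ledger against the
    bank statement (a list of (payment_id, amount) pairs) and report what does
    not line up, so someone can ask which process failed."""
    ledger_amounts = {p.payment_id: p.amount for p in ledger}
    bank_amounts = dict(bank_statement)
    missing_from_bank = sorted(set(ledger_amounts) - set(bank_amounts))
    missing_from_ledger = sorted(set(bank_amounts) - set(ledger_amounts))
    mismatches = [
        (pid, ledger_amounts[pid], bank_amounts[pid])
        for pid in sorted(set(ledger_amounts) & set(bank_amounts))
        if abs(ledger_amounts[pid] - bank_amounts[pid]) > tolerance
    ]
    return missing_from_bank, missing_from_ledger, mismatches


def sod_violations(ledger):
    """Detective check over historical records: payments where the preparer
    also authorised, i.e. the preventative control above was bypassed."""
    return [p.payment_id for p in ledger if p.written_by == p.authorised_by]


if __name__ == "__main__":
    # Constructed sample data; names and amounts are illustrative only.
    ledger = [
        authorise_payment(Payment("P1", 100.00, "alice", ""), "bob"),
        Payment("P2", 250.00, "carol", "carol"),   # entered outside the control
        authorise_payment(Payment("P3", 75.00, "alice", ""), "dave"),
    ]
    bank = [("P1", 100.00), ("P2", 250.50), ("P4", 10.00)]
    print("missing from bank, missing from ledger, mismatches:", reconcile(ledger, bank))
    print("segregation-of-duties violations:", sod_violations(ledger))
    try:
        authorise_payment(Payment("P5", 40.00, "erin", ""), "erin")
    except SegregationOfDutiesError as err:
        print("blocked:", err)
```

The point of keeping both is the limitation the next slides spell out: a preventative control only covers the path it sits on, so P2, entered through another route, is only caught by the detective pass.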
Corrective internal controls
• Corrective internal controls are typically those
controls put in place after the detective
internal controls discover a problem. These
controls could include disciplinary action,
reports filed, software patches or
modifications, and new policies prohibiting
practices such as employee tailgating. They
are usually put into place after discovering the
reasons why the problem occurred in the first place.
Limitations of internal controls
• Unfortunately, processes and control activities are not
perfect, and mistakes and problems will be found. An on-
going review and analysis of the internal controls should be
part of any organization’s regular processes.
• When a problem occurs, it should be documented and
reviewed by those who can take the corrective actions
discussed above and improve the system.
• There will always be limitations with humans involved.
• People make mistakes and will often find weaknesses in the
control procedures, whether by accident or with intent.
• It’s important to keep this in mind when considering
internal controls.
RISK TREATMENT
Risk Treatment Strategy
• Avoidance
• Reduction
• Transfer
• Acceptance
• Sharing
Residual Risk
The residual risk is the amount of risk or danger associated with an action or event remaining after natural or inherent risks have been reduced by risk controls.
The general formula to calculate residual risk is where the general concept of risk is or, alternatively.
Residual risks are not particularly worrying, but organizations cannot completely ignore them and should address them through:
• Identification of relevant governance, risk, and compliance requirements.
• Recognition of existing risks.
• Determination of the strengths and weaknesses of the organization’s control framework.
• Planning for appropriate contingencies.
Secondary Risk
A secondary risk can be defined as a risk created by the response to another risk. In other words, the secondary risk is a consequence of dealing with the original risk.
What is the difference between
secondary and residual risks?
• Secondary risks are those that occur as a direct result of
implementing a risk response.
• On the other hand, it is expected that the residual risks will remain
after the expected risk response.
• The emergency plan is used to manage primary or secondary risks.
• The backup plan is used to manage residual risks. Note that if an
identified risk occurs, the emergency plan is implemented and, if it
becomes ineffective, the reserve plan is implemented.
• If residual risks and secondary risks do not require a response plan,
they will be monitored as they occur.
INTERNAL AUDIT
What is an Internal Audit?
• Internal audits evaluate a company’s internal
controls, including its corporate governance and
accounting processes.
• These audits ensure compliance with laws and
regulations and help to maintain accurate and
timely financial reporting and data collection.
• Internal audits also provide management with
the tools necessary to attain operational
efficiency by identifying problems and correcting
lapses before they are discovered in an external
audit.
Continued…
• An internal audit offers risk management and evaluates
the effectiveness of a company’s internal controls,
corporate governance, and accounting processes.
• Internal audits provide Management and Board of
Directors with a value-added service where flaws in a
process may be caught and corrected prior to external
audits.
• The tax/governance rules hold management
responsible for their financial statements by requiring
senior corporate officers to certify in writing that the
financials are accurately presented.
Internal Audit Process
• Internal auditors generally identify a
department, gather an understanding of the
current internal control process, conduct
fieldwork testing, follow up with department
staff about identified issues, prepare an
official audit report, review the audit report
with management, and follow up with
management and the board of directors as
needed to ensure recommendations have
been implemented.
Assessment Techniques
• Assessment techniques ensure an internal auditor
gathers a full understanding of the internal control
procedures and whether employees are complying
with internal control directives.
• To avoid disrupting the daily workflow, auditors begin
with indirect assessment techniques, such as reviewing
flowcharts, manuals, departmental control policies or
other existing documentation.
• If documented procedures are not being followed,
direct discussion with department staff may be
necessary.
Analysis Techniques
• Auditing fieldwork procedures can include
transaction matching, physical inventory
count, audit trail calculations, and account
reconciliation as is required by law.
• Analysis techniques may test random data or
target specific data, if an auditor believes an
internal control process needs to be improved.
Reporting Procedures
• Internal audit reporting includes a formal report and may include
a preliminary or memo-style interim report.
• An interim report typically includes sensitive or significant results
the auditor thinks the board of directors needs to know right
away.
• The final report includes a summary of the procedures and
techniques used for completing the audit, a description of audit
findings, and suggestions for improvements to internal controls
and control procedures.
• The formal report is reviewed with management and
recommendations for improvement are discussed.
• Follow up after a period of time is necessary to ensure the new
recommendations have been implemented and have improved
operating efficiency.
Questions

Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableSeo
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPanhandleOilandGas
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876dlhescort
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...allensay1
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Centuryrwgiffor
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLkapoorjyoti4444
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceDamini Dixit
 
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂EscortCall Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escortdlhescort
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfAdmir Softic
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwaitdaisycvs
 

Kürzlich hochgeladen (20)

The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
The Path to Product Excellence: Avoiding Common Pitfalls and Enhancing Commun...
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
Call Girls From Pari Chowk Greater Noida ❤️8448577510 ⊹Best Escorts Service I...
 
How to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League CityHow to Get Started in Social Media for Art League City
How to Get Started in Social Media for Art League City
 
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
Call Now ☎️🔝 9332606886🔝 Call Girls ❤ Service In Bhilwara Female Escorts Serv...
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service NoidaCall Girls In Noida 959961⊹3876 Independent Escort Service Noida
Call Girls In Noida 959961⊹3876 Independent Escort Service Noida
 
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
Call Girls Electronic City Just Call 👗 7737669865 👗 Top Class Call Girl Servi...
 
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service AvailableCall Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
Call Girls Ludhiana Just Call 98765-12871 Top Class Call Girl Service Available
 
Phases of Negotiation .pptx
 Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
PHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation FinalPHX May 2024 Corporate Presentation Final
PHX May 2024 Corporate Presentation Final
 
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
Cheap Rate Call Girls In Noida Sector 62 Metro 959961乂3876
 
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
Call Girls Service In Old Town Dubai ((0551707352)) Old Town Dubai Call Girl ...
 
Famous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st CenturyFamous Olympic Siblings from the 21st Century
Famous Olympic Siblings from the 21st Century
 
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRLWhitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
Whitefield CALL GIRL IN 98274*61493 ❤CALL GIRLS IN ESCORT SERVICE❤CALL GIRL
 
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort ServiceEluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
Eluru Call Girls Service ☎ ️93326-06886 ❤️‍🔥 Enjoy 24/7 Escort Service
 
Falcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in indiaFalcon Invoice Discounting platform in india
Falcon Invoice Discounting platform in india
 
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂EscortCall Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
Call Girls In Nangloi Rly Metro ꧂…….95996 … 13876 Enjoy ꧂Escort
 
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdfDr. Admir Softic_ presentation_Green Club_ENG.pdf
Dr. Admir Softic_ presentation_Green Club_ENG.pdf
 
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai KuwaitThe Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
The Abortion pills for sale in Qatar@Doha [+27737758557] []Deira Dubai Kuwait
 

Enterprise risk management process

The Risk Management Process
• The Drivers
• Risk Analysis
• Risk Identification by Source
• Risk Impact
• Risk Assessment
• Risk Control and Treatment
• Internal Audit

KEY DRIVERS FOR ENTERPRISE RISK MANAGEMENT

Key Drivers for Enterprise Risk Management
• Risk Management Strategy
• Risk Ownership
• Risk Management Competency
• Decision Making
• Daily Operations
• Continuous Monitoring
• Periodic Monitoring

Risk Management Strategy
• The first step, before starting on the concepts that come with risk management such as identification, analysis, and mitigation, is to decide on the risk management priorities of the organization.
• Along with the priorities, companies also need to gain a better understanding of the following:
– Their business objective
– The approach they want to take toward risk management
– The risk governance structure they want to create
– Size and complexity of their business model

Risk Ownership
• The person who executes risk responses is often the one who is assigned ownership of the risk. This is not just about accountability.
• There are two aspects to risk management:
– Head of risk management function:
• His role is to communicate, coordinate, and administer all the risk management policies and processes of the company. He is also in charge of the identification and mitigation of material risks by the risk owners.
– Risk owner:
• He is the one who is actually in charge of managing risks and reports to the head of the risk management function in the organization.
• The risk owner should not be held responsible for monitoring the effectiveness of the risk response. His job is to make sure the risk response keeps the domain he is in charge of within its risk appetite.

Risk Management Competency
• There are four types of responsibilities that come with risk management, which are:
– People in charge of risk governance
– People in charge of risk management
– People in charge of risk responses
– People in charge of reporting how effective the risk responses were
• All four profiles in risk management need to be trained appropriately so that they have the right skillset and experience to perform their job roles effectively.

Decision Making
• Mistakes made in the strategy formulation phase itself can have a big impact on how effective the risk management process is.
• A lot of risk management effort is usually focused on risks during and after the implementation of ERM, while forgetting the mistakes and risks in the strategic choices made beforehand.
• Risk management should be applied while the decision-making stage is underway so that all employees have a thorough understanding of the risks that come with each decision they make.

Daily Operations
• The risk management platform should be enterprise-wide. This means it has to include all day-to-day operations as well, to ensure effective and efficient execution.
• In fact, risk management procedures and policies should become a part of training for all new employees so that they join the company with an appropriate risk culture.
• 66% of executives believe that the biggest priority for financial institutions with an enterprise risk management solution is the collaboration between business units and the risk management function.

Continuous Monitoring
• Depending on the size and functions of the business organization, there should be processes in place that continuously monitor the performance of the enterprise risk management system.
• This will make sure reports on risk responses reach risk owners and the people in charge of risk governance in a timely manner.
• This is a very important key driver because it ensures that the company stays within its risk appetite and is always in line with all the regulatory policies.

Periodic Monitoring
• The biggest challenge for companies when it comes to compliance is "continuing regulatory change".
• To ensure compliance with all the policies and procedures, there needs to be an internal audit function with enough resources and skills that monitors all processes periodically.
• The internal audit unit needs to have direct access to the Audit Committee to ensure everything is done above board.

Periodic Monitoring
• There has to be collaboration between the internal audit unit and the risk management unit.
• It is very important for the internal audit unit to understand all key risk areas in order to improve its reviews.
• The risk management unit needs to work with the internal audit department to make sure that all the necessary actions are being taken on time and accurately.

Culture and Board Oversight
• A proper risk culture has to be created across the organization to ensure the effective implementation of risk management.
• Upper management and the board of directors need to work together to create guidelines so that a strong risk culture environment is created in the company.

CONCLUSION
Effective risk management can only take place when all departments of the company are trained to assess and manage risks. They need to work together to ensure the company achieves its business objectives on time and stays compliant throughout. These drivers are important pillars of a successful enterprise risk management implementation.
Continued…
• Risk analysis is the process of assessing the likelihood of an adverse event occurring within the corporate, government, or environmental sector.
• Risk analysis is the study of the underlying uncertainty of a given course of action and refers to the uncertainty of forecasted cash flow streams, the variance of portfolio or stock returns, the probability of a project's success or failure, and possible future economic states.
• Risk analysts often work in tandem with forecasting professionals to minimize unforeseen negative effects in the future.

Continued…
• Risk analysis is the process of assessing the likelihood of an adverse event occurring within the corporate, government, or environmental sector.
• Risk can be analysed using several approaches, including those that fall under the categories of quantitative and qualitative.
• Risk analysis is still more of an art than a science.

Understanding Risk Analysis
• A risk analyst starts by identifying what could go wrong.
• The negative events that could occur are then weighed against a probability metric to measure the likelihood of the event occurring.
• Finally, risk analysis attempts to estimate the extent of the impact that will be made if the event happens.

Quantitative Risk Analysis
• Risk analysis can be quantitative or qualitative.
• Under quantitative risk analysis, a risk model is built using simulation or deterministic statistics to assign numerical values to risk.
• Inputs that are mostly assumptions and random variables are fed into the risk model.
• For any given range of input, the model generates a range of outputs or outcomes.
• The model is analyzed using graphs, scenario analysis, and/or sensitivity analysis by risk managers to make decisions on mitigating and dealing with the risks.

Quantitative Risk Analysis Continued…
• A Monte Carlo simulation can be used to generate a range of possible outcomes of a decision made or action taken.
• The simulation is a quantitative technique that calculates results for the random input variables repeatedly, using a different set of input values each time.
• The resulting outcome from each input set is recorded, and the final result of the model is a probability distribution of all possible outcomes.
• The outcomes can be summarized on a distribution graph showing measures of central tendency such as the mean and median, and the variability of the data can be assessed through standard deviation and variance.
• The outcomes can also be assessed using risk management tools such as scenario analysis and sensitivity tables.
• A scenario analysis shows the best, middle, and worst outcome of any event.
• Separating the different outcomes from best to worst provides a reasonable spread of insight for a risk manager.
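The Monte Carlo procedure described in the two quantitative risk analysis slides, carried through end to end as an added example (it is not part of the original deck): random inputs are fed into a loss model repeatedly, every outcome is recorded, and the resulting distribution is summarized by mean, median, standard deviation and variance, then read through a best/middle/worst scenario analysis and a sensitivity table. The model itself, its input distributions (a Poisson incident count and a triangular per-incident loss) and all numeric values are constructed assumptions chosen for illustration.

```python
"""Monte Carlo risk model for an annual loss estimate.

Added example illustrating the quantitative risk analysis slides; it is not
from the original deck. The model, its input distributions and every numeric
value below are constructed assumptions, not figures from the page.
"""
from __future__ import annotations

import math
import random
import statistics
from dataclasses import dataclass, replace


@dataclass
class RiskModelInputs:
    """Assumed inputs (constructed): an incident rate and a per-incident loss range."""
    incidents_per_year_mean: float  # expected number of adverse events per year
    loss_min: float                 # smallest plausible loss per incident
    loss_mode: float                # most likely loss per incident (min <= mode <= max)
    loss_max: float                 # largest plausible loss per incident


def sample_incident_count(mean: float, rng: random.Random) -> int:
    """Draw a Poisson-distributed count (Knuth's method; random has no Poisson)."""
    threshold = math.exp(-mean)
    count, p = 0, rng.random()
    while p > threshold:
        count += 1
        p *= rng.random()
    return count


def sample_annual_loss(inputs: RiskModelInputs, rng: random.Random) -> float:
    """One model run: a random number of incidents, each with a random loss."""
    count = sample_incident_count(inputs.incidents_per_year_mean, rng)
    return sum(rng.triangular(inputs.loss_min, inputs.loss_max, inputs.loss_mode)
               for _ in range(count))


def simulate(inputs: RiskModelInputs, runs: int, seed: int = 1) -> list[float]:
    """Repeat the model with fresh random inputs; the list is the outcome distribution."""
    rng = random.Random(seed)  # seeded so a run can be reproduced and reviewed
    return [sample_annual_loss(inputs, rng) for _ in range(runs)]


def summarize(outcomes: list[float]) -> dict[str, float]:
    """Central tendency and variability of the simulated distribution."""
    return {
        "mean": statistics.fmean(outcomes),
        "median": statistics.median(outcomes),
        "stdev": statistics.pstdev(outcomes),
        "variance": statistics.pvariance(outcomes),
    }


def scenario_analysis(outcomes: list[float]) -> dict[str, float]:
    """Best, middle and worst outcome of the simulated year."""
    ordered = sorted(outcomes)
    return {"best": ordered[0],
            "middle": ordered[len(ordered) // 2],
            "worst": ordered[-1]}


def sensitivity_table(inputs: RiskModelInputs, runs: int, factor: float = 1.5,
                      seed: int = 1) -> dict[str, float]:
    """Scale each input by `factor` in turn and report the resulting mean loss.

    The inputs whose change moves the mean the most are the ones a risk
    manager should look at reducing first.
    """
    baseline = statistics.fmean(simulate(inputs, runs, seed))
    table = {"baseline": baseline}
    for name in ("incidents_per_year_mean", "loss_min", "loss_mode", "loss_max"):
        scaled = replace(inputs, **{name: getattr(inputs, name) * factor})
        table[name] = statistics.fmean(simulate(scaled, runs, seed))
    return table


if __name__ == "__main__":
    # Constructed assumptions: about 2 incidents a year, each costing
    # between 1,000 and 50,000 with 10,000 the most likely value.
    model = RiskModelInputs(2.0, 1_000.0, 10_000.0, 50_000.0)
    results = simulate(model, runs=5_000)
    print("summary    ", summarize(results))
    print("scenarios  ", scenario_analysis(results))
    print("sensitivity", sensitivity_table(model, runs=5_000))
```

With these assumptions the analytic expected annual loss is 2 × (1,000 + 10,000 + 50,000) / 3, about 40,667, which the simulated mean should approach as the number of runs grows.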
Qualitative Risk Analysis
• Qualitative risk analysis is an analytical method that does not identify and evaluate risks with numerical and quantitative ratings.
• Qualitative analysis involves a written definition of the uncertainties, an evaluation of the extent of the impact (if the risk ensues), and countermeasure plans in case a negative event occurs.
• Examples of qualitative risk tools include SWOT Analysis, Cause and Effect diagrams, Decision Matrix, Game Theory, etc.
• A firm that wants to measure the impact of a security breach on its servers may use a qualitative risk technique to help prepare it for any lost income that may result from a data breach.
Identifying risks is a key step in a proactive risk management process.
Source – Description
• Risk registers and risk reports – Provide a foundation for evaluating existing risks and their potential risk to an objective.
• Issues log – Record of issues faced and the actions taken to resolve them. Any issues that were formally identified as risks should be analysed.
• Audit reports – Independent view of adherence to regulatory guidelines, including a review of compliance preparations, security policies, access controls and management of risks.
• Business Impact Analysis (BIA) – Detailed risk analysis that examines the nature and extent of disruptions and the likelihood of the resulting consequences.
• Internal & external reviews – Reviews undertaken to evaluate the suitability, adequacy and effectiveness of the department's systems, and to look for improvement opportunities.

Continued…
• SWOT analysis (Strengths, Weaknesses, Opportunities, Threats) – Commonly used as a planning tool for analysing a business, its resources and its environment by looking at internal strengths and weaknesses, and opportunities and threats in the external environment.
• PESTLE (Political, Economic, Sociological, Technological, Legal, Environmental) – Commonly used as a planning tool to identify and categorise threats in the external environment (political, economic, social, technological, legal, environmental).
• Brainstorming – Creative technique to gather risks spontaneously from group members. Group members verbally identify risks in a 'no wrong answer' environment. This technique provides the opportunity for group members to build on each other's ideas.
• Scenario analysis – Uses possible (often extreme) future events to anticipate how threats and opportunities might develop.
• Surveys/Questionnaires – Gather data on risks. Surveys rely on the questions asked.

Continued…
• One-on-one interviews – Discussions with stakeholders to identify/explore risk areas and detailed or sensitive information about the risk.
• Stakeholder analysis – Process of identifying individuals or groups who have a vested interest in the objectives and ascertaining how to engage with them to better understand the objective and its associated uncertainties.
• Working groups – Useful to surface detailed information about the risks, i.e. source, causes, consequences, stakeholders impacted, existing controls.
• Corporate knowledge – The history of risks provides insight into future threats or opportunities through:
– Experiential knowledge – collection of information that a person has obtained through their experience.
– Documented knowledge – collection of information or data that has been documented about a particular subject.
– Lessons learned – knowledge that has been organised into information that may be relevant to the different areas within the organisation.

Continuation…
• Process analysis – An approach that helps improve the performance of business activities by analysing current processes and making decisions on new improvements.
• Other jurisdictions – Issues experienced and risks identified by other jurisdictions should be identified and evaluated. If it can happen to them, it can happen here.

What information should we collect during the risk identification step?
• Identifying risks involves considering what, when, why, where and how things can happen. More specifically:

• What are the sources of risk or threat – the things which have the inherent potential to harm or facilitate harm.
• What could happen – events or incidents that could occur whereby the source of risk or threat has an impact on the achievement of objectives.
• Where – the physical locations/assets where the event could occur or where the direct or indirect consequences may be experienced.
• When – specific times or time periods when the event is likely to occur and/or the consequences realised.
• How – the manner or method in which the risk event or incident could occur.
• Causes – what are the direct and indirect factors that create the source of risk or threat.
• Business consequences – what would be the impact on objectives if the risk was realised.
• Business areas/stakeholders affected – what parts of the organisation and what stakeholders might be involved or impacted?
• Existing controls – a preliminary review of existing controls should be undertaken to identify:
– What controls currently exist to minimise the likelihood and consequences of each risk?
– What vulnerabilities exist that could undermine the effectiveness of the controls?
Risk Impact
• Health and Safety
• Quality of Life
• Sustainability
• Financial
• Time
• Reputation

Basic form of the Risk Impact/Probability Chart
• Low impact/low probability – Risks in the bottom left corner are low level, and you can often ignore them.
• Low impact/high probability – Risks in the top left corner are of moderate importance: if these things happen, you can cope with them and move on. However, you should try to reduce the likelihood that they'll occur.
• High impact/low probability – Risks in the bottom right corner are of high importance if they do occur, but they're very unlikely to happen. For these, however, you should do what you can to reduce the impact they'll have if they do occur, and you should have contingency plans in place just in case they do.
• High impact/high probability – Risks towards the top right corner are of critical importance. These are your top priorities, and are risks that you must pay close attention to.
RISK CONTROL AND TREATMENT

Risk Controls
• Risk control is a plan-based business strategy that aims to identify, assess, and prepare for any dangers, hazards, and other potentials for disaster, both physical and figurative, that may interfere with an organization's operations and objectives.

Risk Controls
• There are three main types of internal controls:
– detective,
– preventative, and
– corrective.
• Controls are typically policies and procedures or technical safeguards that are implemented to prevent problems and protect the assets of an organization.
• All organizations are subject to threats that unfavourably impact the organization and cause asset loss. From innocent but costly mistakes to fraudulent manipulation, risks are present in every business. Regardless of why it transpires, controls need to be established to avoid or minimize loss to the organization.
• There are also limitations to these controls to consider, making it essential to have on-going reviews and monitoring of your system.

Detective internal controls
• Detective internal controls are those controls that are used after the fact of a discretionary event. Think of Sherlock Holmes walking onto the scene of an event, trying to piece together what happened.
• What caused the event to occur?
• What process failed that allowed the event to occur?
• Is there a policy that can be implemented to keep the event from happening again in the future?
• Some examples of detective controls are internal audits, reviews, reconciliations, financial reporting, financial statements, and physical inventories.

Preventative internal controls
• Preventative internal controls are those controls put in place to avert a negative event from occurring. For example, most applications have checks and balances built in to avoid or minimize entering incorrect information. There are also physical controls or administrative preventive controls, such as segregation of duties, that are routinely performed by companies.
• Assigning one person to write checks, and another staff member to authorize the payments, is a segregation of duties that falls under the umbrella of preventative controls from an administrative standpoint. Others, like video surveillance or posting security guards at entry points to verify ID credentials and restrict access, are illustrative of physical safeguards.
• Training programs, drug testing, firewalls, and computer and server backups are all types of preventative internal controls that keep asset loss and undesirable events from occurring.

Corrective internal controls
• Corrective internal controls are typically those controls put in place after the detective internal controls discover a problem. These controls could include disciplinary action, reports filed, software patches or modifications, and new policies prohibiting practices such as employee tailgating. They are usually put into place after discovering why the problems occurred in the first place.

Limitations of internal controls
• Unfortunately, processes and control activities are not perfect, and mistakes and problems will be found. An on-going review and analysis of the internal controls should be part of any organization's regular processes.
• When a problem occurs, it should be documented and reviewed by those who can take the corrective actions discussed above and improve the system.
• There will always be limitations when humans are involved.
• People make mistakes and will often find weaknesses in the control procedures, whether by accident or with intent.
• It's important to keep this in mind when considering internal controls.
Risk Treatment Strategy
• Avoidance
• Reduction
• Transfer
• Acceptance
• Sharing

Residual Risk
• The residual risk is the amount of risk or danger associated with an action or event that remains after natural or inherent risks have been reduced by risk controls.
• The general formula to calculate residual risk is where the general concept of risk is or, alternatively.
• residual risks are not particularly worrying, organizations cannot completely ignore them and should address them through:
– Identification of relevant governance, risk, and compliance requirements.
– Recognition of existing risks.
– Determination of the strengths and weaknesses of the organization's control framework.
– Planning for appropriate contingencies.
Secondary Risk
• A secondary risk can be defined as a risk created by the response to another risk. In other words, the secondary risk is a consequence of dealing with the original risk.

What is the difference between secondary and residual risks?
• Secondary risks are those that occur as a direct result of implementing a risk response.
• On the other hand, residual risks are those expected to remain after the planned risk response.
• The emergency plan is used to manage primary or secondary risks.
• The backup plan is used to manage residual risks. Note that if an identified risk occurs, the emergency plan is implemented and, if it proves ineffective, the reserve plan is implemented.
• If residual risks and secondary risks do not require a response plan, they are monitored as they occur.
What is an Internal Audit?
• Internal audits evaluate a company's internal controls, including its corporate governance and accounting processes.
• These audits ensure compliance with laws and regulations and help to maintain accurate and timely financial reporting and data collection.
• Internal audits also provide management with the tools necessary to attain operational efficiency by identifying problems and correcting lapses before they are discovered in an external audit.

Continuation…
• An internal audit offers risk management and evaluates the effectiveness of a company's internal controls, corporate governance, and accounting processes.
• Internal audits provide Management and the Board of Directors with a value-added service where flaws in a process may be caught and corrected prior to external audits.
• The tax/governance rules hold management responsible for their financial statements by requiring senior corporate officers to certify in writing that the financials are accurately presented.

Internal Audit Process
• Internal auditors generally identify a department, gather an understanding of the current internal control process, conduct fieldwork testing, follow up with department staff about identified issues, prepare an official audit report, review the audit report with management, and follow up with management and the board of directors as needed to ensure recommendations have been implemented.

Assessment Techniques
• Assessment techniques ensure an internal auditor gathers a full understanding of the internal control procedures and whether employees are complying with internal control directives.
• To avoid disrupting the daily workflow, auditors begin with indirect assessment techniques, such as reviewing flowcharts, manuals, departmental control policies or other existing documentation.
• If documented procedures are not being followed, direct discussion with department staff may be necessary.

Analysis Techniques
• Auditing fieldwork procedures can include transaction matching, physical inventory count, audit trail calculations, and account reconciliation as required by law.
• Analysis techniques may test random data or target specific data if an auditor believes an internal control process needs to be improved.

Reporting Procedures
• Internal audit reporting includes a formal report and may include a preliminary or memo-style interim report.
• An interim report typically includes sensitive or significant results the auditor thinks the board of directors needs to know right away.
• The final report includes a summary of the procedures and techniques used for completing the audit, a description of audit findings, and suggestions for improvements to internal controls and control procedures.
• The formal report is reviewed with management and recommendations for improvement are discussed.
• Follow-up after a period of time is necessary to ensure the new recommendations have been implemented and have improved operating efficiency.

Editor's notes

1. Companies should also have an assessment of all the required roles that need to be assigned for effective risk management. This will help in assigning responsibility both in-house and when outsourced.