1 Bölgesel Rekabet Edebilirlik Operasyonel Programı’nın Uygulanması için Kurumsal Kapasitenin Oluşturulmasına Yönelik Teknik Yardım Technical Assistance on Institutional Building for the Implementation of RCOP in Turkey This project is co-financed by the European Union and the Republic of Turkey Risk management – Principles, Legal basis and Best practices Todor Yankulov,

2 This project is co-financed by the European Union and the Republic of Turkey 1.Risk Management purposes and principles 2.Risk Management in EC Regulations 3.Risk Management Best practices Content

3 This project is co-financed by the European Union and the Republic of Turkey Every entity, whether for-profit or not, exists to realize value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Risk management enables management to effectively deal with uncertainty and associated risk, enhancing the capacity to build value. Why Risk Management

4 This project is co-financed by the European Union and the Republic of Turkey Supporting strategic and operational planning Objectives are more likely to be achieved Damaging things will not happen or are less likely to happen Beneficially things will be or are more likely to be achieved Supporting effective use of resources Promoting continuous improvement Why Risk Management

5 This project is co-financed by the European Union and the Republic of Turkey “…a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” ERM COSO Framework Risk Management Definition

6 This project is co-financed by the European Union and the Republic of Turkey A process related with the objectives Dynamic process Process applied at every level of the organization Dealing with potential events Complex but not complicated Close cooperation wit Internal Audit function Risk Management principles

7 This project is co-financed by the European Union and the Republic of Turkey Able to provide reasonable assurance to an entity’s management and board of directors regarding the achievement of objectives Applied in strategy setting There must be objectives at place before identifying risks Objective related process

8 This project is co-financed by the European Union and the Republic of Turkey Important objective concepts Strategic and operational objectives must be consistent with each other Clearly defined goals - more easily identified risks Written down in relevant internal documents Clearly communicated and understood by all the staff Objective related process

9 This project is co-financed by the European Union and the Republic of Turkey Objectives are S.M.A.R.T. Specific – clearly specified, not general Measurable - units of accuracy, timeliness, quality, quantity, etc. used to determine progress and achievement. Attainable - the objective could be achieved with the available resources Relevant/Realistic - an objective that the goal-setter is willing and able to work towards Time-bound - a time frame, a target date is needed Objective related process

10 This project is co-financed by the European Union and the Republic of Turkey Linked to the constantly changing environment It is performed at a permanent basis in time and reflects the changes Continuous monitoring and updating Dynamic process

11 This project is co-financed by the European Union and the Republic of Turkey A process, ongoing and flowing through an entity Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Effected by people at every level of an organization Applied at every level of the organization

12 This project is co-financed by the European Union and the Republic of Turkey Risk - the possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. Facing uncertainty Subjectivity has to be accepted How big is the fear of the uncertainty / the appetite for opportunities – risk appetite Dealing with potential events

13 This project is co-financed by the European Union and the Republic of Turkey Covering multiple structures, policies and people Clear and effective procedures are needed Avoid unnecessary labeling – not to much terminology Complex but not complicated

14 This project is co-financed by the European Union and the Republic of Turkey IPPF 2120 – Risk Management - The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes. IPPF 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk. IPPF 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks. Close cooperation wit Internal Audit function

15 This project is co-financed by the European Union and the Republic of Turkey Understanding and commitment by management and employees To have strategic planning in the organization Strategic Plan to be developed into operational plans Resources to be provided, including the necessary information The internal auditor shall assess the risk management, identify and evaluate significant risks, support the board without taking responsibility or participating directly in management Conditions for successful risk management

16 This project is co-financed by the European Union and the Republic of Turkey Commission Regulation (EC) No 718/2007 Art. 11, p. 2 - the management and control systems set up in the beneficiary country shall provide for effective controls in at least the areas set out in the Annex. Annex 1 - Planning/risk management (planning of interventions) Legal Basis

17 This project is co-financed by the European Union and the Republic of Turkey Annex 1 - Planning/risk management (planning of interventions) Risk identification, assessment and management— ensuring that risks are identified and management, in particular that adequate control resources are applied in all areas, in function of the significance of different risks they mitigate. Legal Basis

18 This project is co-financed by the European Union and the Republic of Turkey Annex 1 - Planning/risk management (planning of interventions) Objective setting and allocation of resources against objectives — ensuring that appropriate (and measurable) objectives at output and impact level are established at all levels and understood throughout the organisation; ensuring that resources are appropriately allocated against those objectives respecting transparent sound financial management principles; ensuring that responsibility for those objectives is clear. Legal Basis

19 This project is co-financed by the European Union and the Republic of Turkey Annex 1 - Planning/risk management (planning of interventions) Planning of the implementation process — ensuring clear planning of steps needed to deliver objectives — including timing and responsibility for each step, and critical path analyses where necessary. Legal Basis

20 This project is co-financed by the European Union and the Republic of Turkey Issued by international professional (standardization) organizations Not obligatory but accepted by professionals (some cases receive official recognition by legal acts) ERM COSO Framework, Risk Management Standards (UK), ISO Framework Best practices frameworks

21 This project is co-financed by the European Union and the Republic of Turkey This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management. ERM COSO Framework

22 This project is co-financed by the European Union and the Republic of Turkey Eight components - all are interrelated ERM COSO Framework

23 This project is co-financed by the European Union and the Republic of Turkey Entity objectives can be viewed in the context of four categories: ERM COSO Framework

24 This project is co-financed by the European Union and the Republic of Turkey ERM considers activities at all levels of the organization: ERM COSO Framework

25 This project is co-financed by the European Union and the Republic of Turkey Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity’s risk culture. Considers all other aspects of how the organization’s actions may affect its risk culture. ERM Internal Environment

26 This project is co-financed by the European Union and the Republic of Turkey Is applied when management considers risks strategy in the setting of objectives. Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept. Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite. ERM Objective Setting

27 This project is co-financed by the European Union and the Republic of Turkey Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions. Include application and general information technology controls. ERM Control Activities

28 This project is co-financed by the European Union and the Republic of Turkey Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the organization. ERM Information & Communication

29 This project is co-financed by the European Union and the Republic of Turkey Effectiveness of the other ERM components is monitored through: Ongoing monitoring activities. Separate evaluations. A combination of the two. ERM Monitoring

30 This project is co-financed by the European Union and the Republic of Turkey Thank you for your attention! Questions/Discussions