Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte.

Presentation transcript:

Copyright: Internal Auditing: Assurance and Advisory Services, by The Institute of Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, Florida U.S.A.

Chapter 4 Risk Management

Chapter 4 Learning Objectives
- Define risk and enterprise risk management.
- Discuss the different dimensions of the Committee of Sponsoring Organizations of the Treadway Commission's Enterprise Risk Management - Integrated Framework.
- Discuss the different dimensions of ISO 31000:2009(E): Risk management - Principles and guidance.
- Articulate the relationship between governance and enterprise risk management.
- Describe the different roles the internal audit function can play in enterprise risk management.
- Evaluate the impact of enterprise risk management on internal audit activities.

What is risk?
Risk – the possibility that an event will occur and adversely affect the achievement of an objective.
Because each organization has somewhat different strategies and objectives, each organization will also face different types of risks.
Risk does not represent the most likely outcome but rather a range of possible outcomes.
In 2004, COSO published its ERM – Integrated Framework (the "Rubik's Cube").

Enterprise Risk Management (ERM)
A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

True or False?
1. ERM is a process, ongoing and flowing through an entity. (T / F)
2. ERM is effected by the BOD and CEO only. (T / F)
3. ERM is applied across the enterprise, at every level and unit, and includes an entity-level portfolio view of risk. (T / F)
4. ERM is able to provide absolute assurance to management and the BOD. (T / F)

Which of the following is NOT a potential value driver for implementing ERM?
a. Financial results will improve in the short run
b. There will be fewer surprises from year to year
c. There will be better information available to make risk decisions
d. An organization's risk appetite can be better aligned with strategic planning
e. Critical assets can be deployed more effectively

Components of ERM: (RQ 5)
1. Internal environment – is influenced by the risk management philosophy, risk appetite, the BOD, integrity and ethical values, commitment to competence, organizational structure, assignment of authority and responsibility, and human resource standards.

According to COSO ERM, all of the following are elements of an entity's internal environment EXCEPT for:
a. Setting organizational objectives
b. Establishing the risk appetite
c. Developing human resource standards
d. Assigning authority and responsibility
e. Having predominantly independent directors on the board

Components of ERM: (RQ 5)
2. Objective setting – objectives are aligned with the entity's risk appetite, which drives risk tolerance levels for the entity. Recall that there are 4 types of objectives: (RQ 4)
- Strategic Objectives: high-level goals that are aligned with and support the organization's mission.
- Operations Objectives: broad goals promoting the effective and efficient use of resources.
- Reporting Objectives: goals focusing on the reliability of reporting (both internal and external).
- Compliance Objectives: goals enforcing compliance with applicable laws and regulations.

Components of ERM: (RQ 5)
3. Event Identification – external factors include economic, natural environment, political, social, and technological; internal factors include infrastructure, personnel, process, and technology.

Components of ERM: (RQ 5)
4. Risk Assessment – management assesses events from two perspectives – likelihood and impact – and normally uses a combination of qualitative and quantitative methods. Inherent risk is "gross risk" before any management actions, while residual risk is the "net risk" after appropriate controls have been put into place. Risk assessment should be applied first to inherent risks.

Components of ERM: (RQ 5)
A generic business risk framework looks at four types of risk:
- Strategic Risks – risks that relate to doing the wrong things
- Operating Risks – risks that relate to doing the right things (badly)
- Financial Risks – risks that relate to losing financial resources or incurring unacceptable liabilities
- Information Risks – risks that relate to inaccurate or non-relevant information, unreliable systems, and inaccurate or misleading reports

Components of ERM: (RQ 5)
5. Risk Response – terminate, treat, transfer, take. (RQ 6)
In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a risk response that brings residual risk within desired risk tolerances.
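The risk assessment and risk response steps above, worked through as a small risk register. This is an added example, not material from the textbook or COSO: it assumes 1-5 ordinal likelihood and impact scales, a tolerance ceiling derived from the risk appetite, and a constructed set of hypothetical security-related events. It scores inherent (gross) risk first, then derives residual (net) risk from the chosen response and flags any risk the response still leaves above tolerance.

```python
"""Constructed risk register for the COSO ERM assessment/response steps.
Inherent risk = likelihood x impact (gross, before management action).
Residual risk = what remains after the chosen response is credited."""
from dataclasses import dataclass

SCALE_MAX = 5  # assumed 1..5 ordinal scales (a common 5x5 matrix convention)
VALID_RESPONSES = {"terminate", "treat", "transfer", "take"}


@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    response: str     # one of the four T's
    reduction: float  # 0..1 fraction removed by the response (treat/transfer)


def inherent_score(r: Risk) -> int:
    """Gross risk before any management action."""
    if not (1 <= r.likelihood <= SCALE_MAX and 1 <= r.impact <= SCALE_MAX):
        raise ValueError(f"{r.name}: likelihood/impact must be 1..{SCALE_MAX}")
    return r.likelihood * r.impact


def residual_score(r: Risk) -> float:
    """Net risk after the response. Assumed model: 'treat' lowers likelihood,
    'transfer' lowers the impact retained, 'terminate' removes the exposure,
    'take' accepts the inherent risk unchanged."""
    if r.response not in VALID_RESPONSES:
        raise ValueError(f"{r.name}: unknown response {r.response!r}")
    if not 0.0 <= r.reduction <= 1.0:
        raise ValueError(f"{r.name}: reduction must be 0..1")
    if r.response == "terminate":
        return 0.0
    if r.response == "take":
        return float(inherent_score(r))
    if r.response == "treat":
        return r.likelihood * (1 - r.reduction) * r.impact
    return r.likelihood * (r.impact * (1 - r.reduction))  # transfer


def rank_by_inherent(register):
    """Assessment is applied to inherent risk first: highest gross risk on top."""
    return [r.name for r in sorted(register, key=inherent_score, reverse=True)]


def outside_tolerance(register, tolerance: float):
    """Risks whose residual score still exceeds tolerance: the chosen
    response does not bring them within the risk appetite and needs rework."""
    return [r.name for r in register if residual_score(r) > tolerance]


# Constructed sample register (hypothetical events, not from the chapter).
REGISTER = [
    Risk("Unpatched internet-facing server", 4, 5, "treat", 0.75),
    Risk("Third-party data breach", 3, 4, "transfer", 0.5),   # insured share
    Risk("Legacy file-share exposure", 5, 3, "terminate", 0.0),
    Risk("Phishing of junior staff", 5, 2, "take", 0.0),
]
TOLERANCE = 6.0  # assumed ceiling set by the risk appetite

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.name:34} inherent={inherent_score(r):2} residual={residual_score(r):5.2f}")
    print("assess first:", rank_by_inherent(REGISTER))
    print("response needs rework:", outside_tolerance(REGISTER, TOLERANCE))
```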

Example
Dr. Heath has a 22-year-old step-son who has wrecked four cars in four years. She is dissatisfied with this situation and has come to you for advice. You recognize the risk that her step-son's driving entails. What four responses to this risk can you think of to help Dr. Heath with this situation?
- List one from each of the four categories of risk response: terminate (avoidance), treat (reduction), transfer (sharing), and take (acceptance).

Which of the following is NOT an example of a risk-sharing strategy?
a. outsourcing a non-core, high-risk area
b. selling a non-strategic business unit
c. hedging against interest rate fluctuations
d. buying an insurance policy to protect against adverse weather

Components of ERM: (RQ 5)
6. Control Activities – the policies and procedures that help ensure that management's risk responses are carried out; they include top-level reviews, direct functional or activity management, information processing, physical controls, performance indicators, and segregation of duties.

Components of ERM: (RQ 5)
7. Information and Communication – pertinent information must be identified, captured, and communicated in a form and time frame that will enable personnel to carry out their responsibilities.
- Examples: policy manuals, memorandum, s, bulletin board notices…

Components of ERM: (RQ 5)
8. Monitoring – involves assessing the presence and functioning of ERM components over time. It is accomplished through ongoing monitoring or separate evaluations.

Exhibit 4-2

Exhibit 4-3

Example
Mary is a junior in high school and lives 5 miles from school. She knows that if she attends every summer weights session, she will gain the respect of the coach. Summer weights are at 6:00 a.m. Mary's car is old and the gas gauge has started to mess up. She is never quite sure how much gas she has in the tank once the gauge reads less than a quarter of a tank of gas. She fills up the car often in order to avoid running out of gas. It is very important to Mary that she make the varsity volleyball team.

Example
- What is Mary's objective?
- What is Mary's strategy?
- What is the risk that threatens the achievement of Mary's objective?
- What control has Mary put in place to mitigate the risk?

Roles and Responsibilities of ERM:
1. Board of Directors – the BOD provides oversight by knowing the extent to which management has established effective ERM in the organization, being aware of and concurring with the entity's risk appetite, reviewing the entity's portfolio view of risk and considering it against the entity's risk appetite, and being apprised of the most significant risks and whether management is responding appropriately.

Roles and Responsibilities of ERM:
2. Management – is responsible for all activities of an entity, including ERM. The CEO has ultimate responsibility for ERM. One of the most important aspects of this responsibility is ensuring the presence of a positive internal environment. The CEO sets the tone at the top, influences the composition and conduct of the board, provides leadership and direction to senior managers, and monitors the entity's overall risk activities in relation to its risk appetite.

Roles and Responsibilities of ERM:
3. Risk officer – has the resources to help effect ERM across the organization.
4. Financial executives – implement the controls.
5. Internal Auditors – play a key role in evaluating the effectiveness of, and recommending improvements to, ERM.

Roles and Responsibilities of ERM:
6. Other Entity Personnel – ERM is, to some degree, the responsibility of everyone in an entity.
7. External Auditors – provide a unique, independent, and objective view that can contribute to an entity's achievement of its external financial reporting objectives, as well as other objectives.
8. Legislators and Regulators – through requirements to establish risk management mechanisms or systems of internal controls, or through examinations of particular entities.

Who is responsible for implementing ERM?
a. the chief financial officer
b. the chief internal auditor
c. the chief compliance officer
d. the external auditor
e. management throughout the organization

Exhibit 4-4

Exhibit 4-1

Exhibit 4-5