ENTERPRISE RISK MANAGEMENT ISO 31000 - 2009 MOHAMAD HASSAN AK., MAFIS, QIA, CRMP, CRMA
ERM - ISO 31000
GETTING STARTED
Start ERM Implementation
Building a Framework
Obtain Mandate & Commitment
Design Framework
Implement, Monitor, & Improve System
IA Role in Getting Started
Building a Framework
a set of components that provide the foundations
and organizational arrangements for designing,
implementing, monitoring, reviewing, and
continually improving risk management
throughout the organization
Building a Framework
Design Framework
Implement ERM System
Monitor & Review ERM System
Continuously Improve ERM System
Obtain ERM Mandate and Commitment
Obtain ERM Mandate & Commitment
Define & endorse the risk management policy
Ensure the organization's culture and RM policy are aligned
Align RM objectives with organizational objectives & strategies
Determine RM performance indicators aligned with the organization's performance indicators
Assign accountabilities & responsibilities at appropriate levels within organization
Ensure necessary resources are allocated to risk management
Ensure legal and regulatory compliance
Communicate benefits of risk management to shareholders
Ensure framework for managing risk continues to remain appropriate
Some Considerations
Why are we choosing to implement ERM at this time?
Where do we start? What is our scope for implementation?
What outcome do we expect?
What does success look like?
How will we roll ERM out enterprise-wide?
Design ERM Framework (Designing Frameworks)
Understand the organization, its business, & context for ERM
Determine organizational positioning of ERM
Develop risk management policy
Assign accountability and authority
Allocate resources
Establish internal & external reporting mechanisms
Link ERM to performance appraisal process
Understanding the organization, its business, & the context for ERM
• External Factors:
– Social and cultural, political, legal, regulatory, financial, technological, economic, natural, & competitive environment (international, national, regional, or local).
– Key driver and trends affecting the objectives of the organization.
– Relationship with, and perception and values of, external stakeholders.
Understanding the organization, its business, & the context for ERM
• Internal Factors:
– Governance, organizational structure, roles, & responsibilities.
– Policies, objectives, and strategies in place to achieve them.
– Capabilities & knowledge (capital, time, people, processes, systems, and technologies).
– Information systems, information flows, & decision making process.
– Relationship with, and perceptions and values of, internal stakeholders.
– Organizational cultures.
– Standards, guidelines, and models adopted.
Determine organizational positioning of ERM
• No single best practice
• Challenges in perception:
– ERM reports too low in the organization; therefore it does not have senior management's full commitment.
– ERM focuses primarily on financial reporting risks and excludes other important areas of risk.
• Establish a risk committee
• Key considerations:
– Reporting line should be high enough
– Sufficient span of responsibility to oversee ERM activities
– Report directly to the board
Develop Risk Management Policy
• Important elements to include in the policy:
– Overall rationale and objectives for, and commitment to, implementing an effective ERM System.
– Governance responsibilities, including the board's tone and attitude.
– Application/scope across the organization
– Framework used to support the ERM approach
– Authority and responsibilities for overseeing and executing ERM System
– Commitment of Resources
– Key terms and definitions
– Limit and risk tolerance levels
– Risk management performance measures and metrics
– Expectations & practices to periodically review and update.
Implement, Monitor, & Improve ERM System
Implement
Monitor
Improve
INTERNAL AUDIT'S ROLE IN GETTING STARTED
• More experience, skill, & organizational perspective.
• Understand the value of ERM & push to get it implemented.
• Steps to avoid impairing objectivity: (1) the situation is well understood & agreed, (2) involve appropriate members of management as much as possible, (3) a formal plan should be developed, & (4) hire an outside resource for assurance
Lead ERM Implementation
• Implementing ERM; knowledge of what a good ERM system looks like.
• Conducting risk assessment; identifying, analyzing, & evaluating risks.
• Considering risk treatment options.
• Designing risk management activities.
• Determining next steps to make ERM sustainable.
Play Prominent Role
INTERNAL AUDIT'S ROLE IN GETTING STARTED
• Advisory services of ERM
• Facilitation of ERM Workshops
• Instructional Services
• Coaching management on the risk management process
• Championing establishment of ERM
Provide Consulting Support
• Giving assurance on the risk management process
• Giving assurance that risks are correctly evaluated
• Reviewing management of key risks
• Evaluating reporting of key risks
• Evaluating the risk management process
Provide Assurance on Implementation