ENTERPRISE RISK MANAGEMENT ISO 31000 - 2009 MOHAMAD HASSAN AK., MAFIS, QIA, CRMP, CRMA
Page 1

ENTERPRISE RISK MANAGEMENT ISO 31000 - 2009

MOHAMAD HASSAN AK., MAFIS, QIA, CRMP, CRMA

Page 2

ERM - ISO 31000

Page 3

GETTING STARTED

Start ERM Implementation

Building a Framework

Obtain Mandate & Commitment

Design Framework

Implement, Monitor, & Improve System

IA Role in Getting Started

Page 4

Building a Framework

A set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.

Page 5

Building a Framework

Design Framework

Implement ERM System

Monitor & Review ERM System

Continuously Improve ERM System

Obtain ERM Mandate and Commitment

Page 6

Obtain ERM Mandate & Commitment

Define & endorse the risk management policy

Ensure the organization’s culture and RM policy are aligned

Align RM objectives with the organization’s objectives & strategies

Ensure RM performance indicators align with the organization’s performance indicators

Assign accountabilities & responsibilities at appropriate levels within organization

Ensure necessary resources are allocated to risk management

Ensure legal and regulatory compliance

Communicate benefits of risk management to shareholders

Ensure framework for managing risk continues to remain appropriate

Page 7

Some Considerations

Why are we choosing to implement ERM at this time?

Where do we start? What is our scope for implementation?

What outcome do we expect?

What does success look like?

How will we roll ERM out enterprise-wide?

Page 8

Design ERM Framework

Designing Frameworks

Understand the organization, its business, & context for ERM

Determine organizational positioning of ERM

Develop risk management policy

Assign accountability and authority

Allocate resources

Establish internal & external reporting mechanisms

Link ERM to performance appraisal process

Page 9

Understanding the organization, its business, & the context for ERM

• External Factors:

– Social and cultural, political, legal, regulatory, financial, technological, economic, natural, & competitive environment (international, national, regional, or local).

– Key drivers and trends affecting the objectives of the organization.

– Relationship with, and perception and values of, external stakeholders.

Page 10

Understanding the organization, its business, & the context for ERM

• Internal Factors:

– Governance, organizational structure, roles, & responsibilities.

– Policies, objectives, and strategies in place to achieve them.

– Capabilities & knowledge (capital, time, people, processes, systems, and technologies).

– Information systems, information flows, & decision-making process.

– Relationship with, and perceptions and values of, internal stakeholders.

– Organizational cultures.

– Standards, guidelines, and models adopted.

Page 11

Determine organizational positioning of ERM

• No single best practice

• Challenges in perception:

– ERM reports too low in the organization and therefore lacks senior management’s full commitment.

– ERM focuses primarily on financial reporting risks and excludes other important areas of risk.

• Establish a risk committee

• Key considerations:

– Reporting line should be high enough

– Sufficient span of responsibility to oversee ERM activities

– Report directly to the board

Page 12

Develop Risk Management Policy

• Important elements to include in the policy:

– Overall rationale and objectives for, and commitment to, implementing an effective ERM System.

– Governance responsibilities, including the board’s tone and attitude.

– Application/scope across the organization

– Framework used to support the ERM approach

– Authority and responsibilities for overseeing and executing ERM System

– Commitment of Resources

– Key terms and definitions

– Risk limits and risk tolerance levels

– Risk management performance measures and metrics

– Expectations & practices to periodically review and update.

Page 13

Implement, Monitor, & Improve ERM System

Implement

Monitor

Improve

Page 14

INTERNAL AUDIT’S ROLE IN GETTING STARTED

Lead ERM Implementation

• More experience, skill, & organizational perspective.

• Understand the value of ERM & push for its implementation.

• Steps to avoid impairing objectivity: (1) the situation is well understood & agreed, (2) involve appropriate members of management as much as possible, (3) a formal plan should be developed, & (4) hire an outside resource for assurance.

Play a Prominent Role

• Implementing ERM; knowledge of what a good ERM system looks like.

• Conducting risk assessment; identifying, analyzing, & evaluating risks.

• Considering risk treatment options.

• Designing risk management activities.

• Determining next steps to make ERM sustainable.

Page 15

INTERNAL AUDIT’S ROLE IN GETTING STARTED

Provide Consulting Support

• Advisory services on ERM

• Facilitation of ERM workshops

• Instructional services

• Coaching management on the risk management process

• Championing the establishment of ERM

Provide Assurance on Implementation

• Giving assurance on the risk management process

• Giving assurance that risks are correctly evaluated

• Reviewing management of key risks

• Evaluating reporting of key risks

• Evaluating the risk management process