Resource description
Applying COSO's Enterprise Risk Management Integrated Framework
September 29, 2004

Today's organizations are concerned about:
- Risk Management
- Governance
- Control
- Assurance (and Consulting)

ERM Defined:
"... a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
- Every entity, whether for-profit or not, exists to realize value for its stakeholders.
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
- Deal effectively with potential future events that create uncertainty.
- Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Enterprise Risk Management Integrated Framework

The ERM Framework
Entity objectives can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

The ERM Framework
ERM considers activities at all levels of the organization:
- Enterprise-level
- Division or subsidiary
- Business unit processes

The ERM Framework
Enterprise risk management requires an entity to take a portfolio view of risk.
- Management considers how individual risks interrelate.
- Management develops a portfolio view from two perspectives:
  - Business unit level
  - Entity level

The ERM Framework
The eight components of the framework are interrelated.

The ERM Framework: Internal Environment
- Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
- Establishes the entity's risk culture.
- Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
- Is applied when management considers risk strategy in the setting of objectives.
- Forms the risk appetite of the entity, a high-level view of how much risk management and the board are willing to accept.
- Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
- Differentiates risks and opportunities.
- Events that may have a negative impact represent risks.
- Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
- Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
- Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
- Allows an entity to understand the extent to which potential events might impact objectives.
- Assesses risks from two perspectives:
  - Likelihood
  - Impact
- Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
- Employs a combination of both qualitative and quantitative risk assessment methodologies.
- Relates time horizons to objective horizons.
- Assesses risk on both an inherent and a residual basis.

Risk Response
- Identifies and evaluates possible responses to risk.
- Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
- Selects and executes the response based on evaluation of the portfolio of risks and responses.

Control Activities
- Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
- Occur throughout the organization, at all levels and in all functions.
- Include application and general information technology controls.

Information & Communication
- Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities.
- Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
- Ongoing monitoring activities.
- Separate evaluations.
- A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control Integrated Framework
- Expands and elaborates on elements of internal control as set out in COSO's "control framework."
- Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
- Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
- Management
- The board of directors
- Risk officers
- Internal auditors

Internal Auditors
- Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
- Assist management and the board or audit committee in the process by