Professional Documents
Culture Documents
_CMA Part 2 Sec D PPT 1 - Risk Management
_CMA Part 2 Sec D PPT 1 - Risk Management
Risk Management
Section D
1
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk
2
Copyright Reserved By EMERGE Management Training Center - CMA Review
Value at Risk
• Maximum loss within a given period of time and
given a specified probability.
• Quantifies market risk and its prospective.
• Characteristics:
Application - -any portfolio – mark to market
performance - not applicable to real estate or
illiquid.
Time frame / Horizon – specified period of time,
day, week and month.
Base currency – any currency
Measurement – summarized portfolio market risk
3
with a single number.
Copyright Reserved By EMERGE Management Training Center - CMA Review
Method
Historical – assumes history repeats itself.
4
Copyright Reserved By EMERGE Management Training Center - CMA Review
Hazard: Natural Disaster
5
Copyright Reserved By EMERGE Management Training Center - CMA Review
COSO type of Risk
• Strategic
• Operational
• Reporting
• Compliance
6
Copyright Reserved By EMERGE Management Training Center - CMA Review
Process
• Risk Assessment
• Risk Identification
• Risk Response
• Risk Management
7
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Assessment
• Forward-looking
• Anything that can prevent organizational
objectives.
• Can be internal / external
• Could defeat internal control structure
• Compromise assets
• Diminish financial viability
• Quantitative and qualitative factors to prioritize
• Maximum possible loss
• Function of management attitude to risk:
– Averse – Seeker - Neutral 8
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Identification
As many threats without evaluation
9
Copyright Reserved By EMERGE Management Training Center - CMA Review
Tools used:
• Checklists
• Flowcharts
• Scenario
• Value Chain
• Business Process
• Systems Engineering
• Process
• Computed Cash Flow
• Projected earnings
• EPS – Projection 10
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Response
• Impact – How much.
• Likelihood – probability or chance in
frequency.
12
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Management
•Implement risk management process
•Avoid risks
•Prepare to accept residual risk
•Process of Risk Management
Determine company’s tolerance for risk
Evaluate risk process
Implement appropriate risk management process
Monitor risk exposure and strategy
•Identify role & responsibility of key individuals
and establish hierarchy for decision making. 13
Copyright Reserved By EMERGE Management Training Center - CMA Review
Enterprise Risk Management
• To create, protect and enhance shareholder value
by managing the uncertainties that could either
negatively or positively influence achievement of
the organization’s objectives.
• Stronger internal controls, more effective corporate
governance, and implementation of ERM can lead
to improved stability, reaction time, and increased
shareholder value.
• Instead of managing risk in many individual silos,
ERM takes an integrated and holistic perspective
on risks facing an organization. 14
Copyright Reserved By EMERGE Management Training Center - CMA Review
Basic Components found in most ERM
15
Copyright Reserved By EMERGE Management Training Center - CMA Review
An effective ERM implementation requires an
organizational context that includes
these characteristics:
16
Copyright Reserved By EMERGE Management Training Center - CMA Review
Applying COSO’s
Integrated Framework
17
Copyright Reserved By EMERGE Management Training Center - CMA Review
Today’s organizations are
concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)
18
Copyright Reserved By EMERGE Management Training Center - CMA Review
ERM Defined:
“… a process, effected by an entity's
board of directors, management and
other personnel, applied in strategy
setting and across the enterprise,
designed to identify potential events that
may affect the entity, and manage risks
to be within its risk appetite, to provide
reasonable assurance regarding the
achievement of entity objectives.”
19
Copyright Reserved By EMERGE Management Training Center - CMA Review
Why ERM Is Important
Underlying principles:
21
Copyright Reserved By EMERGE Management Training Center - CMA Review
Enterprise Risk Management —
Integrated Framework
22
Copyright Reserved By EMERGE Management Training Center - CMA Review
The ERM Framework
23
Copyright Reserved By EMERGE Management Training Center - CMA Review
The ERM Framework
24
Copyright Reserved By EMERGE Management Training Center - CMA Review
The ERM Framework
25
Copyright Reserved By EMERGE Management Training Center - CMA Review
The ERM Framework
26
Copyright Reserved By EMERGE Management Training Center - CMA Review
The ERM Framework
27
Copyright Reserved By EMERGE Management Training Center - CMA Review
Internal Environment
• Establishes a philosophy regarding risk
management. It recognizes that
unexpected as well as expected events
may occur.
28
Copyright Reserved By EMERGE Management Training Center - CMA Review
Objective Setting
• Is applied when management considers
risks strategy in the setting of
objectives.
• Forms the risk appetite of the entity —
a high-level view of how much risk
management and the board are willing
to accept.
• Risk tolerance, the acceptable level of
variation around objectives, is aligned
with risk appetite.
29
Copyright Reserved By EMERGE Management Training Center - CMA Review
Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent
risks.
• Events that may have a positive impact represent
natural offsets (opportunities), which management
channels back to strategy setting.
• Involves identifying those incidents, occurring
internally or externally, that could affect strategy
and achievement of objectives.
• Addresses how internal and external factors
combine and interact to influence the risk profile.
30
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Assessment
• Allows an entity to understand the extent to which
potential events might impact objectives.
• Assesses risks from two perspectives:
- Likelihood
- Impact
• Is used to assess risks and is normally also used to
measure the related objectives.
• Employs a combination of both qualitative and
quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.
31
Copyright Reserved By EMERGE Management Training Center - CMA Review
Risk Response
• Identifies and evaluates possible
responses to risk.
• Evaluates options in relation to entity’s
risk appetite, cost vs. benefit of
potential risk responses, and degree to
which a response will reduce impact
and/or likelihood.
• Selects and executes response based on
evaluation of the portfolio of risks and
responses.
32
Copyright Reserved By EMERGE Management Training Center - CMA Review
Control Activities
• Policies and procedures that help ensure
that the risk responses, as well as other
entity directives, are carried out.
33
Copyright Reserved By EMERGE Management Training Center - CMA Review
Information & Communication
• Management identifies, captures, and
communicates pertinent information in
a form and timeframe that enables
people to carry out their responsibilities.
34
Copyright Reserved By EMERGE Management Training Center - CMA Review
Monitoring
• Separate evaluations.
35
Copyright Reserved By EMERGE Management Training Center - CMA Review
Internal Control
36
Copyright Reserved By EMERGE Management Training Center - CMA Review
Relationship to Internal Control —
Integrated Framework
• Expands and elaborates on elements
of internal control as set out in COSO’s
“control framework.”
37
Copyright Reserved By EMERGE Management Training Center - CMA Review
ERM Roles & Responsibilities
• Management
• Risk officers
• Internal auditors
38
Copyright Reserved By EMERGE Management Training Center - CMA Review
Internal Auditors
• Play an important role in monitoring
ERM, but do NOT have primary
responsibility for its implementation
or maintenance.
39
Copyright Reserved By EMERGE Management Training Center - CMA Review
Internal Auditors
40
Copyright Reserved By EMERGE Management Training Center - CMA Review
Standards
• 2010.A1 – The internal audit activity’s plan
of engagements should be based on a risk
assessment, undertaken at least annually.
41
Copyright Reserved By EMERGE Management Training Center - CMA Review
Key Implementation Factors
1. Organizational design of business
2. Establishing an ERM organization
3. Performing risk assessments
4. Determining overall risk appetite
5. Identifying risk responses
6. Communication of risk results
7. Monitoring
8. Oversight & periodic review
by management
42
Copyright Reserved By EMERGE Management Training Center - CMA Review
Organizational Design
45
Copyright Reserved By EMERGE Management Training Center - CMA Review
Example: ERM Organization
FES
ERM ERM Commodity
Manager Manager Risk Mg.
Director
46
Copyright Reserved By EMERGE Management Training Center - CMA Review
Assess Risk
47
Copyright Reserved By EMERGE Management Training Center - CMA Review
Example: Risk Model
Environmental Risks
• Capital Availability
• Regulatory, Political, and Legal
• Financial Markets and Shareholder Relations
Process Risks
• Operations Risk
• Empowerment Risk
• Information Processing / Technology Risk
• Integrity Risk
• Financial Risk
Process
Identification Control It
Level
Share or Activity
Measurement
Transfer It Level
Diversify or
Prioritization Entity Level
Avoid It
50
Copyright Reserved By EMERGE Management Training Center - CMA Review
DETERMINE RISK APPETITE
Key questions:
• What risks will the organization not
accept?
(e.g. environmental or quality compromises)
51
Copyright Reserved By EMERGE Management Training Center - CMA Review
IDENTIFY RISK RESPONSES
• Options available:
- Accept = monitor
- Avoid = eliminate (get out of situation)
- Reduce = institute controls
- Share = partner with someone
(e.g. insurance)
52
Copyright Reserved By EMERGE Management Training Center - CMA Review
Impact vs. Probability
I
M Share Mitigate & Control
P
A Low Risk Medium Risk
C
T
Accept Control
Assessment
High Medium Risk High Risk
• Loss of phones • Credit risk
Loss of computers Customer has a long wait
I
• •
• Customer can’t get through
M • Customer can’t get answers
P
A Low Risk Medium Risk
C
Fraud
• Entry errors
T
•
• Lost transactions
• Equipment obsolescence
• Employee morale
• Repeat calls for same problem
Process
Control Risk Control
Objective Activity
55
Copyright Reserved By EMERGE Management Training Center - CMA Review
Communicate Results
• Dashboard of risks and related responses
(visual status of where key risks stand relative
to risk tolerances)
• Flowcharts of processes with key controls
noted
• Narratives of business objectives linked to
operational risks and responses
• List of key risks to be monitored or used
• Management understanding of key business
risk responsibility and communication of
assignments
56
Copyright Reserved By EMERGE Management Training Center - CMA Review
Monitor
• Perform analysis
- Risks are being properly addressed
- Controls are working to mitigate risks
57
Copyright Reserved By EMERGE Management Training Center - CMA Review
Management Oversight &
Periodic Review
• Accountability for risks
• Ownership
• Updates
- Changes in business
objectives
- Changes in systems
- Changes in processes
58
Copyright Reserved By EMERGE Management Training Center - CMA Review
Internal auditors can add value
by:
• Reviewing critical control systems and
risk management processes.
On COSO’s
Enterprise Risk Management
— Integrated Framework,
visit
www.coso.org
or
www.theiia.org
61
Copyright Reserved By EMERGE Management Training Center - CMA Review