Internal Audit core role with regard to ERM
Internal Audit core role with regard to ERM
Presentation prepared by Joseph S. Samaha, Member of the AICPA – IIA – IMA – LACPA – AOCPA, Quality Management Systems – Internal Auditing, Sworn by Lebanese Courthouses since 1984
To the LACPA CPE program – May 2007
Avian Flu: High Probability, Limited Impact. Human Pandemic: Low Probability, Massive Impact.
Currency fluctuation: Opportunity or Threat? Budget rate concern, time to reconsider: +2.88%. Several professional opinions say that the Euro will probably reach a rate of 1.5 vs the US Dollar by the end of 2007, 13.6% higher than the 31/12/2006 rate.
Biggest Risk you may face is not taking one. The connection between value creation and risk management: >> Risk creates opportunity, >> Opportunity creates value, >> Value ultimately creates shareholder wealth. The critical question has become how best to manage risks to extract that value. Activities are becoming increasingly sophisticated in pricing, isolating, and transferring risks.
Biggest Risk you may face is not taking one. The connection between value creation and risk management: To understand risk, we must explore two streams: one is subjective probability, the other is operationalism. Where they meet, we can understand risk. In all types of understanding, there is the potential for events and consequences that constitute opportunities for benefit (upside), or threats to success (downside).
Biggest Risk you may face is not taking one. The connection between value creation and risk management: We may distinguish between measurable uncertainty, which is better called “risk”, and unmeasurable uncertainty, which is properly called “uncertainty”. Debates relate to subjective versus objective interpretations of probability: under objective interpretations, probabilities are real; under subjective interpretations, probabilities are human beliefs.
Biggest Risk you may face is not taking one. The connection between value creation and risk management: The second factor in understanding risk is understanding operationalism. Operationalism is a philosophy introduced by Percy Bridgman in his 1927 work “The Logic of Modern Physics”. He suggested that we formally define a concept by specifying a set of operations through which that concept is experienced. This definition can be meaningful only if it refers to experiences. Albert Einstein proposed that: “If two observers are moving relative to each other, their experiences of time will differ.” In a joint release of IRM & AIRMIC, “Operational – these concern the day-to-day issues that the organisation is confronted with as it strives to deliver its strategic objectives” (Risk Management Standards in the UK, released in September 2002).
What is Risk? Risk can be defined as the combination of the probability of an event and its consequences (ISO/IEC Guide 73).
Impact vs. Probability

                   Low probability              High probability
High impact        Medium Risk: Share           High Risk: Mitigate & Control
Low impact         Low Risk: Accept             Medium Risk: Control
Example: Call Center Risk Assessment

High impact, low probability (Medium Risk): • Loss of phones • Loss of computers • Credit risk
High impact, high probability (High Risk): • Customer has a long wait • Customer can’t get through • Customer can’t get answers
Low impact, low probability (Low Risk): • Entry errors • Equipment obsolescence
Low impact, high probability (Medium Risk): • Repeat calls for same problem • Lost transactions • Employee morale
Issues Overview [heat map: Impact (Low / Moderate / High) against Probability of risk completion (Low / Moderate / High), with issues numbered 1–17 plotted on the grid; the plotted positions are not recoverable from the page]
• The reconciliation between the current account with … and the balance due to … / Agent on the MGA has never been performed
• Accounting software shows some weaknesses
• Authorization process for payment should be improved
• The bank reconciliations are not correctly prepared and up-to-date
• The company did not contract insurance policies against major risks
• The agency does not apply the rate of exchange mentioned in Mira for invoicing
• Customer invoices are issued when the payment is received
• Credit risk management is not totally satisfactory
• Freights and Owner’s dues are not deposited into a separate bank account
• Payroll deduction (social security, …) verification is not documented by the consultant
• IT equipment is not secured enough and data is not sufficiently protected against risk of loss
• Cash custodian has access to the accounting software
• Asset rentals from the previous company are not documented by a formal contract
• P&L sent to Head Office does not match with the trial balance
• There is no check list of controls for people leaving the company
What is Risk Management ? Risk management is a central part of any organisation’s strategic management. It is the process whereby organisations methodically address the risks attaching to their activities with the goal of achieving sustained benefit within each activity and across the portfolio of all activities. The focus of good risk management is the identification and treatment of these risks.
Enterprise Risk Management – ERM. Enterprise risk management is defined by COSO (2002) as a process, effected by an entity’s board of directors, management, and other personnel, comprising internal control and applied in strategy and across the enterprise, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations • Reliability of financial reporting • Compliance with applicable laws and regulations. The board of directors is responsible for overseeing management’s design and operation of ERM. Management is responsible for the design and operation of an entity’s enterprise risk management, and all personnel have some responsibility for successful execution of ERM. Internal Audit (IA) is typically responsible for evaluating the effectiveness of the ERM.
What is ERM ? ERM is a : • structured, • consistent and, • continuous process across the whole organisation for: • identifying, • assessing, • deciding on responses to, • and reporting on opportunities and threats that affect the achievement of its objectives.
What is a Threat? Threats are possibilities, and at any point in time there are many possibilities (and combinations of possibilities), which makes it hard to assess and report on the range of possible outcomes. A second problem is that risks can change rapidly, and possible changes must be identified. Third, threats can’t be fully evaluated even after the passage of time, because some don’t materialize and others arise but are prevented or mitigated by control activities. Finally, there is no natural measurement process and point in time for risk measurement (as there is in measuring a sale, the purchase of an asset, or the incurrence of a liability or expense).
Some Strategic Risks • Partnership Interaction • Public Opinion • Sustainability of resources • Human Resources Management • Laws Regulations & Rules • Measurement strategies • Market Competition • Currencies major fluctuation
Some Operational Risks • Availability of funds • Compliance with authorities • Efficiency of process • Integrity of parties involved (Employees – Suppliers – Customers): Fraud, Illegal acts • Human Resources • IT • Financial
Some Project Risks • Technical • Development/Implementation • Development/implementation process formality proportionate with the scope of the project • Project size (large = complex) • Dynamic business environment • Management • Adequate business case for the project • Project decisions are based on risk management • Experience of Project Managers matched to project magnitude/complexity • Shared accountabilities between multiple stakeholders
Usual Types of Business Risk External Environment Risks— threats from broad factors external to the business including substitute products, catastrophic hazard loss, and changes in customers’ tastes and preferences, competitors, political environment, laws/regulations, and capital and labor availability. Business Process and Asset Loss Risks— threats from ineffective or inefficient business processes for acquiring, financing, transforming, and marketing goods and services, and threats of loss of firm assets including its reputation. Information Risks— threats from poor-quality information for decision-making within the business (i.e., the risk of being misinformed about real-world conditions due to using measurement methods that are not relevant, from careless or biased application of measurement methods or their display, or from incomplete information).
Examples of External Risk Factors • Competitors • Natural Hazards • Customer Needs • Capital Availability • Industry • Legal/political • Supply Chain Efficiency & Relationship • Technology • Shareholder Relations
The ERM Framework The eight components of the framework are interrelated …
ERM Components ERM has eight components: • Environment • Objective Setting • Event identification • Risk assessment • Response • Control activities • Information and communications • Monitoring
ERM Components – 1. The Environment & 2. Objective Setting. Directors and management determine the objectives of the entity, its strategies to achieve objectives, a business model detailing how business processes interrelate, and operating plans to implement strategies in the short run. These choices comprise the environment for ERM and provide the framework within which the components operate. The environment also includes what might be called a “philosophy about risk management” and an “appetite” for risk, which define how the entity wishes to incorporate possible adverse unexpected events, some of which will occur. Management (and directors) must decide how to deal with the risk/reward trade-offs implicit in a strategy and its implementation. Attitudes toward risk will affect which business activities the enterprise undertakes, and it will implement a strategy only if it can limit the risk inherent in that strategy to an acceptable level.
Example: Control Environment. Control Objective: Management promotes a strong control environment. [1] Ask for Board of Directors minutes of meetings. [2] Ask for Management circulars, public internal notes, etc.
CRITERIA FOR AN EFFECTIVE COMPLIANCE AND ETHICS PROGRAM. An organization should: • Establish standards and procedures to prevent and detect criminal conduct. • Ensure proper leadership and oversight of the compliance and ethics program. • Make reasonable efforts, exercising due diligence, not to delegate authority to anyone who has engaged in illegal activities or other unethical conduct. • Communicate about and train directors, senior personnel, and employees on the compliance and ethics program. • Take reasonable steps to ensure the compliance and ethics program is followed by: auditing and monitoring to detect criminal conduct; periodically evaluating the program’s effectiveness; and having and advertising an anonymous or confidential hotline for employees to report issues or seek guidance. • Encourage adherence to the program through appropriate incentives and apply appropriate discipline if personnel engage in criminal conduct. • If criminal conduct takes place, take reasonable steps to respond to and prevent similar incidents, and modify the program as necessary, periodically assessing the risk of criminal conduct.
ERM Components – 3. Event Identification. Given an understanding of an entity’s objectives, strategy, and plans, along with consideration of current external and internal conditions, ERM requires identifying all of the important conditions (or events) that might occur and could adversely affect the achievement of the entity’s objectives. This critical step requires knowledge of the entity, of business in general, and of the current and likely future environment, and the ability to link knowledge of these various types. The identification step is critical because events not identified may not be addressed when planning responses and accepting risk, leading to unplanned exposures.
ERM Components – 4. Risk Assessment. Risk is typically assessed along two dimensions: the likelihood, or probability, that a given adverse event will occur, and the impact of the event on operations, financial reporting, and possibly strategy if the event does occur. Some risks are discrete and some are continuous with a range of possible results. Measures of potential impact may be in terms of possible disruption of operations, amounts, monetary loss, or impairment of strategic objectives. Risk assessment across an enterprise requires a combination of qualitative and quantitative methodologies. This leads to a need to consider the joint-occurrence risk that two or more events will occur simultaneously.
ERM Components – 4. Risk Assessment

                   Low probability              High probability
High impact        Medium Risk: Share           High Risk: Mitigate & Control
Low impact         Low Risk: Accept             Medium Risk: Control
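The following is an added worked example, not part of the presentation: it scores a small risk register with the Impact vs. Probability matrix shown on this slide and in the Call Center example, and then applies the joint-occurrence idea from the Risk Assessment text by computing the chance that two or more registered events happen in the same period. The register entries, probabilities, dollar impacts, the High/Low thresholds and the independence assumption are all constructed for illustration and do not come from the deck.

```python
"""Added example (not from the presentation): rate a risk register with the
deck's two-by-two Impact vs. Probability matrix and estimate joint occurrence."""
from dataclasses import dataclass
from math import prod

# Matrix from the slides: (impact band, probability band) -> (rating, response)
MATRIX = {
    ("High", "Low"):  ("Medium Risk", "Share"),
    ("High", "High"): ("High Risk",   "Mitigate & Control"),
    ("Low",  "Low"):  ("Low Risk",    "Accept"),
    ("Low",  "High"): ("Medium Risk", "Control"),
}


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float  # chance the event occurs in the period, 0..1 (assumed)
    impact: float       # estimated loss if it occurs, in USD (assumed)


def band(value, threshold):
    """Collapse a numeric estimate into the slide's High/Low bands."""
    return "High" if value >= threshold else "Low"


def classify(risk, prob_threshold=0.3, impact_threshold=50_000):
    """Place a risk in the matrix; both thresholds are assumptions."""
    cell = (band(risk.impact, impact_threshold),
            band(risk.probability, prob_threshold))
    return MATRIX[cell]


def expected_loss(risk):
    """Quantitative view: probability-weighted loss, used for ordering."""
    return risk.probability * risk.impact


def prob_both(a, b):
    """Joint occurrence of two independent events (independence assumed)."""
    return a.probability * b.probability


def prob_at_least_two(risks):
    """P(two or more independent events occur) = 1 - P(none) - P(exactly one)."""
    p = [r.probability for r in risks]
    p_none = prod(1 - x for x in p)
    p_exactly_one = sum(
        x * prod(1 - y for j, y in enumerate(p) if j != i)
        for i, x in enumerate(p)
    )
    return 1 - p_none - p_exactly_one


# Constructed call-centre register loosely following the slide's example;
# the figures are illustrative assumptions, not numbers from the presentation.
REGISTER = [
    Risk("Loss of phones", 0.05, 200_000),
    Risk("Customer can't get through", 0.60, 80_000),
    Risk("Entry errors", 0.20, 5_000),
    Risk("Repeat calls for same problem", 0.70, 10_000),
]


def score_register(risks=REGISTER):
    """Return (name, rating, response, expected loss) rows, worst first."""
    rows = []
    for r in sorted(risks, key=expected_loss, reverse=True):
        rating, response = classify(r)
        rows.append((r.name, rating, response, round(expected_loss(r))))
    return rows


if __name__ == "__main__":
    for row in score_register():
        print(row)
    print("P(two or more events in the period):",
          round(prob_at_least_two(REGISTER), 4))
```

Ordering by expected loss is the quantitative complement to the qualitative matrix: the two "Medium Risk" cells carry very different expected losses here, which is the reason the slide text asks for both kinds of methodology.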
ERM Components – 5. Risk Response. An entity evaluates the risk/reward trade-off for each important risk. Depending on the trade-off, it can respond to risk by accepting, avoiding, or mitigating it. Mitigation includes sharing, transferring, or reducing risk (including control activities, as discussed below), depending on the risk/reward trade-off, price, and the entity’s risk appetite.
ERM Components – 6. Control Activities. Control activities are the policies and procedures designed by management to provide reasonable assurance that the chosen risk mitigation responses are implemented. Control activities are applied throughout the organization and include approvals, authorizations, cancellations, confirmations, observations, verifications, reconciliations, reviews of operating performance, physical security of assets, and segregation of duties.
ERM Components – 7. Information & Communication. Risk identification, assessment, response, and control activities can provide necessary risk information at all levels of an entity. But like financial and other information, risk information must be communicated in a form and time frame that enables workers, management, and directors to carry out their various responsibilities. According to COSO, “Reports may include lagging or forward indicators, performance metrics, and operational or financial results.” For ERM at the entity level, multiple data and information flows must be aggregated (and integrated) to communicate an overview of the entity’s portfolio risk profile. Effective communication involves downward flows (communicating management’s plans and known risks to employees), parallel flows (personnel communicating production and distribution risks across departments), and upward flows (employees informing top management of surprises).