Complete Download Enterprise risk management: achieving and sustaining success – ebook pdf version P
Visit to download the full and correct content document: https://ebookmass.com/product/enterprise-risk-management-achieving-and-sustainin g-success-ebook-pdf-version/
More products digital (pdf, epub, mobi) instant download maybe you interests ...
Critical Infrastructure Protection, Risk Management, and Resilience: A Policy Perspective – Ebook PDF Version
Published by The Institute of Internal Auditors Research Foundation
247 Maitland Avenue
Altamonte Springs, Florida 32701-4201
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means electronic, mechanical, photocopying, recording, or otherwise without prior written permission of the publisher. Requests to the publisher for permission should be sent electronically to: bookstore@theiia.org with the subject line “reprint permission request.”
Limit of Liability: The IIARF publishes this document for informational and educational purposes and is not a substitute for legal or accounting advice The IIARF does not provide such advice and makes no warranty as to any legal or accounting results through its publication of this document When legal or accounting issues arise, professional assistance should be sought and retained.
The Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF) comprises the full range of existing and developing practice guidance for the profession. The IPPF provides guidance to internal auditors globally and paves the way to world-class internal auditing.
The IIA and The IIARF work in partnership with researchers from around the globe who conduct valuable studies on critical issues affecting today’s business world Much of the content presented in their final reports is a result of IIARF-funded research and prepared as a service to The IIARF and the internal audit profession. Expressed opinions, interpretations, or points of view represent a consensus of the researchers and do not necessarily reflect or represent the official position or policies of The IIA or The IIARF.
ISBN-13: 978-0-89413-724-2
CONTENTS
About the Authors
SECTION 1: INTRODUCING ERM — SETTING THE STAGE FOR SUCCESS
Chapter 1: Introduction
Chapter 2: The Foundation
SECTION 2: IMPLEMENTING ERM ACHIEVING SUCCESS
Chapter 3: Getting Started
Chapter 4: Determine Risk Criteria
Chapter 5: Risk Assessment
Chapter 6: Risk Treatment
Chapter 7: Monitoring the ERM System
Chapter 8: Risk Management Reporting
SECTION 3: EVALUATING AND IMPROVING ERM SUSTAINING SUCCESS
Chapter 9: Embedding ERM in the Internal Audit Plan
Chapter 10: Embedding ERM in the Internal Audit Methodology
Chapter 11: Assessing the ERM System
APPENDICES
Appendix A: Template for Conducting a Comprehensive Assessment of the ERM System
Appendix B: Template for Conducting an ERM Maturity Assessment
Notes
LIST OF EXHIBITS
Exhibit 2.1: Illustrative Risk Definitions
Exhibit 2.2: The Risk Circle
Exhibit 2.3: Case Scenario: How Much “Moore” is Enough? (Part 1)
Exhibit 2.4: Case Scenario: How Much “Moore” is Enough? (Part 2)
Exhibit 2.5: Governance, ERM, and Internal Control
Exhibit 2.6: ISO’s Risk Management Principles
Exhibit 4.1: Case Scenario: How Much “Moore” is Enough? (Part 3)
Exhibit 5.1: Case Scenario: How Much “Moore” is Enough? (Part 4)
Exhibit 6.1: Case Scenario: How Much “Moore” is Enough? (Part 5)
Exhibit 7.1: Case Scenario: How Much “Moore” is Enough? (Part 6)
LIST OF FIGURES
Figure 3.1: ERM Framework
Figure 4.1: Risk Attitude Spectrum
Figure 5.1: ERM Process
Figure 5.2: Typical Risk Map
Figure 5.3: Risk Model Example
Figure 5.4: Risk Analysis Documentation Example
Figure 5.5: Impact Assessment Levels
Figure 5.6: Likelihood Assessment Levels
Figure 5.7: Enhanced Risk Map
Figure 5.8: Example Prioritization Using Impact and Likelihood Criteria
Figure 5.9: Example Prioritization Using Four Criteria
Figure 11.1: ERM Maturity Stages
ABOUT THE AUTHORS
Paul J. Sobel, CIA, CRMA, CPA, is vice president/chief audit executive for Georgia-Pacific, LLC, a privately owned forest and consumer products company based in Atlanta, GA. He previously served as the chief audit executive for three public companies: Mirant Corporation, an energy company based in Atlanta, GA.; Aquila, Inc., an energy company based in Kansas City, MO.; and Harcourt General’s publishing operations based in Orlando, FL. His responsibilities included leading the global internal audit efforts at these companies, as well as consulting on each company’s ERM, compliance, and internal controls programs. He has also served as international audit manager for PepsiCo, senior manager in Arthur Andersen’s Business Risk Consulting practice, and experienced manager in Arthur Andersen’s Financial Statement Assurance practice.
Paul is a frequent speaker on governance, ERM, and internal audit topics. He has published a book titled Auditor’s Risk Management Guide: Integrating Auditing and ERM. In addition, he coauthored the textbook published by The IIA Research Foundation titled Internal Auditing: Assurance and Consulting Services. Finally, he has been recognized for articles published in Internal Auditor magazine and Management Accounting Quarterly.
Paul is currently serving on The IIA’s Board of Directors as senior vice chairman. In the past, he served in other vice chairman roles, as president of The IIA Research Foundation, and as senior vice-chair on the North American Board. He was program chair for The IIA’s 2010 International Conference, which was held in Atlanta, and will be serving in the same role for The IIA’s 2013 International Conference, to be held in Orlando. He has also served on the Standing Advisory Group of the Public Company Accounting Oversight Board (PCAOB) and as The IIA’s representative on the Pathways Commission, which was formed to make recommendations on the future of accounting education in the United States.
Kurt F. Reding, PhD, CIA, CPA, CMA, is the Grant Thornton Faculty Fellow and a clinical assistant professor in the School of Accountancy at Wichita State University. He currently serves on The IIA’s Wichita Chapter’s Board of Governors and the Audit Committee of the Via Christi Hospitals Wichita, Inc. Board of Trustees. He has served on The IIA’s Board of Directors, North American Board, Board of Research and Education Advisors, and Academic Relations Committee. He is a frequent speaker at IIA conferences and seminars. Kurt received The IIA’s 2003 Leon R. Radde Educator of the Year Award. He also has received both The IIA’s John B. Thurston Award and the Institute of Management Accountants’ (IMA’s) Lybrand Gold Medal, the highest annual writing awards bestowed by these organizations. He coauthored two textbooks published by The IIA Research Foundation: Internal Auditing: Assurance and Consulting Services and Introduction to Auditing: Logic, Principles, and Techniques. He has published articles in Internal Auditor, Internal Auditing, Managerial Auditing Journal, Management Accounting Quarterly, and other journals.
Kurt has more than 25 years of experience as an audit educator and practitioner and holds a PhD in accounting from The University of Tennessee. He is a member of The Institute of Internal Auditors, the American Institute of Certified Public Accountants, the Institute of Management Accountants, and the American Accounting Association.
Section 1
INTRODUCING ERM — SETTING THE STAGE FOR SUCCESS
Chapter 1 INTRODUCTION
THE CONTEXT OF THIS
BOOK
Globalization, e-commerce, technical innovations, new and complex business transactions, scandals, business failures, financial and economic crises, political unrest, military conflicts, cyberterrorism, government bailouts, crippling regulations, and natural disasters all characterize today’s business climate. Some of these events are relatively new; others have been around forever. Some of them are good; some are bad; and some are good or bad depending on your perspective. Some events happen quickly with little advance notice; others happen slowly and can be anticipated.
Risk and risk management have existed since events like this first occurred, i.e., since the beginning of mankind. Risk involves the uncertainty of events that have not yet occurred or for which the outcomes are not yet fully known. Risk management takes place every day as individuals and organizations attempt to foresee the future, identify potential risks, assess the risks, and respond to them in a cost-effective manner.
The long history of risk and risk management is well documented. Within the context of this history, enterprise risk management (ERM) is relatively new. In generic terms, ERM involves an organizationwide approach to managing risks. Other terms commonly used when referring to this approach include enterprisewide, holistic, and integrated. We present our definition of ERM in chapter 2, “The Foundation.”
ERM is a complex topic for which a rapidly growing body of knowledge exists. Contributors to this body of knowledge include a wide variety of authoritative entities, professional organizations, firms, and individuals. It is only natural, given the complicated nature of ERM and the various
perspectives from which it has been studied, that perfect uniformity in the literature does not exist. Unfortunately, this lack of homogeneity adds a layer of difficulty to an already challenging subject.
WHY WE WROTE THIS BOOK
We wrote this book primarily for internal auditors who, by definition, have a mandate to objectively evaluate and improve their organizations’ risk management systems. While risk management is addressed in The Institute of Internal Auditors’ (IIA’s) International Standards for the Professional Practice of Internal Auditing (Standards), there is insufficient “how to” guidance in The IIA’s International Professional Practices Framework (IPPF), published research, and other sources for internal auditors intent on complying with the Standards when they provide ERM-related services.
Our purpose in writing this book is not to question the worthiness of the ERM thought leadership that has been put forth to date or to offer radically new ideas about ERM. Our objective is to translate complex ERM concepts into concrete guidance that internal auditors find both straightforward and practical. More specifically, our goals are to enhance internal auditors’ understanding of ERM, clarify the roles they should and should not play in developing ERM systems, and provide direction that will enable them to continually audit their organizations’ evolving ERM systems. Armed with practical ERM guidance, internal auditors will be able to help their organizations implement effective and efficient ERM systems and provide value-adding assurance and consulting services for ongoing ERM success.
We anticipate that chief audit executives (CAEs) and their internal audit teams will gain the most from reading this book, but board members, managers, and others involved in risk management also will find it useful. The information is applicable globally and across industry lines and organization sizes.
THE CASE FOR ERM
Achieving and sustaining ERM success is a huge endeavor. It begins with implementation and continues with ongoing evaluations and improvement initiatives. In other words, ERM involves a major, long-term investment of time, energy, and money. As is the case with any large investment under consideration, an organization’s board and management must weigh the expected benefits against the expected costs. In other words, will the organization realize a satisfactory return on its investment?
When it comes to ERM, determining the return on investment (ROI) is difficult. This is due in part to the fact that risk is hard to measure, especially in monetary terms. For example, how does an organization measure the impact of a risk event that was avoided? Likewise, the benefits and costs of ERM, some of which are intangible, are hard to measure quantitatively. For example, how much would it cost an organization to avoid a negative newspaper headline that might severely damage its reputation? Or how much time and money does it take to restore that damaged reputation? Moreover, while it may be reasonable to conclude that weak organizational performance is due, at least in part, to ERM deficiencies, it is much more tenuous to presume that strong performance is due to effective ERM.
Whereas skeptics tend to base their argument on the “hard to measure ROI” aspect of ERM, proponents of ERM focus on perceived, albeit improvable, benefits. We believe, for example, that effective ERM:
• Provides a holistic and cohesive system (i.e., principles, framework, process, people, information, and technology) aimed at achieving the organization’s objectives.
• Fosters an organizationwide risk language that facilitates topdown, bottom-up, and horizontal risk management communications.
• Helps management and the board make informed decisions about how to manage both downside risks (i.e., protecting the
organization’s existing value) and upside risks (i.e., optimizing opportunities to create new value).
• Enhances an organization’s culture, productivity, innovation, and competitiveness, which in turn improves the organization’s prospects for achieving and sustaining success.
Readers should be cautioned, however, that certain things such as greed, arrogance, and complacency can undermine an ERM system that would otherwise be effective.
HOW THE BOOK WAS DEVELOPED
This book conveys the authors’ thoughts about the risk management expertise internal auditors must possess. Although our view of ERM is heavily influenced by our personal experiences and writings in this arena, it is also affected greatly by what we have learned from professional colleagues and the risk management literature.
We chose the International Organization for Standardization’s (ISO’s) International Standard 31000:2009(E), Risk management – Principles and guidelines (ISO 31000), as the starting point for framing our discussion of ERM for two reasons: (1) ISO is a well-respected, worldwide provider of promulgated guidance and (2) ISO 31000 presents risk management in a relatively simple and intuitive manner.
Our overall view of ERM aligns well with the ISO risk management standard, which comprises three major components:
• Principles. ISO 31000 “establishes a number of principles that need to be satisfied to make risk management effective.”1
• Framework. The risk management framework is the “set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing, and continually improving risk management throughout the organization.”2 The purpose of the framework is “to integrate the process for managing risk into the organization’s overall governance strategy and planning, management, reporting processes, policies, values, and culture.”3
• Process. The risk management process is the “systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.”4
ISO 31000 describes each of these components and defines fundamental risk management terms in a straightforward manner. However, ISO’s approach is purposely generic and conceptual so that organizations of any nature and size will find the guidance useful. Accordingly, we delve more deeply into the concepts covered in ISO 31000 and provide application-oriented insights intended to enhance the reader’s working knowledge of ERM. Authoritative sources of guidance other than ISO 31000 are referred to throughout the book, including, for example, The IIA’s Standards and the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management – Integrated Framework.
HOW THE BOOK IS STRUCTURED
The book is divided into three sections:
• Section 1: Introducing ERM Setting the Stage for Success
• Section 2: Implementing ERM Achieving Success
• Section 3: Evaluating and Improving ERM Sustaining Success
Section 1 sets the stage for the remainder of the book. In this chapter, we establish the context in which the book was written, explain why we wrote the book, and present our arguments for investing in ERM. Chapter 2 covers foundational concepts that organizations can use as a starting point for building successful ERM systems: our definition of risk; the relationship between governance, ERM, and control; ERM principles; and an introduction to the ERM-related roles and responsibilities of internal auditors.
Section 2 focuses on implementing an effective and efficient ERM system.
• Chapter 3, “Getting Started,” provides guidance on how to initiate a structured, disciplined approach to ERM implementation.
• Chapter 4, “Determine Risk Criteria,” discusses the types of risk criteria that should be considered.
• Chapter 6, “Risk Treatment,” describes risk treatment options and discusses how to develop a risk treatment plan.
• Chapter 7, “Monitoring the ERM System,” defines ERM monitoring and discusses why monitoring is important, what is monitored, how monitoring is performed, and who monitors.
• Chapter 8, “Risk Management Reporting,” highlights the
importance of risk management reporting and covers internal and external reporting requirements.
Each of the six chapters in section 2 includes a section devoted to the roles and responsibilities of internal auditors in the implementation process.
In section 3, we discuss in detail the assurance and consulting services that internal auditors can provide to help ensure their organizations’ ERM systems continue to evolve and remain effective and efficient over time.
• Chapter 9, “Embedding ERM in the Internal Audit Plan,” discusses implanting an ERM-based internal audit plan, providing ongoing assurance and consulting services, coordinating assurance and consulting activities, and documenting internal audit’s ERM roles and responsibilities in the internal audit charter. This chapter also delves into internal audit’s strategic planning roles and responsibilities.
• Chapter 10, “Embedding ERM in the Internal Audit Methodology,” describes how to execute internal audit projects aimed at assessing the design adequacy and operating effectiveness of risk treatments and validating the reasonableness of the overall residual risk assessment.
• Chapter 11, “Assessing the ERM System,” describes two approaches to assessing an ERM system the comprehensive assessment approach and the maturity assessment approach. Templates for conducting the two types of assessments are documented in appendices to the chapter.
WHY THIS BOOK IS IMPORTANT
To be successful, organizations must find ways to create new value and protect existing value from being prematurely destroyed. Good strategic planning is critical to ongoing success, but managing the risks associated with any strategic plan is equally important. ERM equips an organization to intelligently take on those risks that will enable success and mitigate those that can destroy success. Implementing and then evaluating and improving an effective ERM system over time provides assurance to management and the board that success will be achieved and sustained.
Internal auditors are an integral part of an organization achieving and sustaining success. They can play an important role in all phases of ERM implementation and help validate and improve ERM activities by aligning their ongoing audit activities with the objectives of ERM. This book provides a roadmap for all internal auditors regardless of their ERM expertise to play prominent roles in their organizations achieving and sustaining success.
Chapter 2 THE FOUNDATION
INTRODUCTION
An organization that underestimates the complexities involved in effectively managing risk is setting itself up to fail. Likewise, an internal audit activity that is ill-prepared to fulfill its risk-related roles and responsibilities will contribute little, if anything, to risk management effectiveness.
Although there is no single right way to achieve and sustain risk management success, there are underlying fundamentals an organization can use as a foundation upon which to build. In this chapter, we address three key topics: risk, enterprise risk management (ERM), and the internal audit activity’s role in ERM. More specifically, this chapter answers the following basic questions:
• What is risk? How is risk related to objectives? How are risk and uncertainty related?
• What is ERM? What is the relationship between governance, ERM, and internal control? What are the key principles of effective ERM?
• What are the roles and responsibilities of the internal audit activity in ERM? What ERM-related assurance and consulting services should internal audit provide? What ERM-related activities should internal audit avoid?
RISK
Understanding risk is a precondition to effectively managing it. Traditionally, risk has had a negative connotation as reflected in the first two definitions in exhibit 2.1. An increasingly popular view among risk management practitioners, which is reflected in the International Organization for Standardization (ISO) and IIA definitions of risk, is that risk encompasses both positive and negative aspects.
Exhibit 2.1
Illustrative Risk Definitions
“risk … A chance of encountering harm or loss; hazard; danger.”
Funk & Wagnall’s, New International Dictionary of the English Language Comprehensive Edition (Chicago, IL: J.G. Ferguson Publishing Company, 1995), p. 1,087.
“Risk is the possibility that an event will occur and adversely affect the achievement of objectives.”
— Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management – Integrated Framework (Jersey City, NJ: American Institute of Certified Public Accountants, 2004), p 5
“risk [is the] effect of uncertainty on objectives.”
ISO Guide 73, Risk management – Vocabulary (New York, NY: American National Standards Institute on behalf of the International Organization for Standardization, 2009), p. 1.
“Risk [is] [t]he possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood ”
— International Professional Practices Framework (Altamonte
Springs, FL: The Institute of Internal Auditors, 2011), p. 43.
Our definition of risk is aligned with the latter perspective:
Risk is the aggregate effect of uncertain events and outcomes on the achievement of objectives.
Fully comprehending risk, which is portrayed pictorially in exhibit 2.2, requires an understanding of objectives, uncertainty, events, outcomes, and effects. Since risk begins and ends with objectives, we discuss objectives first. Given that uncertainty is such a pervasive aspect of risk, we introduce it next and then discuss it further within the context of events, outcomes, and effects.
Objectives
Objectives are the goals, or end results, that an entity wants to achieve. The “risk circle” presented in exhibit 2.2 shows that risk is relevant only within the context of objectives and that it portends both positive and negative ramifications regarding the achievement of objectives.
Business objectives are broad goals that reflect an organization’s business model, personify the organization’s core reasons for existing, and tend to remain relatively fixed over time. They encompass the organization’s vision and mission and reflect the organization’s values. An organization’s vision is what the organization aspires to achieve long-term. Its mission is what it desires to achieve near-term. The vision and mission must be aligned with the values, which are the fundamental principles that define the manner in which the organization conducts its business.
Performance objectives are specific goals, against which the achievement of business objectives can be assessed. These objectives, which are subject to periodic review and revision, guide management in directing the activities of the organization toward the achievement of its business objectives. There is no single right way to categorize performance objectives. The following classifications are aligned with the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) categorization of entity objectives,1 but the definitions vary slightly from COSO’s:
• Strategic objectives pertain to the organization’s methods for achieving its business objectives.
• Operations objectives pertain to the organization’s effective and efficient use of resources in pursuit of its business objectives and the safeguarding of resources against loss.
• Reporting objectives pertain to the quality of information the organization communicates externally and internally.
• Compliance objectives pertain to the organization’s conformity with applicable laws and regulations, contractual obligations, and
policies.
Before proceeding further into our discussion of risk, we want to introduce you to the case scenario we will use to illustrate the concepts covered in the text. To get our arms around the complexities of risk and how to effectively manage it we have found it useful to start simple and deal with increasingly complex issues as our understanding develops. To facilitate this process for readers, we use a straightforward, but realistic, case scenario that illustrates risk management as it pertains to everyday personal life. Case scenario “How Much ‘Moore’ Is Enough?” focuses on a family’s accumulation of wealth to support long-term spending and retirement objectives. We believe that understanding the application of risk management concepts in this relatively simple setting will serve as a useful stepping stone to understanding their application in a more complex business environment. We begin the case scenario in exhibit 2.3 by introducing you to the Moore family and outlining their wealth accumulation vision, mission, and performance objectives. We continue the case scenario later in this chapter and throughout section 2, “Implementing ERM Achieving Success,” as new ERM concepts are introduced.
Ernie Moore is 37 and employed as an accountant for a large public utility company. His wife, Ivanna Moore, is 35 and employed as a corporate lawyer for a privately held manufacturing company. The Moores have three children:
• Anita Moore is in 8th grade and is active in sports and clubs at school.
• Sam Moore is in 5th grade and is an avid musician with interests in math and science
• Lillian (Lil) Moore is in 2nd grade and is also interested in sports and music.
Exhibit 2.3
Case Scenario: How Much “Moore” Is Enough? (Part 1)
Ernie and Ivanna understand the importance of long-term wealth planning and have begun working with a financial advisor. The first thing the financial advisor had Ernie and Ivanna do is articulate their wealth accumulation vision and mission. After much thought and debate, they decided on the following:
Moore family wealth accumulation vision. Amass an appropriate amount of wealth to fund a reasonable lifestyle over our lifetime and a nice estate for our children, given our expected longevity.
Moore family wealth accumulation mission. Assemble and manage a portfolio of wealth enhancement vehicles (e.g., insurance products, tangible assets, and prudent savings and investments) during our primary income earning years, while adhering to our core values.
With the vision and mission as a foundation for discussion, the advisor next helped the Moores determine their wealth accumulation performance objectives:
• Retirement. Anticipate comfortable retirement needs and fund retirement savings to support those needs assuming both of us live to 95.
• Lifestyle Live slightly below our financial means during our primary working years (consistent with one of our core values to live a humble, and not too opulent, lifestyle). However, striving to meet our retirement goals should not prevent us from enjoying life.
• Education. Pay for our three children to pursue and earn undergraduate university degrees.
• Weddings. Pay for nice but not overly extravagant weddings for Anita and Lil.
• Charity. Consistently give to charity, with a goal of donating at least 10% of our after-tax income each year.
