COSO_ERM企业风险管理框架-PPT49

无聊蚂蚁
2 ℃
2020-02-10

整理文档很辛苦，赏杯茶钱您下走！

还剩 ... 页未读，继续阅读 >>

免费阅读已结束，点击下载阅读编辑剩下 ... 页

阅读已结束，您可以下载文档离线阅读编辑

资源描述

xxEnterpriseRiskManagement—IntegratedFrameworkToday’sorganizationsareconcernedabout:•RiskManagement•Governance•Control•Assurance(andConsulting)ERMDefined:“…aprocess,effectedbyanentity'sboardofdirectors,managementandotherpersonnel,appliedinstrategysettingandacrosstheenterprise,designedtoidentifypotentialeventsthatmayaffecttheentity,andmanageriskstobewithinitsriskappetite,toprovidereasonableassuranceregardingtheachievementofentityobjectives.”Source:COSOEnterpriseRiskManagement–IntegratedFramework.2004.COSO.WhyERMIsImportantUnderlyingprinciples:•Everyentity,whetherfor-profitornot,existstorealizevalueforitsstakeholders.•Valueiscreated,preserved,orerodedbymanagementdecisionsinallactivities,fromsettingstrategytooperatingtheenterpriseday-to-day.WhyERMIsImportantERMsupportsvaluecreationbyenablingmanagementto:•Dealeffectivelywithpotentialfutureeventsthatcreateuncertainty.•Respondinamannerthatreducesthelikelihoodofdownsideoutcomesandincreasestheupside.ThisCOSOERMframeworkdefinesessentialcomponents,suggestsacommonlanguage,andprovidescleardirectionandguidanceforenterpriseriskmanagement.EnterpriseRiskManagement—IntegratedFrameworkTheERMFrameworkEntityobjectivescanbeviewedinthecontextoffourcategories:•Strategic•Operations•Reporting•ComplianceTheERMFrameworkERMconsidersactivitiesatalllevelsoftheorganization:•Enterprise-level•Divisionorsubsidiary•BusinessunitprocessesEnterpriseriskmanagementrequiresanentitytotakeaportfolioviewofrisk.TheERMFramework•Managementconsidershowindividualrisksinterrelate.•Managementdevelopsaportfolioviewfromtwoperspectives:-Businessunitlevel-EntitylevelTheERMFrameworkTheeightcomponentsoftheframeworkareinterrelated…TheERMFrameworkInternalEnvironment•Establishesaphilosophyregardingriskmanagement.Itrecognizesthatunexpectedaswellasexpectedeventsmayoccur.•Establishestheentity’sriskculture.•Considersallotheraspectsofhowtheorganization’sactionsmayaffectitsriskculture.ObjectiveSetting•Isappliedwhenmanagementconsidersrisksstrategyinthesettingofobjectives.•Formstheriskappetiteoftheentity—ahigh-levelviewofhowmuchriskmanagementandtheboardarewillingtoaccept.•Risktolerance,theacceptablelevelofvariationaroundobjectives,isalignedwithriskappetite.EventIdentification•Differentiatesrisksandopportunities.•Eventsthatmayhaveanegativeimpactrepresentrisks.•Eventsthatmayhaveapositiveimpactrepresentnaturaloffsets(opportunities),whichmanagementchannelsbacktostrategysetting.EventIdentification•Involvesidentifyingthoseincidents,occurringinternallyorexternally,thatcouldaffectstrategyandachievementofobjectives.•Addresseshowinternalandexternalfactorscombineandinteracttoinfluencetheriskprofile.RiskAssessment•Allowsanentitytounderstandtheextenttowhichpotentialeventsmightimpactobjectives.•Assessesrisksfromtwoperspectives:-Likelihood-Impact•Isusedtoassessrisksandisnormallyalsousedtomeasuretherelatedobjectives.RiskAssessment•Employsacombinationofbothqualitativeandquantitativeriskassessmentmethodologies.•Relatestimehorizonstoobjectivehorizons.•Assessesriskonbothaninherentandaresidualbasis.RiskResponse•Identifiesandevaluatespossibleresponsestorisk.•Evaluatesoptionsinrelationtoentity’sriskappetite,costvs.benefitofpotentialriskresponses,anddegreetowhicharesponsewillreduceimpactand/orlikelihood.•Selectsandexecutesresponsebasedonevaluationoftheportfolioofrisksandresponses.ControlActivities•Policiesandproceduresthathelpensurethattheriskresponses,aswellasotherentitydirectives,arecarriedout.•Occurthroughouttheorganization,atalllevelsandinallfunctions.•Includeapplicationandgeneralinformationtechnologycontrols.•Managementidentifies,captures,andcommunicatespertinentinformationinaformandtimeframethatenablespeopletocarryouttheirresponsibilities.•Communicationoccursinabroadersense,flowingdown,across,anduptheorganization.Information&CommunicationMonitoringEffectivenessoftheotherERMcomponentsismonitoredthrough:•Ongoingmonitoringactivities.•Separateevaluations.•Acombinationofthetwo.InternalControlAstrongsystemofinternalcontrolisessentialtoeffectiveenterpriseriskmanagement.•ExpandsandelaboratesonelementsofinternalcontrolassetoutinCOSO’s“controlframework.”•Includesobjectivesettingasaseparatecomponent.Objectivesarea“prerequisite”forinternalcontrol.•Expandsthecontrolframework’s“FinancialReporting”and“RiskAssessment.”RelationshiptoInternalControl—IntegratedFrameworkERMRoles&Responsibilities•Management•Theboardofdirectors•Riskofficers•InternalauditorsInternalAuditors•PlayanimportantroleinmonitoringERM,butdoNOThaveprimaryresponsibilityforitsimplementationormaintenance.•Assistmanagementandtheboardorauditcommitteeintheprocessby:-Monitoring-Evaluating-Examining-Reporting-RecommendingimprovementsVisittheguidancesectionofTheIIA’sWebsiteforTheIIA’spositionpaper,“RoleofInternalAuditing’sinEnterpriseRiskManagement.”InternalAuditors•2010.A1–Theinternalauditactivity’splanofengagementsshouldbebasedonariskassessment,undertakenatleastannually.•2120.A1–Basedontheresultsoftheriskassessment,theinternalauditactivityshouldevaluatetheadequacyandeffectivenessofcontrolsencompass