COSO ERM Enterprise Risk Management Framework (1)


Applying COSO's Enterprise Risk Management — Integrated Framework
September 29, 2004

Today's organizations are concerned about:
• Risk Management
• Governance
• Control
• Assurance (and Consulting)

ERM Defined:
"… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

Why ERM Is Important
Underlying principles:
• Every entity, whether for-profit or not, exists to realize value for its stakeholders.
• Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.

Why ERM Is Important
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.

This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.

Enterprise Risk Management — Integrated Framework

The ERM Framework
Entity objectives can be viewed in the context of four categories:
• Strategic
• Operations
• Reporting
• Compliance

The ERM Framework
ERM considers activities at all levels of the organization:
• Enterprise-level
• Division or subsidiary
• Business unit processes

Enterprise risk management requires an entity to take a portfolio view of risk.

The ERM Framework
• Management considers how individual risks interrelate.
• Management develops a portfolio view from two perspectives:
- Business unit level
- Entity level

The ERM Framework
The eight components of the framework are interrelated …

The ERM Framework
Internal Environment
• Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur.
• Establishes the entity's risk culture.
• Considers all other aspects of how the organization's actions may affect its risk culture.

Objective Setting
• Is applied when management considers risks strategy in the setting of objectives.
• Forms the risk appetite of the entity — a high-level view of how much risk management and the board are willing to accept.
• Risk tolerance, the acceptable level of variation around objectives, is aligned with risk appetite.

Event Identification
• Differentiates risks and opportunities.
• Events that may have a negative impact represent risks.
• Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.

Event Identification
• Involves identifying those incidents, occurring internally or externally, that could affect strategy and achievement of objectives.
• Addresses how internal and external factors combine and interact to influence the risk profile.

Risk Assessment
• Allows an entity to understand the extent to which potential events might impact objectives.
• Assesses risks from two perspectives:
- Likelihood
- Impact
• Is used to assess risks and is normally also used to measure the related objectives.

Risk Assessment
• Employs a combination of both qualitative and quantitative risk assessment methodologies.
• Relates time horizons to objective horizons.
• Assesses risk on both an inherent and a residual basis.

Risk Response
• Identifies and evaluates possible responses to risk.
• Evaluates options in relation to the entity's risk appetite, cost vs. benefit of potential risk responses, and degree to which a response will reduce impact and/or likelihood.
• Selects and executes the response based on evaluation of the portfolio of risks and responses.

Control Activities
• Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out.
• Occur throughout the organization, at all levels and in all functions.
• Include application and general information technology controls.

Information & Communication
• Management identifies, captures, and communicates pertinent information in a form and time frame that enables people to carry out their responsibilities.
• Communication occurs in a broader sense, flowing down, across, and up the organization.

Monitoring
Effectiveness of the other ERM components is monitored through:
• Ongoing monitoring activities.
• Separate evaluations.
• A combination of the two.

Internal Control
A strong system of internal control is essential to effective enterprise risk management.

Relationship to Internal Control — Integrated Framework
• Expands and elaborates on elements of internal control as set out in COSO's "control framework."
• Includes objective setting as a separate component. Objectives are a "prerequisite" for internal control.
• Expands the control framework's "Financial Reporting" and "Risk Assessment."

ERM Roles & Responsibilities
• Management
• The board of directors
• Risk officers
• Internal auditors

Internal Auditors
• Play an important role in monitoring ERM, but do NOT have primary responsibility for its implementation or maintenance.
• Assist management and the board or audit committee in the process by:
- Monitoring
- Evaluating
- Examining
- Reporting
- Recommending improvements

Visit the guidance section of The IIA's Web site for The IIA's position paper, "Role of Internal Auditing in Enterprise Risk Management."

Internal Auditors
• 2010.A1 – The internal audit activity's plan of engagements should be based on a risk assessment, undertaken at least annually.
• 2120.A1 – Based on the results of the risk assessment, the internal audit activity should evaluate the adequacy and effe
