Attachment # 00002768 - 330022.docx
330022.docx (3340.93 KB)
Raw Preview of Attachment:
(refer to the detailed question and attachment below)
Enterprise RiskManagement —Integrated FrameworkExecutive SummaryFrameworkSeptember 2004The Committee of Sponsoring Organizationsof the Treadway CommissionCopyright © 2004 by the Committee of Sponsoring Organizations of the Treadway Commission. 1 2 3 4 5 6 7 8 9 0 MPI 0 9 8 7 6 5 4Additional copies of Enterprise Risk Management – Integrated Framework: Executive Summary and Framework and Enterprise Risk Management – Integrated Framework: Application Techniques, 2 vol. set, item # 990015 may be obtained by calling toll free 1- 888 -777-7077 or visiting www.cpa2biz.com.All rights reserved. For information about reprint permission and licensing please call (201) 938-3245. A permissions request form for emailing requests is available at www.aicpa.org/cpyright.htm. Otherwise, requests should be submitted in writing and mailed to Permissions Editor, AICPA , Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881.Committee of Sponsoring Organizations of the Treadway Commission (COSO)OversightRepresentativeCOSO ChairJohn J. FlahertyAmerican Accounting AssociationLarry E. RittenbergAmerican Institute of Certified Public AccountantsAlan W. AndersonFinancial Executives InternationalJohn P. JessupNicholas S. CyprusInstitute of Management AccountantsFrank C. MinterDennis L. NeiderThe Institute of Internal AuditorsWilliam G. Bishop, IIIDavid A. RichardsProject Advisory Council to COSOGuidanceTony Maki, ChairJames W. DeLoachJohn P. JessupPartnerManaging DirectorVice President and TreasurerMoss Adams LLPProtiviti Inc.E. I. duPont de Nemours andCompanyMark S. BeasleyAndrew J. JacksonTony M. KnappProfessorSenior Vice President ofSenior Vice President andNorth Carolina State UniversityEnterprise Risk AssuranceControllerServicesMotorola, Inc.American Express CompanyJerry W. DeFoorSteven E. JamesonDouglas F. PrawittVice President and ControllerExecutive Vice President, ChiefProfessorProtective Life CorporationInternal Audit & Risk OfficerBrigham Young UniversityCommunity Trust Bancorp, Inc.PricewaterhouseCoopers LLPAuthorPrincipal ContributorsRichard M. SteinbergMiles E.A. EversonFormer Partner and Corporate Partner and Financial ServicesGovernance Leader (Presently Finance, Operations, Risk andSteinberg GovernanceCompliance LeaderAdvisors)New YorkFrank J. MartensLucy E. NottinghamSenior Manager, ClientManager, Internal FirmServicesServicesVancouver, CanadaBostoniiiFOREWORDOver a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control – Integrated Framework to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations’ enterprise risk management.The period of the framework’s development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss. In the aftermath were calls for enhanced corporate governance and risk management, with new law, regulation, and listing standards. The need for an enterprise risk management framework, providing key principles and concepts, a common language, and clear direction and guidance, became even more compelling. COSO believes this Enterprise Risk Management – Integrated Framework fills this need, and expects it will become widely accepted by companies and other organizations and indeed all stakeholders and interested parties.Among the outgrowths in the United States is the Sarbanes-Oxley Act of 2002, and similar legislation has been enacted or is being considered in other countries. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. Internal Control – Integrated Framework, which continues to stand the test of time, serves as the broadly accepted standard for satisfying those reporting requirements.This Enterprise Risk Management – Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value. This report will better enable them to meet this challenge.John J. FlahertyTony MakiChair, COSOChair, COSO Advisory CouncilvTable of ContentsExecutive Summary..3Framework.111.Definition132.Internal Environment273.Objective Setting354.Event Identification415.Risk Assessment496.Risk Response557.Control Activities618.Information and Communication679.Monitoring7510. Roles and Responsibilities8311. Limitations of Enterprise Risk Management9312. What to Do97AppendicesA. Objectives and Methodology99B.Summary of Key Principles101Relationship Between Enterprise Risk Management – Integrated Framework and Internal Control – Integrated Framework109D. Selected Bibliography113E.Consideration of Comment Letters115F.Glossary121G. Acknowledgments125viiEnterprise RiskManagement —Integrated FrameworkExecutive SummarySeptember 2004Executive SummaryEXECUTIVE SUMMARYThe underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:Aligning risk appetite and strategy – Management considers the entity’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks. Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance. Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses. Identifying and managing multiple and cross-enterprise risks – Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks. Seizing opportunities – By considering a full range of potential events, management is positioned to identify and proactively realize opportunities. Improving deployment of capital – Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation. These capabilities inherent in enterprise risk management help management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.3Executive SummaryEvents – Risks and OpportunitiesEvents can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.Enterprise Risk Management DefinedEnterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.The definition reflects certain fundamental concepts. Enterprise risk management is:A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite Able to provide reasonable assurance to an entity’s management and board of directors Geared to achievement of objectives in one or more separate but overlapping categories This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.4Executive SummaryAchievement of ObjectivesWithin the context of an entity’s established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity’s objectives, set forth in four categories:Strategic – high-level goals, aligned with and supporting its mission Operations – effective and efficient use of its resources Reporting – reliability of reporting Compliance – compliance with applicable laws and regulations This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular objective can fall into more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, also is described.Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity’s control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity’s control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.Components of Enterprise Risk ManagementEnterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that 5Executive Summarymanagement has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.Relationship of Objectives and ComponentsThere is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the form of a cube.6Executive SummaryThe four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns, the eight components by horizontal rows, and an entity’s units by the third dimension. This depiction portrays the ability to focus on the entirety of an entity’s enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.EffectivenessTIONSSTRATEGICAREPORTING OMPLIANCEOPERCInternal EnvironmentTINUSSENISUBYRAIDISBUSObjective SettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringDetermining whether an entity’s enterprise riskmanagement is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite.When enterprise risk management is determined to be effective in each of the four categories of objectives, respectively, the board of directors and management have reasonable assurance that they understand the extent to which the entity’s strategic and operations objectives are being achieved, and that the entity’s reporting is reliable and applicable laws and regulations are being complied with.The eight components will not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities still can have effective enterprise risk management, as long as each of the components is present and functioning properly.LimitationsWhile enterprise risk management provides important benefits, limitations exist. In addition to factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity’s objectives.7Executive SummaryEncompasses Internal ControlInternal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described in Internal Control – Integrated Framework. Because that framework has stood the test of time and is the basis for existing rules, regulations, and laws, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control – Integrated Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this one.Roles and ResponsibilitiesEveryone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers support the entity’s risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key support responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity’s risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity’s enterprise risk management.Organization of This ReportThis report is in two volumes. The first volume contains the Framework as well as this Executive Summary. The Framework defines enterprise risk management and describes principles and concepts, providing direction for all levels of management in businesses and other organizations to use in evaluating and enhancing the effectiveness of enterprise risk management. This Executive Summary is a high-level overview directed to chief executives, other senior executives, board members, and regulators. The second volume, Application Techniques, provides illustrations of techniques useful in applying elements of the framework.Use of This ReportSuggested actions that might be taken as a result of this report depend on position and role of the parties involved:Board of Directors – The board should discuss with senior management the state of the entity’s enterprise risk management and provide oversight as needed. The board should ensure it is apprised of the most significant risks, along with actions 8Executive Summarymanagement is taking and how it is ensuring effective enterprise risk management. The board should consider seeking input from internal auditors, external auditors, and others.Senior Management – This study suggests that the chief executive assess the organization’s enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation. Other Entity Personnel – Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more-senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management. Regulators – This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee. Professional Organizations – Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concepts and terminology is eliminated, all parties benefit. Educators – This framework might be the subject of academic research and analysis, to see where future enhancements can be made. With the presumption that this report becomes accepted as a common ground for understanding, its concepts and terms should find their way into university curricula. With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess their company’s enterprise risk management process against a standard, and strengthen the process and move their enterprise toward established goals. Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of enterprise risk management, including its benefits and limitations. With all parties utilizing a common enterprise risk management framework, these benefits will be realized.9Enterprise RiskManagement —Integrated FrameworkFrameworkSeptember 2004DefinitionDEFINITION Chapter Summary: All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. Enterprise risk management enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within the entity’s risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated components, which are integral to the way management runs the enterprise. The components are linked and serve as criteria for determining whether enterprise risk management is effective.A key objective of this framework is to help managements of businesses and other entities better deal with risk in achieving an entity’s objectives. But enterprise risk management means different things to different people, with a wide variety of labels and meanings preventing a common understanding. An important goal, then, is to integrate various risk management concepts into a framework in which a common definition is established, components are identified, and key concepts are described. This framework accommodates most viewpoints and provides a starting point for individual entities’ assessment and enhancement of enterprise risk management, for future initiatives of rule-making bodies, and for education.Uncertainty and ValueAn underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance the entity’s capacity to build value.Enterprises operate in environments where factors such as globalization, technology, restructurings, changing markets, competition, and regulation create uncertainty. Uncertainty emanates from an inability to precisely determine the likelihood that events will occur and the associated impacts. Uncertainty also is presented and created by the entity’s strategic choices. For example, an entity has a growth strategy based on expanding operations to another country. This chosen strategy presents risks and opportunities associated with the stability of the country’s political environment, resources, markets, channels, workforce capabilities, and costs.13DefinitionValue is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day. Value creation occurs through deploying resources, including people, capital, technology, and brand, where the benefit derived is greater than resources used. Value preservation occurs where created value is sustained through, among other things, superior product quality, production capacity, and customer satisfaction. Value can be eroded where these goals are not achieved due to poor strategy or execution. Inherent in decisions is recognition of risk and opportunity, requiring that management consider information about internal and external environments, deploy precious resources, and recalibrate activities to changing circumstances.Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:Aligning risk appetite and strategy – Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks. For example, a pharmaceutical company has a low risk appetite relative to its brand value. Accordingly, to protect its brand, it maintains extensive protocols to ensure product safety and regularly invests significant resources in early-stage research and development to support brand value creation. Enhancing risk response decisions – Enterprise risk management provides the rigor to identify and select among alternative risk responses – risk avoidance, reduction, sharing, and acceptance. For example, management of a company that uses company-owned and operated vehicles recognizes risks inherent in its delivery process, including vehicle damage and personal injury costs. Available alternatives include reducing the risk through effective driver recruiting and training, avoiding the risk by outsourcing delivery, sharing the risk via insurance, or simply accepting the risk. Enterprise risk management provides methodologies and techniques for making these decisions. Reducing operational surprises and losses – Entities gain enhanced capability to identify potential events, assess risk, and establish responses, thereby reducing the occurrence of surprises and related costs or losses. For example, a manufacturing company tracks production parts and equipment failure rates and deviation around averages. The company assesses the impact of failures using multiple criteria, including time to repair, inability to meet customer demand, employee safety, and cost of scheduled versus unscheduled repairs, and responds by setting maintenance schedules accordingly. 14DefinitionIdentifying and managing cross-enterprise risks – Every entity faces a myriad of risks affecting different parts of the organization. Management needs to not only manage individual risks, but also understand interrelated impacts. For example, a bank faces a variety of risks in trading activities across the enterprise, and management developed an information system that analyzes transaction and market data from other internal systems, which, together with relevant externally generated information, provides an aggregate view of risks across all trading activities. The information system allows drilldown capability to department, customer or counterparty, trader, and transaction levels, and quantifies the risks relative to risk tolerances in established categories. The system enables the bank to bring together previously disparate data to respond more effectively to risks using aggregated as well as targeted views. Providing integrated responses to multiple risks – Business processes carry many inherent risks, and enterprise risk management enables integrated solutions for managing the risks. For instance, a wholesale distributor faces risks of over- and under-supply positions, tenuous supply sources, and unnecessarily high purchase prices. Management identified and assessed risk in the context of the company’s strategy, objectives, and alternative responses, and developed a far-reaching inventory control system. The system integrates with suppliers, sharing sales and inventory information and enabling strategic partnering, and avoiding stock-outs and unneeded carrying costs, with longer-term sourcing contracts and enhanced pricing. Suppliers take responsibility for replenishing stock, generating further cost reductions. Seizing opportunities – By considering a full range of potential events, rather than just risks, management identifies events representing opportunities. For example, a food company considered potential events likely to affect its sustainable revenue growth objective. In evaluating the events, management determined that the company’s primary consumers are increasingly health conscious and changing their dietary preferences, indicating a decline in future demand for the company’s current products. In determining its response, management identified ways to apply its existing capabilities to developing new products, enabling the company not only to preserve revenue from existing customers, but also to create additional revenue by appealing to a broader consumer base. Improving deployment of capital – Obtaining robust information on risk allows management to effectively assess overall capital needs and enhance capital allocation. For example, a financial institution became subject to new regulatory rules that would increase capital requirements unless management calculated credit and operational risk levels and related capital needs with greater specificity. The company assessed the risk in terms of system development cost versus additional capital costs, and made an informed decision. With existing, readily modifiable software, the institution developed the more precise calculations, avoiding a need for additional capital sourcing. 15DefinitionThese capabilities are inherent in enterprise risk management, which helps management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting. And it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.Events – Risks and OpportunitiesAn event is an incident or occurrence from internal or external sources that affects achievement of objectives. Events can have negative impact, positive impact, or both. Events with negative impact represent risks. Accordingly, risk is defined as follows:Risk is the possibility that an event will occur and adversely affect the achievement of objectives.Events with adverse impact prevent value creation or erode existing value. Examples include plant machinery breakdowns, fire, and credit losses. Events with an adverse impact can derive from seemingly positive conditions, such as where customer demand for product exceeds production capacity, causing failure to meet buyer demand, eroded customer loyalty, and decline in future orders.Events with positive impact may offset negative impacts or represent opportunities. Opportunity is defined as follows:Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.Opportunities support value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, so that actions can be formulated to seize the opportunities.Definition of Enterprise Risk ManagementEnterprise risk management deals with risks and opportunities to create or preserve value. It is defined as follows:Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.16DefinitionThis definition reflects certain fundamental concepts. Enterprise risk management is:A process, ongoing and flowing through an entity Effected by people at every level of an organization Applied in strategy setting Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk Designed to identify potential events affecting the entity and manage risk within its risk appetite Able to provide reasonable assurance to an entity’s management and board Geared to the achievement of objectives in one or more separate but overlapping categories – it is a means to an end, not an end in itself This definition is purposefully broad for several reasons. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across types of organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity. And, the definition provides a basis for defining enterprise risk management effectiveness, discussed later in this chapter. The fundamental concepts outlined above are discussed in the following paragraphs.A ProcessEnterprise risk management is not static, but rather a continuous or iterative interplay of actions that permeate an entity. These actions are pervasive and inherent in the way management runs the business.Enterprise risk management is different from the perspective of some observers who view it as something added on to an entity’s activities. That is not to say effective enterprise risk management does not require incremental effort, as it may. In considering credit and currency risks, for example, incremental effort may be required to develop needed models and make necessary analyses and calculations. However, these enterprise risk management mechanisms are intertwined with an entity’s operating activities and exist for fundamental business reasons. Enterprise risk management is most effective when these mechanisms are built into the entity’s infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to implement its strategy and achieve its mission.Building in enterprise risk management has important implications for cost containment, especially in the highly competitive marketplaces many companies face. Adding new procedures separate from existing ones adds costs. By focusing on existing operations and their contribution to effective enterprise risk management, and integrating risk management17Definitioninto basic operating activities, an enterprise can avoid unnecessary procedures and costs. And, a practice of building enterprise risk management into the fabric of operations helps identify new opportunities for management to seize in growing the business.Effected by PeopleEnterprise risk management is effected by an entity’s board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity’s mission, strategy, and objectives, and put enterprise risk management mechanisms in place.Similarly, enterprise risk management affects people’s actions. Enterprise risk management recognizes that people do not always understand, communicate, or perform consistently. Each individual brings to the workplace a unique background and technical ability, and has different needs and priorities.These realities affect, and are affected by, enterprise risk management. Each person has a unique point of reference, which influences how he or she identifies, assesses, and responds to risk. Enterprise risk management provides the mechanisms needed to help people understand risk in the context of the entity’s objectives. People must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people’s duties and the way in which they are carried out, as well as with the entity’s strategy and objectives.An organization’s people include the board of directors, management and other personnel. Although directors primarily provide oversight, they also provide direction and approve strategy and certain transactions and policies. As such, boards of directors are an important element of enterprise risk management.Applied in Setting StrategyAn entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its mission or vision. An entity establishes a strategy for achieving its strategic objectives. It also sets related objectives it wants to achieve, flowing from the strategy, cascading to entity business units, divisions, and processes.Enterprise risk management is applied in strategy setting, in which management considers risks relative to alternative strategies. For instance, one alternative may be to acquire other companies in order to grow market share. Another may be to cut sourcing costs in order to realize higher gross margin percentage. Each of these strategic choices poses a number of risks. If management selects the first strategy, it may have to expand into new and unfamiliar markets, competitors may be able to gain share in the company’s existing markets, or the company might not have the capabilities to effectively implement the strategy. With the18Definitionsecond, risks include having to use new technologies or suppliers, or form new alliances. Enterprise risk management techniques are applied at this level to assist management in evaluating and selecting the entity’s strategy and related objectives.Applied Across the EnterpriseIn applying enterprise risk management, an entity should consider its entire scope of activities. Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review. Enterprise risk management also applies to special projects and new initiatives that might not yet have a designated place in the entity’s hierarchy or organization chart.Enterprise risk management requires an entity to take a portfolio view of risk. This might involve each manager responsible for a business unit, function, process, or other activity developing an assessment of risk for the activity. The assessment may be quantitative or qualitative. With a composite view at each succeeding level of the organization, senior management is positioned to make a determination whether the entity’s overall risk portfolio is commensurate with its risk appetite.Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole. Or, conversely, potential events may represent an otherwise unacceptable risk in one business unit, but with an offsetting effect in another. Interrelated risks need to be identified and acted on so that the entirety of risk is consistent with the entity’s risk appetite.Risk AppetiteRisk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, moderate, or low, while others take a quantitative approach, reflecting and balancing goals for growth, return, and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets.Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, as different strategies expose an entity to different risks. Enterprise risk management helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite.19DefinitionRisk appetite guides resource allocation. Management allocates resources among business units and initiatives with consideration of the entity’s risk appetite and the unit’s plan for generating desired return on invested resources. Management considers its risk appetite as it aligns its organization, people, and processes, and designs infrastructure necessary to effectively respond to and monitor risks.Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.Provides Reasonable AssuranceWell-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity’s objectives. Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with precision.Reasonable assurance does not imply that enterprise risk management frequently will fail. Many factors, individually and collectively, reinforce the concept of reasonable assurance. The cumulative effect of risk responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an entity may not achieve its objectives. Furthermore, the normal everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, among a cross-section of well-controlled entities, it is likely that most will be apprised regularly of movement toward their strategic and operations objectives, will achieve compliance objectives regularly, and consistently will produce – period after period, year after year – reliable reports. However, an uncontrollable event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk management can experience a failure. Reasonable assurance is not absolute assurance.Achievement of ObjectivesWithin the context of the established mission, management establishes strategic objectives, selects strategy, and establishes other objectives cascading through the enterprise and aligned with and linked to the strategy. Although many objectives are specific to a particular entity, some are widely shared. For example, objectives common to virtually all entities are achieving and maintaining a positive reputation within the business and consumer communities, providing reliable reporting to stakeholders, and operating in compliance with laws and regulations.20DefinitionThis framework establishes four categories of entity objectives:Strategic – relating to high-level goals, aligned with and supporting the entity’s mission Operations – relating to effective and efficient use of the entity’s resources Reporting – relating to the reliability of the entity’s reporting Compliance – relating to the entity’s compliance with applicable laws and regulations This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories – a particular objective can fall under more than one category – address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives.Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as “safeguarding of assets.” Viewed broadly, these deal with prevention of loss of an entity’s assets or resources, whether through theft, waste, inefficiency, or what turns out to be simply bad business decisions – such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. These are primarily operations objectives, although certain aspects of safeguarding can fall under other categories. Where legal or regulatory requirements apply, these become compliance issues. When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s assets that could have a material effect on the financial statements.Enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting, and compliance with laws and regulations. Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed.However, achievement of strategic objectives, such as attaining a specified market share, and operations objectives, such as successfully launching a new product line, is not always within the entity’s control. Enterprise risk management cannot prevent bad judgments or decisions, or external events that can cause a business to fail to achieve operations goals. It does, however, enhance the likelihood that management will make better decisions. For these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.21DefinitionComponents of Enterprise Risk ManagementEnterprise risk management consists of eight interrelated components. These are derived from the way management runs a business and are integrated with the management process. These components are:Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite. Event Identification – Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities, and those that may be both. Opportunities are channeled back to management’s strategy or objective-setting processes. Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact. Risk Response – Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite. Control Activities – Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Personnel receive clear communications regarding their role and responsibilities. Monitoring – The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management, or a combination of the two. 22DefinitionEnterprise risk management is a dynamic process. For example, the assessment of risks drives risk response and may influence control activities and highlight a need to reconsider information and communication needs or the entity’s monitoring activities. Thus, enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and will influence another.No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture. Thus, while all entities should have each of the components in place and operating effectively, one company’s application of enterprise risk management – including the tools and techniques employed and the assignment of roles and responsibilities – often will look very different from another’s.Relationship of Objectives and ComponentsThere is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape of a cube, shown in Exhibit 1.1.Exhibit 1.1The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns The eight components are represented by horizontal rows The entity and its units are depicted by the third dimension of the cube OMPLIANCESTRATEGICREPORTINGOPERATIONSCInternal EnvironmentTINUSSENISUBYRAIDISBUSObjective SettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoring23DefinitionEach component row “cuts across” and applies to all four objectives categories. For example, financial and non-financial data generated from internal and external sources, which is part of the information and communication component, is needed to set strategy, effectively manage business operations, report effectively, and determine that the entity is complying with applicable laws.Similarly, looking at the objectives categories, all eight components are relevant to each. Taking one category, effectiveness and efficiency of operations, for example, all eight components are applicable and important to its achievement.Enterprise risk management is relevant to an entire enterprise or to any of its individual units. This relationship is depicted by the third dimension, which represents subsidiaries, divisions, and other business units. Accordingly, one could focus on any one of the matrix’s cells. For instance, one could consider the top right back cell, representing the internal environment as it relates to compliance objectives of a particular subsidiary.It should be recognized that the four columns represent categories of an entity’s objectives, not parts or units of the entity. Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity’s operations is needed. But in that case, focus is on the right-middle column of the model – the reporting objectives – rather than the operations objectives category.EffectivenessWhile enterprise risk management is a process, its effectiveness is a state or condition at a point in time. Determining whether enterprise risk management is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite.When enterprise risk management is determined to be effective in each of the four categories of objectives, respectively, the board of directors and management have reasonable assurance that:They understand the extent to which the entity’s strategic objectives are being achieved They understand the extent to which the entity’s operations objectives are being achieved The entity’s reporting is reliable Applicable laws and regulations are being complied with 24DefinitionWhile in order for enterprise risk management to be deemed effective all eight components must be present and functioning properly – applying the principles described in the following chapters – some trade-offs may exist between components. Because enterprise risk management techniques can serve a variety of purposes, techniques applied relative to one component might serve the purpose of techniques normally present in another. Additionally, risk responses can differ in the degree to which they address a particular risk, so that complementary risk responses and controls, each with limited effect, together may be satisfactory.The concepts discussed here apply to all entities, regardless of size. While some small and mid-size entities may implement component factors differently than large ones, they still can have effective enterprise risk management. The methodology for each component is likely to be less formal and less structured in smaller entities than in larger ones, but the basic concepts should be present in every entity.Enterprise risk management usually is considered in the context of an enterprise as a whole, which involves considering its application in significant business units. There may, however, be circumstances where the effectiveness of enterprise risk management is to be evaluated separately for a particular business unit. In such circumstance, in order to conclude that enterprise risk management for the unit is effective all eight components must be present and functioning effectively in the unit. Thus, for example, because having a board of directors with specified attributes is part of the internal environment, enterprise risk management for a particular business unit may be judged effective only when the unit has in place an appropriately functioning board of directors or similar body (or the entity-level board of directors applies requisite oversight directly to the business unit). Similarly, because the risk response component describes taking a portfolio view of risk, for enterprise risk management to be judged effective there must be a portfolio view of risk for that business unit.Encompasses Internal ControlInternal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described inInternal Control – Integrated Framework. Because Internal Control – Integrated Framework is the basis for existing rules, regulations, and laws, and has stood the test of time, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control – Integrated Framework are reproduced in this framework, the entirety of Internal Control – Integrated Framework is incorporated by reference into this framework. Appendix C describes the relationship between enterprise risk management and internal control.25DefinitionEnterprise Risk Management and the Management ProcessBecause enterprise risk management is part of the management process, the enterprise risk management framework components are discussed in the context of what management does in running a business or other entity. But not everything management does is a part of enterprise risk management. Many judgments applied in management’s decision making and related management actions, while part of the management process, are not part of enterprise risk management. For example:Ensuring there is an appropriate process for objective setting is a critical component of enterprise risk management, but the particular objectives selected by management are not part of enterprise risk management. Responding to risks, based on an appropriate assessment of the risks, is a part of enterprise risk management, but the specific risk responses selected and the associated allocation of entity resources are not. Establishing and executing control activities to help ensure the risk responses management selects are effectively carried out is a part of enterprise risk management, but the particular control activities chosen are not. In general, enterprise risk management involves those elements of the management process that enable management to make informed risk-based decisions, but the particular decisions selected from an array of appropriate choices do not determine whether enterprise risk management is effective. However, while the specific objectives, risk responses, and control activities selected are a matter of management judgment, the choices must result in reducing risk to an acceptable level, as determined by risk appetite and reasonable assurance regarding achievement of entity objectives.26Internal EnvironmentINTERNAL ENVIRONMENT Chapter Summary: The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.TIONSSTRATEGICAREPORTING OMPLIANCEOPERCInternalEnvironmentTINUSSENISUBYRAIDISBUSObjectiveSettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringThe internal environment is the basis for all other components of enterprise risk management, providing discipline and structure. It influences how strategies and objectives are established, business activities are structured, and risks are identified, assessed, and acted upon. And it influences the design and functioning of control activities, information and communication systems, and monitoring activities.The internal environment is influenced by an entity’s history and culture. It comprises many elements, including the entity’s ethical values, competence and development of personnel, management’s philosophy for managing risk, and how it assigns authority and responsibility. A board of directors is a critical part of the internal environment and significantly influences other internal environment elements.Although all elements are important, the extent to which each is addressed will vary with the entity. For example, the chief executive of a company with a small workforce and centralized operations might not establish formal lines of responsibility and detailed operating policies.Nevertheless, the company could have an internal environment that provides an appropriate foundation for enterprise risk management.Risk Management PhilosophyAn entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. Its risk management philosophy reflects the entity’s values, influencing its culture and operating style, and affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.27Internal EnvironmentA company that has been successful accepting significant risks is likely to have a different outlook on enterprise risk management than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. While some entities may work to achieve effective enterprise risk management to satisfy requirements of an external stakeholder, such as a parent company or regulator, more often it is because management recognizes that effective risk management helps the entity create and preserve value.When the risk management philosophy is well developed, understood, and embraced by its personnel, the entity is positioned to effectively recognize and manage risk. Otherwise, there can be unacceptably uneven application of enterprise risk management across business units, functions, or departments. But even when an entity’s philosophy is well developed, there nonetheless may be cultural differences among its units, resulting in variation in enterprise risk management application. Managers of some units may be prepared to take more risk, while others are more conservative. For example, an aggressive selling function may focus its attention on making a sale, without careful attention to regulatory compliance matters, while the contracting unit’s personnel focus significant attention on ensuring compliance with all relevant internal and external policies and regulations. Separately, these different subcultures could adversely affect the entity. But by working well together the units can appropriately reflect the entity’s risk management philosophy.The enterprise’s risk management philosophy is reflected in virtually everything management does in running the entity. It is captured in policy statements, oral and written communications, and decision making. Whether management emphasizes written policies, standards of behavior, performance indicators, and exception reports, or operates more informally largely through face-to-face contact with key managers, of critical importance is that management reinforces the philosophy not only with words but also with everyday actions.Risk AppetiteRisk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style.Risk appetite is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite. Different strategies will expose the entity to different levels of risk, and enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.Entities consider risk appetite qualitatively, with such categories as high, moderate, or low, or take a quantitative approach, reflecting and balancing goals for growth and return with risk.28Internal EnvironmentBoard of DirectorsAn entity’s board of directors is a critical part of the internal environment and significantly influences its elements. The board’s independence from management, experience and stature of its members, extent of its involvement and scrutiny of activities, and appropriateness of its actions all play a role. Other factors include the degree to which difficult questions are raised and pursued with management regarding strategy, plans, and performance, and interaction the board or audit committee has with internal and external auditors.An active and involved board of directors, board of trustees, or comparable body should possess an appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities. This is critical to an effective enterprise risk management environment. And, because the board must be prepared to question and scrutinize management’s activities, present alternative views, and act in the face of wrongdoing, the board must include outside directors.Members of top management may be effective board members, bringing their deep knowledge of the company. But there must be a sufficient number of independent outside directors not only to provide sound advice, counsel, and direction, but also to serve as a necessary check and balance on management. For the internal environment to be effective, the board must have at least a majority of independent outside directors.Effective boards of directors ensure that management maintains effective risk management. Although an enterprise historically might have not suffered losses and have no obvious significant risk exposure, the board does not succumb to the mythical notion that events with seriously adverse consequences “couldn’t happen here.” It recognizes that while a company may have a sound strategy, competent employees, sound business processes, and reliable technology, it, like every entity, is vulnerable to risk, and an effectively functioning risk management process is needed.Integrity and Ethical ValuesAn entity’s strategy and objectives and the way they are implemented are based on preferences, value judgments, and management styles. Management’s integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.Management integrity is a prerequisite for ethical behavior in all aspects of an entity’s activities. The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. Integrity and ethical values are essential elements of an entity’s internal environment,29Internal Environmentaffecting the design, administration, and monitoring of other enterprise risk management components.Establishing ethical values often is difficult because of the need to consider the concerns of several parties. Management values must balance the concerns of the enterprise, employees, suppliers, customers, competitors, and the public. Balancing these concerns can be complex and frustrating because interests are often at odds. For example, providing an essential product (petroleum, lumber, or food) may cause environmental concerns.Ethical behavior and management integrity are by-products of the corporate culture, which encompasses ethical and behavioral standards and how they are communicated and reinforced. Official policies specify what the board and management want to happen. Corporate culture determines what actually happens, and which rules are obeyed, bent, or ignored. Top management – starting with the CEO – plays a key role in determining the corporate culture. As the dominant personality in an entity, the CEO often sets the ethical tone.Certain organizational factors also can influence the likelihood of fraudulent and questionable financial reporting practices. Those same factors are likely to influence ethical behavior as well. Individuals may engage in dishonest, illegal, or unethical acts simply because the entity gives them strong incentives or temptations to do so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment. Focusing solely on short-term results can hurt even in the short term. Concentration on the bottom line – sales or profit at any cost – often evokes unsought actions and reactions. High-pressure sales tactics, ruthlessness in negotiations, or implicit offers of kickbacks, for instance, may evoke reactions that can have immediate (as well as lasting) effects.Other incentives for engaging in fraudulent or questionable reporting practices and, by extension, other forms of unethical behavior may include rewards highly dependent on reported financial and non-financial information, particularly for short-term results.Removing or reducing inappropriate incentives and temptations goes a long way toward eliminating undesirable behavior. As suggested, this can be achieved by following sound and profitable business practices. For example, performance incentives – accompanied by appropriate controls – can be a useful management technique as long as the performance targets are realistic. Setting realistic targets is a sound motivational practice, reducing counterproductive stress as well as the incentive for fraudulent reporting. Similarly, a well-controlled reporting system can serve as a safeguard against temptation to misstate performance.Another cause of questionable practices is ignorance. Ethical values must be not only communicated but also accompanied by explicit guidance regarding what is right and wrong.30Internal EnvironmentFormal codes of corporate conduct are important to and the foundation of an effective ethics program. Codes address a variety of behavioral issues, such as integrity and ethics, conflicts of interest, illegal or otherwise improper payments, and anticompetitive arrangements.Upward communications channels where employees feel comfortable bringing relevant information also are important.Existence of a written code of conduct, documentation that employees received and understand it, and an appropriate communications channel by themselves do not ensure the code is being followed. Also important to compliance are resulting penalties to employees who violate the code, mechanisms that encourage employee reporting of suspected violations, and disciplinary actions against employees who knowingly fail to report violations. But compliance with ethical standards, whether or not embodied in a written code, is equally if not more effectively ensured by top management’s actions and the examples they set. Employees are likely to develop the same attitudes about right and wrong – and about risks and controls – as those shown by top management. Messages sent by management’s actions quickly become embodied in the corporate culture. And, knowledge that the CEO has “done the right thing” ethically when faced with a tough business decision, sends a powerful message throughout the entity.Commitment to CompetenceCompetence reflects the knowledge and skills needed to perform assigned tasks. Management decides how well these tasks need to be accomplished, weighing the entity’s strategy and objectives against plans for their implementation and achievement. A trade-off often exists between competence and cost – it is not necessary, for instance, to hire an electrical engineer to change a light bulb.Management specifies the competency levels for particular jobs and translates those levels into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals’ intelligence, training, and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.Organizational StructureAn entity’s organizational structure provides the framework to plan, execute, control, and monitor its activities. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. For example, an internal audit function should be structured in a manner that achieves organizational objectivity and permits unrestricted access to top management and the audit committee of the board, and the chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.31Internal EnvironmentAn entity develops an organizational structure suited to its needs. Some are centralized, others decentralized. Some have direct reporting relationships, while others are more of a matrix organization. Some entities are organized by industry or product line, by geographical location or by a particular distribution or marketing network. Other entities, including many state and local governmental units and not-for-profit institutions, are organized by function.The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its activities. A highly structured organization with formal reporting lines and responsibilities may be appropriate for a large entity that has numerous operating divisions, including foreign operations. However, such a structure could impede the necessary flow of information in a small company. Whatever the structure, an entity should be organized to enable effective enterprise risk management and to carry out its activities so as to achieve its objectives.Assignment of Authority and ResponsibilityAssignment of authority and responsibility involves the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems, as well as limits to their authority. It includes establishing reporting relationships and authorization protocols, as well as policies that describe appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties.Some entities have pushed authority downward to bring decision making closer to front-line personnel. A company may take this tack to become more market-driven or quality-focused – perhaps to eliminate defects, reduce cycle time, or increase customer satisfaction. Alignment of authority and accountability often is designed to encourage individual initiatives, within limits. Delegation of authority means surrendering central control of certain business decisions to lower echelons – to the individuals who are closest to everyday business transactions. This may involve empowerment to sell products at discount prices; negotiate long-term supply contracts, licenses, or patents; or enter alliances or joint ventures.A critical challenge is to delegate only to the extent required to achieve objectives. This means ensuring that decision making is based on sound practices for risk identification and assessment, including sizing risks and weighing potential losses versus gains in determining which risks to accept and how they are to be managed.Another challenge is ensuring that all personnel understand the entity’s objectives. It is essential that individuals know how their actions are related to one another and contribute to achievement of the objectives.Increased delegation sometimes is intentionally accompanied by or the result of streamlining or “flattening” the organizational structure. Purposeful structural change to encourage32Internal Environmentcreativity, taking initiative, and faster response times can enhance competitiveness and customer satisfaction. This increased delegation may carry an implicit requirement for a higher level of employee competence, as well as greater accountability. It also requires effective procedures for management to monitor results so that decisions can be overruled or accepted as necessary. Along with better, market-driven decisions, delegation may increase the number of undesirable or unanticipated decisions. For example, if a district sales manager decides that authorization to sell at 35% off list price justifies a temporary 45% discount to gain market share, management may need to know so that it can overrule or accept such decisions going forward.The internal environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true all the way to the chief executive, who, with board oversight, has ultimate responsibility for all activities within an entity.Additional principles related to roles and responsibilities by parties integral to effective enterprise risk management are set forth in the Roles and Responsibilities chapter.Human Resource StandardsHuman resource practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating, and taking remedial actions send messages to employees regarding expected levels of integrity, ethical behavior, and competence. For example, standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior, demonstrate an entity’s commitment to competent and trustworthy people. The same is true when recruiting practices include formal, in-depth employment interviews and training in the entity’s history, culture, and operating style.Training policies can reinforce expected levels of performance and behavior by communicating prospective roles and responsibilities and by including such practices as training schools and seminars, simulated case studies, and role-playing exercises. Transfers and promotions driven by periodic performance appraisals demonstrate the entity’s commitment to advancement of qualified employees. Competitive compensation programs that include bonus incentives serve to motivate and reinforce outstanding performance – although reward systems should be structured, and controls in place, to avoid undue temptation to misrepresent reported results. Disciplinary actions send a message that violations of expected behavior will not be tolerated.It is essential that employees be equipped to tackle new challenges as issues and risks throughout the entity change and become more complex – driven in part by rapidly changing technologies and increasing competition. Education and training, whether classroom instruction, self-study, or on-the-job training, must help personnel keep pace and deal33Internal Environmenteffectively with the evolving environment. Hiring competent people and providing one-time training are not enough. The education process is ongoing.ImplicationsIt is difficult to overstate the importance of an entity’s internal environment and the impact – positive or negative – it can have on other enterprise risk management components. The impact of an ineffective internal environment can be far-reaching, possibly resulting in financial loss, a tarnished public image, or a business failure.An energy company generally was thought to have effective enterprise risk management since it had high-powered and respected senior managers, a prestigious board of directors, an innovative strategy, well-designed information systems and control activities, extensive policy manuals prescribing risk and control functions, and comprehensive reconciling and supervisory routines. Its internal environment, however, was significantly flawed. Management participated in highly questionable business practices, and the board turned a “blind-eye.” The company was found to have misreported financial results and suffered a loss of shareholder confidence, a liquidity crisis, and destruction of entity value. Ultimately the company went into one of the largest bankruptcies in history.The attitude and concern of top management for effective enterprise risk management must be definitive and clear, and permeate the organization. It is not sufficient to say the right words. An attitude of “do as I say, not as I do” will only bring about an ineffective environment.34Objective SettingOBJECTIVE SETTING Chapter Summary: Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity.STRATEGICTIONSAREPORTING OMPLIANCEOPERCInternal EnvironmentObjective SettingLEVEL-YTITNENOISIVIDTINUSSENISUBYRAIDISBUSEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringObjective setting is a precondition to event identification, risk assessment, and risk response. There must first be objectives before management can identify and assess risks to their achievement and take necessary actions to manage the risks.Strategic ObjectivesAn entity’s mission sets out in broad terms what the entity aspires to achieve. Whatever term is used, such as “mission,” “vision,” or “purpose,” it is important that management − with board oversight −explicitly establish the entity’s broad-based reason for being. From this, management sets strategic objectives, formulates strategy, and establishes related operations, compliance, and reporting objectives for the organization. While an entity’s mission and strategic objectives are generally stable, its strategy and many related objectives are more dynamic and adjusted for changing internal and external conditions. As they change, strategy and related objectives are realigned with strategic objectives.Strategic objectives are high-level goals, aligned with and supporting the entity’s mission/vision. Strategic objectives reflect management’s choice as to how the entity will seek to create value for its stakeholders.In considering alternative ways to achieve its strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications. Various event identification and risk assessment techniques, discussed below and in later chapters, can be used in the strategy-setting process. In this way, enterprise risk management techniques are used in setting strategy and objectives.35Objective SettingRelated ObjectivesEstablishing the right objectives that support and are aligned with the selected strategy, relative to all entity activities, is critical to success. By focusing first on strategic objectives and strategy, an entity is positioned to develop related objectives at an entity level, achievement of which will create and preserve value. Entity-level objectives are linked to and integrated with more specific objectives that cascade through the organization to sub-objectives established for various activities, such as sales, production, and engineering, and infrastructure functions.By setting objectives at the entity and activity levels, an entity can identify critical success factors. These are key things that must go right if goals are to be attained. Critical success factors exist for an entity, a business unit, a function, a department, or an individual. By setting objectives, management can identify measurement criteria for performance, with a focus on critical success factors.Where objectives are consistent with prior practice and performance, the linkage among activities is known. However, where objectives depart from an entity’s past practices, management must address the linkages or run increased risks. In such cases, there is an even greater need for business unit objectives or sub-objectives that are consistent with the new direction.Objectives need to be readily understood and measurable. Enterprise risk management requires that personnel at all levels have a requisite understanding of the entity’s objectives as they relate to the individual’s sphere of influence. All employees must have a mutual understanding of what is to be accomplished and a means of measuring what is being accomplished.Categories of Related ObjectivesDespite the diversity of objectives across entities, certain broad categories are established:Operations Objectives – These pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance. Reporting Objectives – These pertain to the reliability of reporting. They include internal and external reporting and may involve financial and non-financial information. Compliance Objectives – These pertain to adherence to relevant laws and regulations. They are dependent on external factors and tend to be similar across all entities in some cases and across an industry in others. 36Objective SettingCertain objectives follow from the business an entity is in. Some companies, for example, submit information to environmental agencies, and publicly traded companies file information with securities regulators. These externally imposed requirements are established by law or regulation, and fall into the reporting or compliance categories or, in these examples, both.Conversely, operations objectives, as well as those for internal management reporting, are based more on preferences, judgments, and management style. They vary widely among entities simply because informed, competent, and honest people may select different objectives. Regarding product development, for example, one entity chooses to be an early adapter, another a quick follower, and yet another a slow lagger. These choices affect the structure, skills, staffing, and controls of the research and development function. Consequently, no one formulation of objectives is optimal for all entities.Operations ObjectivesOperations objectives relate to the effectiveness and efficiency of the entity’s operations. They include related sub-objectives for operations, directed at enhancing operating effectiveness and efficiency in moving the enterprise toward its ultimate goal.Operations objectives need to reflect the particular business, industry, and economic environments in which the entity functions. The objectives need, for example, to be relevant to competitive pressures for quality, reduced cycle times to bring products to market, or changes in technology. Management must ensure that objectives reflect reality and the demands of the marketplace, and are expressed in terms that allow meaningful performance measurements. A clear set of operations objectives, linked to sub-objectives, is fundamental to success. Operations objectives provide a focal point for directing allocated resources; if an entity’s operations objectives are not clear or well conceived, its resources may be misdirected.Reporting ObjectivesReliable reporting provides management accurate and complete information appropriate for its intended purpose. It supports management’s decision making and monitoring of the entity’s activities and performance. Examples of such reports include results of marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction results. Reporting also relates to reports prepared for external dissemination, such as financial statements and footnote disclosures, management’s discussion and analysis, and reports filed with regulatory agencies.Compliance ObjectivesEntities must conduct their activities, and often must take specific actions, in accordance with relevant laws and regulations. These requirements may relate to markets, pricing, taxes, the environment, employee welfare, and international trade. Applicable laws and regulations establish minimum standards of behavior, which the entity integrates into its compliance37Objective Settingobjectives. For example, occupational health and safety regulations cause one company to define its objective as, “Package and label all chemicals in accordance with regulations.” In this case, policies and procedures deal with communication programs, site inspections, and training. An entity’s compliance record can significantly – either positively or negatively – affect its reputation in the community and marketplace.SubcategoriesThe categories of objectives are part of the common language established by this framework, facilitating understanding and communication. An entity may, however, find it useful to discuss a subset of one or more objectives categories, to facilitate communication, internally or externally, on a narrower topic. A company might, for instance, decide to communicate the effectiveness of a part of the reporting category, say, enterprise risk management over external reporting, or perhaps over only external financial reporting. Doing so enables the communication to stay within the context of this enterprise risk management framework, while allowing communications on specific subsets of categories.Overlap of ObjectivesAn objective in one category may overlap or support an objective in another. The category in which an objective falls sometimes depends on circumstances. For example, providing reliable information to business unit management to manage and control production activities may serve to achieve both operations and reporting objectives. And, to the extent the information is used for reporting environmental data to the government, it serves compliance objectives.Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as “safeguarding of assets,” which overlaps with the other categories of objectives. Viewed broadly, safeguarding of assets deals with prevention of loss of an entity’s assets or resources, whether through theft, waste, inefficiency, or what turns out to be simply bad business decisions – such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. These are primarily operations objectives, although certain aspects of safeguarding can fall under the other categories. Where legal or regulatory requirements apply, these become compliance objectives. On the other hand, properly reflecting asset losses in the entity’s financial statements represents a reporting objective.When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s assets. For further discussion of this category of objectives, reference should be made to Internal Control – Integrated Framework, including the Addendum to Reporting to External Parties module.38Objective SettingAchievement of ObjectivesAn appropriate process for objective setting is a critical component of enterprise risk management. Although objectives provide the measurable targets toward which the entity moves in conducting its activities, they have differing degrees of importance and priority. Accordingly, while an entity should have reasonable assurance that certain objectives are achieved, that may not be the case for all objectives.Effective enterprise risk management provides reasonable assurance that an entity’s reporting objectives are being achieved. Similarly, there should be reasonable assurance that compliance objectives are being achieved. Achieving reporting and compliance objectives is largely within the entity’s control. That is, once the objectives have been determined, the entity has control over its ability to do what is needed to meet them.But there is a difference when it comes to strategic and operations objectives, because their achievement is not solely within the entity’s control. An entity may perform as intended, yet be outperformed by a competitor. It is subject to external events – such as a change in government, poor weather, and the like – where an occurrence is beyond its control. It may even have considered some of these events in its objective-setting process and treated them as having a low likelihood, with a contingency plan in case they occurred. However, such a plan only mitigates the impact of external events. It does not ensure that the objectives will be achieved.Enterprise risk management over operations focuses primarily on developing consistency of objectives and goals throughout the organization; identifying key success factors and risks; assessing the risks and making informed responses; implementing appropriate risk responses and establishing needed controls; and timely reporting of performance and expectations. For strategic and operations objectives, enterprise risk management can provide reasonable assurance that management and, in its oversight role, the board are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of these objectives.Selected ObjectivesAs part of enterprise risk management, management not only selects objectives and considers how they support the entity’s mission, but also ensures that they align with the entity’s risk appetite. Misalignment could result in not accepting enough risk to achieve the objectives or, conversely, accepting too much risk. Effective enterprise risk management does not dictate which objectives management should choose, but that management has a process that aligns strategic objectives with the entity’s mission and that ensures the chosen strategic and related objectives are consistent with the entity’s risk appetite.39Objective SettingRisk AppetiteRisk appetite, established by management with oversight of the board of directors, is a guidepost in strategy setting. Companies may express risk appetite as the acceptable balance of growth, risk, and return, or as risk-adjusted shareholder value-added measures. Some entities, such as not-for-profit organizations, express risk appetite as the level of risk they will accept in providing value to their stakeholders.There is a relationship between an entity’s risk appetite and its strategy. Usually any of a number of different strategies can be designed to achieve desired growth and return goals, each having different risks. Enterprise risk management, applied in strategy setting, helps management select a strategy consistent with its risk appetite. If the risk associated with a strategy is inconsistent with the entity’s risk appetite, the strategy is revised. This may occur where management initially formulates a strategy that exceeds the entity’s risk appetite, or where the strategy does not embrace sufficient risk to allow the entity to achieve its strategic objectives and mission.The entity’s risk appetite is reflected in entity strategy, which in turn guides resource allocation. Management allocates resources across business units, with consideration of the entity’s risk appetite and individual business units’ strategic plans, to generate a desired return on invested resources. Management looks to align the organization, people, processes, and infrastructure to facilitate successful strategy implementation and enable the entity to stay within its risk appetite.Risk TolerancesRisk tolerances are the acceptable levels of variation relative to the achievement of objectives. Risk tolerances can be measured, and often are best measured in the same units as the related objectives.Performance measures are used to help ensure that actual results will be within established risk tolerances. For example, a company targets on-time delivery at 98%, with acceptable variation in the range of 97%–100% of the time; it targets training with a pass rate of 90%, with acceptable performance of at least 75%; and it expects staff to respond to all customer complaints within 24 hours, but accepts that up to 25% of complaints may receive a response within 24–36 hours.In setting risk tolerances, management considers the relative importance of the related objectives, and aligns risk tolerances with risk appetite. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite, which, in turn, provides a higher degree of comfort that the entity will achieve its objectives.40STRATEGIC TIONSREPORTINGOMPLIANCE A OPER CEvent IdentificationEVENT IDENTIFICATION Chapter Summary: Management identifies potentialevents that, if they occur, will affect the entity, anddetermines whether they representopportunitiesorInternalEnvironmentwhether they might adversely affect the entity’s abilityObjectiveSettingLEVEL-YTITNEto successfully implementstrategyandachieveEvent Identificationobjectives. Events with negative impact represent risks,Risk Assessmentwhich require management’s assessment and response.Risk ResponseEvents with positive impactrepresent opportunities,Control Activitieswhich management channels back into the strategy andobjective-setting processes.Whenidentifyingevents,Information & Communicationmanagement considers a varietyofinternalandMonitoringexternal factors that may give rise to risks and opportunities, in the context of the full of the organization.EventsNOISIVIDTINUSSENISUBYRAIDISBUSscopeAn event is an incident or occurrence emanating from internal or external sources that affects implementation of strategy or achievement of objectives. Events may have positive or negative impact, or both.In event identification, management recognizes that uncertainties exist, but does not know whether an event will occur, or when, or its precise impact should it occur. Management initially considers a range of potential events − stemming from both internal and external sources − without necessarily focusing on whether the impact is positive or negative. In this way management identifies not only potential events with negative impact, but also those representing opportunities to be pursued.Events range from the obvious to the obscure, and the effects from the inconsequential to the highly significant. To avoid overlooking relevant events, identification is best made apart from the assessment of the likelihood of the event occurring and its impact, which is the topic of Risk Assessment. However, practical limitations exist, and it is often difficult to know where to draw the line. But even events with a relatively low possibility of occurrence should not be ignored if the impact on achieving an important objective is great.Influencing FactorsA myriad of external and internal factors drive events that affect strategy implementation and achievement of objectives. As part of enterprise risk management, management recognizes the importance of understanding these external and internal factors and the type of events that can emanate therefrom. External factors, along with examples of related events and their implications, include:41Event IdentificationEconomic – Related events include price movements, capital availability, or lower barriers to competitive entry, resulting in higher or lower cost of capital and new competitors. Natural environment – Events include flood, fire, or earthquake, resulting in damage to plant or buildings, restricted access to raw materials, or loss of human capital. Political – Events include election of government officials with new political agendas, and new laws and regulations, resulting, for example, in newly open or restricted access to foreign markets, or higher or lower taxes. Social – Events include changing demographics, social mores, family structures, and work/life priorities, and terrorism activity, resulting in changing demand for products and services, new buying venues and human resource issues, and production stoppages. Technological – Events include new means of electronic commerce, resulting in expanded availability of data, reductions in infrastructure costs, and increased demand for technology-based services. Events also stem from choices management makes about how it will function. An entity’s capability and capacity reflect previous choices, influence future events, and affect management decisions. Internal factors, along with examples of related events and their implications, include:Infrastructure – Events include increasing capital allocation to preventive maintenance and to call center support, reducing equipment downtime, and improving customer satisfaction. Personnel – Events include workplace accidents, fraudulent activities, and expiration of labor agreements, resulting in loss of available personnel, monetary or reputational damage, and production stoppages. Process – Events include process modification without adequate change management protocols, process execution errors, and outsourcing customer delivery with inadequate oversight, resulting in loss of market share, inefficiency, and customer dissatisfaction and loss of repeat business. Technology – Events include increasing resources to handle volume volatility, security breaches, and potential systems downtime, resulting in backlog reduction, fraudulent transactions, and inability to continue business operations. Identifying external and internal factors that influence events is useful to effective event identification. Once the major contributing factors are identified, management can consider their significance and focus on events that can affect achievement of objectives.42Event IdentificationA manufacturer and importer of footwear, for example, established a vision of being an industry leader in high-quality men’s shoes. To achieve this, it set out to manufacture products combining style, comfort, and durability, using the most advanced techniques, together with highly selective import sourcing. The company reviewed its external operating environment and identified social factors and related events such as changing age of its primary consumer market and changing trends in work attire. Events from economic factors included foreign currency fluctuations and interest rate movements. Internal technology factors pointed to an outdated distribution management system, and personnel factors, to inadequate marketing training.In addition to identifying events at the entity level, events also should be identified at the activity level. This helps focus risk assessment (the subject of the next chapter) on major business units or functions, such as sales, production, marketing, technology development, and research and development.Event Identification TechniquesAn entity’s event identification methodology may comprise a combination of techniques, together with supporting tools. For instance, management may use interactive group workshops as part of its event identification methodology, with a facilitator employing any of a variety of technology-based tools to assist participants.Event identification techniques look to both the past and the future. Techniques that focus on past events and trends consider such matters as payment default histories, changes in commodity prices, and lost-time accidents. Techniques that focus on future exposures consider such matters as shifting demographics, new market conditions, and competitor actions.Techniques vary widely in level of sophistication. While many of the more sophisticated techniques are industry-specific, most are derived from a common approach. For example, both the financial services and health and safety industries use loss event tracking techniques. These techniques start with a focus on common historical events – where the more basic approaches look at events based on internal staff perceptions, while more advanced techniques are based on factual sources of observable events – and then feed the data into sophisticated projection models. Companies more advanced in enterprise risk management typically employ a combination of techniques that consider both past and potential future events.Techniques also vary in where they are used within an entity. Some focus on detailed data analysis and create a bottom-up view of events, while others focus top down. Exhibit 4.1 provides examples of event identification techniques.43Event IdentificationExhibit 4.1Event inventories – These are detailed listings of potential events common to companies within a particular industry, or to a particular process or activity common across industries. Software products can generate relevant lists of generic potential events, which some entities use as a starting point for event identification. For example, a company undertaking a software development project draws on an inventory detailing generic events related to software development projects. Internal analysis – This may be done as part of a routine business planning cycle process, typically via a business unit’s staff meetings. Internal analysis sometimes utilizes information from other stakeholders (customers, suppliers, other business units) or subject matter expertise outside the unit (internal or external functional experts or internal audit staff). For example, a company considering introduction of a new product utilizes its own historical experience, along with external market research identifying events that have affected the success of competitors’ products. Escalation or threshold triggers – These triggers alert management to areas of concern by comparing current transactions, or events, with predefined criteria. Once triggered, an event may require further assessment or an immediate response. For example, a company’s management monitors sales volume in markets targeted for new marketing or advertising programs and redirects resources based on results. Another company’s management tracks competitors’ pricing structures and considers changes in its own prices when a specified threshold is met. Facilitated workshops and interviews – These techniques identify events by drawing on accumulated knowledge and experience of management, staff, and other stakeholders through structured discussions. The facilitator leads a discussion about events that may affect achievement of entity or unit objectives. For example, a financial controller conducts a workshop with members of the accounting team to identify events that have an impact on the entity’s external financial reporting objectives. By combining the knowledge and experience of team members, important events are identified that otherwise might be missed. Process flow analysis – This technique considers the combination of inputs, tasks, responsibilities, and outputs that combine to form a process. By considering the internal and external factors that affect inputs to or activities within a process, an entity identifies events that could affect achievement of process objectives. For example, a medical laboratory maps its processes for receipt and testing of blood samples. Using process maps, it considers the range of factors that could affect inputs, tasks, and responsibilities, identifying risks related to sample labeling, handoffs within the process, and personnel shift changes. 44Event IdentificationLeading event indicators – By monitoring data correlated to events, entities identify the existence of conditions that could give rise to an event. For example, financial institutions have long recognized the correlation between late loan payments and eventual loan default, and the positive effect of early intervention. Monitoring payment patterns enables the potential for default to be mitigated by timely action. Loss event data methodologies – Repositories of data on past individual loss events are a useful source of information for identifying trends and root causes. Once a root cause has been identified, management may find that it is more effective to assess and treat it than to address individual events. For example, a company operating a large fleet of automobiles maintains a database of accident claims and through analysis finds that a disproportionate percentage of accidents, in number and monetary amount, are linked to staff drivers in particular units, geographies, and age bracket. This analysis equips management to identify root causes of events and take action. Depth, breadth, timing, and discipline in event identification vary among entities. Management selects techniques that fit its risk management philosophy and ensures that the entity develops needed event identification capabilities and that supporting tools are in place. Overall, event identification needs to be robust, as it forms the basis for the risk assessment and risk response components.InterdependenciesEvents often do not occur in isolation. One event can trigger another, and events can occur concurrently. In event identification, management should understand how events relate to one another. By assessing the relationships, one can determine where risk management efforts are best directed. For example, a change in a central bank interest rate affects foreign exchange rates relevant to a company’s currency transaction gains and losses. A decision to curtail capital investment defers an upgrade to distribution management systems, causing additional downtime and increased operating costs. A decision to expand marketing training may improve sales capability and service quality, resulting in an increase in frequency and volume of repeat customer orders. A decision to enter a new line of business, with significant incentives tied to reported performance, can increase risks of error in application of accounting principles and of fraudulent reporting.Event CategoriesIt may be useful to group potential events into categories. By aggregating events horizontally across an entity and vertically within operating units, management develops an understanding of relationships between events, gaining enhanced information as a basis for risk assessment. By grouping similar events, management can better determine opportunities and risks.45Event IdentificationEvent categorization also allows management to consider the completeness of its event identification efforts. For instance, a company may have categorized events related to creditor collections into a single category called creditor defaults. By examining the events in this category, management can gauge whether it has identified all significant potential events related to creditor defaults.Some companies develop event categories based on categorization of their objectives, using a hierarchy that begins with high-level objectives and then cascades down to objectives relevant to organizational units, functions, or business processes.Exhibit 4.2 illustrates one approach used in establishing event categories within the context of broad internal and external factors.Exhibit 4.2Event CategoriesExternal FactorsInternal FactorsEconomicInfrastructureCapital availabilityAvailability of assetsCredit issuance, defaultCapability of assetsConcentrationAccess to capitalLiquidityComplexityFinancial marketsPersonnelUnemploymentEmployee capabilityCompetitionFraudulent activityMergers/acquisitionsHealth and safetyNatural EnvironmentProcessEmissions and wasteCapacityEnergyDesignNatural disasterExecutionSustainable developmentSuppliers/dependenciesPoliticalTechnologyGovernmental changesData integrityLegislation Data and system availabilityPublic policySystem selectionRegulationDevelopmentDeploymentMaintenance46Event IdentificationEvent CategoriesExternal FactorsInternal FactorsSocialDemographics Consumer behavior Corporate citizenship Privacy Terrorism TechnologicalInterruptions Electronic commerce External data Emerging technology Distinguishing Risks and OpportunitiesEvents, if they occur, have a negative impact, a positive impact, or both. Events with a negative impact represent risks, which require management’s assessment and response. Accordingly, risk is the possibility that an event will occur and adversely affect the achievement of objectives.Events with a positive impact represent opportunities, or offset the negative impact of risks. Opportunity is the possibility that an event will occur and positively affect the achievement of objectives and creation of value. Events representing opportunities are channeled back to management’s strategy or objective-setting processes, so that actions can be formulated to seize the opportunities. Events offsetting the negative impact of risks are considered in management’s risk assessment and response.47Risk AssessmentRISK ASSESSMENT Chapter Summary: Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives − likelihood and impact − and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis.TIONSSTRATEGICAREPORTING OMPLIANCEOPERCInternalEnvironmentTINUSSENISUBYRAIDISBUSObjectiveSettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringContext for Risk AssessmentExternal and internal factors influence which events may occur and to what extent the events will affect an entity’s objectives. Although some factors are common to companies in an industry, the resulting events often are unique to a particular entity, because of its established objectives and past choices. In risk assessment management considers the mix of potential future events relevant to the entity and its activities in the context of matters that shape the entity’s risk profile, such as entity size, complexity of operations, and degree of regulation over its activities.In assessing risk, management considers expected and unexpected events. Many events are routine and recurring, and are already addressed in management programs and operating budgets, while others are unexpected. Management assesses the risk of unexpected potential events and, if it has not already done so, expected events that can have a significant impact on the entity.Although the term “risk assessment” sometimes has been used in connection with a one-time activity, in the context of enterprise risk management the risk assessment component is a continuous and iterative interplay of actions that take place throughout the entity.Inherent and Residual RiskManagement considers both inherent and residual risk. Inherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact. Residual risk is the risk that remains after management’s response to the risk. Risk assessment is applied first to inherent risks. Once risk responses have been developed, management then considers residual risk.49Risk AssessmentEstimating Likelihood and ImpactUncertainty of potential events is evaluated from two perspectives – likelihood and impact. Likelihood represents the possibility that a given event will occur, while impact represents its effect. Likelihood and impact are commonly used terms, although some entities use terms such as probability, and severity, seriousness, or consequence. Sometimes the words take on more specific connotations, with “likelihood” indicating the possibility that a given event will occur in qualitative terms such as high, medium, and low, or other judgmental scales, and with “probability” indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.Determining how much attention should be given to assessing the array of risks an entity faces is difficult and challenging. Management recognizes that a risk with a low likelihood of occurrence and little potential impact generally does not warrant further consideration. On the other hand, a risk with high likelihood of occurrence and significant potential impact demands considerable attention. Circumstances in between these extremes usually require difficult judgments. It is important that the analysis be rational and careful.The time horizon used to assess risks should be consistent with the time horizon of the related strategy and objectives. Because many entities’ strategy and objectives focus on short to mid-term time horizons, management naturally focuses on risks associated with those time frames. However, some aspects of strategic direction and objectives extend to the longer term. As a result, management needs to be cognizant of the longer timeframes and not ignore risks that might be further out.For example, a company operating in California may consider the risk of an earthquake disrupting its business operations. Without a specified risk assessment time horizon, the likelihood of an earthquake exceeding 6.0 on the Richter scale is high, perhaps virtually certain. On the other hand, the likelihood of such an earthquake occurring within two years is substantially lower. By establishing a time horizon, the entity gains greater insight into the relative importance of the risk and an enhanced ability to compare multiple risks.Management often uses performance measures in determining the extent to which objectives are being achieved and normally uses the same, or congruent, unit of measure when considering the potential impact of a risk on the achievement of a specified objective. A company, for example, with an objective of maintaining a specified level of customer service will have devised a rating or other measure for that objective – such as a customer satisfaction index, number of complaints, or measure of repeat business. When assessing the impact of a risk that might affect customer service – such as the possibility that the company’s website might be unavailable for a time period – impact is best determined using the same measures.50Risk AssessmentData SourcesEstimates of risk likelihood and impact often are determined using data from past observable events, which provide a more objective basis than entirely subjective estimates. Internally generated data based on an entity’s own experience may reflect less subjective personal bias and provide better results than data from external sources. However, even where internally generated data is a primary input, external data can be useful as a checkpoint or to enhance the analysis. For example, a company’s management assessing the risk of production stoppages because of equipment failure looks first at frequency and impact of previous failures of its own manufacturing equipment. It then supplements that data with industry benchmarks. This allows a more precise estimate of likelihood and impact of failure, enabling more effective preventive maintenance scheduling. Caution should be exercised when using past events to make predictions about the future, as factors influencing events may change over time.PerspectiveManagers often make subjective judgments about uncertainty, and in doing so they should recognize inherent limitations. Findings in psychology research indicate that decision makers in a variety of capacities, including business managers, are overconfident in their estimation abilities and do not recognize the amount of uncertainty that actually exists. Studies show a marked “overconfidence bias,” leading to inappropriately narrow confidence intervals around estimated amounts or likelihoods as applied, for example, in value-at-risk methodologies. This tendency toward overconfidence in estimating uncertainty can be minimized by effective use of internally or externally generated empirical data. In the absence of such data, a keen awareness of the pervasiveness of the bias can help mitigate the effects of overconfidence.Human tendencies around decision making are exhibited in another way, where it is not uncommon for personnel to make different choices in pursuit of gains versus avoiding losses. By recognizing these human tendencies, managers can frame information to reinforce the risk appetite and behavior throughout the entity. How information is presented or “framed” can significantly affect how the information is interpreted and how the associated risks or opportunities are viewed, as highlighted in Exhibit 5.1.Exhibit 5.1Individuals have different responses to potential losses compared with potential gains. How a risk is framed – focusing on the upside (a potential gain) or downside (a potential loss) – often will influence the response. Prospect theory, which explores human decision making, says that individuals are not risk neutral; rather, a response to loss tends to be more extreme than a response to gain. And with this comes a tendency to misinterpret probabilities and best solution reactions. To illustrate, an individual is confronted with two sets of choices:51Risk AssessmentA sure gain of $240, or a 25% chance to gain $1,000 and a 75% chance to gain nothing.A sure loss of $750, or a 75% chance to lose $1,000 and a 25% chance to lose nothing. In the first set of choices, most people select a “sure gain of $240,” due to tendencies to be risk averse concerning gain and positively framed questions. In contrast, most people select a “75% chance to lose $1,000,” due to a tendency to be risk seeking concerning losses and negatively framed questions. Prospect theory holds that people do not want to put at risk what they already have or think they can have, but they will have higher risk tolerances when they think they can minimize losses.Assessment TechniquesAn entity’s risk assessment methodology comprises a combination of qualitative and quantitative techniques. Management often uses qualitative assessment techniques where risks do not lend themselves to quantification or when either sufficient credible data required for quantitative assessments is not practically available or obtaining or analyzing data is not cost-effective. Quantitative techniques typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques.Quantitative assessment techniques usually require a higher degree of effort and rigor, sometimes using mathematical models. Quantitative techniques are highly dependent on the quality of the supporting data and assumptions, and are most relevant for exposures that have a known history and frequency of variability and allow reliable forecasting. Exhibit 5.2 provides examples of quantitative risk assessment techniques.Exhibit 5.2Benchmarking – A collaborative process among a group of entities, benchmarking focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities. Data on events, processes, and measures are developed to compare performance. Some companies use benchmarking to assess the likelihood and impact of potential events across an industry. Probabilistic Models – Probabilistic models associate a range of events and the resulting impact with the likelihood of those events based on certain assumptions. Likelihood and impact are assessed based on historical data or simulated outcomes reflecting assumptions of future behavior. Examples of probabilistic models include value at risk, cash flow at risk, earnings at risk, and development of credit and operational loss distributions. Probabilistic models may be used with different time horizons to estimate such outcomes as the range of values of financial instruments 52Risk Assessmentover time. Probabilistic models also may be used to assess expected or average outcomes versus extreme or unexpected impacts.Non-probabilistic Models – Non-probabilistic models use subjective assumptions in estimating the impact of events without quantifying an associated likelihood. Assessing the impact of events is based on historical or simulated data and assumptions of future behavior. Examples of non-probabilistic models include sensitivity measures, stress tests, and scenario analyses. To gain consensus on likelihood and impact using qualitative assessment techniques, entities may employ the same approach they use in identifying events, such as interviews and workshops. A risk self-assessment process captures participants’ views on the potential likelihood and impact of future events, using either descriptive or numerical scales.An entity need not use common assessment techniques across all business units. Rather, the choice of techniques should reflect the need for precision and the culture of the business unit. In one company, for example, in identifying and assessing risk at a process level, one business unit uses self-assessment questionnaires while another uses workshops. The risks are assessed on an inherent and a residual basis, and then organized and grouped by risk categories and objectives for both business units. Although different methods are used, they provide sufficient consistency to facilitate assessment of risks across the entity.Management is able to derive an entity-wide quantitative impact measure of an event when all of the individual risk assessments for that event are expressed in quantitative terms. For example, the impact on gross margin of a change in energy prices is computed across business units and an entity-wide impact is determined. Where there is a blend of qualitative and quantitative measures, management develops a qualitative assessment across both the qualitative and quantitative measures, with the resulting composite assessment expressed in qualitative terms. Establishing common likelihood and impact terms across an entity and common risk categories for qualitative measures facilitates these composite assessments of risk.Relationships between EventsWhere potential events are not related, management assesses them individually. For example, a company with business units with exposure to different price fluctuations − such as pulp and foreign currency − would assess the risks separately relative to market movements. But where correlation exists between events, or events combine and interact to create significantly different probabilities or impacts, management assesses them together. While the impact of a single event might be slight, the impact of a sequence or combination of events might be more significant.53Risk AssessmentFor example, a defective valve on a propane tank in a distribution warehouse allows propane to leak; the warehouse doors are kept closed to retain heat in adjoining offices; the driver of an approaching truck activates a remote control device to open the warehouse doors.Together, the presence of propane gas and spark caused by the garage-door motor results in an explosion. These distinct events interact and result in a significant risk. In another example, a company enters a foreign market with new locally hired managers, untested reporting systems, and little basis for central management to judge relative performance, with a resulting significant risk of erroneous or fraudulent reporting.Where risks are likely to affect multiple business units, management may group them into common event categories, and consider them first by unit and then together on an entity-wide basis. For example, a financial services company’s business units are subject to risk of a change in government interest rates, and its management assesses the risk not only on each individual business unit but also on a combined, entity-wide basis. A manufacturing company has multiple business units, each with exposure to gold price fluctuations; management aggregates the risk of potential shifts in the price of gold into a single measure showing the net effect of a $1/ounce shift on its total gold inventory.The nature of events, and whether they are related, may affect assessment techniques used. For example, in assessing the impact of events that could have extreme impact, management may use stress testing, whereas in assessing the effects of multiple events, management might find simulations or scenario analysis more useful.Looking at interrelationships of risk likelihood and impact is an important management responsibility. Effective enterprise risk management requires that risk assessment be done both with respect to inherent risk and also following risk response, as discussed in the next chapter.54Risk ResponseRISK RESPONSE Chapter Summary: Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available, and takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity’s risk appetite.TIONSSTRATEGICAREPORTING OMPLIANCEOPERCInternalEnvironmentTINUSSENISUBYRAIDISBUSObjectiveSettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringRisk responses fall within the following categories:Avoidance – Exiting the activities giving rise to risk. Risk avoidance may involve exiting a product line, declining expansion to a new geographical market, or selling a division. Reduction – Action is taken to reduce risk likelihood or impact, or both. This typically involves any of a myriad of everyday business decisions. Sharing – Reducing risk likelihood or impact by transferring or otherwise sharing a portion of the risk. Common techniques include purchasing insurance products, engaging in hedging transactions, or outsourcing an activity. Acceptance – No action is taken to affect risk likelihood or impact. Exhibit 6.1 provides examples of how these risk responses are applied.Exhibit 6.1Avoidance – A not-for-profit organization identified and assessed risks of providing direct medical services to its members and decided not to accept the associated risks. It decided instead to provide a referral service.Reduction – A stock-clearing corporation identified and assessed the risk of its systems not being available for more than three hours and concluded that it would not accept the impact of such an occurrence. The company invested in technology with enhanced failure self-detecting and back-up systems to reduce the likelihood of system unavailability.55Risk ResponseSharing – A university identified and assessed the risk associated with managing its student dormitories and concluded it did not have the requisite in-house capabilities to effectively manage these large residential properties. The university outsourced the dorm management to a property management company better able to reduce the impact and likelihood of property-related risks.Acceptance – A government agency identified and assessed the risks of fire to its infrastructure across diverse geographical regions and assessed the cost of sharing the impact of its risk through insurance coverage. It concluded that the incremental cost of insurance and related deductibles exceeded the likely cost of replacement and decided to accept this risk.The avoidance response suggests that no response option was identified that would reduce the impact and likelihood to an acceptable level. Reduction and sharing responses reduce residual risk to a level aligned with desired risk tolerances, while an acceptance response suggests that inherent risk already is within risk tolerances.For many risks, appropriate response options are obvious and well accepted. For instance, for the risk of losing computing availability, a typical response option is implementation of a business continuity plan. For other risks, available options might not be readily apparent, requiring investigation and analysis. For example, response options relevant to mitigating the effect of competitor activities on brand value might require market research and analysis.In determining risk response, management should consider such things as:Effects of potential responses on risk likelihood and impact – and which response options align with the entity’s risk tolerances Costs versus benefits of potential responses Possible opportunities to achieve entity objectives going beyond dealing with the specific risk For significant risks, an entity typically considers potential responses from a range of response options. This gives depth to response selection and challenges the “status quo.”Evaluating Possible ResponsesInherent risks are analyzed and responses evaluated with the intent of achieving a residual risk level aligned with the entity’s risk tolerances. Often, any of several responses will bring residual risk in line with risk tolerances, and sometimes a combination of responses provides the optimum result. Conversely, sometimes one response will affect multiple risks, in which case management may decide that additional actions to address a particular risk are not needed.56Risk ResponseEvaluating Effect on Risk Likelihood and ImpactIn evaluating response options, management considers the effect on both risk likelihood and impact, recognizing that a response might affect likelihood and impact differently. For example, a company with a computer center located in a region with heavy storm activity establishes a business continuity plan, which, while having no effect on likelihood of a storm, mitigates the impact of building damage or personnel being unable to get to work. On the other hand, the choice to move the computer center to another region will not reduce the impact of a comparable storm, but does reduce the likelihood of a storm occurring in the first place.In analyzing responses, management may consider past events and trends, and potential future scenarios. In evaluating alternative responses, management typically determines their potential effect using the same, or congruent, units of measure as those used for the related objective.Assessing Costs versus BenefitsResources always have constraints, and entities must consider the relative costs and benefits of alternative risk response options. Cost and benefit measurements for implementing risk responses are made with varying levels of precision. Generally, it is easier to deal with the cost side of the equation, which, in many cases, can be quantified fairly precisely. All direct costs associated with instituting a response, and indirect costs where practically measurable, usually are considered. Some entities also include opportunity costs associated with use of resources.In some cases, however, it is difficult to quantify costs of risk response. Challenges in quantification arise in estimating time and effort associated with a particular response, as may be the case, for example, in capturing market intelligence on evolving customer preferences, competitors’ activities, or other externally generated information.The benefit side often involves even more subjective valuation. For example, benefits of effective training programs usually are apparent, but difficult to quantify. In many cases, however, the benefit of a risk response can be evaluated in the context of the benefit associated with achievement of the related objective.When considering cost–benefit relationships, looking at risks as interrelated allows management to pool the entity’s risk reduction and risk sharing responses. For instance, when sharing risk via insurance, it may be beneficial to combine risks under one policy since pricing usually is reduced when combined exposures are insured under one financing arrangement.57Risk ResponseOpportunities in Response OptionsThe event identification chapter describes how management identifies potential events affecting achievement of entity objectives, either positively or negatively. Events with positive impacts represent opportunities and are channeled back to the strategy or objective-setting processes.Similarly, opportunities may be identified when considering risk response. Risk response considerations should not be limited solely to reducing identified risks, but also should include consideration of new opportunities for the entity. Management may identify innovative responses, which, while fitting within the response categories described earlier in this chapter, may be entirely new to the entity or even an industry. Such opportunities may surface when existing risk response options are reaching the limit of effectiveness, and when further refinements likely will provide only marginal changes to a risk impact or likelihood. An example is the creative response by an automobile insurance company to the high number of accidents at certain road intersections − it decided to fund enhancements to traffic signal lights, reducing accident claims and improving margins.Selected ResponsesOnce the effects of alternative risk responses have been evaluated, management decides how it intends to manage the risk, selecting a response or combination of responses designed to bring risk likelihood and impact within risk tolerances. The response need not necessarily result in the least amount of residual risk. But where a risk response would result in residual risk exceeding risk tolerance, management revisits and revises the response accordingly or, in certain instances, reconsiders the established risk tolerance. Accordingly, the balancing of risk and risk tolerance may involve an iterative process.Evaluating alternative responses to inherent risk requires consideration of additional risks that might result from a response. This also may prompt an iterative process whereby before management finalizes a decision, it considers these additional risks, including any that might not be immediately evident.Once management selects a response, it may need to develop an implementation plan to execute the response. A critical part of an implementation plan is establishing control activities (discussed in the next chapter) to ensure the risk response is carried out.Management recognizes that some level of residual risk will always exist, not only because resources are limited, but also because of future uncertainty and limitations inherent in all activities.58Risk ResponsePortfolio ViewEnterprise risk management requires that risk be considered from an entity-wide, or portfolio, perspective. Management typically takes an approach in which risk first is considered for each business unit, department, or function, with the responsible manager developing a composite assessment of risks for the unit reflecting the unit’s residual risk profile relative to its objectives and risk tolerances.With a view of risk for individual units, an enterprise’s senior management is well positioned to take a portfolio view, to determine whether the entity’s residual risk profile is commensurate with its overall risk appetite relative to its objectives. Risks in different units may be within the risk tolerances of the individual units, but, taken together, risks might exceed the risk appetite of the entity as a whole, in which case additional or different risk response is needed to bring risk within the entity’s risk appetite. Conversely, risks may naturally offset across the entity where, for example, some individual units have higher risk while others are relatively risk averse, such that overall risk is within the entity’s risk appetite, obviating the need for a different risk response.A portfolio view of risk can be depicted in any of a variety of ways. A portfolio view may be gained by focusing on major risks or event categories across business units, or on risk for the company as a whole, using such metrics as risk-adjusted capital or capital at risk. Such composite measures are particularly useful when measuring risk against objectives stated in terms of earnings, growth, and other performance measures, sometimes relative to allocated or available capital. Such portfolio view measures can provide information useful in reallocating capital across business units and modifying strategic direction.One example is a manufacturing company that takes a portfolio view of risk in the context of its operating earnings objective. Management uses common event categories to capture risks across its business units. It then develops a graph showing, by category and business unit, the risk likelihood in terms of frequency on a time horizon, and the relative impacts on earnings. The result is a composite, or portfolio, view of risk the company faces, with management and the board positioned to consider the nature, likelihood, and relative size of risks, and how they may affect the company’s earnings.Another example is a financial institution that calls on business units to establish objectives, risk tolerances, and performance measures all in terms of risk-adjusted return on capital. This consistently applied metric facilitates management’s rolling up units’ combined risk assessments into a portfolio view of risk for the institution as a whole, enabling management to consider the units’ risks, by objective, and determine whether the entity is within its risk appetite.59Risk ResponseWhen looking at risk from a portfolio perspective, management is positioned to consider whether it remains with the established risk appetite. Further, it can reevaluate the nature and type of risk it wishes to take. In cases where the portfolio view shows risks significantly less than the entity’s risk appetite, management may decide to motivate individual business unit managers to accept greater risk in targeted areas, striving to enhance the entity’s overall growth and return.60Control ActivitiesCONTROL ACTIVITIES Chapter Summary: Control activities are the policies and procedures that help ensure that management’s risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities − as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.STRATEGICTIONSAREPORTING OMPLIANCEOPERCInternal EnvironmentObjective SettingEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesLEVEL-YTITNENOISIVIDTINUSSENISUBYRAIDISBUSInformation & CommunicationMonitoringControl activities are policies and procedures, which are the actions of people to implement the policies, directly or through application of technology, to help ensure that management’s risk responses are carried out. Control activities can be categorized based on the nature of the entity’s objectives to which they relate: strategic, operations, reporting, and compliance.Although some control activities relate solely to one category, there often is overlap. Depending on circumstances, a particular control activity could help satisfy entity objectives in more than one of the categories. For example, certain operations controls also can help ensure reliable reporting, reporting control activities can serve to effect compliance, and so on.Integration with Risk ResponseHaving selected risk responses, management identifies control activities needed to help ensure that the risk responses are carried out properly and in a timely manner.Linkage of objectives, risk responses, and control activities is illustrated in the following example: A company sets an objective to meet or exceed sales targets, identifying as a risk failing to have sufficient knowledge of external factors such as current and potential customers’ needs. To reduce the likelihood of occurrence and impact of the risk, management establishes buying histories of existing customers and undertakes new market research initiatives. These risk responses serve as focal points for the establishment of control activities, including tracking progress of development of customer buying histories against established timetables, and taking steps to ensure the accuracy of reported data. In this sense, control activities are built directly into the management process.In selecting control activities, management considers how control activities are related to one another. In some instances, a single control activity addresses multiple risk responses. In other instances, multiple control activities are needed for one risk response. In still others,61Control Activitiesmanagement might find that existing control activities are sufficient to ensure that new risk responses are executed effectively.While control activities generally are established to ensure risk responses are appropriately carried out, with respect to certain objectives, control activities themselves are the risk response. For instance, for an objective to ensure specified transactions are properly authorized, the response will likely be control activities such as segregation of duties and approvals by supervisory personnel.Just as selection of risk responses considers their appropriateness and remaining, or residual, risk, selection or review of control activities should include consideration of their relevance and appropriateness to the risk response and related objective. This may be accomplished by separate consideration of the propriety of the control activities, or by considering residual risk in the context of both the risk response and related control activities.Control activities are an important part of the process by which an enterprise strives to achieve its business objectives. Control activities are not performed simply for their own sake or because it seems to be the “right or proper” thing to do. In the example above, management needs to take steps to ensure that sales targets are met. Control activities serve as mechanisms for managing the achievement of that objective.Types of Control ActivitiesMany different descriptions of types of control activities have been put forth, including preventive, detective, manual, computer, and management controls. Control activities also can be typed by specified control objectives, such as ensuring completeness and accuracy of data processing.Exhibit 7.1 describes commonly used control activities. These are just a few among many procedures commonly performed by personnel at various organizational levels that serve to enforce adherence to established action plans and to keep entities on track toward achieving their objectives. They are presented to illustrate the range and variety of control activities, not to suggest any particular categorization.Exhibit 7.1Top-level reviews – Senior management reviews actual performance versus budgets, forecasts, prior periods, and competitors. Major initiatives are tracked – such as marketing thrusts, improved production processes, and cost containment or reduction programs – to measure the extent to which targets are being reached. Implementation of plans is monitored for new product development, joint ventures, or financing. Direct functional or activity management – Managers running functions or activities review performance reports. A manager responsible for a bank’s consumer loans 62Control Activitiesreviews reports by branch, region, and loan (collateral) type, checking summarizations and identifying trends, and relating results to economic statistics and targets. In turn, branch managers receive data on new business by loan-officer and local-customer segment. Branch managers also focus on compliance issues, reviewing reports required by regulators on new deposits over specified amounts. Reconciliations are made of daily cash flows, with net positions reported centrally for overnight transfer and investment.Information processing – A variety of controls are performed to check accuracy, completeness, and authorization of transactions. Data entered are subject to on-line edit checks or matching to approved control files. A customer’s order, for example, is accepted only after reference to an approved customer file and credit limit. Numerical sequences of transactions are accounted for, with exceptions followed up and reported to supervisors. Development of new systems and changes to existing ones are controlled, as is access to data, files, and programs. Physical controls – Equipment, inventories, securities, cash, and other assets are physically secured and periodically counted and compared with amounts shown on control records. Performance indicators – Relating different sets of data − operating or financial − to one another, together with analyses of the relationships and investigative and corrective actions, serves as a control activity. Performance indicators include, for example, staff turnover rates by unit. By investigating unexpected results or unusual trends, management identifies circumstances where an insufficient capacity to complete key processes may mean that objectives have a lower likelihood of being achieved. How managers use this information − for operating decisions only, or also to follow up on unexpected results in reporting systems − determines whether analysis of performance indicators serves operational purposes alone or reporting control purposes as well. Segregation of duties – Duties are divided, or segregated, among different people to reduce the risk of error or fraud. For instance, responsibilities for authorizing transactions, recording them, and handling the related asset are divided. A manager authorizing credit sales would not be responsible for maintaining accounts receivable records or handling cash receipts. Similarly, salespersons would not have the ability to modify product price files or commission rates. Often, a combination of controls is implemented to deal with related risk responses. For example, a company’s management sets transaction limits to manage risks related to an investment portfolio, and establishes control activities designed to help ensure the trading limits are not exceeded. Control activities include preventive controls to stop certain transactions before execution, and detective controls to identify other transactions on a timely basis. The control activities combine computer and manual controls, including automated63Control Activitiescontrols to ensure all information is correctly captured, and routing procedures enabling responsible individuals to authorize or approve investment decisions.Policies and ProceduresControl activities usually involve two elements: a policy establishing what should be done and procedures to effect the policy. For example, a policy might call for review of customer trading activities by a securities dealer’s retail branch manager. The procedure is the review itself, performed in a timely manner and with attention to factors set forth in the policy, such as the nature and volume of securities traded and their relation to customer net worth and age.Many times, policies are communicated orally. Unwritten policies can be effective where the policy is a long-standing and well-understood practice, and in smaller organizations where communications channels involve few management layers and close interaction with and supervision of personnel. But regardless whether it’s written, a policy must be implemented thoughtfully, conscientiously, and consistently. A procedure will not be useful if performed mechanically and without a sharp, continuing focus on conditions to which the policy is directed. Further, it is essential that conditions identified as a result of the procedure be investigated and appropriate corrective actions taken. Follow-up actions might vary depending on the size and organizational structure of an enterprise. They could range from formal reporting processes in a large company −where business units state why targets were not met and what actions are being taken to prevent recurrence −to an owner-manager of a small business walking down the hall to speak with the plant manager about what went wrong and what needs to be done.Controls over Information SystemsWith widespread reliance on information systems to operate an enterprise and meet reporting and compliance objectives, controls are needed over significant systems. Two broad groupings of information systems control activities can be used. The first is general controls, which apply to many if not all application systems and help ensure their continued, proper operation. The second is application controls, which include computerized steps within application software to control the processing. General and application controls, combined with manual process controls where necessary, work together to ensure completeness, accuracy, and validity of information.General ControlsGeneral controls include controls over information technology management, information technology infrastructure, security management, and software acquisition, development, and maintenance. They apply to all systems −from mainframe to client/server to desktop and portable computer environments. Exhibit 7.2 provides examples of common controls within these categories.64Control ActivitiesExhibit 7.2Information technology management – A steering committee provides oversight, monitoring, and reporting of information technology activities and improvement initiatives. Information technology infrastructure – Controls apply to system definition, acquisition, installation, configuration, integration, and maintenance. Controls may include service-level agreements that establish and reinforce system performance, business continuity planning that maintains system availability, tracking network performance for operational failures, and scheduling computer operations. The system software component of information technology infrastructure may include such controls as management or steering committee review and approval of significant new acquisitions, restricting access to system configuration and operating system software, automated reconciliations of data accessed through middleware software, and parity bit detection for communications errors. System software controls also include incident tracking, system logging, and review of reports detailing usage of data-altering utilities. Security management – Logical access controls such as secure passwords restrict access at the network, database, and application levels. User accounts and related access privilege controls help restrict authorized users to only applications or application functions needed to do their jobs. Internet firewalls and virtual private networks protect data from unauthorized external access. Software acquisition, development, and maintenance – Controls over software acquisition and implementation are incorporated into an established process for managing change, including documentation requirements, user acceptance testing, stress testing, and project risk assessments. Access to source codes is controlled via code library. Software developers work only in segregated development/test environments and do not have access to the production environment. Controls over system changes include required authorization of change requests, review of the changes, approvals, documentation, testing, implications of changes for other information technology components, stress testing results, and implementation protocols. Application ControlsApplication controls focus directly on completeness, accuracy, authorization, and validity of data capture and processing. They help ensure data are captured or generated when needed, supporting applications are available, and interface errors are detected quickly.An important objective of application controls is to prevent errors from entering the system, as well as to detect and correct errors once they are present. To do this, application controls often involve computerized edit checks consisting of format, existence, reasonableness, and65Control Activitiesother data checks built into applications during development. When properly designed, they can provide control over data entering the system.Exhibit 7.3 provides examples of application controls. These are just a few among a myriad of controls performed every day, through calculation and comparison, that serve to prevent and detect inaccurate, incomplete, inconsistent, or improper data capture and processing.Exhibit 7.3Balancing control activities – Detect data capture errors by reconciling amounts entered, either manually or automatically, to a control total. A company automatically balances the total number of transactions processed and passed from its on-line order entry system to the number of transactions received in its billing system. Check digits – Validate data by calculations. A company’s part numbers contain a check digit to detect and correct inaccurate ordering from its suppliers. Predefined data listings – Provide the user with predefined lists of acceptable data. A company’s intranet site includes drop-down lists of products available for purchase. Data reasonableness tests – Compare data captured with a present or learned pattern of reasonableness. An order to a supplier by a home renovation retail store for an unusually large number of board feet of lumber triggers a review. Logic tests – Include use of range limits or value or alphanumeric tests. A government agency detects potential errors in social security numbers by checking whether all entered numbers contain nine digits. Entity SpecificBecause each entity has its own set of objectives and implementation approaches, there will be differences in risk responses and related control activities. Even if two entities had identical objectives and made similar decisions on how they should be achieved, the control activities likely would be different. Each entity is managed by different people who use individual judgments in effecting control. Moreover, controls reflect the environment and industry in which an entity operates, as well as the size and complexity of its organization, nature and scope of its activities, its history, and its culture.Large, complex organizations with diverse activities may face more difficult control issues than small, simple organizations with less varied activities. An entity with decentralized operations, and an emphasis on local autonomy and innovation, presents different control circumstances than a highly centralized one. Other factors that influence an entity’s complexity, and therefore the nature of its controls, include location and geographical dispersion, extensiveness and sophistication of operations, and information processing methods.66Information and CommunicationINFORMATION AND COMMUNICATION Chapter Summary: Pertinent information is identified,TIONScaptured, and communicated in a form and timeframeSTRATEGICAREPORTING OMPLIANCEthat enable people to carry out their responsibilities.OPERCInternalEnvironmentTINUSSENISUBYRAIDISBUSInformation systems use internally generated data, andObjectiveSettingLEVEL-YTITNENOISIVIDinformationfromexternalsources,providingEvent Identificationinformation for managing risks and making informedRisk Assessmentdecisionsrelativetoobjectives.EffectiveRisk Responsecommunication also occurs, flowing down, across, andControl Activitiesup the organization.All personnelreceive aclearInformation & Communicationmessage from top managementthatenterpriseriskmanagementresponsibilitiesmust betakenseriously.MonitoringThey understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties, such as customers, suppliers, regulators, and shareholders.Every enterprise identifies and captures a wide range of information, relating to external as well as internal events and activities, relevant to managing the entity. This information is delivered to personnel in a form and timeframe that enable them to carry out their enterprise risk management and other responsibilities.InformationInformation is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise run the entity and achieve its objectives. An array of information is used, relevant to one or more objectives categories.Operating information from internal and external sources, both financial and non-financial, is relevant to multiple business objectives. Financial information, for instance, is used in developing financial statements for reporting purposes, and also for operating decisions, such as monitoring performance and allocating resources. Reliable financial information is fundamental to planning, budgeting, pricing, evaluating vendor performance, assessing joint ventures and alliances, and a range of other management activities.Similarly, operating information is essential for developing financial and other reports. This includes the routine – purchases, sales, and other transactions – as well as information on competitors’ product releases or economic conditions, which can affect inventory and receivables valuations. And information needed for compliance purposes, such as information on airborne particle emissions or personnel data, also may serve financial reporting objectives.67Information and CommunicationInformation comes from many sources – internal and external, and in quantitative and qualitative forms – and facilitates responses to changing conditions. A challenge for management is to process and refine large volumes of data into actionable information. This challenge is met by establishing an information systems infrastructure to source, capture, process, analyze, and report relevant information. These information systems – usually computerized but also involving manual inputs or interfaces – often are viewed in the context of processing internally generated data. But information systems have a much broader application. They also deal with information about external events, for example, market- or industry-specific economic data that signals changes in demand for a company’s products or services, data on goods and services for production processes, market intelligence on evolving customer preferences or demands, information on competitors’ product development activities, and legislative or regulatory initiatives.Information systems can be formal or informal. Conversations with customers, suppliers, regulators, and entity personnel often provide critical information needed to identify risks and opportunities. Similarly, attendance at professional or industry seminars and memberships in trade and other associations can provide valuable information.Keeping information consistent with needs is particularly important when an entity faces fundamental industry changes, highly innovative and quick-moving competitors, or significant customer demand shifts. Information systems change as needed to support new objectives. They identify and capture needed financial and non-financial information, and also process and report this information in a timeframe and way that are useful in controlling the entity’s activities.Strategic and Integrated SystemsAs enterprises have become more collaborative and integrated with customers, suppliers, and business partners, the division between an entity’s information systems architecture and that of external parties is increasingly blurred. As a result, data processing and data management often become a shared responsibility of multiple entities. In such cases, an organization’s information systems architecture must be sufficiently flexible and agile to effectively integrate with affiliated external parties.The design of an information systems architecture and acquisition of technology are important aspects of entity strategy, and choices regarding technology can be critical to achieving objectives. Decisions about technology selection and implementation depend on many factors, including organizational goals, marketplace needs, and competitive requirements. While information systems are fundamental to effective enterprise risk management, risk management techniques can assist in making technology decisions.Information systems have long been designed and used to support business strategy. This role becomes critical as business needs change and technology creates new opportunities for68Information and Communicationstrategic advantage. In some cases, changes in technology have reduced the advantage gained in initial deployment, driving new strategic direction. For instance, airline reservation systems that gave travel agents easy access to flight information later moved to customer-facing Internet reservation systems, significantly reducing or eliminating involvement of the traditional travel agent.Integration with OperationsInformation systems often are fully integrated into most aspects of operations. Web and web-based systems are common, with many companies having enterprise-wide information systems such as enterprise resource planning. These applications facilitate access to information previously trapped in functional or departmental silos, making it available for widespread management use. Transactions are recorded and tracked in real time, enabling managers to immediately access financial and operating information more effectively to control business activities. For example, a construction company dealing in multiple large-scale projects uses an integrated, extranet-based system to meet marketplace and efficiency expectations. The system provides information that helps managers track customer-supplied inventory and parts, identify over- or short-supply material at multiple job sites, obtain cost savings with suppliers of common materials or combine with similar organizations to obtain volume discounts, and oversee the subcontractors’ activities. It also allows employees to seamlessly share current drawings with architects and engineers, customers, subcontractors, and regulators, while maintaining drawing version control. Additionally, the system encompasses knowledge management capabilities that allow company employees to share innovative solutions throughout the organization.To support effective enterprise risk management, an entity captures and uses historical and present data. Historical data allows the entity to track actual performance against targets, plans, and expectations. They provide insights into how the entity performed under varying conditions, allowing management to identify correlations and trends, and to forecast future performance. Historical data also can provide early warning of potential events that warrant management attention.Present or current-state data allows an entity to determine whether it is remaining within established risk tolerances. Such data allows management to take a real-time view of existing risks within a process, function, or unit, and to identify variations from expectations.Developments in information systems have improved the ability of many organizations to measure and monitor performance and present analytical information at an enterprise level. System complexity and integration continue, with organizations utilizing new technology capabilities as they emerge. However, the growing reliance on information systems at the strategic and operational level brings about new risks – such as information security breaches or cyber-crimes – that must be integrated into the entity’s enterprise risk management.69Information and CommunicationDepth and Timeliness of InformationThe information infrastructure sources and captures data in a timeframe and at a depth consistent with an entity’s need to identify, assess, and respond to risk, and remain within its risk tolerances. Timeliness of information flow needs to be consistent with the rate of change in the entity’s internal and external environments.The importance of depth of data is illustrated by looking at different events affecting a brokerage firm located in a city susceptible to floods. For business continuity planning, management maintains a general awareness of potential flood conditions and is positioned to advise personnel when to move to back-up facilities. Information captured at this high level is sufficient to allow the firm to adequately manage the risk. In contrast, as a broker, the firm sources and continuously captures changes in stock, bond, and commodity prices to several decimal points. This level of data timeliness and detail is consistent with the firm’s need to respond immediately to price changes that may precipitate risks, such as an overexposure to a particular market sector or security inconsistent with the firm’s risk appetite.The information infrastructure converts raw data into relevant information that assists personnel in carrying out their enterprise risk management and other responsibilities. Information is provided in a form and timeframe that are actionable, readily usable, and linked to defined accountabilities.Advances in data collection, processing, and storage have resulted in exponential growth in data volume. With more data available − often in real time − to more people in an organization, the challenge is to avoid “information overload” by ensuring flow of the right information, in the right form, at the right level of detail, to the right people, at the right time. In developing the knowledge and information infrastructure, consideration should be given to the distinct information requirements of individual users and departments, and to summary-level information needed by different levels of management.Information QualityWith increasing dependence on sophisticated information systems and data-driven automated decision systems and processes, data reliability is critical. Inaccurate data can result in unidentified risks or poor assessments and bad management decisions.The quality of information includes ascertaining whether:Content is appropriate – Is it at the right level of detail? Information is timely – Is it there when required? Information is current – Is it the latest available? Information is accurate – Is the data correct? Information is accessible – Is it easy to obtain by those who need it? 70Information and CommunicationTo drive data quality, entities establish enterprise-wide data management programs, encompassing acquisition, maintenance, and distribution of relevant information. Without such programs, information systems might not provide the information that management and other personnel require.Challenges are many: Conflicting functional needs, system constraints, and non-integrated processes can inhibit data acquisition and its effective use. To meet these challenges, management establishes a strategic plan with clear accountability and responsibilities for data integrity, and performs regular data quality assessments.Having the right information, on time and at the right place, is essential to effecting enterprise risk management. That is why information systems, while a component of enterprise risk management, also must be controlled.CommunicationCommunication is inherent in information systems. As discussed above, information systems must provide information to appropriate personnel so that they can carry out their operating, reporting, and compliance responsibilities. But communication also must take place in a broader sense, dealing with expectations, responsibilities of individuals and groups, and other important matters.InternalManagement provides specific and directed communication that addresses behavioral expectations and the responsibilities of personnel. This includes a clear statement of the entity’s risk management philosophy and approach and a clear delegation of authority. Communication about processes and procedures should align with, and underpin, the desired culture.Communication should effectively convey:The importance and relevance of effective enterprise risk management The entity’s objectives The entity’s risk appetite and risk tolerances A common risk language The roles and responsibilities of personnel in effecting and supporting the components of enterprise risk management All personnel, particularly those with important operating or financial management responsibilities, need to receive a clear message from top management that enterprise risk management must be taken seriously. Both the clarity of the message and effectiveness with which it is communicated are important.71Information and CommunicationPersonnel also need to know how their activities relate to the work of others. This knowledge is necessary to recognize a problem or determine its cause and corrective action. And, they need to know what is deemed acceptable and unacceptable behavior. There have been well-publicized instances of fraudulent reporting in which managers, under pressure to meet budgets, misrepresented operating results. In a number of these instances, no one had told these individuals that such misreporting could be illegal or otherwise improper. This underscores the critical nature of how messages are communicated within an organization. A manager who instructs subordinates, “Meet the budget – I don’t care how you do it, just do it,” unwittingly can send the wrong message.Front-line employees who deal with critical operating issues every day are often in the best position to recognize problems as they arise, and communications channels should ensure personnel can communicate risk-based information across business units, processes, or functional silos, as well as upstream. For example, sales representatives or account managers may learn of important customer product design needs, production personnel may become aware of costly process deficiencies, and purchasing personnel may be confronted with improper incentives from suppliers. Communication breakdowns can occur when individuals or units are discouraged from providing information important to others or do not have a vehicle to provide it. Personnel may be aware of significant risks, but unwilling or unable to report them.For such information to be reported, there must be open channels of communication and a clear-cut willingness to listen. Personnel must believe their superiors truly want to know about problems and will deal with them effectively. Most managers recognize intellectually that they should avoid “shooting the messenger.” But when caught up in everyday pressures, they can be unreceptive to people bringing them legitimate problems. Personnel are quick to pick up on spoken or unspoken signals that a superior doesn’t have the time or interest to deal with problems they have uncovered. Compounding such problems, the unreceptive manager is the last to know that the communications channel has been effectively shut down.In most cases, normal reporting lines in an organization are the appropriate channels of communication. In some circumstances, however, separate lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative. Many companies provide, and make employees aware of, a channel directly to the chief internal auditor or legal counsel or other senior officer having access to the board of directors, along with board or audit committee oversight, and laws and regulations increasingly call on companies to establish these mechanisms. Because of its importance, effective enterprise risk management requires such an alternative communications channel. Without both open communications channels and a willingness to listen, the upward flow of information might be blocked.72Information and CommunicationIt is important that personnel understand that there will be no reprisals for reporting relevant information. A clear message is sent by the existence of mechanisms that encourage employees to report suspected violations of an entity’s code of conduct and by the treatment of reporting personnel.A relevant and comprehensive code of conduct, coupled with employee training sessions, and ongoing corporate communications and feedback mechanisms, along with the right example set by the actions of senior management, can reinforce these important messages.Among the most critical communications channels is that between top management and the board of directors. Management must keep the board up-to-date on performance, risk, and the functioning of enterprise risk management, and other relevant events or issues. The better the communications, the more effective a board will be in carrying out its oversight responsibilities – acting as a sounding board for management on critical issues, monitoring its activities, and providing advice, counsel, and direction. By the same token, the board should communicate its information needs to management and provide feedback and direction.ExternalThere needs to be appropriate communication not only within the entity, but with the outside as well. With open external communications channels, customers and suppliers can provide highly significant input on the design or quality of products or services, enabling a company to address evolving customer demands or preferences. For example, customer or supplier complaints or inquiries about shipments, receipts, billings, or other activities often point to operating problems, and possibly to fraudulent or other improper practices. Management should be ready to recognize implications of such circumstances and investigate and take necessary corrective actions, focusing on the impact on financial reporting and compliance as well as operations objectives.Open communication about the entity’s risk appetite and risk tolerances is important, particularly for entities linked with others in supply chains or e-business enterprises. In such instances, management considers how its risk appetite and risk tolerances align with those of its business partners, ensuring it does not inadvertently accept too much risk through its partners.Communication to stakeholders, regulators, financial analysts, and other external parties provides information relevant to their needs, so they can understand readily the circumstances and risks the entity faces. Such communication should be meaningful, pertinent, and timely, and conform to legal and regulatory requirements.Management’s commitment to communication with external parties – whether open and forthcoming and serious in follow-up, or otherwise – also sends messages throughout the organization.73Information and CommunicationMeans of CommunicationCommunication can take such forms as policy manuals, memoranda, e-mails, bulletin board notices, webcasts, and videotaped messages. Where messages are transmitted orally – in large groups, smaller meetings, or one-on-one sessions – tone of voice and body language emphasize what is being said.The way management deals with personnel can communicate a powerful message. Managers should remember that actions speak louder than words. Their actions are, in turn, influenced by the entity’s history and culture, drawing on past observations of how their mentors dealt with similar situations.An entity with a history of operating with integrity, and whose culture is well understood by people throughout the organization, will likely find little difficulty communicating its message. An entity without such a tradition will need to put more effort into the way messages are communicated.74MonitoringMONITORING Chapter Summary: Enterprise risk management is monitored – assessing the presence and functioning of its components over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.STRATEGICREPORTINGOMPLIANCEOPERATIONSCInternal EnvironmentTINUSSENISUBYRAIDISBUSObjective SettingLEVEL-YTITNENOISIVIDEvent IdentificationRisk AssessmentRisk ResponseControl ActivitiesInformation & CommunicationMonitoringAn entity’s enterprise risk management changes over time. Risk responses that were once effective may become irrelevant; control activities may become less effective, or no longer be performed; or entity objectives may change. This can be due to the arrival of new personnel, changes in entity structure or direction, or the introduction of new processes. In the face of such changes, management needs to determine whether the functioning of enterprise risk management continues to be effective.Monitoring can be done in two ways: through ongoing activities or separate evaluations. Enterprise risk management mechanisms usually are structured to monitor themselves on an ongoing basis, at least to some degree. The greater the degree and effectiveness of ongoing monitoring, the less need for separate evaluations. The frequency of separate evaluations necessary for management to have reasonable assurance about the effectiveness of enterprise risk management is a matter of management’s judgment. In making that determination, consideration is given to the nature and degree of changes occurring and their associated risks, the competence and experience of the personnel implementing risk responses and related controls, and the results of ongoing monitoring. Usually, some combination of ongoing monitoring and separate evaluations will ensure that enterprise risk management maintains its effectiveness over time.Ongoing monitoring is built into the normal, recurring operating activities of an entity. Ongoing monitoring is performed on a real-time basis, reacts dynamically to changing conditions, and is ingrained in the entity. As a result, it is more effective than separate evaluations. Since separate evaluations take place after the fact, problems often will be identified more quickly by ongoing monitoring routines. Many entities with sound ongoing monitoring activities nonetheless conduct separate evaluations of enterprise risk management75Monitoringperiodically. An entity that perceives a need for frequent separate evaluations should focus on enhancing ongoing monitoring activities.Ongoing Monitoring ActivitiesMany activities serve to monitor the effectiveness of enterprise risk management in the ordinary course of running the business. These stem from regular management activities, which might involve variance analysis, comparisons of information from disparate sources, and dealing with unexpected occurrences.Ongoing monitoring activities generally are performed by line operating or functional support managers, giving thoughtful consideration to implications of information they receive. By focusing on relationships, inconsistencies, or other relevant implications, they raise issues and follow up with other personnel as necessary to determine whether corrective or other action is called for. Ongoing monitoring activities are differentiated from activities performed as required by policy in business processes. For example, approvals of transactions, reconciliations of account balances, and verifying the accuracy of changes to master files, performed as required steps in information systems or accounting processes, are best defined as control activities.Exhibit 9.1 includes examples of ongoing monitoring activities.Exhibit 9.1Managers reviewing operating reports, used to manage operations on an ongoing basis, may spot inaccuracies or exceptions to anticipated results. For example, managers of sales, purchasing, and production at divisional, subsidiary, and corporate levels who are in touch with operations can question reports that differ significantly from their knowledge of operations. Timely and complete reporting and resolution of these exceptions enhance effectiveness of the process. Changes in information reported in value-at-risk models used to evaluate the impacts of potential market movements on an entity’s financial position are related to reported financial transactions, focusing on expected relationships. Communications from external parties corroborate internally generated information or indicate problems. Customers implicitly corroborate billing data by paying their invoices. Conversely, customer complaints about billings could indicate system deficiencies in the processing of sales transactions. Similarly, reports from investment managers on securities gains, losses, and income can corroborate or signal problems with the entity’s (or the manager’s) records. An insurance company’s review of safety policies and practices provides information on operational safety and compliance performance. 76MonitoringRegulators communicate with management on compliance or other matters that reflect on the functioning of enterprise risk management. Internal and external auditors and advisors regularly provide recommendations to strengthen enterprise risk management. Auditors may focus considerable attention on key risks and related responses and design of control activities. Potential weaknesses may be identified, and alternative actions recommended to management, accompanied by information useful in making cost-benefit determinations. Internal auditors or personnel performing similar review functions can be particularly effective in monitoring an entity’s activities. Training seminars, planning sessions, and other meetings provide important feedback to management on whether enterprise risk management is effective. In addition to particular problems that may indicate risk issues, participants’ risk and control consciousness often becomes apparent. Managers in the normal course of running the business discuss with personnel such matters as their understanding of the entity’s code of conduct, how they identify risks, and issues arising in connection with the operation of control activities. These discussions confirm proper functioning of elements of enterprise risk management or surface matters needing attention. Separate EvaluationsWhile ongoing monitoring procedures usually provide important feedback on the effectiveness of other enterprise risk management components, it may be useful to take a fresh look from time to time, focusing directly on enterprise risk management effectiveness. This also provides an opportunity to consider the continued effectiveness of the ongoing monitoring procedures.Scope and FrequencyEvaluations of enterprise risk management vary in scope and frequency, depending on the significance of risks and importance of the risk responses and related controls in managing the risks. Higher-priority risk areas and responses tend to be evaluated more often. Evaluation of the entirety of enterprise risk management – which generally will be needed less frequently than the assessment of specific parts – may be prompted by a number of reasons: major strategy or management change, acquisitions or dispositions, changes in economic or political conditions, or changes in operations or methods of processing information. When a decision is made to undertake a comprehensive evaluation of an entity’s enterprise risk management, attention should be directed to addressing its application in strategy setting as well as with respect to significant activities. The evaluation scope also will depend on which objectives categories – strategic, operations, reporting, and compliance – are to be addressed.77MonitoringWho EvaluatesOften, evaluations take the form of self-assessments, where persons responsible for a particular unit or function determine the effectiveness of enterprise risk management for their activities. For example, the chief executive of a division directs the evaluation of its enterprise risk management activities. He or she personally assesses the risk management activities associated with strategic choices and high-level objectives as well as the internal environment component, and individuals in charge of the division’s various operating activities assess the effectiveness of enterprise risk management components relative to their spheres of responsibility. Line managers focus on operations and compliance objectives, and the divisional controller focuses on reporting objectives. The division’s assessments are then considered by senior management, along with evaluations of the company’s other divisions.Internal auditors normally perform evaluations as part of their regular duties, or at the specific request of senior management, the board, or subsidiary or divisional executives. Similarly, management may utilize input from external auditors in considering the effectiveness of enterprise risk management. A combination of efforts may be used in conducting whatever evaluative procedures management deems necessary.The Evaluation ProcessEvaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline should be brought to the process, with certain basics inherent in it.The evaluator must understand each of the entity’s activities and each of the components of enterprise risk management being addressed. It may be useful to focus first on how enterprise risk management purportedly functions − sometimes referred to as the system or process design.The evaluator must determine how the system actually works. Procedures designed to operate in a particular way may be modified over time to operate differently or may no longer be performed. Sometimes new procedures are established but are not known to those who described the process and are not included in available documentation. A determination as to actual functioning can be accomplished by holding discussions with personnel who perform or are affected by enterprise risk management, by examining records on performance, or a combination of procedures.The evaluator analyzes the enterprise risk management process design and the results of tests performed. The analysis is conducted against the backdrop of management’s established standards for each component, with the ultimate goal of determining whether the process provides reasonable assurance with respect to the stated objectives.78MonitoringMethodologyA variety of evaluation methodologies and tools are available, including checklists, questionnaires, and flowcharting techniques. As part of their evaluation methodology, some companies compare or benchmark their enterprise risk management process against those of other entities. An entity may, for example, measure its enterprise risk management against those companies with reputations for having particularly good enterprise risk management. Comparisons might be done directly with another company or under the auspices of trade or industry associations. Other organizations may provide comparative information, and peer review functions in some industries can help a company evaluate its enterprise risk management against its peers. A word of caution is needed. When conducting comparisons, consideration must be given to differences that always exist in objectives, facts, and circumstances. And all eight enterprise risk management components, as well as the inherent limitations of enterprise risk management, need to be kept in mind.DocumentationThe extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity, and similar factors. Larger organizations usually have written policy manuals, formal organization charts, written job descriptions, operating instructions, information system flowcharts, and so forth. Smaller entities typically have considerably less documentation. Many aspects of enterprise risk management are informal and undocumented, yet are regularly performed and highly effective. These activities may be tested in the same ways as documented activities. The fact that elements of enterprise risk management are not documented does not mean that they are not effective or that they cannot be evaluated. However, an appropriate level of documentation usually makes evaluations more effective and efficient.The evaluator may decide to document the evaluation process itself. He or she usually will draw on existing documentation of the entity’s enterprise risk management. Typically, this will be supplemented with additional documentation, along with descriptions of the tests and analyses performed in the evaluation.Where management intends to make a statement to external parties regarding enterprise risk management effectiveness, it should consider developing and retaining documentation to support the statement. Such documentation may be useful if the statement subsequently is challenged.Reporting DeficienciesDeficiencies in an entity’s enterprise risk management may surface from many sources, including the entity’s ongoing monitoring procedures, separate evaluations, and external parties. A deficiency is a condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen79Monitoringenterprise risk management to increase the likelihood that the entity’s objectives will be achieved.Sources of InformationOne of the best sources of information on enterprise risk management deficiencies is enterprise risk management itself. Ongoing monitoring activities of an enterprise, including managerial activities and everyday supervision of employees, generate insights from those who are directly involved in the entity’s activities. These insights are gained in real time and can provide quick identification of deficiencies. Other sources of deficiencies are the separate evaluations of enterprise risk management. Evaluations performed by management, internal auditors, or other functions can highlight areas in need of improvement.External parties frequently provide important information on the functioning of an entity’s enterprise risk management. These include customers, vendors and others doing business with the entity, external auditors, and regulators. Reports from external sources should be carefully considered for their implications for enterprise risk management, and appropriate corrective actions should be taken.What Is ReportedWhat should be reported? Although a universal answer is not possible, certain parameters can be drawn.All identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its strategy and to set and achieve its objectives should be reported to those positioned to take necessary action. The nature of matters to be communicated will vary depending on individuals’ authority to deal with circumstances that arise and on the oversight activities of superiors. In considering what needs to be communicated, it is necessary to look at the implications of findings. It is essential not only that a particular transaction or event be reported, but also that related potentially faulty procedures be reevaluated.It can be argued that no problem is so insignificant as to make investigation of its implications unwarranted. An employee taking a few dollars from a petty cash fund for personal use, for example, would not be significant in terms of that particular event, and probably not in terms of the amount of the entire petty cash fund. Thus, investigating it might not be worthwhile. However, such apparent condoning of personal use of the entity’s money might send the wrong message to employees.In addition to deficiencies, identified opportunities to increase the likelihood that the entity’s objectives will be achieved also should be reported.80MonitoringTo Whom to ReportInformation generated in the course of operating activities usually is reported through normal channels to immediate superiors. They in turn may communicate upstream or laterally in the organization, so that the information ends up with personnel who can and should act on it.Alternative communications channels also should exist for reporting sensitive information such as illegal or improper acts. Findings of enterprise risk management deficiencies usually should be reported not only to the individual responsible for the function or activity involved, but also to at least one level of management above that person. This higher level of management provides needed support or oversight for taking corrective action and is positioned to communicate with others in the organization whose activities may be affected. Where findings cut across organizational boundaries, the reporting should cross over as well and be directed to a sufficiently high level to ensure appropriate action.Reporting DirectivesProviding needed information on enterprise risk management deficiencies to the right party is critical. Protocols should be established to identify what information is needed at a particular level for effective decision making.Such protocols reflect the general rule that a manager should receive information that affects actions or behavior of personnel within his or her responsibility, as well as information needed to achieve specific objectives. A chief executive normally would want to be apprised, for example, of serious infractions of policies and procedures. He or she also would want supporting information on matters that could have significant financial impacts or strategic implications or that could affect the entity’s reputation.Senior managers should be apprised of risk management and control deficiencies affecting their units. Examples include circumstances where assets with a specified monetary value are not adequately protected, where the competence of employees is lacking, or where important financial reconciliations are not performed correctly. Managers should be informed of deficiencies in their units in increasing levels of detail, as one moves down the organizational structure.Supervisors define reporting protocols for subordinates. The degree of specificity will vary, usually increasing at lower levels in the organization. While reporting protocols can inhibit effective reporting if too narrowly defined, they can enhance reporting if sufficient flexibility is provided.Parties to whom deficiencies are to be communicated sometimes provide specific directives regarding what should be reported. A board of directors or audit committee, for example, may ask management or internal or external auditors to communicate only those deficiencies meeting a specified threshold of seriousness or importance.81Roles and ResponsibilitiesROLES AND RESPONSIBILITIES Chapter Summary: Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume “ownership.” Other managers support the risk management philosophy, promote compliance with the risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. Other personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management. A number of external parties often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of the entity’s enterprise risk management.Enterprise risk management is effected by a number of parties, each with important responsibilities. The board of directors (directly or through its committees), management, internal auditors, and other personnel all make important contributions to risk management. Other parties, such as external auditors and regulatory bodies, are sometimes associated with risk assessments and internal control. However, a distinction exists between those who are part of an entity’s enterprise risk management process and those who are not, but whose actions nonetheless can affect the process or otherwise help the entity achieve its objectives. Directly or indirectly helping an entity achieve its objectives, however, does not make an external party a part of or responsible for the entity’s enterprise risk management.Entity PersonnelThe board of directors, management, risk officers, financial officers, internal auditors, and indeed every individual within an entity contribute to effective enterprise risk management.Board of DirectorsManagement is accountable to the board of directors or trustees, which provides monitoring, guidance, and direction. By selecting management, the board has a major role in defining what it expects in integrity and ethical values, and through its oversight activities can determine whether its expectations are being met. Similarly, by reserving authority in certain key decisions, the board plays a role in setting strategy, formulating high-level objectives, and broad-based resource allocation.The board provides oversight with regard to enterprise risk management by:Knowing the extent to which management has established effective enterprise risk management in the organization Being aware of and concurring with the entity’s risk appetite Reviewing the entity’s portfolio view of risk and considering it against the entity’s risk appetite 83Roles and ResponsibilitiesBeing apprised of the most significant risks and whether management is responding appropriately The board is part of the internal environment component and must have the requisite composition and focus for enterprise risk management to be effective.Effective board members are objective, capable, and inquisitive. They have a working knowledge of the entity’s activities and environment and commit the time necessary to fulfill their board responsibilities. They utilize resources as needed to conduct special investigations and have open and unrestricted communications with internal auditors, external auditors, and legal counsel.Boards of directors may use board committees in carrying out certain of their duties. The use and focus of committees vary from one entity to another, although common committees are nominating/governance, compensation, and audit committees, with each focusing attention on elements of enterprise risk management. The nominating committee, for example, identifies and considers qualifications of prospective board members, and the compensation committee considers the appropriateness of reward systems, balancing healthy motivational programs with the need to avoid unnecessary temptation to manipulate compensation drivers. The audit committee has a direct role in the reliability of external reporting, and must recognize key risks relative to reliable financial reporting. As such, the board and its committees are an important part of enterprise risk management.ManagementManagement is directly responsible for all activities of an entity, including enterprise risk management. Naturally, management at different levels has different enterprise risk management responsibilities. These vary, often considerably, depending on the entity’s characteristics.In any entity, the chief executive officer has ultimate ownership responsibility for enterprise risk management. One of the most important aspects of this responsibility is ensuring the presence of a positive internal environment. More than any other individual or function, the CEO sets the tone at the top that influences internal environmental factors and other components of enterprise risk management. A CEO also can influence the board of directors, through whatever influence he or she has on identifying new members, and in setting an example and serving to attract, or deter, candidates for the board. Increasingly, candidates for board seats look closely at top management’s integrity and ethical values in determining whether to accept a nomination. Potential directors also focus on whether the entity’s enterprise risk management has the necessary critical underpinnings of integrity and ethical values to enable its effectiveness.84Roles and ResponsibilitiesThe chief executive’s responsibilities include seeing that all components of enterprise risk management are in place. The CEO generally fulfills this duty by:Providing leadership and direction to senior managers. Together with them, the CEO shapes the values, principles, and major operating policies that form the foundation of the entity’s enterprise risk management. The CEO and key senior managers set strategic objectives, strategy, and related high-level objectives. They also set broad-based policies and develop the entity’s risk management philosophy, risk appetite, and culture. They take actions concerning the entity’s organizational structure, content and communication of key policies, and the type of planning and reporting systems the entity will use. Meeting periodically with senior managers responsible for major functional areas – sales, marketing, production, procurement, finance, human resources – to review their responsibilities, including how they manage risk. The CEO gains knowledge of risks inherent in operations, risk responses, and control improvements required, and the status of efforts under way. To discharge this responsibility, the CEO must clearly define the information he or she needs. With this knowledge, the CEO is positioned to monitor activities and risks in relation to the entity’s risk appetite. Where evolving circumstances, emerging risks, strategy implementation, or anticipated actions indicate potential misalignment with risk appetite, the CEO will take necessary action to reestablish alignment, or discuss with the board of directors further action to be taken or whether the entity’s risk appetite should be adjusted.Senior managers in charge of organizational units have responsibility for managing risks related to their units’ objectives. They convert strategy into operations, identify events and assess risks, and effect risk responses. Managers guide application of enterprise risk management components within their spheres of responsibility, ensuring application is consistent with risk tolerances. In this sense, a cascading responsibility exists, where each executive is effectively a CEO for his or her sphere of responsibility.Senior managers usually assign responsibility for specific enterprise risk management procedures to managers in specific processes, functions, or departments. Accordingly, these managers usually play a more hands-on role in devising and executing particular risk procedures that address unit objectives, such as techniques for event identification and risk assessment, and in determining responses, such as developing protocols for purchasing raw materials or accepting new customers. They also make recommendations on related control activities, monitor their application, and meet with upper-level managers to report on the control activities’ functioning.85Roles and ResponsibilitiesThis may involve investigating external events or conditions, data entry errors, or transactions appearing on exception reports, looking into reasons for departmental expense budget variances and following up on customer back orders or product inventory positions. Significant matters, whether pertaining to a particular transaction or an indication of a larger concern, are communicated upward in the organization.Staff functions, such as human resources, compliance, or legal, also have important supporting roles in designing or shaping effective enterprise risk management components. The human resources function may design and help implement training programs on the entity’s code of conduct and other broad policy issues, often rolled out with business unit leadership. The legal function provides information to line managers on new laws and regulations that affect operating policies, and it or compliance officers provide critical information on whether planned transactions or protocols conform to legal and ethical requirements.Managers’ responsibilities should entail both authority and accountability. Each manager should be accountable to the next higher level for his or her portion of enterprise risk management, with the CEO ultimately accountable to the board. Although different management levels have distinct enterprise risk responsibilities and functions, their actions should coalesce in the entity’s enterprise risk management.Risk OfficerSome companies have established a centralized coordinating point to facilitate enterprise risk management. A risk officer – referred to in some organizations as the chief risk officer or risk manager – works with other managers in establishing effective risk management in their areas of responsibility. Established by and under direct auspices of the chief executive, the risk officer has the resources to help effect enterprise risk management across subsidiaries, businesses, departments, functions, and activities. The risk officer may have responsibility for monitoring progress and for assisting other managers in reporting relevant risk information up, down, and across the entity. The risk officer also may serve as a supplementary reporting channel.Some companies assign this role to another senior officer, such as chief financial officer, general counsel, chief audit executive, or chief compliance officer; others have found that the importance and breadth of scope of this function require separate assignment and resources.Companies have found this role most successful when set up with clarity around its responsibility as a staff function – providing support and facilitation to line management. For enterprise risk management to be effective, line managers must assume primary responsibility and have accountability for managing risk within their respective areas.86Roles and ResponsibilitiesResponsibilities of a risk officer may include:Establishing enterprise risk management policies, including defining roles and responsibilities and participating in setting goals for implementation Framing authority and accountability for enterprise risk management in business units Promoting an enterprise risk management competence throughout the entity, including facilitating development of technical enterprise risk management expertise and helping managers align risk responses with the entity’s risk tolerances and developing appropriate controls Guiding integration of enterprise risk management with other business planning and management activities Establishing a common risk management language that includes common measures around likelihood and impact, and common risk categories Facilitating managers’ developing of reporting protocols, including quantitative and qualitative thresholds, and monitoring the reporting process Reporting to the chief executive on progress and outliers and recommending action as needed Financial ExecutivesOf particular significance to enterprise risk management activities are finance and controllership executives and their staffs, whose activities cut across, up, and down all operating and business units. These financial executives often are involved in developing entity-wide budgets and plans, and they track and analyze performance, often from an operations, compliance, and reporting perspective. These activities are usually part of an entity’s central or “corporate” organization, but commonly they also have “dotted line” responsibility for monitoring division, subsidiary, or other unit activities. As such, the chief financial officer, chief accounting officer, controller, and others in the financial function are central to the way management exercises enterprise risk management. They play an important role in preventing and detecting fraudulent reporting, and as a member of top management, the chief financial officer helps set the tone of the organization’s ethical conduct; has a major responsibility for the financial statements, and influences the design, implementation, and monitoring of the company’s reporting systems.When looking at the components of enterprise risk management, it is clear that the chief financial officer and his or her staff play critical roles. This person is a key player when objectives are established, strategies decided, risks analyzed, and decisions made on how changes affecting the entity will be managed. He or she provides valuable input and direction and is positioned to focus on monitoring and following up on the actions decided.87Roles and ResponsibilitiesAs such, the chief financial officer should come to the table an equal partner with the other functional heads. Any attempt by management to have him or her more narrowly focused – limited to principally areas of financial reporting and treasury, for example – could severely limit the entity’s ability to succeed.Internal AuditorsInternal auditors play a key role in evaluating the effectiveness of − and recommending improvements to − enterprise risk management. Standards established by the Institute of Internal Auditors specify that the scope of internal auditing should encompass risk management and control systems. This includes evaluating the reliability of reporting, effectiveness and efficiency of operations, and compliance with laws and regulations. In carrying out their responsibilities, internal auditors assist management and the board of directors or audit committee by examining, evaluating, reporting on, and recommending improvements to the adequacy and effectiveness of the entity’s enterprise risk management.The Institute of Internal Auditors standards also address what roles are appropriate for internal audit, making clear that internal auditors should be objective with regard to the activities they audit. This objectivity should be reflected by their position and authority within the entity and appropriate internal auditor staff assignments. Organizational position and authority involve such matters as a reporting line to an individual who has sufficient authority to ensure appropriate audit coverage, consideration, and response; selection and dismissal of the chief audit executive only with concurrence of the board of directors or audit committee; access to the board or audit committee; and authority to follow up on findings and recommendations.Other Entity PersonnelEnterprise risk management is, to some degree, the responsibility of everyone in an entity and therefore should be an explicit or implicit part of everyone’s job description. This is true from two perspectives:Virtually all personnel play some role in effecting risk management. They may produce information used in identifying or assessing risks, or take other actions needed to effect enterprise risk management. The care with which those activities are performed directly affects the effectiveness of an entity’s enterprise risk management. All personnel are responsible for supporting information and communication flows inherent in enterprise risk management. This includes communicating to a higher organizational level any problems in operations, non-compliance with the code of conduct, or other violations of policy or illegal actions. Enterprise risk management relies on checks and balances, including segregation of duties, and on personnel not “looking the other way.” Personnel should understand the need to resist pressure from superiors to participate in improper activities, and channels outside of normal reporting lines should be available to permit reporting of such circumstances. 88Roles and ResponsibilitiesEnterprise risk management is everyone’s business, and roles and responsibilities of all personnel should be well defined and effectively communicated.External PartiesA number of external parties can contribute to achievement of an entity’s objectives, sometimes by actions that parallel those taken within the entity. In other cases, external parties may provide information useful to the entity in its enterprise risk management activities.External AuditorsExternal auditors provide management and the board of directors a unique, independent, and objective view that can contribute to an entity’s achievement of its external financial reporting objectives, as well as other objectives.In a financial statement audit, the auditor expresses an opinion on the fairness of the financial statements in conformity with generally accepted accounting principles, thereby contributing to the entity’s external financial reporting objectives. The auditor conducting a financial statement audit may contribute further to those objectives, by providing information useful to management in carrying out its risk management-related responsibilities. Such information includes:Audit findings, analytical information, and recommendations for actions necessary to achieve established objectives Findings regarding deficiencies in risk management and control that come to the auditor’s attention, and recommendations for improvement This information frequently will relate not only to reporting but to strategic, operations, and compliance activities as well, and can make important contributions to an entity’s achievement of its objectives in each of these areas. The information is reported to management and, depending on its significance, to the board of directors or audit committee.It is important to recognize that a financial statement audit, by itself, normally does not include a significant focus on enterprise risk management, and in any event does not result in the auditor forming an opinion on the entity’s enterprise risk management. Where, however, law or regulation requires the auditor to evaluate a company’s assertions related to internal control over financial reporting and the supporting basis for those assertions, the scope of the work directed at those areas will be extensive, and additional information and assurance will be gained.89Roles and ResponsibilitiesLegislators and RegulatorsLegislators and regulators affect the enterprise risk management of many entities, either through requirements to establish risk management mechanisms or internal controls or through examinations of particular entities. Many of the relevant laws and regulations deal primarily with financial reporting risks and controls. Some, however − particularly those that apply to government organizations − also can deal with operations and compliance objectives. Many entities have long been subject to legal requirements for internal control. For example, U.S. public companies have been required to establish and maintain internal accounting control systems that satisfy specified objectives. More-recent legislation requires that senior executives of publicly listed companies certify to the effectiveness of the companies’ internal control over financial reporting, together with auditor attestation.Several regulatory agencies directly examine entities for which they have oversight responsibility. For example, federal and state bank examiners conduct examinations of banks and often focus on aspects of the banks’ risk management and internal control systems. These agencies make recommendations and take enforcement action.Therefore, legislators and regulators affect entities’ enterprise risk management in two ways: They establish rules that provide the impetus for management to ensure that risk management and control systems meet minimum statutory and regulatory requirements. And, pursuant to examination of a particular entity, they provide information useful to the entity in applying enterprise risk management, and recommendations and sometimes directives to management regarding needed improvements.Parties Interacting with the EntityCustomers, vendors, business partners, and others who conduct business with an entity are an important source of information used in enterprise risk management activities. Information can be as varied as emerging demand for new product or service, shipment or billing discrepancies, quality issues, or actions by personnel outside integrity and ethical boundaries. This input can be extremely important to the entity in achieving its strategic, operations, reporting, and compliance objectives. The entity must have mechanisms in place to receive such information and to take appropriate action. Needed action includes not only addressing the particular situation reported, but also investigating the underlying source of the problem and fixing it.In addition to customers and vendors, other parties, such as creditors, can provide oversight regarding achievement of an entity’s objectives. A bank, for example, may request reports on an entity’s compliance with certain debt covenants. It also may recommend performance indicators or other desired targets or controls.90Roles and ResponsibilitiesOutsource Service ProvidersMany organizations outsource business functions, delegating their day-to-day management to outside providers. Administrative, finance, and internal operations sometimes are outsourced, with the objective of obtaining access to enhanced capabilities and lower cost of services. A financial institution may outsource its loan review process to a third party; a technology company may outsource the operation and maintenance of its information technology processing; and a retail company may outsource its internal audit function. While these external parties execute activities for or on behalf of the entity, management cannot abdicate its responsibility to manage the associated risks and should implement a program to monitor those activities.Financial Analysts, Bond Rating Agencies, News MediaFinancial analysts and bond rating agencies consider many factors relevant to an entity’s worthiness as an investment. They analyze management’s strategy and objectives, historical financial statements and prospective financial information, actions taken in response to conditions in the economy and marketplace, potential for success in the short and long term, and industry performance and peer group comparisons. The print and broadcast media, particularly financial journalists, also may undertake similar analyses.The investigative and monitoring activities of these parties can provide insights on how others perceive the entity’s performance, industry and economic risks the entity faces, innovative operating or financing strategies that may improve performance, and industry trends. This information sometimes is provided in face-to-face meetings between the parties and management, or indirectly in analyses for investors, potential investors, and the public. In either case, management should consider the observations and insights of financial analysts, bond rating agencies, and the news media that may enhance enterprise risk management.91Limitations of Enterprise Risk ManagementLIMITATIONS OF ENTERPRISE RISK MANAGEMENT Chapter Summary: Effective enterprise risk management, no matter how well designed and operated, provides only reasonable assurance to management and the board of directors regarding achievement of an entity’s objectives. Achievement of objectives is affected by limitations inherent in all management processes. These include the realities that human judgment in decision making can be faulty and that breakdowns can occur because of such human failures as simple error or mistake. Additionally, controls can be circumvented by the collusion of two or more people, and management has the ability to override the enterprise risk management process, including risk response decisions and control activities. Another limiting factor is the need to consider the relative costs and benefits of risk responses.To some observers, enterprise risk management, with embedded internal control, ensures that an entity will not fail – that is, the entity will always achieve its objectives. This view is misguided.In considering limitations of enterprise risk management, three distinct concepts must be recognized:First, risk relates to the future, which is inherently uncertain. Second, enterprise risk management – even effective enterprise risk management – operates at different levels with respect to different objectives. For strategic and operations objectives, enterprise risk management can help ensure that management, and the board in its oversight role, is aware, in a timely manner, only of the extent to which the entity is moving toward achievement of these objectives. But it cannot provide even reasonable assurance that the objectives themselves will be achieved. Third, enterprise risk management cannot provide absolute assurance with respect to any of the objective categories. The first limitation acknowledges that no one can predict the future with certainty. The second acknowledges that certain events are simply outside management’s control. The third has to do with the reality that no process will always do what it is intended to do.Reasonable assurance does not imply that enterprise risk management frequently will fail. Many factors, individually and collectively, reinforce the concept of reasonable assurance. The cumulative effect of risk responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an entity may not achieve its objectives. Furthermore, the normal everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, among a cross-section of well-controlled entities, it is likely that most will be apprised regularly of movement toward their strategic and operations objectives, will93Limitations of Enterprise Risk Managementachieve compliance objectives regularly, and consistently will produce – period after period, year after year – reliable reports. However, an uncontrollable event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk management can experience a failure. Reasonable assurance is not absolute assurance.JudgmentThe effectiveness of enterprise risk management is limited by the realities of human frailty in making business decisions. Decisions must be made with human judgment in the time available, based on information at hand, and under the pressures of the conduct of business. With the clairvoyance of hindsight, some decisions later may be found to produce less than desirable results and may need to be changed.BreakdownsWell-designed enterprise risk management can break down. Personnel may misunderstand instructions. They may make judgment mistakes. Or, they may commit errors due to carelessness, distraction, or fatigue. An accounting department supervisor responsible for investigating exceptions simply might forget to follow up or fail to pursue the investigation far enough to be able to make appropriate corrections. Temporary personnel executing control duties for vacationing or sick employees might not perform correctly. System changes may be implemented before personnel have been trained to react appropriately to signs of incorrect functioning.CollusionThe collusive activities of two or more individuals can result in enterprise risk management failures. Individuals acting collectively to perpetrate and conceal an action from detection often can alter financial data or other management information in a manner that cannot be identified by the enterprise risk management process. For example, there may be collusion between an employee performing an important control function and a customer, a supplier, or another employee. On a different level, several layers of sales or divisional management might collude in circumventing controls so that reported results meet budgets or incentive targets.Costs versus BenefitsAs discussed in the Risk Assessment chapter, there are always resource constraints, and entities must consider the relative costs and benefits of decisions, including those related to risk response and control activities.In determining whether a particular action should be taken or control established, the risk of failure and the potential effect on the entity are considered along with the related costs. For example, it may not pay for a company to install sophisticated inventory controls to monitor94Limitations of Enterprise Risk Managementlevels of raw material if the cost of the raw material used in a production process is low, the material is not perishable, ready supply sources exist, and storage space is readily available.Costs and benefits of implementing event identification and risk assessment capabilities and related response and control activities are measured with different levels of precision, often varying depending on the nature of the entity. The challenge is to find the right balance. Just as limited resources should not be allocated to less than significant risks, excessive control is costly and counterproductive. Customers placing telephone orders will not tolerate order acceptance procedures that are too cumbersome or time-consuming. A bank that makes creditworthy potential borrowers “jump through hoops” will not book many new loans. Too little control, on the other hand, presents undue risk of bad debts. An appropriate balance is needed in a highly competitive environment. And, despite the difficulties, cost-benefit decisions will continue to be made.Management OverrideEnterprise risk management can be only as effective as the people who are responsible for its functioning. Even in effectively managed and controlled entities − those with generally high levels of integrity and risk and control consciousness, alternative communications channels, and an active and informed board with an appropriate governance process − a manager still might be able to override enterprise risk management. No management or control system is infallible, and those with criminal intent will seek to break systems. However, effective enterprise risk management will improve the entity’s capacity to prevent and detect override activities.The term “management override” is used here to mean overruling prescribed policies or procedures for illegitimate purposes − such as personal gain or an enhanced presentation of an entity’s financial condition or compliance status. A manager of a division or unit, or a member of top management, might override enterprise risk management for many reasons: to increase reported revenue to cover an unanticipated decrease in market share; to enhance reported earnings to meet unrealistic budgets; to boost the market value of the entity prior to a public offering or sale; to meet sales or earnings projections to bolster bonus pay-outs tied to performance or value of stock options; to appear to cover violations of debt covenant agreements; or to hide lack of compliance with legal requirements. Override practices include deliberate misrepresentations to bankers, lawyers, auditors, and vendors, and intentionally issuing false documents such as purchase orders and sales invoices.Management override should not be confused with management intervention, which represents management’s actions to depart from prescribed policies or procedures for legitimate purposes. Management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Provision for management intervention is necessary because no process can be designed to95Limitations of Enterprise Risk Managementanticipate every risk and every condition. Management’s actions to intervene are generally overt and commonly documented or otherwise disclosed to appropriate personnel. Actions to override usually are not documented or disclosed, with an intent to cover up the actions.96What to DoWHAT TO DO Actions that might be taken as a result of this report depend on the position and role of the parties involved.Board Members – Members of the board of directors should discuss with senior management the state of the entity’s enterprise risk management and provide oversight as needed. The board also should ensure that the entity’s enterprise risk management mechanisms provide it with an assessment of the most significant risks relative to strategy and objectives, including what actions management is taking and how it is engaged in monitoring enterprise risk management. The board should seek input from the internal auditors, external auditors, and advisors. Senior Management – This study suggests that the chief executive should assess the entity’s enterprise risk management capabilities. Using this framework, a CEO, together with key operating and financial executives, can focus attention where needed. Under one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation. It also should ensure that ongoing monitoring processes are in place. Time spent in evaluating enterprise risk management represents an investment, but one capable of providing a high return. Other Entity Personnel – Managers and other personnel should consider how their enterprise risk management responsibilities are being conducted in light of this framework and discuss with more senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management. Regulators – Expectations for enterprise risk management vary widely with regard to what it can accomplish, and about what the “reasonable assurance” concept means and how it should be applied. This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance, or in conducting examinations, for entities they oversee. Professional Organizations – Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concept and terminology is eliminated, all parties will benefit. Educators – This framework should be the subject of academic research and analysis, to see where future enhancements can be made. With the presumption that this report becomes accepted as a common ground for understanding, its concepts and terms should find their way into university curricula. 97What to DoWe believe this report offers a number of benefits. With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess enterprise risk management processes against a standard, and strengthen the process and move their enterprises toward established goals. Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of enterprise risk management, its benefits, and its limitations. With all parties utilizing a common enterprise risk management framework, these collective and reinforcing benefits will be realized.98Appendix A – Objectives and MethodologyOBJECTIVES AND METHODOLOGY In Fall 2001, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) initiated a study designed to help organizations manage risk. Despite an abundance of literature on the subject, COSO concluded there was a need for this study to design and build a framework and related application techniques. PricewaterhouseCoopers was engaged to conduct this project, resulting in this report, Enterprise Risk Management – Integrated Framework.The Framework volume defines risk and enterprise risk management, and provides foundational definitions, concepts, objectives categories, components, and principles of a comprehensive enterprise risk management framework. It provides direction for companies and other organizations in determining how to enhance their enterprise risk management, providing context for and facilitating application in the real world. This document also is designed to provide a basis for entities’ use in determining whether their enterprise risk management is effective and, if not, what is needed to make it so.The Application Techniques volume links directly to the Framework. It provides illustrations of risk management techniques that can be applied by companies and other organizations at various levels – enterprise, line of business, and individual process or function – and in support of incremental or transformational enhancement.Because of readers’ diverse needs, input was obtained from corporate executives of organizations of varying sizes, including public and private companies in different industries, and government organizations. The executives included corporate chief executives, chief financial officers, chief risk officers, controllers, internal auditors, legislators, regulators, lawyers, external auditors, consultants, academicians, and others.Throughout the project, the project team received advice and counsel from an Advisory Council to the COSO Board. The Advisory Council, composed of individuals in senior financial management, internal and external audit, and academia, met periodically with the project team and members of the COSO Board to review the project plan, progress, and drafts of the framework, and to take up related matters. At important project milestones, the Advisory Council and the project team communicated with the COSO Board.The methodology employed in this study was designed to produce a report meeting the stated objectives. The project consisted of five phases:Assessment The project team assessed the current state of risk management models through literature review, survey, and workshops, for the purpose of capturing relevant information across the full spectrum of risk management. This phase encompassed analyzing the information, comparing and contrasting conceptual and practical risk 99Appendix A – Objectives and Methodologymanagement philosophies and protocols, understanding user needs, and identifying critical issues and concerns.Envisioning The team created a working enterprise risk management framework conceptual model and developed a preliminary inventory of tools as a basis for the application techniques. Using customized input solicitation techniques, the team tested the concepts with key user and stakeholder groups and, based on feedback, refined the conceptual model. Building and Designing Using the refined conceptual model as a blueprint, the team developed the framework, including definitions, objectives categories, components, principles, infrastructure, and management context, along with related discussion. This phase also encompassed designing the organization and approach to developing the application techniques. Both the draft framework and application techniques design were reviewed with key user and stakeholder groups, and reactions and suggestions for enhancement obtained. IV.Preparation for Public ExposureIn this phase the team refined the framework and further developed the application techniques, and reviewed them with executives from several companies who provided feedback on their value and utility.Finalization This phase encompassed issuing the Framework volume for public exposure for a 90-day comment period and field testing the framework with select companies. Upon receipt of comments, the project team reviewed and analyzed them, and identified needed modifications. The team finalized the Framework and Application Techniques volumes and provided the final manuscripts to the COSO Advisory Council and COSO Board for review and acceptance. As part of this process, the project team gave careful consideration to all information received, including other frameworks already in existence. A listing of some of the published sources referenced is included in Appendix D – Selected Bibliography. As one might expect, many different and sometimes contradictory opinions were expressed on fundamental issues – within a project phase and between phases. The project team, with COSO Advisory Council and Board oversight, carefully considered the merits of the positions put forth, both individually and in the context of related issues, embracing those that facilitated development of a relevant, logical, and internally consistent framework. The Advisory Council and COSO Board are entirely supportive of, and have approved, the framework resulting from this process.100Appendix B – Summary of Key PrinciplesSUMMARY OF KEY PRINCIPLES The following highlights key principles inherent in the eight enterprise risk management components. This appendix purports neither to precisely or fully describe the principles set forth in the Framework, nor to represent a complete list of principles.Internal EnvironmentRisk Management PhilosophyThe entity’s risk management philosophy represents the shared beliefs and attitudes characterizing how the entity considers risk in all activities It reflects the entity’s values, influencing its culture and operating style It affects how enterprise risk management components are applied, including how events are identified, the kinds of risks accepted, and how they are managed It is well developed, understood, and embraced by the entity’s personnel It is captured in policy statements, oral and written communications, and decision making Management reinforces the philosophy not only with words but also with everyday actions Risk AppetiteThe entity’s risk appetite reflects the entity’s risk management philosophy and influences the culture and operating style It is considered in strategy setting, with strategy aligned with risk appetite Board of DirectorsThe board is active and possesses an appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities It is prepared to question and scrutinize management’s activities, present alternative views, and act in the face of wrongdoing It has at least a majority of independent outside directors It provides oversight to enterprise risk management and is aware of and concurs with the entity’s risk appetite Integrity and Ethical ValuesThe entity’s standards of behavior reflect integrity and ethical values Ethical values not only are communicated but also accompanied by explicit guidance regarding what is right and wrong Integrity and ethical values are communicated through a formal code of conduct Upward communications channels exist where employees feel comfortable bringing relevant information 101Appendix B – Summary of Key PrinciplesPenalties are applied to employees who violate the code, mechanisms encourage employee reporting of suspected violations, and disciplinary actions are taken against employees who knowingly fail to report violations Integrity and ethical values are communicated through management actions and the examples they set Commitment to CompetenceCompetence of the entity’s people reflects the knowledge and skills needed to perform assigned tasks Management aligns competence and cost Organizational StructureThe organizational structure defines key areas of responsibility and accountability It establishes lines of reporting It is developed in consideration of the entity’s size and nature of activities It enables effective enterprise risk management Assignment of Authority and ResponsibilityAssignment of authority and responsibility establishes the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems, and provides limits to authority The assignments establish reporting relationships and authorization protocols Policies describe appropriate business practices, knowledge and experience of key personnel, and associated resources Individuals know how their actions interrelate and contribute to achievement of objectives Human Resource StandardsStandards address hiring, orientation, training, evaluating, counseling, promoting, compensation, and remedial actions, driving expected levels of integrity, ethical behavior, and competence Disciplinary actions send the message that violations of expected behavior will not be tolerated Objective SettingStrategic ObjectivesThe entity’s strategic objectives establish high-level goals that align with and support its mission/vision They reflect management’s strategic choices as to how the entity will seek to create value for its stakeholders 102Appendix B – Summary of Key PrinciplesManagement identifies risks associated with strategy choices and considers their implications Related ObjectivesRelated objectives support and are aligned with selected strategy, relative to all entity activities Each level of objectives is linked to more specific objectives that cascade through the organization The objectives are readily understood and measurable They align with risk appetite Selected ObjectivesManagement has a process that aligns strategic objectives with the entity’s mission and ensures the strategic and related objectives are consistent with the entity’s risk appetite Risk AppetiteThe entity’s risk appetite is a guidepost in strategy setting It guides resource allocation It aligns organization, people, processes, and infrastructure Risk TolerancesRisk tolerances are measurable, preferably in the same units as the related objectives They align with risk appetite Event IdentificationEventsManagement identifies potential events affecting strategy implementation or achievement of objectives – those that may have positive or negative impacts, or both Even events with a relatively low possibility of occurrence are considered if the impact on achieving an important objective is great Influencing FactorsManagement recognizes the importance of understanding external and internal factors and the type of events that can emanate therefrom Events are identified both at the entity and activity levels Event Identification TechniquesTechniques used look to both the past and future Management selects techniques that fit its risk management philosophy and ensures the entity develops needed event identification capabilities 103Appendix B – Summary of Key PrinciplesEvent identification is robust, forming a basis for risk assessment and risk response components InterdependenciesManagement understands how events relate to one another Distinguishing Risks and OpportunitiesEvents with negative impact represent risks, which management assesses and responds to Events representing opportunities are channeled back to management’s strategy or objective-setting processes Risk AssessmentIn assessing risk, management considers expected and unexpected events Inherent and Residual RiskManagement assesses inherent risks Once risk responses have been developed, management considers residual risk Estimating Likelihood and ImpactPotential events are evaluated from two perspectives – likelihood and impact In assessing impact, management normally uses the same, or congruent, unit of measure as used for the objective The time horizon used to assess risks should be consistent with the time horizon of the related strategy and objectives Assessment TechniquesManagement uses a combination of qualitative and quantitative techniques The techniques support development of a composite assessment of risk Relationships between EventsWhere correlation exists between events, or events combine and interact, management assesses them together Risk ResponseIn responding to risk, management considers among risk avoidance, reduction, sharing, and acceptance Evaluating Possible ResponsesResponses are evaluated with the intent of achieving residual risk aligned with the entity’s risk tolerances 104Appendix B – Summary of Key PrinciplesIn evaluating risk responses, management considers their effects on likelihood and impact Management considers their costs versus benefits, as well as new opportunities Selected ResponsesResponses chosen by management are designed to bring anticipated risk likelihood and impact within risk tolerances Management considers additional risks that might result from a response Portfolio ViewManagement considers risk from an entity-wide, or portfolio, perspective Management determines whether the entity’s residual risk profile is commensurate with its overall risk appetite Control ActivitiesIntegration with Risk ResponseManagement identifies control activities needed to help ensure that risk responses are carried out properly and in a timely manner Selection or review of control activities includes consideration of their relevance and appropriateness to the risk response and related objective In selecting control activities, management considers how control activities interrelate Types of Control ActivitiesManagement selects from a variety of types of control activities, including preventive, detective, manual, computer, and management controls Policies and ProceduresPolicies are implemented thoughtfully, conscientiously, and consistently Procedures are carried out with sharp, continuing focus on conditions to which the policy is directed Conditions identified as a result of the procedure are investigated and appropriate corrective actions taken Controls over Information SystemsAppropriate general and application controls are implemented 105Appendix B – Summary of Key PrinciplesInformation and CommunicationInformationRelevant information is obtained from internal and external sources The entity captures and uses historical and present data as needed to support effective enterprise risk management The information infrastructure converts raw data into relevant information that assists personnel in carrying out their enterprise risk management and other responsibilities; information is provided at a depth and in a form and timeframe that are actionable, readily usable, and linked to defined accountabilities – including the need to identify, assess, and respond to risk Source data and information are reliable, and provided on time at the right place to enable effective decision making Timeliness of information flow is consistent with the rate of change in the entity’s internal and external environments Information systems change as needed to support new objectives CommunicationManagement provides specific and directed communication addressing behavioral expectations and responsibilities of personnel, including a clear statement of the entity’s risk management philosophy and approach and clear delegation of authority Communication about processes and procedures aligns with, and underpins, the desired culture All personnel receive a clear message from top management that enterprise risk management must be taken seriously Personnel know how their activities relate to the work of others, enabling them to recognize problems, determine cause, and take corrective action Personnel know what is deemed acceptable and unacceptable behavior There are open channels of communication and a willingness to listen, and personnel believe their superiors truly want to know about problems and will deal with them effectively Communications channels outside normal reporting lines exist, and personnel understand there will be no reprisals for reporting relevant information An open communications channel exists between top management and the board of directors, with appropriate information communicated on a timely basis Open external communications channels exist, where customers and suppliers can provide significant input The entity communicates relevant information to regulators, financial analysts, and other external parties 106Appendix B – Summary of Key PrinciplesMonitoringManagement determines, through ongoing monitoring activities or separate evaluations, or a combination, whether the functioning of enterprise risk management continues to be effective Ongoing Monitoring ActivitiesMonitoring activities are built into the entity’s normal, recurring operations, performed in the ordinary course of running the business They are performed on a real-time basis and react dynamically to changing conditions Separate EvaluationsSeparate evaluations focus directly on enterprise risk management effectiveness and provide an opportunity to consider the continued effectiveness of the ongoing monitoring activities The evaluator understands each of the entity activities and each enterprise risk management component being addressed The evaluator analyzes enterprise risk management design and the results of tests performed, against the backdrop of management’s established standards, determining whether enterprise risk management provides reasonable assurance with respect to the stated objectives Reporting DeficienciesDeficiencies reported from both internal and external sources are carefully considered for their implications for enterprise risk management, and appropriate corrective actions are taken All identified deficiencies that affect the entity’s ability to develop and implement its strategy and to achieve its established objectives are reported to those positioned to take necessary action Not only are reported transactions or events investigated and corrected, but potentially faulty underlying procedures also are reevaluated Protocols are established to identify what information is needed at a particular level for effective decision making Roles and ResponsibilitiesBoard of DirectorsThe board knows the extent to which management has established effective risk management in the organization It is aware of and concurs with the entity's risk appetite It reviews the portfolio view of risk and considers it against the risk appetite Is apprised of the most significant risks and whether management is responding appropriately 107Appendix B – Summary of Key PrinciplesManagementThe chief executive has ultimate responsibility for enterprise risk management He/she ensures the presence of a positive internal environment, and that all enterprise risk management components are in place Senior managers in charge of organizational units have responsibility for managing risks related to their unit's objectives They guide application of enterprise risk management, ensuring application is consistent with risk tolerances Each manager is accountable to the next higher level, for his/her portion of enterprise risk management, with the CEO ultimately accountable to the board Other Entity PersonnelEnterprise risk management is an explicit or implicit part of everyone's job description Personnel understand the need to resist pressure from superiors to participate in improper activities, and channels outside normal reporting lines are available to permit reporting such circumstances The enterprise risk management roles and responsibilities of all personnel are well defined and effectively communicated Parties Interacting with the EntityMechanisms are in place to receive relevant information from parties interacting with the entity and take appropriate action Action includes not only addressing the particular situation reported, but also investigating the underlying source of the problem and fixing it For outsourced activities, management has implemented a program to monitor those activities Management considers the observations and insights of financial analysts, bond rating agencies and the news media that may enhance enterprise risk management 108Appendix C – Relationship Between Enterprise Risk Management – Integrated Frameworkand Internal Control – Integrated FrameworkRELATIONSHIP BETWEEN ENTERPRISE RISK MANAGEMENT – INTEGRATED FRAMEWORK AND INTERNAL CONTROL – INTEGRATED FRAMEWORK In 1992, the Committee of Sponsoring Organizations of the Treadway Commission issued Internal Control – Integrated Framework, which establishes a framework for internal control and provides evaluation tools that business and other entities can use to evaluate their control systems. The framework identifies and describes five interrelated components necessary for effective internal control.Internal Control – Integrated Framework defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations This appendix outlines the relationship between the internal control framework and the enterprise risk management framework.Broader than Internal ControlInternal control is encompassed within and an integral part of enterprise risk management. Enterprise risk management is broader than internal control, expanding and elaborating on internal control to form a more robust conceptualization focusing more fully on risk. Internal Control – Integrated Framework remains in place for entities and others looking at internal control by itself.Categories of ObjectivesInternal Control – Integrated Framework specifies three categories of objectives – operations, financial reporting, and compliance. Enterprise risk management specifies three similar objectives categories – operations, reporting, and compliance. The reporting category in the internal control framework is defined as relating to the reliability of published financial statements. In the enterprise risk management framework, the reporting category is significantly expanded, to cover all reports developed by an entity, disseminated both internally and externally. These include reports used internally by management and those issued to external parties, including regulatory filings and reports to other stakeholders. And, the scope expands from financial statements to cover not just financial information more broadly, but non-financial information as well.109Appendix C – Relationship Between Enterprise Risk Management – Integrated Frameworkand Internal Control – Integrated FrameworkEnterprise Risk Management – Integrated Framework adds another category of objectives, namely, strategic objectives, which operate at a higher level than the others. Strategic objectives flow from an entity’s mission or vision, and the operations, reporting, and compliance objectives should be aligned with them. Enterprise risk management is applied in strategy setting, as well as in working toward achievement of objectives in the other three categories.The enterprise risk management framework introduces the concepts of risk appetite and risk tolerance. Risk appetite is the broad-based amount of risk an entity is willing to accept in pursuit of its mission/vision. It serves as a guidepost in strategy setting and selection of related objectives. Risk tolerances are the acceptable levels of variation relative to achievement of objectives. In setting risk tolerances, management considers the relative importance of the related objectives and aligns risk tolerances with risk appetite. Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite, which, in turn, provides a higher degree of comfort that the entity will achieve its objectives.Portfolio ViewA concept not contemplated in the internal control framework is a portfolio view of risk. In addition to focusing on risk in considering achievement of entity objectives on an individual basis, it is necessary to consider composite risks from a “portfolio” perspective.ComponentsWith the enhanced focus on risk, the enterprise risk management framework expands the internal control framework’s risk assessment component, creating four components – objective setting (which is a prerequisite to internal control), event identification, risk assessment, and risk response.Internal EnvironmentIn discussing the environment component, the enterprise risk management framework discusses an entity’s risk management philosophy, which is the set of shared beliefs and attitudes characterizing how an entity considers risks, reflecting its values and influencing its culture and operating style. As described above, the framework encompasses the concept of an entity’s risk appetite, which is supported by more specific risk tolerances.Because of the critical importance of the board of directors and its composition, the enterprise risk management framework expands on the internal control framework’s call for at least a critical mass of independent directors – that is, normally at least two independent directors – stating that for enterprise risk management to be effective, the board must have at least a majority of independent outside directors.110Appendix C – Relationship Between Enterprise Risk Management – Integrated Frameworkand Internal Control – Integrated FrameworkEvent IdentificationThe enterprise risk management and internal control frameworks both acknowledge that risks occur at every level of the entity and result from a variety of internal and external factors. And, both frameworks consider risk identification in the context of the potential impact on the achievement of objectives.The enterprise risk management framework discusses the concept of potential events, defining an event as an incident or occurrence emanating from internal or external sources that affect strategy implementation or achievement of objectives. Potential events with positive impact represent opportunities, while those with negative impact represent risks. Enterprise risk management involves identifying potential events using a combination of techniques that consider both past as well as emerging trends, and what triggers the events.Risk AssessmentWhile both the internal control and enterprise risk management frameworks call for assessment of risk in terms of the likelihood that a given risk will occur and its potential impact, the enterprise risk management framework suggests viewing risk assessment through a sharper lens. Risks are considered on an inherent and a residual basis, preferably expressed in the same unit of measure established for the objectives to which the risks relate. Time horizons should be consistent with an entity’s strategies and objectives, and, where possible, observable data. The enterprise risk management framework also calls attention to interrelated risks, describing how a single event may create multiple risks.As noted, enterprise risk management encompasses the need for management to develop an entity-level portfolio view. With managers responsible for business unit, function, process, or other activities having developed a composite assessment of risk for individual units, entity-level management considers risk from a “portfolio” perspective.Risk ResponseThe enterprise risk management framework identifies four categories of risk response – avoid, reduce, share, and accept. As part of enterprise risk management, management considers potential responses from these categories and considers these responses with the intent of achieving a residual risk level aligned with the entity’s risk tolerances. Having considered responses to risk on an individual or a group basis, management considers the aggregate effect of its risk responses across the entity.111Appendix C – Relationship Between Enterprise Risk Management – Integrated Frameworkand Internal Control – Integrated FrameworkControl ActivitiesBoth frameworks present control activities as helping ensure that management’s risk responses are carried out. The enterprise risk management framework explicitly makes the point that in some instances control activities themselves serve as a risk response.Information and CommunicationThe enterprise risk management framework expands on the information and communication component of internal control, highlighting consideration of data derived from past, present, and potential future events. Historical data allows the entity to track actual performance against targets, plans, and expectations, and provides insights into how the entity performed in past periods under varying conditions. Present or current-state data provides important additional information, and data on potential future events and underlying factors completes the information analysis. The information infrastructure sources and captures data in a timeframe and at a depth of detail consistent with the entity’s need to identify events and assess and respond to risks and remain within its risk appetite.The discussion around existence of an alternative communications channel, outside normal reporting lines, in the internal control framework has greater emphasis in the enterprise risk management framework, which states that effective risk management requires such a channel.Roles and ResponsibilitiesBoth frameworks focus attention on the roles and responsibilities of various parties that are a part of, or provide important information to, internal control and enterprise risk management. The enterprise risk management framework describes the role and responsibilities of risk officers and expands on the role of an entity’s board of directors.112Appendix D – Selected BibliographySELECTED BIBLIOGRAPHY American Institute of Certified Public Accountants and The Canadian Institute of Chartered Accountants. Managing Risk in the New Economy. New York. AICPA. 2000.Banham, Russ. A High Level of Intolerance. CFO, The Magazine for Senior Financial Executives. April 2000.Barton ,Thomas L., William G. Shenkir, and Paul L.Walker. Making Enterprise Risk Management Pay Off: How Leading Companies Implement Risk Management. Financial Executive. 2001.Bazerman, Max H. Judgment in Managerial Decision Making. New York. John Wiley & Sons. 2001.Committee of Sponsoring Organizations of the Treadway Commission (COSO). Internal Control – Integrated Framework. New York. AICPA. 1992.Crouhy, Michael, Dan Galai, and Robert Mark. Risk Management. New York. McGraw-Hill. 2001.Davidson, Clive. Lofty Ambitions for Measuring Global Risk. Securities Industry News. June 5, 2000.DeLoach, James W. Enterprise-Wide Risk Management: Strategies for Linking Risk and Opportunity. London. Financial Times Prentice Hall. 2000.DiPiazza, Samuel A., Jr. and Robert G. Eccles. Building Public Trust: The Future of Corporate Reporting. New York. John Wiley & Sons. 2002.Everson, Miles. Creating an Operational Risk-Sensitive Culture. The RMA Journal. March 1, 2002.Economist Intelligence Unit in cooperation with Arthur Andersen & Co. Managing Business Risk – An Integrated Approach. The Economist Intelligence Unit. 1995.Economist Intelligence Unit in cooperation with MCC Enterprise Risk. Enterprise Risk Management – Implementing New Solutions. The Economist Intelligence Unit. 2001.FEI Research Foundation in cooperation with Andersen. Risk Management: An Enterprise Perspective. Financial Executive. 2002.Haubenstock, Michael and John Gontero. Operational Risk Management: The Next Frontier. New York. RMA. 2001.Institute of Chartered Accountants in England and Wales. Internal Control Guidance for Directors on the Combined Code. London. ICAEW. 1999.113Appendix D – Selected BibliographyInstitute of Directors in Southern Africa. King Report on Corporate Governance for South Africa 2001. The Institute of Directors in Southern Africa. 2001.International Organization for Standardization. ISO/IEC Guide 73. 2002.Lam, James. The CRO Is Here to Stay. Risk Management. April 2001.National Commission on Fraudulent Financial Reporting. Report of the National Commission on Fraudulent Financial Reporting. 1987.Nottingham, Lucy. A Conceptual Framework for Integrated Risk Management. Ottawa. Conference Board of Canada. 1997.Risk Management Group of the Basel Committee on Banking Supervision. Sound Practices for the Management and Supervision of Operational Risk. 2001.Root, Stephen J. Beyond COSO Internal Control to Enhance Corporate Governance. New York. John Wiley & Sons. 1998.Standards Australia and Standards New Zealand. Australian/New Zealand Standard 4360:1999: Risk Management. Standards Australia and Standards New Zealand. 1999.Steinberg, Richard M. The CEO and the Board: Enhancing the Relationship. G100 Insights. April 2003.Steinberg, Richard M. and Catherine L. Bromilow. Corporate Governance and the Board – What Works Best. The Institute of Internal Auditors Research Foundation. 2001.The Institute of Risk Management (IRM), The Association of Insurance and Risk Managers (AIRMIC), and ALARM The National Forum for Risk Management in the Public Sector. A Risk Management Standard. AIRMIC, ALARM, and IRM. 2002.Thiessen, Karen. A Composite Sketch of Chief Risk Officer. Ottawa. Conference Board of Canada. 2001.Thiessen, Karen. Don’t Gamble with Goodwill – The Value of Effectively Communicating Risks. Ottawa. Conference Board of Canada. 2000.Tillinghast–Towers Perrin. Enterprise Risk Management: Trends and Emerging Practices. New York. Tillinghast–Towers Perrin, 2001.Walker, Paul L., William G. Shenkir, and Thomas L. Barton. Enterprise Risk Management: Pulling It All Together. The Institute of Internal Auditors Research Foundation. 2002.114Appendix E – Consideration of Comment LettersCONSIDERATION OF COMMENT LETTERS As noted in Appendix A, a draft of this Framework document was exposed for public comment. The 78 response letters received contain hundreds of individual comments on a wide variety of matters. Each comment was considered in formulating revisions to the final document. This appendix summarizes the more significant issues and resulting modifications reflected in this final report. It also provides perspective on why certain views were accepted over others.Definition of Enterprise Risk ManagementRealizing Value for StakeholdersThe exposure draft described how enterprise risk management enables an organization to realize value for its stakeholders, although the concept of value was not explicitly reflected in the definition of enterprise risk management. Some respondents suggested the definition should make such explicit reference.It was concluded that the definition as presented should be retained. The definition explicitly states that enterprise risk management involves providing assurance regarding achievement of entity objectives, which inherently provides value. Further, the text surrounding the definition describes how enterprise risk management provides value for stakeholders. Because of this existing linkage to and description around value, and to avoid an unreasonably long definition (as suggested by other respondents), the definition has been retained.OpportunitiesThe exposure draft described how enterprise risk management involves identifying and addressing potential events that have negative impact on an entity, called risks, and events with positive impact, referred to as opportunities. Some respondents said because of the importance of identifying opportunities, the definition of risk should be broadened to include that concept. Some argued that not including opportunities in the definition of risk can lead a reader not to see opportunities as part of enterprise risk management, thereby undermining the framework’s relevance. On the other hand, some respondents suggested that all reference to opportunities be eliminated from the final report.It was concluded that because of the importance of identifying and seizing opportunities, the framework’s discussion of opportunities should be retained and enhanced, and the final report expands the discussion on identifying and reacting to opportunities as an integral part of enterprise risk management. Discussions in the component chapters of the final report further describe the process by which management considers both the negative and positive – or opportunity side – effects of potential events in managing risk. As to the definition of risk, it was concluded that adding the concept of opportunity would cloud the concepts and make communication more difficult. Maintaining the distinction between a negative event and a positive one brings clarity to the enterprise risk management language.115Appendix E – Consideration of Comment LettersA ProcessThe exposure draft defined enterprise risk management as a process and set forth components that can be viewed as elements of a process. Some respondents said the term “process” inappropriately implies carrying out predefined, sequential steps or tasks.The report has been revised to reinforce the concept that enterprise risk management is not necessarily conducted sequentially, but rather is a continuous and iterative interplay of actions conducted throughout an entity.Applied in Strategy SettingThe exposure draft described how objectives must be set and clearly communicated before risks to their achievement can be identified and addressed. It also stated that enterprise risk management techniques are applied in strategy setting to assist management in evaluating and selecting the entity’s strategy, and linking to related objectives. Some respondents commented that risk management is secondary to management’s development of entity strategy, and that the framework places undue focus on risk rather than objective setting.It was concluded that it is not necessary, or useful, to portray one concept, strategy setting, as necessarily more important than another, managing risk. Both are important and inherent in enterprise risk management. The final document does, however, contain enhanced discussion of the strategy and objective-setting process in effecting enterprise risk management.Risk Appetite and ToleranceThe exposure draft discussed the concepts of risk appetite and risk tolerance. Some respondents suggested that additional information should be provided, including guidance on how to express and measure risk appetite. Others stated there is little difference in these two concepts and that they should be combined.The final report retains the distinction between risk appetite and risk tolerance, where risk appetite pertains at a high level to the entity as a whole, while risk tolerance relates to specific objectives. The Application Techniques volume illustrates application of these concepts.Provides Reasonable AssuranceSome respondents suggested the concept of reasonable assurance should be more precisely defined.It was concluded that the discussion surrounding the term “reasonable assurance” is appropriate, and further precision in its definition is beyond the scope of this project.116Appendix E – Consideration of Comment LettersCategories of ObjectivesSome respondents said that setting forth categories of entity objectives is not helpful and unnecessarily complicates the framework.The final document retains the categories of entity objectives, on the basis that the categorization allows a focus on separate aspects of enterprise risk management, facilitates distinguishing between what can be expected from each category of objectives, and supports use of a common language for enterprise risk management.Achievement of ObjectivesSome respondents questioned why reasonable assurance applies only to the extent to which strategic and operations objectives are being achieved, rather than to their actual achievement.It was concluded that the distinction between what can be expected of enterprise risk management regarding achievement of strategic and operations objectives, relative to reporting and compliance objectives, continues to be appropriate for the reasons set forth in the document, centered on whether achievement is within or outside an entity’s control.EffectivenessSeveral respondents stated that enterprise risk management effectiveness should be defined relative to results attained, measured in terms of outcomes the process is intended to achieve, rather than as a subjective judgment of whether the eight components are present and functioning properly.The criteria for effectiveness – the presence and effective functioning of each component – remain in the final document. It was concluded that the principle developed in the internal control framework, and carried forward to the enterprise risk management framework, is logical and best serves users’ needs – that when the eight components are deemed present and functioning effectively (and no material weaknesses exist), the result or outcome is that management and the board gain reasonable assurance regarding achievement of the stated objectives. The final document retains that principle, and also highlights that bringing risk within the entity’s risk appetite is a necessary element of effective enterprise risk management. The concept of a subjective judgment as to the presence and functioning of the eight components has been removed, on the grounds that the judgment can be objective, based on the principles in this framework.Encompasses Internal ControlThe exposure draft contained some but not all of the text of Internal Control – Integrated Framework, stating that the entirety of the internal control document was incorporated by reference in the enterprise risk management framework. The exposure draft included an appendix comparing and contrasting the two frameworks.117Appendix E – Consideration of Comment LettersSome respondents suggested that the final report should identify more prominently those portions carried forward from Internal Control – Integrated Framework. Some recommended that the entirety of Internal Control – Integrated Framework be included as an attachment, with a detailed reconciliation of differences between the two documents, while others suggested that the document describe in detail in what way Internal Control – Integrated Framework is expanded on in the enterprise risk management framework. And some respondents suggested that the document highlight and clarify the intended audience and purpose of each framework.It was concluded that the description of differences between the frameworks is at the appropriate level. Appendix C highlights the key differences and identifies which concepts in the enterprise risk management framework are incorporated directly from Internal Control – Integrated Framework, which concepts taken from the internal control framework are expanded on, and which are new. It was deemed unnecessary to include the internal control framework as an attachment, as it is readily available to users. And, the purpose and intended audiences of each of the frameworks already are described in sufficient depth.Enterprise Risk Management and the Management ProcessSome respondents suggested that the exhibit comparing management activities with enterprise risk management activities provided little useful information and could cause confusion to readers. Some said setting forth management activities as distinct from enterprise risk management activities could reduce – rather than reinforce – the notion of embedding risk management within business and management activities.The exhibit in the exposure draft has not been carried forward to the final report; instead, relevant messages are presented in the text.Information and CommunicationSome respondents commented on the importance of a communications channel outside normal reporting lines, suggesting that such a channel is a necessary element of enterprise risk management.The final report reflects this view, stating that for enterprise risk management to be effective, an entity is required to maintain such a communications channel.Roles and ResponsibilitiesSome respondents suggested that there is need for greater clarity regarding the different accountabilities for enterprise risk management of the board of directors, management, other entity personnel, and external parties.118Appendix E – Consideration of Comment LettersThe final report expands the discussion and clarifies the respective roles and responsibilities of these parties.Other ConsiderationsForm and PresentationSome respondents commented on the length, format, and style of the exposure draft, and expressed a variety of views on how the report could be reorganized and streamlined.It was concluded that the report should be reorganized and streamlined to enhance readability and clarity and reduce redundancy. The exposure draft’s “Executive Summary” has been replaced by a shorter summary. Chapter 1 of the exposure draft, “Relevance of Enterprise Risk Management,” has been eliminated, with the more important concepts incorporated into the final report’s “Definition” chapter. Redundancies have been reduced, less important discussions deleted or shortened, and the report wording streamlined.Relationship between Enterprise Risk Management – Integrated Framework and Other Reports and LegislationSome respondents said it would be useful to have a discussion of relationships between the enterprise risk management framework and the Sarbanes-Oxley Act of 2002, the Basel Committee on Banking Supervision’s New Basel Capital Accord, and risk management legislation in Australia, Canada, Germany, Japan, the United Kingdom, and other countries. Some respondents recommended that the document state clearly that Internal Control – Integrated Framework continues to be an acceptable framework for compliance with Section 404 the Sarbanes-Oxley Act of 2002 and that issuance of Enterprise Risk Management – Integrated Framework does not require companies to use it for purposes of Section 404 compliance.It was concluded that reconciling Enterprise Risk Management – Integrated Framework with other documents is beyond the scope of this project. With regard to complying with Sarbanes-Oxley Section 404 requirements, COSO is communicating, via the Foreword to this report, that Internal Control – Integrated Framework remains in place and is appropriately looked to as a basis for reporting under certain legislative requirements such as the Sarbanes-Oxley Act of 2002.Application GuidanceSome respondents recommended inclusion of specified content for the application guidance volume. Some suggested that one or more comprehensive case studies be included in order to help organizations of various sizes implement the framework. Others suggested that the Framework document and application guidance contain cross-reference linkages.119Appendix E – Consideration of Comment LettersIt was concluded that the application guidance volume should contain certain suggested content, including illustrations of how entities may apply specific concepts described in the Framework document. The final report contains that information, although it was decided that it is not practicable to identify or develop one case study illustrating application of all of the framework’s concepts, and doing so is beyond the scope of this project. With the sharpened focus of the content of this volume, it was decided that a more appropriate title is Application Techniques, and the name has been revised accordingly. Also, directional linkages from the Application Techniques to the Framework document have been included.120Appendix F – GlossaryGLOSSARY Application Controls – Programmed procedures in application software, and related manual procedures, designed to help ensure the completeness and accuracy of information processing. Examples include computerized edit checks of input data, numerical sequence checks, and manual procedures to follow up on items listed in exception reports.Compliance – Used with “objectives”: having to do with conforming with laws and regulations applicable to an entity.Component – There are eight enterprise risk management components: the entity’s internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.Control – 1. A noun, denoting an item, e.g., existence of a control – a policy or procedure that is part of internal control. A control can exist within any of the eight components. 2. A noun, denoting a state or condition, e.g., to effect control – the result of policies and procedures designed to control; this result may or may not be effective internal control. 3. A verb, e.g., to control – to regulate; to establish or implement a policy that effects control.Criteria – A set of standards against which enterprise risk management can be measured in determining effectiveness. The eight enterprise risk management components, taken in the context of inherent limitations of enterprise risk management, represent criteria for enterprise risk management effectiveness for each of the four objectives categories.Deficiency – A condition within enterprise risk management worthy of attention that may represent a perceived, potential, or real shortcoming, or an opportunity to strengthen enterprise risk management to provide a greater likelihood that the entity’s objectives will be achieved.Design – 1. Intent. As used in the definition, enterprise risk management is intended to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance as to achievement of objectives. 2. Plan; the way a process is supposed to work, contrasted with how it actually works.Effected – Used with enterprise risk management: devised and maintained.Enterprise Risk Management Process – A synonym for enterprise risk management applied in an entity.121Appendix F – GlossaryEntity – An organization of any size established for a particular purpose. An entity, for example, may be a business enterprise, not-for-profit organization, government body, or academic institution. Terms used as synonyms include organization and enterprise.Event – An incident or occurrence, from sources internal or external to an entity, that affects achievement of objectives.General Controls – Policies and procedures that help ensure the continued, proper operation of computer information systems. They include controls over information technology management, information technology infrastructure, security management, and software acquisition, development, and maintenance. General controls support the functioning of programmed application controls. Other terms sometimes used to describe general controls are general computer controls and information technology controls.Impact – Result or effect of an event. There may be a range of possible impacts associated with an event. The impact of an event can be positive or negative relative to the entity’s related objectives.Inherent Limitations – Those limitations of enterprise risk management. The limitations relate to the limits of human judgment; resource constraints, and the need to consider the cost of controls in relation to expected benefits; the reality that breakdowns can occur; and the possibility of management override and collusion.Inherent Risk – The risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.Integrity – The quality or state of being of sound moral principle; uprightness, honesty, and sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations.Internal Control – A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations. Internal Control System – A synonym for internal control applied in an entity.122Appendix F – GlossaryLikelihood – The possibility that a given event will occur. Terms sometimes take on more specific connotations, with “likelihood” indicating the possibility that a given event will occur in qualitative terms such as high, medium, and low, or other judgmental scales, and “probability” indicating a quantitative measure such as a percentage, frequency of occurrence, or other numerical metric.Management Intervention – Management’s actions to overrule prescribed policies or procedures for legitimate purposes; management intervention is usually necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately by the system (contrast this term with Management Override).Management Override – Management’s overruling of prescribed policies or procedures for illegitimate purposes with the intent of personal gain or an improperly enhanced presentation of an entity’s financial condition or compliance status (contrast this term with Management Intervention).Management Process – The series of actions taken by management to run an entity. Enterprise risk management is a part of and integrated with the management process.Manual Controls – Controls performed manually, not by computer.Objectives Category – One of four categories of entity objectives – strategic, effectiveness and efficiency of operations, reliability of reporting, and compliance with applicable laws and regulations. The categories overlap, so that a particular objective might fall into more than one category.Operations – Used with “objectives”: having to do with the effectiveness and efficiency of an entity’s activities, including performance and profitability goals, and safeguarding resources against loss.Opportunity – The possibility that an event will occur and positively affect the achievement of objectives.Policy – Management’s dictate of what should be done to effect control. A policy serves as the basis for procedures for its implementation.Procedure – An action that implements a policy.Reasonable Assurance – The concept that enterprise risk management, no matter how well designed and operated, cannot provide a guarantee regarding achievement of an entity’s objectives. This is because of Inherent Limitations in enterprise risk management.123Appendix F – GlossaryReporting – Used with “objectives”: having to do with the reliability of the entity’s reporting, including both internal and external reporting of financial and non-financial information.Residual Risk – The remaining risk after management has taken action to alter the risk’s likelihood or impact.Risk – The possibility that an event will occur and adversely affect the achievement of objectives.Risk Appetite – The broad-based amount of risk a company or other entity is willing to accept in pursuit of its mission (or vision).Risk Tolerance – The acceptable variation relative to the achievement of an objective.Stakeholders – Parties that are affected by the entity, such as shareholders, the communities in which the entity operates, employees, customers, and suppliers.Strategic – Used with “objectives”: having to do with high-level goals that are aligned with and support the entity’s mission (or vision).Uncertainty – Inability to know in advance the exact likelihood or impact of future events.124Appendix G – AcknowledgmentsACKNOWLEDGMENTS The COSO Board, Advisory Council, and PricewaterhouseCoopers LLP gratefully acknowledge the many executives, legislators, regulators, auditors, academics, and others who gave their time and energy to participating in and contributing to various aspects of the study. Also recognized are the considerable efforts of the COSO organizations and their members who responded to surveys, participated in workshops and meetings, and provided comments and feedback throughout the development of this framework.The following PricewaterhouseCoopers partners provided important input to this framework: Dick Anderson, Jeffrey Boyle, Glenn Brady, Michael Bridge, John Bromfield, Gary Chamblee, Nicholas Chipman, John Copley, Michael de Crespigny, Stephen Delvecchio, Scott Dillman, P. Gregory Garrison, Bruno Gasser, Susan Kenney, Brian Kinman, Robert Lamoureux, James LaTorre, Mike Maali, Jorge Manoel, Cathy McKeon, Juan Pujadas, Richard Reynolds, Mark Stephen, Robert Sullivan, Jeffrey Thompson, and Shyam Venkat.The following individuals also contributed to this study: Michael Haubenstock, Director, Enterprise Risk Management, Capital One Finance Corporation; Adrienne Willich, Manager of Operational Risk, Capital One Finance Corporation; and Daniel Mudge, President and Chief Operating Officer, OpVantage. Richard A. Scott, William G. Shenkir, and Paul L. Walker from the University of Virginia conducted preliminary research leading to this study. Thanks also go to Myra Cleary for her editorial guidance.Special acknowledgment goes to Robert G. Eccles, President, Advisory Capital Partners, Inc. and former Harvard Business School Professor, for his extensive contributions to this framework.Finally, we pay tribute to William H. Bishop, III, President of the Institute of Internal Auditors, who until his passing worked tirelessly to enhance the role and stature of the auditing profession. Bill’s participation in this project, and indeed in COSO’s internal control framework project, helped make those reports better. As a colleague and friend, he will be sorely missed.125Enterprise RiskManagement —Integrated FrameworkApplication TechniquesSeptember 2004The Committee of Sponsoring Organizationsof the Treadway CommissionCopyright © 2004 by the Committee of Sponsoring Organizations of the Treadway Commission. 1 2 3 4 5 6 7 8 9 0 MPI 0 9 8 7 6 5 4Additional copies of Enterprise Risk Management – Integrated Framework: Executive Summary and Framework and Enterprise Risk Management – Integrated Framework: Application Techniques, 2 vol. set, item # 990015 may be obtained by calling toll free 1-888-777-7077 or visiting www.cpa2biz.com.All rights reserved. For information about reprint permission and licensing please call (201) 938-3245. A permissions request form for emailing requests is available at www.aicpa.org/cpyright.htm. Otherwise, requests should be submitted in writing and mailed to Permissions Editor, AICPA , Harborside Financial Center, 201 Plaza Three, Jersey City, NJ 07311-3881.Committee of Sponsoring Organizations of the Treadway Commission (COSO)OversightRepresentativeCOSO ChairJohn J. FlahertyAmerican Accounting AssociationLarry E. RittenbergAmerican Institute of Certified Public AccountantsAlan W. AndersonFinancial Executives InternationalJohn P. JessupNicholas S. CyprusInstitute of Management AccountantsFrank C. MinterDennis L. NeiderThe Institute of Internal AuditorsWilliam G. Bishop, IIIDavid A. RichardsProject Advisory Council to COSOGuidanceTony Maki, ChairJames W. DeLoachJohn P. JessupPartnerManaging DirectorVice President and TreasurerMoss Adams LLPProtiviti Inc.E. I. duPont de Nemours andCompanyMark S. BeasleyAndrew J. JacksonTony M. KnappProfessorSenior Vice President ofSenior Vice President andNorth Carolina State UniversityEnterprise Risk AssuranceControllerServicesMotorola, Inc.American Express CompanyJerry W. DeFoorSteven E. JamesonDouglas F. PrawittVice President and ControllerExecutive Vice President, ChiefProfessorProtective Life CorporationInternal Audit & Risk OfficerBrigham Young UniversityCommunity Trust Bancorp, Inc.PricewaterhouseCoopers LLPAuthorPrincipal ContributorsRichard M. SteinbergMiles E.A. EversonFormer Partner and Corporate Partner and Financial ServicesGovernance Leader (Presently Finance, Operations, Risk andSteinberg GovernanceCompliance LeaderAdvisors)New YorkFrank J. MartensLucy E. NottinghamSenior Manager, ClientManager, Internal FirmServicesServicesVancouver, CanadaBostoniiiTable of Contents1. Introduction12. Internal Environment53. Objective Setting134. Event Identification215. Risk Assessment336. Risk Response557. Control Activities638. Information and Communication679. Monitoring8510. Roles and Responsibilities93AppendixAcknowledgments105vIntroductionINTRODUCTION Use of This DocumentThis volume of Enterprise Risk Management – Integrated Framework provides practical illustrations of techniques used at various levels of an organization in applying enterprise risk management principles. The organization of this volume parallels that of the Framework volume. In order to provide further linkage, passages from the Framework volume are included here, in italics. Those passages also provide a foundation for the illustrated techniques. To gain the desired benefit from this material, users should be familiar with theFramework document.While it is expected that this material will be useful to those seeking to apply enterprise risk management techniques, it is not a part of the Framework. Its presentation here in no way suggests that the illustrated techniques need to be used to effect enterprise risk management, or that their application must be present in determining whether enterprise risk management is effective. There is no suggestion that these descriptions or exhibits are a preferred method, or represent “best practices.”The techniques illustrated in this volume are neither intended to be, nor are they, complete. The exhibits and accompanying discussions relate to only certain elements presented in the Framework and depicted in Exhibit 1.1. Some of the techniques are applicable to smaller, non-complex organizations, while others are more relevant to larger, complex entities. A more comprehensive presentation of techniques for applying enterprise risk management that reflects entity size, diversity, and industry is beyond the scope of this project. Over time, we believe that additional guidance will evolve as professional organizations, industry groups, academics, regulators, and others develop material to assist their constituencies.It is suggested that readers considering enterprise risk management application techniques also refer to the Evaluation Tools volume of Internal Control – Integrated Framework for additional guidance. It presents tools for use in conducting an evaluation of an entity’s internal control system, including a set of blank tools, filled-in tools completed for a hypothetical company, and a reference manual.Key Elements of Enterprise Risk ManagementTo provide ready context, Exhibit 1.1 lists key elements of each of the enterprise risk management components.1IntroductionExhibit 1.1Key Elements of Each ComponentInternal EnvironmentRisk Management Philosophy – Risk Appetite – Board of Directors – Integrity and Ethical Values– Commitment to Competence – Organizational Structure – Assignment of Authority and Responsibility – Human Resource StandardsObjective SettingStrategic Objectives – Related Objectives – Selected Objectives – Risk Appetite –Risk TolerancesEvent IdentificationEvents – Influencing Factors – Event Identification Techniques –Event Interdependencies – Event Categories – Distinguishing Risks and OpportunitiesRisk AssessmentInherent and Residual Risk – Establishing Likelihood and Impact – Data Sources –Assessment Techniques – Event RelationshipsRisk ResponseEvaluating Possible Responses – Selected Responses – Portfolio ViewControl ActivitiesIntegration with Risk Response – Types of Control Activities – Policies and Procedures – Controls over Information Systems – Entity SpecificInformation and CommunicationInformation – CommunicationMonitoringOngoing Monitoring Activities – Separate Evaluations – Reporting Deficiencies2IntroductionAn Implementation ProcessAs noted, this volume illustrates a variety of techniques useful in applying specific elements of the enterprise risk management framework. A higher-level, “up front” issue involves what approach management takes when first considering how to implement the framework throughout the organization.An entity’s size, complexity, industry, culture, management style, and other attributes will affect how the framework’s concepts and principles are most effectively and efficiently implemented. Because of the array of available approaches and choices, even similar organizations implement enterprise risk management differently – whether applying the framework’s concepts and principles for the first time or considering whether their existing enterprise risk management process, which may have been developed ad hoc over time, is truly effective. Experience shows, however, that certain commonalities exist, and provided here is a brief description of common broad-based steps taken by managements that have successfully completed enterprise risk management implementation:Core Team Preparedness – Establishing a core team, with representation from business units and key support functions, including strategic planning, is an important first step. This team becomes intimately familiar with the framework’s components, concepts, and principles. This familiarity provides a common understanding and language, and a foundational basis needed to design and implement an enterprise risk management process that effectively addresses the entity’s unique needs. Executive Sponsorship – While the timing and form of executive sponsorship vary by organization, it is important that executive sponsorship be initiated early and solidified as implementation progresses. Executive leadership articulates the benefits of enterprise risk management, and establishes and communicates the business case for the related investment of resources. CEO support, and usually at least initial direct and visible involvement, drives success. Implementation Plan Development – An initial plan is created for the next steps, setting out key project phases, including defined work streams, milestones, resources, and timing. Responsibilities are identified, and a project management system put in place. The plan serves as a means to consistently communicate and coordinate with team leadership, and as a basis for communicating and confirming expectations of various units and personnel, and discussing entity-wide changes anticipated from adopting enterprise risk management. Current State Assessment – This includes an assessment of how enterprise risk management components, concepts, and principles currently are being applied across the entity. This usually involves ascertaining whatever risk management philosophy has evolved within the organization and determining whether there is uniform understanding of the entity’s risk appetite. The core team also identifies formal and informal policies, processes, practices, and techniques currently in place, as well as 3Introductionexisting capabilities in the organization for applying the framework’s principles and concepts.Enterprise Risk Management Vision – The core team develops a vision that sets out how enterprise risk management will be used going forward and how it will be integrated within the organization to achieve its objectives – including how the organization focuses its enterprise risk management efforts on aligning risk appetite and strategy, enhancing risk response decisions, identifying and managing cross-enterprise risks, seizing opportunities, and improving deployment of capital. Capability Development – The current state assessment and the enterprise risk management vision provide insights needed to determine the people, technology, and process capabilities already in place and functioning, as well as new capabilities that need to be developed. This includes defining roles and responsibilities, and modifications to the organizational model, policies, processes, methodologies, tools, techniques, information flows, and technologies. Implementation Plan – The initial plan is updated and enhanced, adding depth and breadth to cover further assessment, design, and deployment. Additional responsibilities are defined, and the project management system refined as needed. The plan typically embraces general project management disciplines that are a part of any implementation process. Change Management Development and Deployment – Actions are developed as needed to implement and sustain the enterprise risk management vision and desired capabilities – including deployment plans, training sessions, reward reinforcement mechanisms, and monitoring the remainder of the implementation process. Monitoring – Management will continually review and strengthen risk management capabilities as part of its ongoing management process. The following chapters illustrate some of the specific techniques for applying the concepts and principles in each of the components of the enterprise risk management framework.4Internal EnvironmentINTERNAL ENVIRONMENT Framework Chapter Summary: The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.This application techniques chapter briefly describes the impact internal environment elements can have on an entity’s success or failure, and illustrates statements of risk management philosophy, techniques to evaluate the extent to which the philosophy is integrated into an entity’s culture, and tools to promote a culture of integrity and ethics.ImpactAn organization’s internal environment has a significant impact on how enterprise risk management is implemented and functions on an ongoing basis. The internal environment is the context in which other components of enterprise risk management are applied, typically with powerful effect, either positive or negative. An example of the latter is presented in Exhibit 2.1.Exhibit 2.1Impact of the Internal EnvironmentThe impact of the internal environment is illustrated in findings from the Columbia Accident Investigation Board Report. This board, activated by the National Aeronautics and Space Administration (NASA), investigated the causes of the Columbia Space Shuttle disaster, where the space shuttle broke up on re-entry. The report states: “The organizational causes of the Columbia accident were rooted in the Space Shuttle Program’s history and culture. . . . Cultural traits and organizational practices detrimental to safety were allowed to develop, including: reliance on past success as a substitute for sound engineering practices (such as testing to understand why systems were not performing in accordance with requirements); organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion; lack of integrated management across program elements; and the evolution of an informal chain of command and decision-making processes that operated outside the organization’s rules.”Risk Management PhilosophyAn entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. . . . [It] is reflected in virtually everything management does in running the entity. It is captured in policy statements, oral and written communications, and decision making. Whether management emphasizes written policies, standards of behavior, performance indicators, and exception reports, or operates more5Internal Environmentinformally largely through face-to-face contact with key managers, of critical importance is that management reinforces the philosophy not only with words but also with everyday actions.Managements of some companies articulate elements of their risk management philosophy in writing. Examples of risk management philosophies are presented in Exhibits 2.2 and 2.3.Exhibit 2.2Illustrative Statement Describing Risk Management PhilosophyAmidst global growth and cultural expansion, our organization requires a comprehensive approach to corporate risk management that promotes broad strategic thinking and analysis, while fundamentally integrating the Organization’s Core Values and Beliefs. To this end, we strive for risk management to become our competitive advantage.The starting point for our risk management program is an enterprise risk strategy that respects the needs and aspirations of all with whom we have relationships. By facilitating the flow of information and stressing communication across the organization, the risk management program provides a continuous loop risk information model. This model provides information regarding stakeholder needs and expectations to continuously improve our enterprise-wide risk strategy.To ensure that we fulfill our strategy, our risk management program arms our people with the tools and capabilities to overcome the barriers that arise in striving to exceed expectations. By realizing that risk and control is everyone’s job, our people will proactively identify risk in delivering products and services to the market in a more efficient and cost effective manner. Our risk management program allows our people to view the problem from various angles to identify not only the risk mitigation activities, but also to anticipate and act on potential opportunities—therefore challenging conventional wisdom to create better solutions.A fundamental tenet of our organization is respect and integrity for our employees, customers and shareholders. By incorporating risk management into our daily business practices and by operationalizing the related performance measures, the risk management program ensures that we maintain our highest ethical standards by living our core values.Exhibit 2.3Illustrative Statement Describing Risk Management PhilosophyEnterprise risk management will provide our organizations with the superior capabilities to identify, assess and manage the full spectrum of risks and to enable staff at all levels to better understand and manage risk. This will provide us with:Responsible acceptance of riskSupport for Executive and the BoardImproved outcomesStrengthened accountabilityEnhanced stewardship6Internal EnvironmentAll staff are expected to demonstrate appropriate standards of behavior in development of strategy and pursuit of objectives. This philosophy is supported by following guiding principles. Management and staff shall:Consider all forms of risk in decision-making. Create and evaluate business-unit level and Company-level risk profile to consider what’s best for their individual business unit and department and what’s best for the Company as a whole. Support executive management’s creation of a Company-level portfolio view of risk. Retain ownership and accountability for risk and risk management at the business unit or other point of influence level. Risk management does not defer accountability to others. Strive to achieve best practices in enterprise risk management. Monitor compliance with policies and procedures and the state of enterprise risk management. Lever existing risk management practices, wherever they exist within the Company. Document and report all significant risks and enterprise risk management deficiencies. Accept that enterprise risk management is mandatory, not optional. To gain insight into how well the risk management philosophy is integrated into an entity’s culture, some companies conduct a risk-related culture survey, which measures the presence and strength of key risk-related attributes. Some of the attributes typically addressed in these surveys are presented in Exhibit 2.4.Exhibit 2.4Attributes Measured in a Risk-Related Culture Survey1. Leadership and StrategyDemonstrate Ethics and Values Communicate Mission and Objectives2. People and CommunicationCommitment to Competency Share Information and Knowledge3. Accountability and ReinforcementOrganizational StructureMeasure and Reward Performance4. Risk Management and InfrastructureAssess and Measure RiskSystem Access and Security7Internal EnvironmentSome companies survey all staff periodically, such as annually, and a representative sample of staff more frequently, based on desired timing and confidence level. One company deploys these surveys quarterly to allow for greater insight into the ongoing pulse and trends of the organization, especially helpful during times of change. The results of such surveys provide directional indicators of areas of strength and weakness in an organization’s culture. An illustration of how results of a risk-related culture survey question are presented and interpreted is shown, in part, in Exhibit 2.5. The results help the entity identify attributes that need strengthening to ensure an effective internal environment.Exhibit 2.5Illustrative Risk-Related Culture Survey#QuestionAttributeMean RatingStdCountSDDNASADevThe leaders of my unitLeadership andStrong0.7118613977961set a positive example1.42Strategyfor ethical conductI understand the entity’sLeadership and0.691860718119422overall mission and1.05GoodStrategystrategyDisciplinary action isAccountabilityActiontaken against those who115518683and0.211.2017523engage in professionalNeededReinforcementmisconductTurnover of personnel4has not significantlyPeople and0.81Caution0.8814543396930affected our ability toCommunicationachieve objectivesThe leaders of myRiskbusiness unit areManagement0.99Good0.8518321316106465receptive to allandcommunications aboutInfrastructurerisk, including bad newsIn the example above, each question is ranked using a scale of -2 to +2 as follows: -2 Strongly Disagree (SD); -1 Disagree (D); 0 Neutral (N); +1 Agree (A); +2 Strongly Agree (SA). The assessment, depicted by the color coding, is based on the mean ratings. Additional information is provided by the standard deviation, which is a measure of the respondents’ degree of consensus around an issue – the smaller the standard deviation, the greater the respondents’ level of agreement on that issue, and the greater the standard deviation, the less agreement.Integrity and Ethical ValuesThe effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities.Integrity and commitment to ethical values start with the individual. Value judgments, attitude, and style are based on individual experiences. Nowhere are integrity and ethical values more important than with the CEO and the senior management team, who set the “tone8Internal Environmentat the top” and influence how other entity personnel will conduct themselves. The “right” tone at the top helps:The organization’s people do the right thing, both legally and morally Create a compliance-supporting culture, which is committed to enterprise risk management Navigate “gray” areas where no specific compliance rules or guidelines exist Promote a willingness to seek assistance and report problems before the point of no return Organizations support a culture of integrity and ethical values with communications such as a credo or core values statement that sets out the organization’s values and priorities, and a code of conduct. A code of conduct provides a connection between the organization’s mission or vision and its operating policies and procedures. Not typically an exhaustive conduct guide, or a legal document outlining in detail key organizational protocols, a code of conduct is a proactive statement of an organization’s positions on ethics and compliance issues. Codes also can serve as a “user-friendly” guide to the organization’s policies on employee and organizational conduct.An illustration of topics often addressed in a code of conduct is presented in Exhibit 2.6. This structure is derived from the Open Compliance and Ethics Group’s pending Foundation Guidelines for an Integrated Compliance and Ethics Program.Exhibit 2.6Illustrative Code of Conduct StructureCode SectionSection Outline1.Letter from Chief ExecutivePresents top management’s message of the importance ofintegrity and ethics to the organizationIntroduces the code of conduct: its purpose and how to use it2.Goals and PhilosophyConsiders the entity’s:− Culture− Business and industry− Geographic locations, domestically and internationally− Commitment to ethical leadership3.Conflicts of InterestAddresses conflicts of interest and forms of self-dealingSpeaks to personnel and other corporate agents and thoseactivities, investments, or interests that reflect on the entity’sintegrity or reputation4.Gifts and GratuitiesDeals with giving of gifts and gratuities, setting forth theentity’s policy, typically going well beyond local lawSets standards and provides guidance regarding gifts andentertainment and their proper reporting5.TransparencyIncludes provisions dealing with the organization’scommitment to complete and understandable social,9Internal EnvironmentCode SectionSection Outlineenvironmental, and economic reporting6.Corporate ResourcesIncludes provisions dealing with corporate resources, includingintellectual property and proprietary information – whom thesebelong to and how they are safeguarded7.Social ResponsibilityIncludes the entity’s role as a corporate citizen, including itscommitment to human rights, environmental sustainability,community involvement, and environmental and economicissues8.Additional Conduct-RelatedIncludes provisions regarding adherence to policies establishedTopicswithin specific areas of company activity, for example:− Employment issues such as fair labor practices andantidiscrimination− Governmental dealings such as contracting, lobbying, andpolitical activity− Antitrust and other competitive practices− Good faith and fair dealing with customers/competitors/suppliers− Confidentiality and security of information− Environmental practices− Product safety/qualityThe overview from a professional service firm’s code of conduct is presented in Exhibit 2.7.Exhibit 2.7Illustrative Overview from Code of ConductOur ValuesThe best solutions come from working together with colleagues and clients. Effective teamwork requires Relationships, Respect and Sharing. Delivering what we promise and adding value beyond what is expected. We achieve excellence through Innovation, Learning, and Agility. Leading with clients, leading with people and thought leadership. Leadership demands Courage, Vision and Integrity. Upholding the [firm] nameOur clients and colleagues trust [firm name] based on our professional competence and integrity – qualities that underpin our reputation. We uphold that reputation. We seek to serve only those clients whom we are competent to serve, who value our service and who meet appropriate standards of legitimacy and integrity. When speaking in a forum in which audiences would reasonably expect that we are speaking as a representative of [firm name], we generally state only [firm name] view and not our own. We use all assets belonging to [firm name] and to our clients, including tangible, intellectual and electronic assets, in a manner both responsible and appropriate to the business and only for legal and authorized purposes. 10Internal EnvironmentBehaving ProfessionallyWe deliver professional services in accordance with [firm name] policies and relevant technical and professional standards. We offer only those services we can deliver and strive to deliver no less than our commitments. We compete vigorously, engaging only in practices that are legal and ethical. We meet our contractual obligations and report and charge honestly for our services. We respect the confidentiality and privacy of our clients, our people and others with whom we do business. Unless authorized, we do not use confidential information for personal use, [firm name’s] benefit or to benefit a third party. We disclose confidential information or personal data only when necessary, and when appropriate approval to do so has been obtained, and/or we are compelled to do so by legal, regulatory or professional requirements. We aim to avoid conflicts of interest. Where potential conflicts are identified and we believe that the respective parties' interests can be properly safeguarded by the implementation of appropriate procedures, we will implement such procedures. We treasure our independence of mind. We protect our clients' and other stakeholders' trust by adhering to our regulatory and professional standards, which are designed to enable us to achieve the objectivity necessary in our work. In doing so, we strive to ensure our independence is not compromised or perceived to be compromised. We address circumstances that impair or could appear to impair our objectivity. When faced with difficult issues or issues that place [firm name] at risk, we consult appropriate [firm name] individuals before taking action. We follow our applicable technical and administrative consultation requirements. It is unacceptable for us to receive or pay bribes. Respecting OthersWe treat our colleagues, clients and others with whom we do business with respect, dignity, fairness and courtesy. We take pride in the diversity of our workforce and view it as a competitive advantage to be nurtured and expanded. We are committed to maintaining a work environment that is free from discrimination or harassment. We try to balance work and private life and help others to do the same. We invest in the ongoing enhancement of our skills and abilities. We provide a safe working environment for our people. Corporate CitizenshipWe express support for fundamental human rights and avoid participating in business activities that abuse human rights. We act in a socially responsible manner, within the laws, customs and traditions of the countries in which we operate, and contribute in a responsible manner to the development of communities. We aspire to act in a manner that minimizes the detrimental environmental impacts of our business operations. We encourage the support of charitable, educational and community service activities. 11Internal EnvironmentWe are committed to supporting international and local efforts to eliminate corruption and financial crime. To monitor the extent to which employees’ actions conform to established standards, some companies periodically use staff focus groups. This feedback, often employing technology, is used to “validate” core values. Technology also can be used to enable sharing and updating information and tracking employee compliance with the code of conduct and related policies, standards, and procedures. Illustrations of how entities are using technology to foster the desired culture are presented in Exhibit 2.8.Exhibit 2.8Technology to Support a Culture of Integrity and EthicsA direct link from the organization’s Internet (or intranet) home page to the values statement and code of conduct, facilitating their use and sending a message about their importance Electronically available codes and related information, providing ease of access and eliminating need for paper copies Confirmation that staff received the information Training venues and e-learning Automatic reference to the code or guidance used during completion of tasks Automatic reminder to staff of required actions Notification to staff’s immediate supervisor and above if action is not taken in a timely manner Method to obtain certification of compliance Audit trail of activities 12Objective SettingOBJECTIVE SETTING Framework Chapter Summary: Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity.This chapter illustrates linking an entity’s mission with strategic and related objectives, aligning strategic and related objectives, and depictions of risk appetite and risk tolerances.Strategic ObjectivesIn considering alternative ways to achieve its strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications. Various event identification and risk assessment techniques, discussed below and in later chapters, can be used in the strategy-setting process.Exhibit 3.1 illustrates setting strategic objectives, using risk assessment techniques.Exhibit 3.1Setting Strategic ObjectivesA community bank considering its options for enhancing customer services identified three strategies:Option A – Expand its branch network into new areas matching its target demographics Option B – Scale back the branch network to 50% of its current size, and significantly enhance its Internet and call-center capabilities Option C – Maintain the branch network, and outsource the existing Internet and call-center operations to a lower-cost company in a foreign country When considered against the bank’s vision, which encompasses contributing to the communities within which it operates, Option C was seen as inconsistent with the vision, given the job losses that would result. Management then focused on Options A and B.Using scenario analysis, modeling, and stress testing (discussed in the Risk Assessment chapter), management compared the results of each option in relation to the impact on return on capital employed. Management identified the distribution of potential return outcomes given their differing credit and operational risk profiles, and determined that the potential returns on capital employed under the two scenarios, while having similar median outcomes, have markedly different distributions, as shown below.13Objective Setting10 .0%7.5%Probability5. 0%2.5%Median = 15%Median = 15%-5%0%5%10 %15 %20%25 %30%35 %Estimated ReturnA – Expand branch networkB – Expand Internet networkBased on this analysis, management adopted Option A, deciding to forego the potential upside but avoiding the potential downside of Option B.Related ObjectivesEntity-level objectives are linked to and integrated with more specific objectives that cascade through the organization to sub-objectives established for various activities, such as sales, production, and engineering, and infrastructure functions.Linkage of a company’s mission with its strategic objectives, strategies, and related objectives is illustrated in Exhibit 3.2.Exhibit 3.2Linking Mission/Vision with Strategic and Related ObjectivesMission To provide high-quality, accessible, and affordable community-based healthcareStrategic Be the first or second largest, full-service health care provider in mid-sizeObjectivesmetropolitan markets Rank in the top quartile in quality for our core medical services Be recognized in the local marketplaces as quality/price leaders14Objective SettingStrategies Align with stand-alone hospitals in the target markets in which we do notcurrently have a presence Acquire high-quality, under-performing medical service providers in targetmarkets where feasible – otherwise, consider lesser programs to revamp andrebuild Develop ownership participation or profit-sharing programs to attract top localmedical talent Develop tailored, targeted marketing programs for large and middle marketbusinesses in target markets Bring our state-of-the-art infrastructure systems to provide effectivemanagement and cost control Achieve leading track record of compliance with all healthcare and otherapplicable laws and regulationsRelated Objectives- Operations  Initiate dialogue with leadership of ten top under-performing hospitals and negotiate agreements with two this year Target ten other programs in key target markets and execute agreements withfive this year Identify needs and motivations of leading practitioners in major markets andstructure alternative model terms Ensure at least one top medical talent is on board in each core discipline in atleast five major markets this year Hold focus groups with business leaders in key markets to determine programneeds Develop alternative model programs for business customers Develop methodologies for quick-start implementation of information andoperational systems in acquired/rebuilt hospitals Set protocols for migration from existing systems Implement new systems in one new location to serve as model going forward- Reporting Install our foundation systems in newly acquired facilities to providemanagement reports on key performance measures, with exception and trendline analysis, within four working days of month-end Ensure all facilities report, accurately and on a timely basis, complianceperformance and issues for management review Establish uniform reporting system/accounts for assembly of accurate andcomplete information required for external reporting- Compliance Establish compliance office with charter, leadership, and staffing centrally,providing support to local units Ensure line personnel recognize their primary compliance responsibilities,building into human resource objectives and performance assessments Develop company-wide protocols for medical procedures, drug storage anddispensing, staffing assignments and schedules, and all aspects of patient care Review privacy policies and practices and benchmark against federalrequirements and best practices15Objective SettingAnother example of linkage is illustrated in Exhibit 3.3. Here, the bank referred to in Exhibit 3.1 aligned its vision first with strategic objectives and strategies, and then with objectives in its property unit and human resources function.Exhibit 3.3Linking Mission/Vision with Strategic and Related ObjectivesVisionBe the leading and most trusted provider of financial services to families withinthe region, thereby contributing to the communities within which we operateStrategic To maintain an annual return on capital employed of 15%Objectives To grow the customer base by 30% within three years through expandingthe branch network by 50% over that timeframeStrategies Acquire new property leases in areas that match our target customerdemographics Maintain the current cost structure for the branch networkProperty Unit Develop an outsourcing relationship with a qualified real estate company toObjectivesidentify and negotiate suitable leases in accordance with the required growthin the property portfolio Open 15 new branches in the coming year Maintain rental cost average of $xx rental per square foot across the propertyportfolio Recruit two additional in-house property managersHuman Annual turnover of customer services staff below 10%Resources Recruit and train 100 customer service staff in the coming yearObjectives Develop negotiating position and plan for upcoming negotiations with thetrade union regarding treatment of the new employeesRisk AppetiteRisk appetite can be expressed in qualitative or quantitative terms. Exhibit 3.4 provides illustrative questions management might ask when considering its risk appetite.Exhibit 3.4Considering Risk AppetiteWhat risks is the company in business to accept and what risks will it not accept – e.g., is the organization prepared to accept minor losses of physical inventory from pilferage but not willing to accept large losses of physical inventory from spoilage, obsolescence, or natural disasters? Is the company comfortable with the amount of risk accepted, or to be accepted, by each of its businesses? What levels of risk is the company prepared to accept on new initiatives in order to achieve the company-wide desired return on invested capital of 15%? Is the entity prepared to accept more risk than it currently is accepting and, if so, what return level would be required? 16Objective SettingWhat level of capital or earnings is the organization willing to put at risk given a particular confidence level – e.g., will management accept 50% of its capital at risk of loss with 95% confidence in this amount? What percentage of “worst case” risks does the company want to have capital available to cover – based on a scale of likelihood and impact of major risk potentialities? Is it acceptable that an unlikely event could challenge the entity’s viability? Are there specific risks that the organization is not prepared to accept, such as risks that could result in non-compliance with privacy of information laws? To what extent will the company accept risk to competing objectives, such as risk of lower gross profit margin in return for greater market share? How does the organization’s risk appetite compare with that of peers – how much risk is the organization prepared to accept to move from following competitors in product innovation to trend-setter status? What are the relative risks, and related comfort levels, in preserving value by maintaining the quality of existing products and services, versus seeking to create new value through new product development? To what extent is the company prepared to enter into projects with lower likelihood of success but larger potential returns? Is the organization more comfortable with a qualitative descriptor versus a quantitative one? Some organizations express risk appetite in terms of a “risk map,” as illustrated in Exhibit 3.5. In this exhibit, any significant residual risk in the yellow area exceeds the company’s risk appetite, calling for management to take action to reduce the likelihood and/or impact of the risk to bring it within the company’s risk appetite.Exhibit 3.5Forming Risk AppetiteHighExceedingRisk AppetiteImpactMediumWithin RiskAppetiteLowLowMediumHighLikelihood17Objective SettingSome industries, especially those in financial services and the oil and gas sector, are able to adopt sophisticated approaches using quantitative techniques to express risk appetite. Advanced entities might express risk appetite using market measures or risk-based capital. Exhibit 3.6 provides an illustration of a statement of risk appetite in terms of market measures.Exhibit 3.6Risk Appetite in Terms of Market MeasuresA utility company focuses on growing market value capitalization through generating stable cash flows and earnings, and sets risk appetite in those terms. Therefore, all entity-level risks are expressed in relation to the effect on earnings and cash flow volatility. When the trend line in volatility approaches risk appetite, management takes actions as necessary.Exhibit 3.7 illustrates how a company views capital at risk versus return in relation to risk appetite. The company strives to diversify its portfolio to earn a return that lines up along the target profile, rather than lower down, in the interior of the region.ReturnExhibit 3.7Risk Appetite, Return, and Capital at RiskTarget risk-return profileVenture CapitalTradingHotel OperationsFibre OpticsCorporate FinancingMineralsPipelinesFertilizersCapital at RiskCurrent StateTarget StateDetermine Risk TolerancesRisk tolerances are the acceptable levels of variation relative to the achievement of objectives. . . . Operating within risk tolerances provides management greater assurance that the entity remains within its risk appetite, which, in turn, provides a higher degree of comfort that the entity will achieve its objectives.18Objective SettingDevelopment of risk tolerances by an airline related to on-time service is illustrated in Exhibit 3.8.Exhibit 3.8Objectives and Risk TolerancesAn airline decided to set an objective around superior on-time service. Management recognized the factors causing flight delays, some of which are within its control, while others are not, and understood well how the various factors affected regulators’ public reporting of on-time service. In considering risk tolerances, marketing, customer service, and operations, personnel determined that:85% on-time flight arrival has remained the company’s target for many years, which generally has been achieved and is in line with messages in its marketing program The industry average for on-time arrival on the relevant routes for the past several years has remained at approximately 80% There is minimal effect on the company’s customer flight bookings when arrival times temporarily decrease to as low as the industry average The cost to achieve more than 87% on-time arrival is uneconomical and cannot be passed through in ticket prices The company has been criticized by industry analysts for its inability to keep costs down Based on this information, management maintained the objective of 85% average on-time arrival, with a tolerance of between 82% and 86%. Looking at the tolerances for other objectives, management is better able to allocate resources to ensure reasonable likelihood of achieving outcomes across multiple objectives.Risk tolerances sometimes are set at the entity level and allocated across business units, as illustrated in Exhibit 3.9.Exhibit 3.9Risk Tolerances Across Multiple Business UnitsA company set a risk tolerance of no more than 20% of revenue to be derived from alliance partners. When its two business units developed operating and marketing plans for the coming period, both showed a strong dependence on alliance partners, and, when aggregated, the plans reflected such sourced revenue exceeding the 20% threshold. Management decided to allow business unit A to generate up to 40% of revenue from its alliance partner, while business unit B was allowed only 15%, allowing the company’s overall plan to retain the 20% tolerance level.The way in which one organization depicted the relationship between its mission, objectives, appetite, and tolerance is illustrated, in part, in Exhibit 3.10.19Objective SettingExhibit 3.10Relating Mission, Objectives, Appetite, and ToleranceMissionTo be a leading producer of premium household products in the regions in which we operateStrategicObjectivesTo be in the top quartile of product sales for retailers of our products Measures1. Market shareStrategyExpand production of our top-five selling retail products to meet increased demandRelated ObjectivesIncrease production of Unit X by 15% in the next 12 months Hire 180 qualified new staff across all manufacturing divisions Maintain product quality of 4.0 sigma Maintain 22% staff cost per dollar order MeasuresUnits of production Number of staff hired Product quality by sigma Risk AppetiteAccept that the company will consume large amounts of capital investing in new assets, people and process Accept that competition could increase (e.g., through predatory pricing, etc.) as we seek to increase market share, thereby reducing profit margins We do not accept erosion of product quality Risk Tolerances•MeasureTargetTolerances – Acceptable RangeMarket share25th percentile20% – 30%•Units of production150,000 units-7,500/+10,000•Number of staff hired (net)180 staff-15/+ 20•Product quality index4.0 sigma4.0 – 4.5 sigma20Event IdentificationEVENT IDENTIFICATION Framework Chapter Summary: Management identifies potential events that, if they occur, will affect the entity, and determines whether they represent opportunities or whether they might adversely affect the entity’s ability to successfully implement strategy and achieve objectives. Events with negative impact represent risks, which require management’s assessment and response. Events with positive impact represent opportunities, which management channels back into the strategy and objective-setting processes. When identifying events, management considers a variety of internal and external factors that may give rise to risks and opportunities, in the context of the full scope of the organization.This chapter illustrates some of the techniques used in event identification. Included are illustrations of how events are linked with objectives; techniques enabling personnel to identify events using event inventories, facilitated workshops, interviews, questionnaires, surveys, and process flow analysis; and identifying events using leading event indicators, escalation triggers, and loss event data tracking. Also illustrated are interrelationships between multiple events, and use of event categories to enhance understanding the relationships.Linking Events with ObjectivesIn some circumstances, identifying events related to a specific objective is reasonably straightforward, as illustrated in Exhibit 4.1. In this illustration, building on Exhibit 3.10, potential events and their impacts are identified and related to the objective, associated risk tolerance, and measurement unit. In this example, management determined that increasing staffing levels and maintaining staff costs were two operations objectives (other operations objectives are not presented).21Event IdentificationExhibit 4.1Identifying EventsMissionTo be the leading producer of premium household products in the regionsin which we operateStrategic objectiveTo be in the top quartile of product sales for retailers of our productsRelated objectivesHire 180 new qualified staff across all manufacturing divisions tomeet customer demand without overstaffingMaintain 22% staff cost per dollar orderObjective unit ofNumber of new qualified staff hiredmeasureStaff cost per dollar orderTolerance165 – 200 new qualified staffStaff cost between 20% and 23% per dollar orderPotential events/risksUnexpected slowdown in job market causing more offers beingand related impactaccepted than planned, resulting in excess staffUnexpected heating up of job market causing fewer offers beingaccepted, resulting in too few staffInadequate needs/specifications descriptions, resulting in hiringunqualified staffIn other circumstances, risk identification is not as immediately evident, and a variety of techniques are used, as discussed in the following paragraphs.Event Identification TechniquesAn entity’s event identification methodology may comprise a combination of techniques, together with supporting tools. . . . Event identification techniques look to both the past and the future.Management uses any number of techniques to identify potential events affecting achievement of objectives. The techniques are used in identifying risks and opportunities, for example, when implementing a new business process, re-designing an existing one, or evaluating a process. Or, they may be used in connection with strategic or business unit planning, or when considering new initiatives or organizational change. They may be used on a periodic or an ongoing basis.Application of common event identification techniques is illustrated below.Event InventoriesManagements use listings of potential events common to a specific industry or functional area. The list is developed by personnel within the entity, or from generic lists generated externally. Such lists of potential events are used, for example, relative to a specific project, process or activity, and can be useful in ensuring a consistent view across similar activities within the organization. If externally developed, the inventory is enhanced and otherwise22Event Identificationtailored to the entity’s circumstances, to better relate to the organization’s risks, and to be consistent with the organization’s common enterprise risk management language. Exhibit 4.2 illustrates use of an externally produced inventory of events potentially affecting a software development project.Exhibit 4.2Event InventoriesBefore undertaking a software development project, a company reviews an inventory of generic risks inherent in software development projects. The inventory provides a useful way to draw on the accumulated risk knowledge of others experienced in this subject area. Recognizing that the inventory includes risks from companies with different characteristics, management considers the effect of these risks on its own unique circumstances.Facilitated WorkshopsEvent identification facilitated workshops typically bring together cross-functional or multi-level individuals for the purpose of drawing on the group’s collective knowledge to develop a list of events as they relate, for example, to the company’s strategic, business unit, or process objectives. The results of workshops usually depend on the depth and breadth of information the participants bring to the table.Some organizations in connection with strategy setting hold a workshop of senior management to identify events that could affect achievement of corporate strategic objectives. An approach to the workshop and agenda used by one company to identify potential events relevant to the achievement of specified objectives is outlined in Exhibit 4.3.Exhibit 4.3Facilitated Workshop OutlinePrior to the workshopIdentify experienced facilitator to lead the session, manage group dynamics, and plan how best to capture generated ideas in usable form Establish and agree on ground rules at the commencement of the workshop Recognize the different participant styles and personality types, considering how to optimize their contribution Identify which objectives, category of objectives, and categories of events to focus on Invite an appropriate number of workshop participants – normally limit to 15 or fewer Set realistic expectations up front with respect to what the workshop is intended to achieve Agenda Introduction Explain background of workshop and why each participant has been invited Explain ground rules Explain workshop process Events are to be considered against corporate objectives per business plan 23Event IdentificationFor each objective, the facilitator will prompt discussion on events emanating from the following factors, and their related effects:ExternalInternalEconomicInfrastructureNatural environmentPersonnelPoliticalProcessSocialTechnologyTechnologicalDescribe how and when voting tools and verbal inputs will be used Explain how ideas, conclusions will be documented Explore Objective 1 Identify the objective, its unit of measure, and the related established targets Gain consensus of risk tolerance – the degree of acceptable variation around the unit of measure Discuss internal and external factors that drive potential events relative to the objective Determine which events represent risks to achieving the objective, and which events represent opportunities Consider how multiple risks affecting this objective relate to one another Next steps and close Distribute the workshop output to all participants within 48 hours, with action plan for next steps InterviewsInterviews typically are conducted in a one-on-one setting, or sometimes two-on-one, where the interviewer is accompanied by a colleague taking notes. The purpose is to ascertain the individual’s candid views and knowledge of actual past events and potential events. An interview agenda used in focusing on business unit objectives is illustrated in Exhibit 4.4.Exhibit 4.4Interview AgendaInterview AgendaIntroduction Provide background on the project and interview process Confirm the person’s position, background, and current responsibilities Confirm they received and read any background material provided in advance Strategies and Objectives Identify the key objectives within the interviewee’s business unit/division Determine how the objectives align with and support the entity’s strategies and objectives Identify the unit of measure for each objective and the related established targets Determine the established risk tolerances Discuss factors related to potential events relative to the objective Identify potential events creating risks to objectives, and those representing opportunities Consider how the interviewee prioritizes these events, considering likelihood and impact Identify events that have occurred in the past 12 months that impacted the entity that were not identified by management and staff Consider whether risk identification mechanisms need to be enhanced 24Event IdentificationQuestionnaires and SurveysQuestionnaires address a range of issues to be considered by participants, focusing their thinking on internal and external factors that have given rise, or may give rise, to events. Questions can be open-ended or closed, depending on the goal. They can be directed to one or a few individuals, or used in connection with a broader-based survey, either within an entity or directed to customers, suppliers, or other external parties. Use of these techniques is illustrated in Exhibit 4.5.Exhibit 4.5Illustrative Questionnaire and SurveyTargeted QuestionnaireA company requires business unit staff to complete a questionnaire before accepting a new vendor. The questionnaire requires the staff person to consider a range of questions exploring the potential vendor’s:Quality processes Risk management processes Insurance coverage Terms and conditions In considering the questions, the staff person identified the following potential events to which the company would be exposed if it were to do business with the vendor:The vendor’s history of inconsistent delivery presents a risk of supply chain disruptions. The vendor is not certified to an appropriate quality standard. A risk exists that the materials provided might not meet the company’s quality specifications, resulting in production problems, loss of customers, and reputational damage. The vendor has inadequate insurance coverage for product defects. A risk exists that the company would not be able to recover associated losses. The vendor’s terms require a two-year commitment from the company, with an associated risk of changing needs and related economic loss. SurveyA fast-food company regularly surveys its customers in two areas: changes in their consumption habits/preferences, and satisfaction levels with the service received in its restaurants. A recently completed survey identified a shift in preference toward organic foods and away from genetically modified foods. With this information, management assessed the extent to which the shift in preferences called for modification of strategy and related objectives, including new product offerings and marketing programs. Similarly, management used the survey results – which showed a declining level of satisfaction with service at particular restaurants – in looking at underlying issues related to those units.25Event IdentificationProcess Flow AnalysisProcess flow analysis typically involves the diagrammatic representation of a process, with the goal of better understanding the interrelationships of its component inputs, tasks, outputs, and responsibilities. Once mapped, events can be identified and considered against process objectives. As with other event identification techniques, process flow analysis can be used in looking from a high level within the entity, or at a detailed level. Exhibit 4.6 illustrates the latter, depicting how a company mapped its cash receipts process as a basis for identifying related risks to the objective of depositing and recording all cash receipts on a timely and accurate basis.Exhibit 4.6Process Flow AnalysisInputsTasksCheck received1. Clerk stampscheck with datestamp4. Remittance slipsand check registersent to AR Clerk6. Posting reportmatched to depositslipOutputs2. Check entered3. CheckA. Stampedinto checkdeposited bydeposit slipregisterClerk5. AR Clerk postsB. Posting reportchecks to ARledgerC. Posting report filed with deposit slipTasksPossible events1.Clerk stamps check with date stamp Clerk fails to stamp check2.Check entered into check register Clerk fails to record check details Clerk records incorrect check details Clerk misappropriates check3.Check deposited by Clerk Check lost en route to bank Check deposited to incorrect bank account Incorrect amount recorded by bank Stamped deposit slip lost4.Remittance slips and check register Remittance slips or check register misplaced or lostsent to AR Clerk5.AR Clerk posts checks to AR ledger Checks applied to incorrect accounts Incorrect amount recorded against customer account AR Clerk does not post checks6.Posting report matched to deposit Details do not matchslip26Event IdentificationLeading Event Indicators and Escalation TriggersLeading event indicators, often called leading risk indicators, are qualitative or quantitative measures that provide insight into potential events – such as the price of fuel, turnover in investor securities accounts, and traffic on an Internet site. To be useful, leading risk indicators must be available to management on a timely basis, which, depending on the information, might be daily, weekly, monthly, or in real time.Escalation triggers typically focus on day-to-day operations and are reported, on an exception basis, when a pre-established threshold is passed. Companies often have escalation triggers established within business units or departments. To be effective, escalation triggers need to establish when managers are to be notified, with notification timing based on the manager’s view of how much time is needed to take action.Leading risk indicators and escalation triggers are illustrated in Exhibit 4.7.Exhibit 4.7Leading Risk Indicators and Escalation TriggersBusiness UnitTarget andLeadingEscalationMeasurePotential EventTrigger forObjectiveToleranceIndicatorBusiness UnitDevelopNumber ofTarget: 1,000ConsumerConsumerConsumerproductunits sold perunits of newconfidenceconfidenceconfidencepromotionalmonth perproduct solddecreases,indicatorsdecreases bycampaign withstoreper month perresulting inmore than 5%supermarketstore duringdecreases inchain in keypromotionalpurchases of theregioncampaigncompany’sTolerance:products900–1,250units sold permonth perstoreCreate andNumber ofTarget: 0 perUnauthorizedDetectedNew criticalmaintainsuccessfulmonthindividualsvulnerabilities invulnerabilitiesstrong securityintrusionsTolerance: 0access thethe company’sidentified byagainstper monthcompany’score operatingthird partiesexternalsystems viasystemsintrusions onInternet portspublished by thesystemsvendor/thirdparty; number ofunauthorizedattemptsComply withVolume ofTarget: <100Corrosion onAge of barrelsBarrels in use forstandardsspills ofgallons perbarrels causesused to transportmore than 85%governing thehazardousyearmaterial to leakhazardousof their estimatedmovements ofmaterialsTolerance: 0–from trucksmaterialuseful life27Event IdentificationBusiness UnitTarget andLeadingEscalationMeasurePotential EventTrigger forObjectiveToleranceIndicatorBusiness Unithazardoustransported by125 gallonsduring transportmaterialcompany staffMaintainTurnover ofTarget:High performersStaff morale ofHigh performersstable high-staff rated asTurnover ofresignhigh performersresponding asqualityhighhigh“very” orworkforceperformersperformers <“somewhat”10%dissatisfied inTolerance: 2%annual employee–12%surveyLoss Event Data TrackingMonitoring relevant data can help an organization identify past events having a negative impact and quantify the associated losses, in order to predict future occurrences. While event data typically are used in risk assessment – based on actual experience with likelihood and impact – they also can be useful in event identification by providing a basis for fact-based discussion, institutionalizing knowledge (particularly helpful where staff turnover is high), and serving as a source for understanding loss event interdependencies and developing predictive and causal models.Loss event databases developed and maintained by third party service providers are available on a subscription basis. In some industries, such as banking, consortiums have formed to share internal data.Loss event databases contain information on actual events meeting specified criteria. Information in externally developed event databases can be useful to supplement internally generated information in estimating future event likelihood and impact, particularly for potential events with low likelihood (which a company is unlikely to have experienced in the past) but high impact. One such database, for example, contains loss event data, across industries, on publicly reported operational losses in excess of one million dollars.Some companies track ranges of external data. Large companies, for example, track a range of leading economic indicators to identify movements suggesting change in demand for their products and services. Similarly, financial institutions monitor changes in world politics to identify leading indicators suggesting modification to future investment strategies and actual events calling for immediate change to investment portfolios.Use of internally generated data is illustrated in Exhibit 4.8, and externally developed data in Exhibit 4.9.28Event IdentificationExhibit 4.8Loss Event Tracking Using Internal DataA manufacturing company tracks production equipment failures, through automated routines that electronically monitor and capture disparate equipment diagnostic information. By tracking the sequence of events, management is positioned to assess the underlying cause of a manufacturing process failure and the costs associated with equipment downtime. Operations managers use the information in real time, diagnosing the cause and quickly making repair decisions. Future maintenance schedules reflect known past equipment failures. Periodically operations management is provided reports determining the effect of the equipment failures on a key unit of measure – production availability – and associated monetized cost.NegativeEquipmentComponentSub-CauseDowntimeEffect onCostcomponentDurationProductionAvailabilityPump #1MotorInsulationOverheating1H: 20M0.4%$24,000due todeteriorationin insulationcaused byexcessivelead cablelengthsPump #2MotorSwitchProduct2H: 10M0.7%$42,000defectConveyorBeltingRollerContamination4H: 45M1.6%$95,000in the ball oilExhibit 4.9Loss Event Tracking Using External DataA government agency is tasked with controlling the inflow of illegal drugs and other contraband through its ports. Governments from multiple countries collect and share data, including:Port of originCountries traveled through en routeShip carried onType of goods carriedTraditional cargo carriedOwner of vesselOwner of goodsReceiver of goodsValue of goodsDelivery addressFrequency of tripsThe data are measured against predefined threshold triggers in order to more effectively target inspections.29Event IdentificationOngoing Event IdentificationThe techniques illustrated above typically are applied in particular circumstances, with varying frequency over time. Potential events also are identified on an ongoing basis in connection with routine business activities. Exhibit 4.10 illustrates some of those techniques, which are useful in bringing to light risks and opportunities that may be important to an entity’s achieving its objectives. This exhibit demonstrates how one company matches its ongoing event identification mechanisms against external and internal factors that give rise to events, to aid in determining whether there is a need to take further action.Exhibit 4.10Illustrative Event Identification MechanismsExternal FactorsInternal FactorsMechanism – Input fromEconomicNaturalEnvironmentPoliticalSocialTechnologicalInfrastructurePersonnelProcessTechnologyIndustry/technical conferencesPeer company websites and advertisingcampaignsPolitical lobbyistsInternal risk management meetingsBenchmarking reportsCompetitors’ regulatory filingsKey external indicesKey internal indices/risk & performancemeasures/scorecardsNew legal decisionsMedia reportsMonthly management reportsAnalyst reportsElectronic bulletin boards andnotification servicesIndustry, trade, and professional journalsTiming of new product launches versuscompetitorsProfiling calls to customer serviceReal-time feeds of financial marketactivity30Event IdentificationInterrelationship of Events That May Affect ObjectivesIn many circumstances multiple events can impact achievement of an objective. To gain an understanding and insight into interrelationships, some companies use event tree diagrams, also known as fishbone diagrams. An event tree diagram provides a means by which to identify and graphically represent uncertainty, generally focusing on one objective and how multiple events affect its achievement. This technique is illustrated in Exhibit 4.11.Exhibit 4.11Linking Factors and Potential Events to Objective Unit of MeasureA company that sells mattresses through retail outlets seeks to maintain a 30% margin on sales. It looks to determine which factors and events affect product demand and cost of production – either of which is likely to affect achievement of the 30% margin objective. The objective is shown at the right end of the main “bone.” At an angle to this main bone are sub-bones listing events that directly affect the objective. Sub-bone events that positively affect achievement of the objective are depicted by an upward pointing arrow, and those with a negative effect by a downward arrow. The related internal and external factors associated with the sub-bone events are identified at the left.EconomicNatural environmentPoliticalSocialTechnologicalNew competitor enters marketHurricaneChange in sales tax ratesIncreasesIncreasing empty-nestersIncreasesProduct comparisonIncreasesdemandconsumervia the InternetIncreasessalesintaxIncreasessouthchoice↓knowledgedemandrates↑↓↑consumer↑↓Objective:Maintain30%InfrastructurePersonnelProcessproductioninstalled↑NewcontractequipmentUnionexpires↓↑product↓↑IncreaseddefectsproductionwarrantyschedulingImprovedmarginTechnology31Event IdentificationCategorizing EventsBy grouping similar potential events, management can better determine opportunities and risks.Some entities categorize potential events to assist in ensuring event identification efforts are complete. Categorization also can help to subsequently develop a portfolio view of risks. A categorization used by one company, a hospital, is illustrated in Exhibit 4.12.Exhibit 4.12Illustrative Event CategorizationServiceHumanNaturalFactorsEconomicPopulationTechnologyHealthDeliveryResourcesEnvironmentEventsChanges in• Funding• Lifestyle• Acute• Employment• System / data• Emissions /• Exchangechoicesinterventionopportunitiesaccesswasteguidelinesprotocolsproductsrates• Social• Staff retentioncreatedbehaviors• Ambulatoryrates• Data and• Interest ratepracticessystem• Natural• Industry• Physician and• Creditavailabilitydisastersstandards• Continuingnursingdefaultscare practicesstaffing levels• Available• Long-term• Diagnostic• Evaluationtechnologiescapitalproceduresprocedures• Systemsavailability(implemented• Disease• Health andor abandoned)preventionsafety• Emergencypractices• Health recordsrequirementsservicespractices• Palliative carepractices32Risk AssessmentRISK ASSESSMENT Framework Chapter Summary: Risk assessment allows an entity to consider the extent to which potential events have an impact on achievement of objectives. Management assesses events from two perspectives − likelihood and impact − and normally uses a combination of qualitative and quantitative methods. The positive and negative impacts of potential events should be examined, individually or by category, across the entity. Risks are assessed on both an inherent and a residual basis.This chapter illustrates some of the techniques used in risk assessment. Included are illustrations of inherent and residual risk assessments; qualitative techniques including risk ranking and questionnaires; quantitative techniques including such probabilistic techniques as value at risk, market value at risk, loss distributions, and back-testing, and non-probabilistic techniques such as sensitivity analysis, scenario analysis, stress testing, and benchmarking. Also illustrated are techniques for risk and capital attribution used to estimate the amount of capital required for accepted risks; how risks may be portrayed in risk maps, heat maps, or numerical presentations; and techniques for entity-level views of risk.Inherent and Residual RiskInherent risk is the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.An example of an inherent risk assessment, linking risks to objectives, is illustrated in Exhibit 5.1 (which builds on Exhibit 4.1).Exhibit 5.1Inherent Risk AssessmentOperations objectiveHire 180 new qualified staff across all manufacturing divisions to meetcustomer demand without overstaffingObjective unit ofNumber of new qualified staff hiredmeasureTolerance165 – 200 new qualified staff, with staff cost between 20% and 23% per dollarorderRisksInherent risk assessmentLikelihoodImpactInsufficient number10% reduction in hiring←18of qualified20%unfilled positionscandidates availableInitial candidate5% reduction in hiring due to poorscreening filters too30%candidate screenings←9 unfilledstringentpositions33Risk AssessmentResidual risk is the risk that remains after management’s response to the risk.Residual risk reflects the risk remaining after management’s intended actions to mitigate an inherent risk have been effectively implemented. These may include diversification strategies related to customers, products, or other concentrations; policies and procedures providing limits, authorizations, and other protocols; supervisory staff reviewing and acting on performance measures; or automating criteria to standardize and accelerate recurring decisions or transaction approvals. These actions may reduce the likelihood of occurrence of a potential event, the impact of such event, or both.In the following example, management assesses the inherent risk in changes in foreign currency exchange rates, in terms of the effect on revenue generated by the company’s foreign operations. In this case, management considered foreign exchange hedging as a risk response and reassessed the remaining exposure after reflecting the effects of the hedges. The result of the risk assessment is illustrated in Exhibit 5.2.Exhibit 5.2Inherent and Residual Risk AssessmentOperations objectiveOperating income from foreign operations of $100 millionUnit of measureChange in operating income from foreign operationsRiskExchange rate fluctuation adversely affects operating income from foreignoperationsRisk toleranceAcceptable variation is +/- $10,000,000RiskInherent risk assessmentRiskResidual risk assessmentLikelihoodImpactresponseLikelihoodImpactForeign exchange10%$5,000,000No10%$5,000,000rate moves up 1response inpercentage pointplacewithin 90 daysForeign exchange4%$10,000,000Obtain4%$5,000,000rate moves up 1.5foreignpercentage pointsexchangewithin 90 dayshedgeForeign exchange1%$20,000,000instruments1%$8,000,000rate moves up 3to limit thepercentage pointsimpactwithin 90 days34Risk AssessmentQualitative and Quantitative Methodology and TechniquesAn entity’s risk assessment methodology comprises a combination of qualitative and quantitative techniques. Management often uses qualitative assessment techniques where risks do not lend themselves to quantification or when either sufficient credible data required for quantitative assessments is not practically available or obtaining or analyzing data is not cost-effective. Quantitative techniques typically bring more precision and are used in more complex and sophisticated activities to supplement qualitative techniques.Measurement ScalesIn estimating likelihood and impact of potential events, whether on an inherent or a residual basis, some form of measurement is applied. For purposes of illustration, there are four general types of measurement, namely, nominal, ordinal, interval, and ratio.Nominal measurement – This is the simplest form of measurement and involves grouping events by such categories as economic, technology, or natural environment. It does not involve any kind of ranking where one is deemed “more” than another. Numbers assigned in nominal measurement are for identification purposes only – like numbers assigned to baseball players – and items cannot be ordered, ranked, or added. Ordinal measurement – In this type of measurement events are listed in order of importance, perhaps with such tags as high, medium, or low, or otherwise in rank-order along a scale. Management states that item one is greater than item two. For instance, management may assess the likelihood of a new computer virus disrupting its systems as greater than the likelihood of staff’s unauthorized transmittals of confidential information. Interval measurement – Interval measures use a scale of numerically equal distances. If, for instance, the impact of the loss of production of a key machine is measured as a “three,” the impact of a one-hour power outage as a “six,” and the effect of 100 vacant positions as a “nine,” management can state that the difference in potential impact between losing a machine and the one-hour power outage is the same as the difference between the one-hour power outage and having 100 vacant positions. This does not mean, however, that the impact of the event measured as a “six” is twice as great as the impact of the event measured as a “three.” Ratio measurement – A ratio measurement scale allows one to conclude that if the potential impact of one event is assigned a “three” and another event a “six,” the second event has twice the potential impact as the first. This is possible because ratio measurement includes the concept of a true zero, whereas interval measurement does not. Used here, nominal and ordinal measures are considered “qualitative” techniques, whereas interval and ratio measures are quantitative.35Risk AssessmentQualitative TechniquesWhile some qualitative risk assessments are put forth in subjective terms, and others in more objective ones, the quality of the assessments depends largely on the knowledge and judgment of the individuals involved, their understanding of potential events, and the surrounding context and dynamics.The following exhibits portray qualitative assessments using ordinal measurement scales. Exhibit 5.3 illustrates a scale of the likelihood of events affecting computer operations. In Exhibit 5.4, rankings are given to the range of potential impacts of the risk of a hazardous materials release.Exhibit 5.3Likelihood Risk Ranking Affecting Computer Operations (Next Quarter Timeframe)LevelDescriptorLikelihood of OccurrenceRisk1RareVery lowTechnology systems shut downfor prolonged periods by terroristor other intentional action2UnlikelyLowA natural disaster or third party(e.g., utility) event requiresinvoking the business continuityplan3PossibleModerateHackers penetrate our computersecurity4LikelyHighInternal staff use companyresources to access inappropriateinformation from the Internet5Almost certainVery highInternal staff use companyresources for personal messaging36Risk AssessmentExhibit 5.4Impact Risk Ranking of Hazardous Materials Release (One Year Timeframe)Objective To manage hazardous materials in accordance with state and federal requirementsRiskUnits of MeasureProduction hours lostUnplanned release of hazardous materialContainment costsLost time injuriesCompensation and related costsLevelRelativeMeasuresImpact1InsignificantNo reportable incidents Minimal loss of production hoursNo injuries2Minor1–2 reportable incidents Materials contained on-site by staff Effect less than 5% of day’s production hours No or minor injuries3ModerateSeveral reportable incidents Material contained on-site with outside assistance Effect between 5% and 20% of day’s production hours Out-patient medical treatment required4MajorMajor reportable event Material released into environment, but without real or perceiveddetrimental effects Significant loss of production – between 20% and 100% of day’sproduction hours Limited in-patient care required5CatastrophicMultiple major reportable events or a single catastrophic event Release into environment with significant detrimental effect,requiring significant third party resources Substantial loss of production capability – more than two days’production hoursSignificant injuriesThe questionnaire in Exhibit 5.5 is used by a company in a regulated industry in assessing risks related to implementing new information systems, using categorization and risk ranking of low (green), moderate (yellow), and high (red).37Risk AssessmentExhibit 5.5Risk Assessment for New Systems ImplementationObjective: Implement a new information system to oversee compliance with federal and state legislationRisk:The project takes longer to complete than expectedCategoryQuestionResponsePersonnelWhat is the experience ofAt least one staff member has successfullypersonnel on this project?implemented such system beforeAt least one staff member has implemented suchsystem before, but with mixed resultsNo team member has done this before, or has withnegative resultsManagementHow stable is theStable management team with average tenure >2processmanagement team?yearsChanging management team with average tenurebetween 1 and 2 yearsNew management team with average tenure < 1 yearVendorHow well known is theExpansion of current services with alliance partnertechnology vendor?New service with existing vendorNew vendorImplementationHow well established isProven methodologyprocessthe implementationExisting methodology in place, but used with mixedprocess?resultsNew methodologyRegulatoryHow well are regulatoryRegulatory requirements are well establishedrequirements known?Regulatory requirements are unclear or subject toperiodic amendmentRegulatory requirements are unknown or frequentlysubject to substantial changeContinuity planHow well tested is theSuccessfully tested continuity plan for the newcontinuity plan for thisapplicationproject?Tested continuity plan for the new application, withsignificant needed fixes identifiedNo continuity plan in place for the new applicationQuantitative TechniquesQuantitative techniques can be used when enough information exists to estimate risk likelihood or impact using interval or ratio measures. Quantitative methods include probabilistic, non-probabilistic, and benchmarking techniques. An important consideration in quantitative assessment is availability of accurate data, either internally or externally sourced, and one of the challenges in using these techniques is obtaining enough valid data points.Probabilistic TechniquesProbability-based techniques measure the likelihood and impact of a range of outcomes based on distributional assumptions of the behavior of events. Probabilistic techniques include “at-risk” models (including value at risk, cash flow at risk, and earnings at risk), assessment of loss events, and back-testing.38Risk AssessmentValue at RiskValue-at-risk (VaR) models are based on distributional assumptions about change in the value of an item or group of items, which is not expected to be exceeded with a given confidence level over a defined time period. These models are used to estimate extreme ranges of value change expected to occur infrequently, such as the estimated level of loss that would not be expected to be exceeded with 95% or 99% confidence. Management chooses both the desired confidence and the time horizon over which the risk is assessed, based, in part, on established risk tolerances.Value-at-risk measures sometimes are used to rationalize capital required for business units by estimating, with high confidence over a specified time horizon, the capital required to cover possible losses. The period for capital measurement is set to coincide with the period of performance assessment.One application of value at risk is market value at risk, which is used by trading institutions to assess exposures to price changes affecting financial instruments and by some non-trading institutions as well. Market value at risk is defined as the estimated maximum loss on an instrument or portfolio that can be expected over a given time horizon with specified confidence. Exhibit 5.6 provides an example of a market-value-at-risk measure.Exhibit 5.6Market-Value-at-Risk AnalysisA financial services company assesses the risk of change in the value of its trading portfolio. It estimates the maximum loss during any one day with 95% confidence, assuming portfolio value changes are represented by a normal distribution, which takes into account all possible scenarios. Value at risk is depicted as follows:ProbabilityMaximum loss with 95% confidenceLosses in excess of 95% confidence-3-2-10+1+2+3Change in market value ($ millions)The light blue area represents an estimate of losses that exceed the maximum loss estimated over one day with 95% confidence.39Risk AssessmentCash Flow at RiskThis measure is similar to value at risk, except that it estimates a change in the cash flows of an organization or business unit relative to a targeted cash flow expectation with a given confidence over a defined time horizon. This is based on distributional assumptions about the behavior of changes in cash flows. Cash flow at risk is used for businesses whose results are sensitive to changes in cash flows related to non-market-price factors. For example, a computer manufacturer desiring to measure risk to its net cash flows may use a cash-flow-at-risk technique that includes either one variable such as a foreign currency rate, or multiple variables such as changes in gross domestic product, supply and demand for computer components, and corporate research and development budgets. These measures would allow the company to assess its foreign currency risk in relation to cash flows, or its broader cash flow performance.Earnings at RiskSimilar to cash flow at risk, earnings at risk estimates a change in the accounting earnings of an organization or business unit, the amount of which is not expected to be exceeded with given confidence over a defined time period, based on distributional assumptions about the behavior of accounting earnings. Exhibit 5.7 provides an example of an earnings-at-risk analysis.Exhibit 5.7Earnings-at-Risk AnalysisManagement of a pharmaceutical company determines the company’s earnings at risk by performing a Monte Carlo simulation on the revenue from sales of prescription drugs, research spending, and other income/expenses. In this example, management is 95% sure that earnings will be at least $1.10 per share.30%20%95%10%5%$1.101.251.501.752.0040Risk AssessmentLoss DistributionsCertain operational or credit loss distribution estimations use statistical techniques, generally based on non-normal distributions, to calculate maximum losses resulting from operational risks with a given confidence level. These analyses require collection of operational loss data categorized by root cause of the loss, such as criminal activity, human resources, sales practices, unauthorized activity, management process, and technology. Using these loss data and reflecting data on related insurance costs and proceeds, a preliminary loss distribution is developed and then refined to take into account the organization’s risk responses.Back-TestingIn this context, back-testing typically consists of periodic comparison of an entity’s at-risk measures with subsequent profit or loss. Back-testing commonly is used by financial institutions. Some organizations, including many banks, routinely compare daily profits and losses with their risk model-generated outputs to gauge the quality and accuracy of their risk assessment systems, as illustrated in Exhibit 5.8.Exhibit 5.8Back-Testing AnalysisBack-Testing Aggregated Value at Risk and Loss from Credit Exposures($ millions)108Loss642468102Time in MonthsVaR99th PercentileExpected LossActual LossNon-Probabilistic TechniquesNon-probabilistic techniques are used to quantify the impact of a potential event, based on distributional assumptions, but without assigning likelihood of event occurrence. Thus, these techniques require that management determine likelihood separately. Commonly used non-probabilistic techniques are sensitivity analysis, scenario analysis, and stress testing.41Risk AssessmentSensitivity AnalysisSensitivity analysis is used to assess the impact of normal, or routine, changes in potential events. Due to relative ease of calculation, sensitivity measures sometimes are used to complement a probabilistic approach. Sensitivity analysis is used with:Operational measures, such as the effect of changes in sales volume on call center response time or number of manufacturing defects. Equity securities, using beta. For equities, beta represents the ratio of the movements of an individual stock relative to the movements of an overall market portfolio or a proxy such as the S&P 500 index. Exhibit 5.9 illustrates use of a linear approximation to estimate changes in the value of a fixed income security. This approximation (represented by the lighter line in the illustration) is constructed by using a fixed income sensitivity measure, which measures the change in value for a small change in interest rate (between 4½% and 5½% in the illustration), and uses that measure to approximate change in value for large changes (outside the 4½% to 5½% range). The difference between the actual value (represented by the heavier line) and approximated value is due to convexity.Exhibit 5.9Sensitivity Analysis of Fixed Income Instruments200.00Linear Approximation to a Bond Price180.00160.00140.00120.00100.0080.0060.0040.0020.00-0.0%2.0%4.0%6.0%8.0%10.0%12.0%42Risk AssessmentScenario AnalysisScenario analysis assesses the effect on an objective of one or more events. Scenario analysis may be used in connection with business continuity planning or estimating the impact of a system failure or network failure, and reflects the effects across the business. Scenario analysis may be performed in strategic planning as management seeks to link growth, risk, and return, as shown in Exhibit 5.10, where risks are assessed in terms of shareholder value added.Exhibit 5.10Analysis of Various Scenarios Across Multiple Business Units onTotal Shareholder Value AddedImpact of Key Potential Business Scenarios on Shareholder Value Addedby Business Unit ($ Millions)UnitPotential Business ScenarioIncrease (Decrease)in SVA1Risk rating deteriorates by 20%$(150)Consumer loans decrease by 10%(120)Increased competition – one new market entrant(100)Revenue in the banking group decreases by 15%(80)Loss of a top-tier customer(50)……2Increased competition – one new market entrant$(50)Revenue declines by 10% due to customer service(30)Loss of a top-tier customer(20)Unsuccessful new product launch(20)One new pending “large” (but not “mega”) lawsuit(20)……3Increased competition – one new market entrant$(40)Loss of a top-tier customer(30)Reduction of asset base by 10%(20)……Stress TestingStress testing assesses the impact of events having extreme impact. Stress testing differs from scenario analysis in that it focuses on the direct impact of a change in only one event or activity under extreme circumstances, as opposed to focusing on changes on a more normal scale as in scenario analysis. Stress testing generally is used as a complement to probabilistic measures to examine the results of low likelihood, high impact events that might not be captured adequately by distributional assumptions used with probabilistic techniques. Similar to sensitivity analysis, stress testing often is used to assess the impact of changes in operational events or financial market movements in order to avoid big surprises and losses. Stress tests include, for example, estimation of the effect of a rapid and large:43Risk AssessmentIncrease in product manufacturing defects Movement in a foreign exchange rate Movement in price of an underlying factor on which a derivative instrument is based Increase in interest rates on the value of a fixed income investment portfolio Increase in energy prices affecting the cost to run a manufacturing plant BenchmarkingSome companies use benchmarking techniques to assess a specific risk in terms of likelihood and impact, where management seeks to enhance its risk response decisions to reduce either likelihood or impact. Benchmark data can provide management insight into the likelihood or impact of risks based on experiences of other organizations. Benchmarking also is used with respect to activities in a business process to identify opportunities for process improvement.Benchmarks include:Internal – Compare measures of one department or division with others of the same entity Competitive/industry – Compare measures among direct competitors or broader groups of companies with similar characteristics Best-in-class – Look at like measures among companies across industries An example of a competitive/industry benchmark is presented in Exhibit 5.11, which depicts the effect of events related to shrinkage within a peer group.44Risk AssessmentExhibit 5.11Comparison of Inventory LossesBenchmarking of Shrink Percentage Among Peer Retail OperationsPercent43.532.521.51.610.50ShrinkageDefinition: Losses in physical inventory from events such as shoplifting or other forms of theft. Shrink percentage is defined as the value of lost physical inventory divided by net sales.Analyzing performance: Best practice companies reduce shrinkage by selecting risk responses and designing control activities that reduce the likelihood and impact of inventory loss.Quartile 4:1.80%–3.50%Quartile 3:1.30%–1.80%Quartile 2:0.88%–1.30%Quartile 1:0.33%–0.88%YourBenchmark GroupCompanyLowMedianHigh1.6%0.33%1.30%3.50%Risk and Capital AttributionSome organizations, particularly financial institutions, estimate economic capital. Some companies use this term to refer to the amount of capital required to cover financial exposures. Others use it somewhat differently, as a measure of capital needed to run the business as planned. It is used by management in strategy setting, resource allocation, and performance measurement. An illustration is shown in Exhibit 5.12.45Risk AssessmentExhibit 5.12Using Economic CapitalA bank uses “economic capital” to estimate the amount of equity required. It represents the level of equity capital required within a given time period, at a given confidence level. For example, the bank adopts a 95% confidence level and two-year time period to determine its economic capital requirements. After modeling its expected earnings distribution taking into account market, credit, operational, and fixed asset risk, management identifies its economic capital requirement as $120,638,000, as follows:Earnings ($m)25%20%Probability15%10%5%0Nil-120,638Earnings forecastRecognizing the lack of precision in operational risk measurement methodology, and recognizing exposure beyond the 95% confidence level, the bank’s policy is to create an additional “capital cushion” on top of its economic capital requirement to provide additional confidence that the calculated economic capital balance is sufficient.The bank also uses the relationship of economic capital to book capital as a guidepost in strategic direction. When book capital minus the capital cushion is less than required economic capital, management looks to whether it should:Scale back certain business activitiesRaise additional equityLower its risk positions in its lending, investing, or operational activitiesWhen book capital minus the capital cushion is greater than required economic capital, management considers opportunities to:Expand its business into new products or markets Take higher-risk positions in its lending, investing, or operational activities Return capital to shareholders 46Risk AssessmentPortraying Risk AssessmentsOrganizations use any of a number of different methods to portray risk assessments. Portraying risks in a clear and concise manner is especially important with qualitative assessment because risks are not summarized in one number or range of numbers as with quantitative techniques. Techniques include risk maps and numerical representations.Risk MapsA risk map is a graphic representation of likelihood and impact of one or more risks. Risk maps may take the form of heat maps or process charts that plot quantitative or qualitative estimates of risk likelihood and impact. Risks are depicted in a way that highlights which risks are more significant (higher likelihood and/or impact) and which are less significant (lower likelihood and/or impact). Depending on the level of detail and depth of analysis, risk maps either can present the overall expected likelihood and/or impact or can incorporate an element of variability of likelihood and/or impact. The following examples of risk maps depict assessment of risks relating to the objective of retaining high-performing employees.Exhibit 5.13 illustrates a heat map, presenting risk levels (likelihood and impact) by color, where red represents high risk, yellow moderate risk, and green low risk.Exhibit 5.13Heat MapA company assesses risks to its objective of maintaining a quality workforce. Likelihood isconsidered in terms of percentage turnover within a specified period and impact in terms of cost ofoperational inefficiency and cost to replace, retrain, and develop employees. Color codinghighlights those risks that are most likely to occur and most likely to have a significant effect on objectives.TopicRisk DescriptionLikelihoodImpactACompensationEmployee dissatisfaction withcompensation leads to higher staffPossibleModerateturnover.BRecognitionEmployees feel unrecognized, resultingin reduced focus on tasks and higherUnlikelyMinorerror rates.CDownsizingEmployees are over-utilized and workconsiderable overtime. Staff leave toLikelyModeratepursue work in other organizations thatoffer a better work/life balance.DDemographicsChanging demographic composition ofAlmostthe employee group causes increasedModerateCertainturnover.EEmploymentIncreased demand for companyUnlikelyModeratemarketemployees by recruiting firms.47Risk AssessmentTopicRisk DescriptionLikelihoodImpactFPerformanceEmployee dissatisfaction withevaluationperformance appraisal measures andprocesses causes low morale, staff toPossibleModeratefocus on non-critical objectives, and lossof staff to companies perceived to beemployers of choice.GCommunicationIneffective communication betweenemployees and management results inPossibleModeratemixed messages being heard and in thepursuit of alternative employment.HWorkplaceUnsafe workplace causes employeesafetyinjury and resignations by injured staffUnlikelyMajorand by others concerned over safetyissues.ICareerEmployees perceive limited control overdevelopmenttheir career development, causing higherPossibleModerateturnover.JWork diversityEmployee dissatisfaction with jobvariety results in rote performance,higher errors in key processes, andPossibleModeratepursuit of more interesting jobopportunities outside the company.These same risks can be depicted in a matrix risk map with likelihood on the horizontal axis and impact on the vertical, as illustrated in Exhibit 5.14. Because this provides more information, management can more readily prioritize where attention is needed.Exhibit 5.14Risk Map of Mean Values for Likelihood and ImpactImpact5HA.Compensation4B.RecognitionC.DownsizingBDD.DemographicsE.Employment market3A F G JF.Performanceevaluation2EICG.CommunicationH.Workplace safetyI.Career developmentJ.Work diversity112345Likelihood48Risk AssessmentExhibit 5.15 provides the same basic information, but in still further depth. It presents information on variability around risk likelihood and impact, providing management with an additional perspective on the risks.Exhibit 5.15Risk Map Showing Variability for Likelihood and ImpactImpact5HA.Compensation4B.RecognitionC.DownsizingBDD.Demographics3AFG JE.Employment marketF.Performanceevaluation2ECG.CommunicationIH.Workplace safetyI.Career developmentJ.Work diversity112345LikelihoodNumerical RepresentationsDepending on the business context, quantitative measures of risk can be presented in monetary or percentage terms, and can be presented with a specified confidence interval, for example, 95% or 99% confidence. One example of a numerical representation is shown in Exhibit 5.6, with a value-at-risk measure. Another is shown in Exhibit 5.10, with a shareholder-value-added measure using scenario analysis. Another example is shown in Exhibit 5.16, illustrating risks related to customer concentrations. In this exhibit, the largest customer is segmented by geographical region, providing information on regional exposure.49Risk AssessmentExhibit 5.16Revenue Analysis by Customer18%14%Second Largest CustomerThird Largest CustomerFourth Largest Customer13%Fifth Largest CustomerNext 5 Largest Customers14%25%8%Next 25 Largest Customers4%4%All Others6%Largest Customer - North America8%11%Largest Customer - South AmericaLargest Customer - EuropeEntity-Level ViewsAs part of risk assessment, management may leverage business unit risk assessments or conduct a separate assessment using techniques illustrated earlier to form an entity-level risk profile. Overall risk assessments may take the form of an aggregate risk measure where underlying risk measures are of like types and where correlations between risks are considered. Another aggregation approach is to translate related but unlike risk measures to a common unit of measure, as shown in Exhibit 5.17.Exhibit 5.17Analysis of the Effect of Multiple Business Unit Measures on a Single Entity-Level Measure (EPS)This company assesses the risk impact within its respective departments using the units of measure established for the department: equipment availability, customer payment default, and staffing levels. These are portrayed in the following diagrams. At the entity level, management assesses risk in terms of entity earnings per share (EPS) as shown in theEPS2.1002.0502.0001.9501.9001.850123456789101112MonthsUpper toleranceLower toleranceTargetStaffing LevelsEquipmentAvailabilityCredit Default RatesRisk-adjusted EPS50Risk Assessmentfirst diagram, where the effect of each business unit measure is converted to the entity-level measure based on the budgeted contribution or loss from each activity. The dashed lines in the first diagram represent the upper and lower EPS risk tolerances.Staffing Levels1,1001,0501,000950900850123456789101112MonthsUpper toleranceLower toleranceTargetRisk adjustedEquipment Availability100.0%95.0%90.0%85.0%80.0%123456789101112MonthsUpper toleranceLower toleranceTargetRisk adjustedCredit Default4.5%4.0%3.5%3.0%2.5%2.0%1.5%1.0%0.5%0.0%123456789101112MonthsUpper toleranceLower toleranceTargetRisk adjusted51Risk AssessmentWhen direct aggregation of risk measures is not possible, some managements find it useful to compile measures in a summary report in order to facilitate drawing conclusions and making decisions. In these cases, even though measures are not directly aggregated, management subjectively places the risks on the same qualitative or quantitative scale to assess likelihood and impact of multiple risks to a single objective, or the effect of one risk on multiple objectives.For example, management of one company estimates the impact on EPS of several different events, as illustrated in Exhibit 5.18. In this exhibit the effects on business units of a 100 basis point decrease in foreign exchange rate naturally offset at the entity level, so that any actions taken by one or more of the business units to manage foreign exchange exposures could adversely affect the entity as a whole. A 100 basis point increase in interest rate would only partially offset on an entity-wide basis, and management might respond to this risk either within one or more of the business units or at the entity level. Similarly, for the risks related to movements in the price of raw material and pending union negotiations, management would decide where and how to respond, to keep within entity-level risk tolerances.Exhibit 5.18Analysis of the Effect of Multiple Risks Across Business Units (Dollar Amounts inThousands Except EPS)Objective: To achieve consistent earnings growthRiskCorpDiv 1Div 2Div 3EntityBusinessBusinessBusinessBusinessEarnings perUnitUnitUnitUnitShareContributionContributionContributionContributionDecrease in localImpact$(1,000)$600$300$100$ 0.00currency inrelation to U.S.dollar by 100Likelihood20%basis pointsIncrease inImpact$ (750)$1,600$800$100$ (0.035)interest rate by100 basis pointsLikelihood20%Increase in rawImpact-$10,000$5,000$5,000$(0.40)materials price of10%Likelihood-20%30%15%Pending unionImpact-$5,000$0$1,000$(0.12)negotiations haltproduction for >Likelihood-10%0%25%10 daysManagement of another company assesses the effect of a single event on multiple objectives, illustrated in Exhibit 5.19. Using one of the risks addressed in Exhibit 5.18 – union negotiations halting production for more than 10 days – management assesses its effect on multiple objectives.52Risk AssessmentExhibit 5.19Analysis of the Effect of a Single Risk Across Business UnitsRisk: Pending union negotiations halt production for > 10 daysDiv 1Div 2Div 3EntityObjectiveLikelihood10%0%25%Maintain a return onUnit ofProduction HrsProduction HrsProductionHrsEarnings perMeasureShareequity of 15%Impact-50,0000-10,000$ -.80Increase our market shareUnit of-BU-Earnings perMeasureContributionSharein EuropeImpact--500--.45Increase annual sales perUnit ofUnits SoldUnits SoldUnits SoldEarnings perMeasureSharesales representativeImpact-50,0000-10,000-.30Increase employeeUnit ofProduction UnitsProduction UnitsProduction UnitsEarnings perproductivityMeasureShareImpact-25,0000-5,000-.0553Risk ResponseRISK RESPONSE Framework Chapter Summary: Having assessed relevant risks, management determines how it will respond. Responses include risk avoidance, reduction, sharing, and acceptance. In considering its response, management assesses the effect on risk likelihood and impact, as well as costs and benefits, selecting a response that brings residual risk within desired risk tolerances. Management identifies any opportunities that might be available, and takes an entity-wide, or portfolio, view of risk, determining whether overall residual risk is within the entity’s risk appetite.This chapter illustrates some of the techniques used in risk response. Included are illustrations of techniques used in evaluating risk response alternatives in relation to risk tolerance, evaluating costs and benefits of alternative responses, and considering the portfolio view.Risk Responses: Avoid, Reduce, Share, AcceptFor significant risks, an entity typically considers potential responses from a range of response options.Examples of risk responses for avoidance, sharing, reduction, and acceptance are presented in Exhibit 6.1.Exhibit 6.1Illustrative Risk Responses by Response TypeAvoidanceSharing Disposing of a business unit, product line, Insuring significant unexpected lossgeographical segment Entering into joint venture/partnership Deciding not to engage in new Entering into syndication agreementsinitiatives/activities that would give rise to Hedging risks through capital marketthe risksinstruments Outsourcing business processes Sharing risk through contractual agreementswith customers, vendors, or other businesspartnersReductionAcceptance Diversifying product offerings “Self-insuring” against loss Establishing operational limits Relying on natural offsets within a portfolio Establishing effective business processes Accepting risk as already conforming to risk Enhancing management involvement intolerancesdecision making, monitoring Rebalancing portfolio of assets to reduceexposure to certain types of losses Reallocating capital among operating units55Risk ResponseAt the completion of its risk response actions, management may have a view of individual risks and responses and their alignment with associated tolerances, as illustrated in Exhibit 6.2 (which builds on Exhibit 5.1).Exhibit 6.2Linking Objectives, Events, Risk Assessment, and Risk ResponseOperations objective• Hire 180 new qualified staff across all manufacturing divisions to meetcustomer demand without overstaffing• Maintain 22% staff cost per dollar orderObjective unit ofNumber of new qualified staff hiredmeasureTolerance165–200 new qualified staff, with staff cost between 20% and 23% per dollarorderRisksInherent risk assessmentRiskResidual risk assessmentLikelihoodImpactresponseLikelihoodImpact10%Contract in10%place with aDecreasing numberreduction inreduction inthird party10%of qualified20%hiring←18hiring←18hiring agencycandidates availableunfilledunfilledto sourcepositionspositionscandidates5% reductionReview of2% reductionin hiring duein hiring duehiringUnacceptableto poorto poorprocess20%variability in our30%candidatecandidateconductedhiring processscreenings←screenings←every two9 unfilled4 unfilledyearspositionspositionsAlignment with riskResponse expected to bring company within risk tolerancetoleranceConsidering Risk ResponsesAs with assessing inherent risk, residual risk may be assessed qualitatively or quantitatively. Generally, the same measures used in assessing inherent risk are used in assessing residual risk. The approach taken by one company is illustrated in Exhibit 6.3.56Risk ResponseExhibit 6.3Effect of Risk Response on Residual RiskStrategic objectiveExpand product offerings related to health-based cat foodsOperations objectiveGenerate $30 million in “year-one” revenue by introducing one new “healthy-cat”productUnit of measureRevenue from new productsRisk tolerance$25–35 million in new revenueRisksInherent RiskResidual RiskRisk ResponseImpact onLikelihoodRevenue fromAlternativesLikelihoodImpactNew ProductA – Provideadditional funding tothe R&D and15% lessCompetitor reachesProduction divisions20%revenue fromnew productsmarket first40%($10,000,000)to reach marketwithin the next 90($4,500,000)daysB – Take no specificaction to be first to40%($10,000,000)marketC – Co-brand product10% lessrevenue fromwith an established20%new productthird partyMarket acceptance($3,000,000)of this new productD – Pilot in test15% lessis slower than25%($15,000,000)market; modify15%revenue frommarket researchmarketing approachnew productsuggestsaccordingly($4,500,000)E – Take no action toensure market25%($15,000,000)acceptanceFor some risks, management may rely on multiple techniques to reduce the overall residual risk in order to meet its risk tolerance. Exhibit 6.4 illustrates how a company uses multiple risk response techniques to reduce the risk of non-compliance with local environmental laws and regulations. In this example, management has not evaluated the effect of each risk response selected but has evaluated them together to establish residual risk.57Risk ResponseExhibit 6.4Multiple Risk ResponsesCompliancePesticides are used at the company premises in accordance with all relevantobjectiveenvironmental laws and regulationsUnit of measureRate of complianceTarget100% complianceRisk tolerance98%–100%RisksInherent RiskSelected RiskResidual RiskLikelihoodImpactResponseLikelihoodImpactDistribution of allpesticides for useon companygrounds iscoordinatedthrough theFacilitiesDepartmentPesticides areFines,A web-basedFines,sanctions,notification formsanctions,sprayed in prohibitedModerateLowreputationalis completed byreputationalareasdamageall groundsdamagepersons settingout key details 72hours beforepesticides areappliedAll prohibitedareas are clearlymarkedCosts versus BenefitsVirtually every risk response will incur some direct or indirect cost that is weighed against the benefits it creates. The initial cost to design and implement a response (processes, people, and technology) is considered, as is the cost to maintain the response on an ongoing basis. The costs, and associated benefits, can be measured quantitatively or qualitatively,with the unit of measure typically consistent with that used in establishing the related objective and risk tolerance. A cost–benefit analysis is illustrated in Exhibit 6.5.58Risk ResponseExhibit 6.5Evaluating the Costs and Benefits of Alternative Risk ResponsesA supplier to the automotive industry manufactures aluminum suspension modules. The supplier is in a “tandem” relationship with an original equipment manufacturer (OEM), where the vast majority of revenue is generated with the OEM. This OEM traditionally revises its forecasted demand by an average of 20%, always late in the cycle, creating a high degree of uncertainty for the supplier’s production and scheduling activities. If the OEM were not to significantly revise demand late in the cycle, the supplier would be able to increase plant utilization by increasing its manufacturing of products for other customers, thereby increasing profitability. The supplier seeks to optimize scheduling and capacity planning for plant utilization to achieve 95% average monthly utilization. Management assessed the most significant risk to this objective – that is, the high level of uncertainty regarding actual demand from the OEM – and assessed costs and benefits of the following risk responses:Accept – Absorb the cost of having to respond to late changes in OEM demand, and consider the extent to which it can produce and sell product to other customers within the constraints of the OEM relationship Avoid – Exit the relationship with the OEM, and establish relationships with new customers offering more stable demand Share – Negotiate a revision to the current contract, stipulating a “take or pay” clause to ensure a certain rate of return Reduce – Install a more sophisticated forecasting system, which analyzes external factors (e.g., public information on consumer budgets, OEM and dealership inventories) and internal factors (historical orders from various sources) to better project actual demand from all customers The following table compares the costs and benefits of these responses. Costs relate predominantly to supply chain management, marketing, information technology, and legal functions. Benefits are expressed using the unit of measure for the objective – plant utilization – and the resulting effect on targeted earnings before interest and taxes (EBIT).ResponseCostDescriptionBenefitsAAccept$750,000Marketing/sales efforts required toManagement predicts it can sell angenerate additional customers, andadditional 2% to other customers,additional transportation costs,bringing utilization up to 82%$750,000Effect on EBIT: increase of $1,250,000BAvoid$1,500,000Unit price drops 2% due to smallerMarketing efforts allow utilization ofcustomers paying less than premium97%price$750,000 in increased salary costs forEffect on EBIT: increase of $1,560,000personnel required to identify, win,and sustain new customers$250,000 in increased outboundlogistics costs due to larger number ofsuppliers$500,000 in legal fees to negotiateand finalize new agreements59Risk ResponseResponseCostDescriptionBenefitsCShare$350,000Unit price drops 5% due to increasedNew contract allows utilization of 99%pressure from OEM in response to“take or pay” nature of relationshipEffect on EBIT: increase of $100,000$250,000 in legal fees to negotiateand revise contract agreement$100,000 to improve data sharing,forecasting, and planningDReduce$1,050,000Average unit price drops 1% due toImproved forecasting provides sufficientsmaller customers not payingtime to win alternative customers for apremium priceutilization of 98%$500,000 for purchasing new softwareEffect on EBIT: increase of $3,170,000$50,000 for new software training$500,000 for increased forecastingand analysisWith this analysis, and considering the likelihood of each alternative and sustainability of results, management decided on response D.Portfolio View of Residual RiskWith a view of risk for individual units, an enterprise’s senior management is well positioned to take a portfolio view, to determine whether the entity’s residual risk profile is commensurate with its overall risk appetite relative to its objectives.A portfolio view of risk can be depicted in any of a number of ways. Exhibit 6.6 illustrates how a company assesses risks from across the organization. The likelihood of events is presented in the context of frequency of occurrence, and the potential impact using a single entity unit of measure – operating earnings.60Risk ResponseExhibit 6.6Portfolio View of Residual RiskEvent CategoryAAccess to capital: Insufficient funds availableto business unitBSupplier effectiveness: Supplier fails todeliver on commitments$300CProcess efficiency: While effective,processes are too complex or manual to be intop tier when compared to leading practicesDProcess effectiveness: Processes are not as$250effective, resulting in defective outputsEarningsELitigation: Risk of recall and class actionLlawsuitsFAsset management(In Millions)$200GDemand: Inability to meet consumer demandon OperatingHIntellectual property: Impact of patentCinfringements or R&D leaksILeadership: Right people to drive business$150and efficient decisionsQJGovernance: Sarbanes-Oxley, ethics &ImpactMBJgovernment compliance$100IKSystems: Upgrades, enhancementsNLConcentration: Effectiveness ofSAconcentrations (e.g. customers, productcategories, geographies, etc…)$ 50EDMCompetition: New low cost competitorsKOG FHRNInterdependencies: Between BU’sPOEconomicLowMediumHighPEmployee SafetyQGovernment regulations>3 years1 to 3 yearsOnce or more per yearREmployee capabilities: Skills, Losing keyFrequency of OccurrenceemployeesSData confidentialityExhibit 6.7 illustrates how managers of a company’s business units establish objectives, risk tolerances, and performance measures relevant to their operations in terms of business unit contribution. The business units’ risk assessments then are presented as a portfolio view, enabling entity-level management to consider the units’ risks, by objective, in terms of an earnings per share measure relative to the entity as a whole.Exhibit 6.7Portfolio View of Residual RiskA company that manufactures and distributes inflatable rafts for personal recreational use has its corporate headquarters in southern California, and two business units, one in South Carolina and the other in Oregon. The company assessed its key risks, which are changes in interest rates, which correlate directly to customer demand for its product; unexpected increases in the price of raw materials; and the potential of a work stoppage. Management assessed the risks, developed risk responses, and formed a portfolio view in terms of earnings per share. Some risk responses, such as the hedging program to reduce the effect of changing interest rates and the negotiating strategy to reduce the likelihood of a work stoppage, are coordinated and executed at the entity level. Other responses, such as the decision to enter into long-term contracts to reduce the likelihood and impact of unexpected raw materials price increases, and the redistribution of production scheduling to other regions to reduce the impact of a work stoppage, are executed at the regional level.61RiskResponseInherent RiskRisk Response ActionsResidual RiskRiskCorpOregonSouthEntityCorpOregonSouth CarolinaEntityCarolinaUnit ofBusiness Unit ContributionEarnings perEarnings perMeasureShareShareImpact$ 100 ↑$ 80 ↓$ 38 ↓0.10 net ↓$0.05 ↓– 50 BPSThe U.S.– 100 BPS$ 200 ↑$ 160 ↓$ 75 ↓0.20 net ↓Reduce – hedge program at entity level$0.10 ↓interest ratechanges by– 200 BPS$ 400 ↑$ 320 ↓$ 150 ↓0.40 net ↓$0.20 ↓50, 100, and200 basisLikelihood25%25%points (BPS)– 50 BPSin next 12– 100 BPS10%10%months– 200 BPS4%4%6Price of raw$ 100 ↓$ 50 ↓0.07 ↓Reduce –Accept –$0.05 ↓Impact-N/ALong-termNo actions takenN/A2materialscontracts put into alter potentialincreases byplace for rawprice changes for10%Likelihood-15%20%N/Amaterialskey materialsN/A10%Unit ofProduction Hours LostEarnings perEarnings perMeasureShareShareReduce –Accept/ReduceProduction– ProductionPendingcapacity equal tocapacity equal to.01 ↓Impact-4,0003,0000.02N/A50% of output40% of outputN/Aunionavailabletransferable tonegotiationsthrough allianceOregon, ifhaltpartnersoperatingproductionReduce – Effective negotiatingfor one weekstrategy developed by managementLikelihood-15%3%N/A5%team to successfully avert workstoppageControl ActivitiesCONTROL ACTIVITIES Framework Chapter Summary: Control activities are the policies and procedures that help ensure that management’s risk responses are carried out. Control activities occur throughout the organization, at all levels and in all functions. They include a range of activities − as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets, and segregation of duties.This chapter illustrates how control activities support risk responses, and how control activities themselves may serve as a risk response.Integration with Risk ResponseHaving selected risk responses, management identifies control activities needed to help ensure that the risk responses are carried out properly and in a timely manner.Exhibit 7.1 provides illustrations of how control activities align with each of the response types of avoidance, reduction, sharing, and acceptance.Exhibit 7.1Risk Responses and Control ActivitiesRisk Avoidance – In looking to improve operating margins, a software company’s management considered moving programming activities to a country with lower labor costs. After assessing the associated risks, management decided such a move is outside the company’s risk appetite, and that contracting of programming activities will be done only within the company’s home country. To help ensure the policy decision is properly implemented, the “New Programmer” form was amended to include the country of vendor operations, which information is reviewed and (electronically) signed by senior management as the basis of programmer selection. Risk Reduction – A hospital’s management recognized that its ability to protect the health and well-being of its patients would be adversely affected by disruption in electrical power supply. Management responded by installing back-up electrical generators. To help ensure that the generators operate when needed, the company’s engineering department conducts routine maintenance, with maintenance logs reviewed monthly by the head of the engineering department. Risk Sharing – A manufacturing company determined that a prolonged disruption to its plant would significantly impact its ability to meet its production targets. Based on assessment of the company’s capital position, its risk tolerance, and cost of sharing the risk with an insurer, management approved purchasing insurance coverage for the value of lost production for a period of up to six months. To help ensure that the response is implemented, the Chief Risk Manager periodically reviews the company’s coverage, as well as compliance with all negotiated terms and conditions of the agreement with the insurer, and reports to the Chief Operating Officer on compliance. 63Control ActivitiesRisk Acceptance – A company’s management identified changes in world commodity prices as a risk. After assessing the risk likelihood and impact and considering the company’s risk tolerance, management decided to accept the risk. Management instituted a policy whereby the Treasury Department formally reassesses the exposure every three months and reports to the management committee its recommendation on whether a hedging strategy should be adopted. Control Activities Serving as Risk ResponseWhile control activities generally are established to ensure risk responses are appropriately carried out, with respect to certain objectives, control activities themselves are the risk response.In some circumstances control activities themselves serve as the risk response. This frequently is the case with respect to risks related to reporting objectives. Exhibit 7.2 provides an illustration.Exhibit 7.2Relationship Between Objectives, Risks, Responses, and Control ActivitiesReportingAsset acquisitions and expenses incurred are entered for processingobjectivecompletely (C) and accurately (A), and are valid/occurred (V)Unit of measureFinancial reporting errors detected, measured in dollarsTargetErrors in monthly financial statements are less than $100,000ToleranceErrors less than $110,000RisksInherent risk assessmentRiskResidual risk assessmentLikelihoodImpactresponseLikelihoodImpactVendor invoiceMinorMinoramounts arePossible$5,000–Unlikely$2,500–captured$15,000$7,500incorrectlySee belowVendor invoicesModeratefor controlMinorare not receivedAlmost$10,000–activities thatPossible$2,500–prior to the month-Certain$25,000serve as the$7,500end cutoffresponses toVendors are paidthese risksfrom statements asMinorMinorwell as invoices,Possible$5,000–Unlikely$5,000–resulting in$15,000$7,500duplicate payments64Control ActivitiesControl ActivitiesAsset acquisition and expense transactions are subjected toprogrammed edit/validation checks which include:- Purchasing data (PO number, amount, etc.) are validated againstspecified files or tables (A)- Key fields are tested for blanks, alphas, values within a specifiedrange (e.g., purchase amounts), missing data elements (e.g.,payment due date), and programmed check digits (e.g., vendornumber) (A)- Reasonableness tests are performed, comparing data input in twoor more different fields based on specified criteria (e.g., sales taxrate is compared with the state tax rate based on the vendor’s zipcode) (A)- Edit checks compare key amounts with tables to ensure input dataare within limits established for each user or class of user (e.g.,payment amounts are compared with approval limits for electronicpayment) (A)- Edit checks compare vendor name/number and invoice numberswith those on file to ensure valid vendor and to detect duplicatepayments (V)All payment transactions input are matched to the original purchaseorder details before further processing may occur (A)Payment amounts, including electronic payment transactions, areverified on screen by someone other than the staff memberresponsible for the original payment information (A,V)Staff reconcile each batch or series of on-line transactions withsystem edit or processing reports (A,C)Exception reports are produced listing large or unusual items (e.g.,amounts exceeding $100,000), which are then individually comparedwith input documents (A)Exception reports produce a listing of unmatched purchase ordersopen for more than 30 days, which are then followed up (C)Changes to user-defined system parameters (e.g., authorizationlimits) are automatically reported and checked by an independentofficial (A,C,V)Overrides of system warnings by the user are automatically reportedfor independent approval (A,C,V)Exhibit 7.3 provides additional illustrations of control activities that also may be the risk response.65Control ActivitiesExhibit 7.3Control Activities as a Risk ResponseTo ensure that pension obligations and costs are reported properly in the financial statements, management reviews the company’s demographic data and the methods and assumptions used by the actuary, and compares amounts in the actuary’s report with those in the financial statements and related footnotes. To help ensure that a company’s monthly income tax remittances are made in compliance with regulations, an electronic tickler file prompts staff with due dates for tax filings, and a supervisor verifies timely remittance. To help ensure that computer interfaces between general ledger systems operate to effect complete and accurate processing, transaction totals from subsidiary systems are compared with the balance in the general ledger control account, with any differences reported and followed up. To help minimize inventory losses, transfer documents are reviewed and approved by the warehouse supervisor before goods are released. To help ensure that only tested and accepted programs are transferred from test to production libraries, transfers are made only based on completion of testing and related approvals and authorization of the IT and user line/department managers. 66Information and CommunicationINFORMATION AND COMMUNICATION Framework Chapter Summary: Pertinent information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information systems use internally generated data, and information from external sources, providing information for managing risks and making informed decisions relative to objectives. Effective communication also occurs, flowing down, across, and up the organization. All personnel receive a clear message from top management that enterprise risk management responsibilities must be taken seriously. They understand their own role in enterprise risk management, as well as how individual activities relate to the work of others. They must have a means of communicating significant information upstream. There is also effective communication with external parties, such as customers, suppliers, regulators, and shareholders.This chapter illustrates how information is obtained and flows in an organization and is used and presented to support enterprise risk management. Also illustrated are techniques that facilitate communication supporting effective enterprise risk management.InformationInformation is needed at all levels of an organization to identify, assess, and respond to risks, and to otherwise run the entity and achieve its objectives.Information both from external sources and internally generated is obtained and analyzed in setting strategy and objectives, identifying events, analyzing risks, determining risk responses, and otherwise effecting enterprise risk management and carrying out other management activities. A broad-based, generic depiction of information flows into, out of, and within an entity to support its ongoing management is shown in Exhibit 8.1 (taken from the Internal Control – Integrated Framework Evaluation Tools Reference Manual, and drawn fromCompetitive Advantage, M. E. Porter). Further detail on information flows is shown in theInternal Control – Integrated Framework Evaluation Tools Reference Manual.6768Exhibit 8.1Generic Business Model—Context LevelShareholdersOther SourcesPublic BodiesInvestorsof&Collaborators&CompetitorsConsumptionOther PartiesFinancialInstitutionsRevenue OpportunitiesComplianceShared& Threats& PersuasionVenturesReportsMarket Threats& OpportunitiesCandidatesStaffing NeedsSkills & ExperienceFundsAvailable TechnologyRun anCapabilitiesEnterpriseRequests forGoods & ServicesBuyersSpecificationsShipped ProductVendors&Purchase OrdersServiceDistributorsPurchased Goods &ServicesInformation and CommunicationInformation and CommunicationIn addition to information flows into and within an organization, there are flows among activities inherent in the enterprise risk management components. Exhibit 8.2 illustrates how these information flows may be conceptualized.Exhibit 8.2Information Flows Within Enterprise Risk ManagementInternal EnvironmentRisk management philosophy Risk appetite Objective Setting• Objectives• Inventory of• Risk• Units of measureopportunitiestolerancesEvent IdentificationInventory of risks Risk Assessment• Inherent risks• Risk• Residual risksassessedresponsesassessedRisk ResponseRisk responses Portfolio view Control ActivitiesOutputs Indicators Reports Monitoring69Information and CommunicationTechnology is applied to improve the effectiveness and efficiency of information processes. Exhibit 8.3 illustrates how a company may utilize information technology to support the timely use of information in an event identification process.Exhibit 8.3Use of Information Technology in Event IdentificationAs part of the event identification process, a chain of automotive dealerships regularly reviews leading newspapers, business publications, and trade journals to keep track of changes in the competitor landscape. Initially done manually, as described in the first bulleted item below, the process was automated, as described in the second.A researcher reviewed hard copy of selected publications on a daily, weekly, and monthly basis, provided the information to applicable managers for analysis, and developed related reports. The reports were distributed to unit leaders and others for consideration in the risk assessment process. This process normally took 24–48 hours to complete each week, month, and quarter. The company now subscribes to Internet libraries, and the researcher uses web-based search engines to identify relevant information, and attaches “relevance” ratings to the information. The captured information is analyzed, and reports are distributed electronically to the responsible managers. Including the manual analysis, the process now takes only several hours to complete, and garners a broader array of relevant information. Strategic and Integrated SystemsThe design of an information systems architecture and acquisition of technology are important aspects of entity strategy, and choices regarding technology can be critical to achieving objectives.Technology plays a critical role in enabling the flow of information in an organization, including information directly relevant to enterprise risk management. The selection of specific technologies to support enterprise risk management for an organization typically is a reflection of the:Entity’s approach to enterprise risk management and its degree of sophistication Types of events affecting the entity Entity’s overall information technology architecture Degree of centralization of supporting technology In some organizations, information is managed separately by unit or function, whereas others have integrated systems. Exhibit 8.4 illustrates the loan origination and risk management functions of a corporate bank, where information is developed by functional unit and shared as needed with others in the organization..70Information and CommunicationExhibit 8.4Loan Origination Information FlowsIndividual functions – marketing, risk management, legal, and operations – are each supported by their own technology, which captures, maintains, and reports relevant information, which then is shared across the organization.MarketingWorkflowMarketingPortfolio MgtProductCreditProcessorsApprovalCredit RiskIntradayCredit RiskCalc andInterfaceMonitoringCredit Risk ReportingRiskSecurityManagementLegalAgreementsGLBack OfficeInterfaceLegalOperationsCollateralInformationMgt. & ReconIntradayMarket RiskInterfaceMarket RiskRisk/MISCalc andStandardsMonitoringMarket Risk ReportingWith added focus on information needed for risk management, some organizations have enhanced their technology architectures to allow greater connectivity and usability of data, with some using the Internet and data interchange capabilities. Web services-based information strategies enable real-time information capture, maintenance, and distribution across units and functions, often enhancing information capture, better controlling multiple sources of data, minimizing manual processing of the data, and enabling automated analysis, retrieval, and reporting.Under an open architecture, technologies such as XBRL, XML, and Web services are used to facilitate data aggregation, transfer, and connectivity between disparate or stand-alone systems. XBRL, the acronym for eXtensible Business Reporting Language, is derived from XML (eXtensible Markup Language). XBRL is an open, royalty-free, Internet-based information standard for business reporting of all kinds. XBRL labels data so that they are provided with context that remains with them and brings conformity to the names by which they are recognized by disparate software.71Information and CommunicationWeb services is an Internet protocol for transporting data between disparate applications, within a company’s boundaries or across companies. XBRL, used with Web services, facilitates automated information exchange across diverse platforms and different applications and automates business reporting processes. Exhibit 8.5 illustrates how XBRL and Web services can improve the efficiency of the reporting processes for the loan processing activities identified in Exhibit 8.4.Exhibit 8.5Integration of SystemsLimitsProducersCollateralReferenceCRM SystemCustomerDataDataOrigination /LoansWorkflowMaintenanceWeb ServicesConsumersExceptionsRisk ReportsProfitabilityReportsExhibit 8.6 illustrates how two organizations address the requirements of multiple constituents and leverage information across functions using XBRL and Web services.72Information and CommunicationExhibit 8.6Data, Systems IntegrationA telecommunications company uses XBRL and Web services to automate its billing process. Using an XBRL telecom billing taxonomy, transaction-level data are passed from ordering systems to provisioning and billing systems, and positioned for creating customer invoices. XBRL enables the billing system to feed information directly to company reporting systems via the XBRL general ledger standards-based platform. That platform provides predefined data tags for elements of financial transactions, enabling the company to represent, for example, all parties to a transaction, all resources that are part of the transaction (such as supplies, inventory, and other resources), and all related events (such as when the transaction was created, sent, received, and entered into the system). This audit trail allows managers and auditors to quickly verify information at any consolidation level − in an installation, in an operating unit, or at the entity level. The process reduces the cost of compliance by providing a more efficient platform for communication with regulators, creditors, and other third parties. And, systems changes on either side of the XBRL integration point can proceed with less disruption to the information transfer cycle because the new system can readily understand and use the XBRL-enriched information. Another company uses XBRL technology to obtain more complete information on exposures in its accounts receivable. Previously, business units reported receivables from individual customers exceeding a monetary threshold, but the composite reports did not include exposures slightly under the threshold. With XBRL, the company’s reports include all exposures to a particular customer, enabling quicker and more relevant management action. Some organizations, rather than using open architectures, develop customized systems encompassing data warehouses, which generate key metrics and measures to support enterprise risk management.Integration with OperationsMany organizations have highly complex information technology infrastructures developed over time to support operations, reporting, and compliance objectives. In many instances the information generated by these systems in the regular course of business is integral to the enterprise risk management process.Exhibit 8.7 illustrates how information used in enterprise risk management is an inherent part of and integrated with business processes – in this instance, the sales process (items listed under the component headings include only examples of relevant information).7374Exhibit 8.7Information Flows Across a Sales ProcessBusiness ProcessOrdersBuyMfg ProductShip ProductBillCollectinventoryOperational Data• Purchasing patterns• Select suppliers• Production rates• Materials handling• Process customer• Manage and process• Forecasts• Order materials• Quality/defect rates• Order processingcreditcollections• Sales targets• Warehousing• Process proceduresand scheduling• Process accounts• Non-payments• Customer relationship• Inventory controland efficiencies• Complaints/receivable• Outstandingmanagement (CRM)• Material costs• Health and safetywarranties/claims/receivablesobjectives• Inventory levels• Production control andreturns• Over-due accounts• Manage pricingmanagement• Measure customer• Compliance withsatisfactionregulationsEnterprise Risk Management ComponentsInternal EnvironmentObjective SettingEvent IdentificationRisk AssessmentRisk ResponseControl Activities• Risk appetite (e.g.• Strategic (e.g.• Internal and external• Estimate risk• Selected risk• Policies andtarget customers)customer growth),factorslikelihood and impactresponse (e.g.procedures (e.g. over• Integrity and ethicaloperational (e.g.• Event identification(e.g. creditmarketing campaignssales practices)values (e.g. code ofcustomer retention),techniques (e.g.worthiness)to support sales• General computerconduct and statementsreporting (e.g. salesescalation triggers on• Riskgrowth targets )controlsaround customer gifts)targets in thesales volumeinterdependencies• Cost/benefits of• Application controlsMD&A), compliancemeasures, changing(e.g. decliningresponses(e.g. predatorypurchasing patterns)purchasing patterns• Portfolio viewpractices) objectives• Eventlinked to product• Residual risks• Risk tolerancesinterdependenciesdefects)aligned to tolerancesInformation and Communication – Information provided to individuals in a format and timeframe to allow them to carry out responsibilities (e.g. payment defaults available to client service representatives; orders provided to plant supervisors to align staffing levels)Monitoring – Ongoing monitoring and separate evaluationsInformation and CommunicationInformation and CommunicationDepth and Timeliness of InformationAdvances in data collection, processing, and storage have resulted in exponential growth in data volume. With more data available − often in real time − to more people in an organization, the challenge is to avoid “information overload” by ensuring flow of the right information, in the right form, at the right level of detail, to the right people, at the right time.Exhibit 8.8 illustrates information needs that management may consider when planning and implementing technological infrastructures.Exhibit 8.8Considerations in Determining Information RequirementsWhat are the key performance indicators for the business? What key risk indicators provide a top-down perspective of potential risks? What performance metrics are required for monitoring? What data are required for the performance metrics? What level of granularity of information is needed? How frequently does the information need to be collected? What level of accuracy or rigor is needed? What are the criteria for data collection? Where and how should data be obtained (e.g., from business units or operating areas, electronically or manually)? What data/information are present from existing processes? How should data repositories be structured? What data recovery mechanisms are needed? Many organizations have established a structured approach to information management. Such approaches enable management to identify the value and rank the importance of information, and develop effective processes and appropriate tools and methods to reliably collect, store, and distribute data. Exhibit 8.9 illustrates elements of an information management program used by a large retail bank to support management of market risk exposures.75Information and CommunicationExhibit 8.9Managing Market Risk ExposuresThe Market Risk Function of a large retail bank tracks the organization’s actual and potential exposures to movements in interest rates each day. In identifying the information needed to perform risk assessments, and ensure the bank remains within its risk tolerances, management views information in the context of the following elements:PrimarySource and Capture – defines how information is to be produced or acquired, from internal or external sources. Rules for modifying or transforming data, methods of extraction, and selection criteria are addressed at this level. For the Market Risk Function, data are sourced from multiple internal systems, including back office trade processing systems and market risk limit systems, and from external sources, including rates from a market data provider. Data are captured by automated interfaces from each of the sources. Process and Analyze – defines how information is maintained once it is in production. Data integrity, data quality, and data cleansing exercises are performed at this level. Data for the Market Risk Function are processed using market risk models to calculate exposure. Management analyzes resulting information to evaluate the organization’s exposure against pre-set tolerances and market risk limits. Report – defines how information is distributed to end-users. Data aggregation criteria, authorization considerations, and whether information is distributed in raw form or standard or customizable reports, are addressed at this level. In this instance, systems report exceptions in real time to line managers and summarize the daily overall position to senior management. SecondaryGovernance – defines the policy, organizational structure, and mandate supporting the primary characteristics. Policies – define the general principles, standards, and framework. Processes – define the procedures and standards employed to support the primary characteristics. Technology – defines the architecture, applications, databases, security, and controls that support the primary characteristics. 76Information and CommunicationHaving the right information, on time and at the right place, is essential to effecting enterprise risk management.Exhibit 8.10 illustrates information sources and flows in a common reporting process. Each of the four zones captures information used in the management process, including risk management. When these disparate systems, such as operational systems (Zone 1), financial reporting systems (Zone 2), performance management systems (Zone 3), and formal and informal data management systems (Zone 4), are integrated, management is able to obtain enhanced risk management reporting on a real-time basis.Exhibit 8.10Overview of Data Flows Within a Reporting ProcessZone 1Zone 2•Application Systems•General Ledger•Transactions•Automated AccountsFinancialand Protocols•Capture - Maintain -•Manual AdjustmentStatementDistributeAccountsReportingStandardsZone 3Zone 4•Incident Management•Management Info SystemsSystems, e.g., Fraud• Data Warehouse / ModelsRules,Loss Data•Excel / AccessRisk ManagementReporting, e.g. Leading Risk Indicators,Escalation Triggers“Dashboard”-style reports are used by organizations to present information necessary for enterprise risk management. These dashboard reports enable management to quickly determine the extent to which the entity’s risk profile is aligned with risk tolerances. Where misalignment occurs, which suggests existing risk responses or controls are not performing as expected, management can take corrective action. These dashboard reports are generated from information obtained from any or all of the four zones depicted in Exhibit 8.10 and from information external to the company.A risk profile dashboard used by a large bank is illustrated in Exhibit 8.11, which allows management to view risk relative to both the entity as a whole and individual business units.77Information and CommunicationExhibit 8.11Dashboard ReportingCompany WideDriversValueKeyQualityBudgetCostGrowthCategoriesRiskKeyPerformanceEfficiencyCreditMarketLiquidityOperationalRiskRiskRiskRiskBusiness UnitsCapitalWorkoutCreditTrustNationalFinancialRetailE-Bus.Corporate InternationalMarketsCardHousingPlanningThe arrows provide two pieces of information:Arrow direction indicates quarter-to-quarter trend in expected loss from the underlying risks, with a down arrow indicating a decline in expected loss trend, and an up arrow an increase. Arrow color indicates residual risk in relation to tolerances, where green indicates expected loss safely within risk tolerance, yellow indicates expected loss near or at risk tolerance, and red indicates risk tolerance is exceeded. Looking at the Capital Markets business unit, for example, the up arrow shows a quarter-to-quarter increase in expected loss, and the color green indicates that the unit’s expected loss remains safely within the established risk tolerance.Many of these dashboard reporting systems allow users to “drill down” to examine the underlying data. For example, Exhibit 8.12 illustrates how the same bank shows the details behind the operational risk arrow in Exhibit 8.11.78Information and CommunicationExhibit 8.12Drilldown to Operational RiskInternal and External Fraud IncidentsInternal Fraud4External Fraud3Internal FraudIncidents2External FraudEmployment practices1IncidentsClients, products, & Business0PracticesJanMarMayJulySeptNovDamage to Physical AssetsInternal and External Fraud CostsBusiness DisruptionExecution, Delivery & Process800Mgmt600400External Fraud CostInternal Fraud Cost2000JanMarMayJulySeptNovThe data depicted in the charts at the right feed the first two entries in the color-coded graphic at the left, and the data from that graphic in turn feed the entity-level measure in the dashboard in Exhibit 8.11 – in this illustration, supporting the measure for operational risk. The bank established that if none of the business unit measures are coded red (that is, none exceed risk tolerance), then the entity-level measure will be coded green; if one business unit measure is red, the entity-level measure will be coded yellow; and if two or more are red, the entity-level measure will be coded red. While the color scheme at the entity level does not provide precise information, it allows management to quickly focus on those risks not within its tolerances and to drill down for more precise information and to identify areas where action may be required.CommunicationManagement provides specific and directed communication that addresses behavioral expectations and the responsibilities of personnel. This includes a clear statement of the entity’s risk management philosophy and approach and a clear delegation of authority. Communication about processes and procedures should align with, and underpin, the desired culture.Communications are key to creating the “right” internal environment and to supporting the other components of enterprise risk management. For example, embedding the risk management philosophy into an organization’s culture is facilitated by top-down communications on what the philosophy is and what is expected of the organization’s people, and supported by bottom-up information flows. Similarly, management reinforces or changes an organization’s cultures with words and everyday actions. One company adopted an internal communications program, as illustrated in Exhibit 8.13, specifically to support the79Information and Communicationintegration of its risk management philosophy and to help reinforce an ethical internal environment.Exhibit 8.13Communicating Risk Management PhilosophyManagement discusses risks and associated risk responses in regular briefings with employees. Management regularly communicates entity-wide risks in employee communications. Enterprise risk management policies, standards, and procedures are made readily available to employees along with clear statements requiring compliance. Management requires employees to consult with others across the organization as appropriate when new events are identified. New hire orientation sessions include information and literature on the company’s risk management philosophy and enterprise risk management program. Tenured employees are required to take workshops and/or refresher courses on the organization’s enterprise risk management initiatives. The risk management philosophy is reinforced in regular and ongoing internal communication programs and through specific communication programs to reinforce tenets of the company’s culture. Exhibit 8.14 is an example of a letter from the CEO of one company to employees, emphasizing the importance of enterprise risk management.Exhibit 8.14Message from CEOOur overall objective is to maximize shareholder value.To achieve this goal we must have superior risk management capabilities, which address the full spectrum of risks facing our businesses. A structured and disciplined approach to risk management will ensure that our strategic efforts are not diminished through avoidable loss, or hampered by change and uncertainty. Additionally, we must harness our ability to cope with emerging risks and opportunities in an increasingly competitive environment.Everyone has a role to play in our enterprise risk management. This entails understanding the risks and opportunities facing our business, assessing exposure, and taking action to effectively respond to preserve and maximize value.We have developed a framework document as a tool to guide our efforts to manage the risks, uncertainties, and opportunities of our businesses to support the achievement of organizational objectives and maximize shareholder value.We look to all our employees to participate in applying this framework on a daily basis to help ensure we fulfill our objectives.80Information and CommunicationIn addition to “top-down” information flows, communications channels should enable personnel to communicate risk-based information across business units, processes, or functional silos. Exhibit 8.15 includes examples of vehicles managements use to communicate such information.Exhibit 8.15Communications VehiclesBroadcast e-mails Broadcast voice mails Corporate newsletters Databases supporting specific risk issues Letters from the CEO E-mail discussion groups Intranet sites capturing information regarding enterprise risk management for easy access by personnel Messages integrated into ongoing corporate communications Organization, function, or location-wide webcasts or conference calls Posters or signs reinforcing key aspects of enterprise risk management Regular face-to-face meetings of “risk champions” or other employees from a range of functions and business units with responsibility for aspects of enterprise risk management Regular risk management conference calls among a network of risk champions and other employees Regularly issued newsletters from the chief risk officer and associated staff “Town-hall” meetings A desirable goal is, over time, to embed communications on enterprise risk management into an entity’s broad-based, ongoing communications programs, consistent with the concept of building enterprise risk management into the fabric of the organization.Many organizations use technology to facilitate ongoing communication for enterprise risk management. Technology, such as an intranet site, can put enterprise risk management information within easy and constant access of all staff. Exhibit 8.16 illustrates information typically provided and made readily available.81Information and CommunicationExhibit 8.16Intranet Site Information on Enterprise Risk Management“Ask anything” links CEO’s message stating the entity’s risk management philosophy, risk appetite, and basic objectives of its enterprise risk management approach Discussion forum Enterprise risk management policies and procedures Frequently asked questions regarding the organization’s enterprise risk management program Relevant enterprise risk management reports and reporting activities Readily accessible information on and links to corporate whistle-blower channels or hotlines Links to other organizations’ websites providing information on risk management within key functions and processes, such as human resources policies, procurement, travel, vendor relations, etc. List of responsibilities and contact information for chief risk officer and key staff supporting the enterprise risk management program In some circumstances . . . separate lines of communication are needed to serve as a fail-safe mechanism in case normal channels are inoperative.In the event regular communications channels are not effective or appropriate, many organizations have set up supplemental employee communications channels. These channels, which may be called “whistle-blower” programs or “ethics hotlines,” may be voluntary or legally mandated. Their purpose is to provide a ready means whereby employees at any organizational level can confidentially discuss or report perceived or actual illegal, unethical, or otherwise inappropriate behavior.Exhibit 8.17 provides questions that might be considered when establishing an ethics hotline.Exhibit 8.17Considerations for Ethics HotlinesAre reporting mechanisms and protocols such that personnel will feel comfortable using the channel? What procedures will be used to ensure personnel trust the communications channel, with no concern about potential reprisal? Will the system be managed internally or by an external third party? How will incidents be prioritized? How will appropriate follow-up resources be identified? What is target response time? What are documentation standards? What monitoring processes should be in place? 82Information and CommunicationAre technology and security resources sufficient to manage the system? Who will perform any necessary investigations? How will complaints be documented and tracked? How will the employee reporting the information be advised of conclusions and actions taken? What kinds of summary reports are needed, and with what frequency? What mechanisms will be in place to ensure needed broad-based corrective and future preventive actions are taken? Exhibit 8.18 provides an illustrative work flow diagram for a supplemental reporting process.83Exhibit 8.18Alternative Reporting ProcessInformationIncident Reporting Workflow (Basic)Publicize how toInitialreport an incidentcomplaintwithout fear ofreceivedretaliationPhoneYesGet preliminaryEmailAnonymous?incidentinformationNoGet applicableLettercallerinformationIn-personWhat?InformationalIntegrity/RequestConductWhen?Why?Identify incidentWho?categoryLegal/Public/Where?unrelatedRegulatoryinquiry(misdirected)and Communication84Begin investigation ofHighDateSend preliminaryEstablish expectedincident or forward toAssignReceivedLog details innote toappropriate people to pursue"Urgencytemplate sheet orresponse timeMediumcomplainant(e.g. Legal and/Rating"in database/or HR)DatewebsiteEscalated;InvestigatingProvideProtectLowif applicablecomplaintre-contactcomplainantdatefromretaliationGather documents andRequest additionalfindings. Discuss plans ofMaintain records inMisconduct orinformation, asaction or closure withbusiness ethicsSend response/secure environment,necessary fromappropriate parties. (Legalcomplaints made byresolution topursuant to applicableapplicable parties,Dept. may/ not be involved).employees keptcomplainantdocument retentionincluding complainantDraft final response (initialseparate fromrequirementsif appropriateresponse to query, but dialoguepersonnel filesmay continue)Complainant notprivy to specificdisciplinaryactions takenRevise trainingWhat?materials & deliveryas appropriate. Keepongoing records ofRelated Requirements:training; with signed1 - Code of Conductand/ or policies & procedures exist & were communicated toWhere?employeeemployees through training, publications, etc.acknowledgments2 - Compliance network & people exist & are trained to handle inquiries. 3 - A hotline and other means of reporting incidents exist.4 - A secure environment exists to maintain confidential files.When?Assign Incident # (especially important if made anonymously)'Roll-up' relevant datato corporate headquarters for tracking/ resolution/ trend analysis & resultant actions, as requiredDisciplinaryProgramDevelopmentTrainingMonitoringMonitoringMONITORING Framework Chapter Summary: Enterprise risk management is monitored – assessing the presence and functioning of its components over time. This is accomplished through ongoing monitoring activities, separate evaluations, or a combination of the two. Ongoing monitoring occurs in the normal course of management activities. The scope and frequency of separate evaluations will depend primarily on an assessment of risks and the effectiveness of ongoing monitoring procedures. Enterprise risk management deficiencies are reported upstream, with serious matters reported to top management and the board.This chapter illustrates some the techniques used in ongoing monitoring and separate evaluations, and provides an overview of methodology, tools, documentation, and considerations for reporting deficiencies. In addition to the techniques illustrated here, readers are referred to the evaluation tools provided in Internal Control – Integrated Framework, which may serve as a useful reference for separate evaluations of enterprise risk management.Ongoing Monitoring ActivitiesMany different activities performed in the ordinary course of running a business serve to monitor the effectiveness of enterprise risk management components. These include day-to-day review of information in carrying out normal business activities, as illustrated in Exhibit 9.1.Illustration 9.1Examples of Ongoing Monitoring ActivitiesManagement reviews reports of key business activity indicators such as flash reports of new sales or cash position, and information on backlog, gross margins, and other key financial and operational statistics. Operating management compares production, inventory, quality measures, sales, and other information obtained in the course of daily activities to systems-generated information and to budget or plan. Management reviews performance against limits established for risk exposures, such as acceptable error rates, items in suspense, reconciling items, foreign currency exposure balances, or exposure to counterparties. Management reviews transactions reported through escalation triggers. Management reviews key performance indicators such as trends in direction and magnitude of risks, status of strategic and tactical initiatives, trends or variances in actual results to budget or prior periods, and event triggers, as described in the Event Identification chapter. 85MonitoringSeparate EvaluationsWhile ongoing monitoring procedures usually provide important feedback on the effectiveness of other enterprise risk management components, it may be useful to take a fresh look from time to time, focusing directly on enterprise risk management effectiveness.Separate evaluations of enterprise risk management typically are conducted periodically. In some cases, they are prompted by change in strategy, key processes, or entity structure. Separate evaluations are conducted by management, the internal audit function, external specialists, or a combination thereof.Separate evaluations sometimes are broad-based, with scope including the entirety of the entity and all enterprise risk management components. In some cases, the evaluation is limited to a specific business unit, process, or department, with other areas of the business addressed over time. Exhibit 9.2 describes how a manufacturer designed an evaluation of its new inventory control system.Exhibit 9.2Separate Monitoring of a New ProcessManagement of a large manufacturing company installed new modules for its enterprise resource planning system, to enhance its global supply chain processes. Objectives included reducing inventory costs, improving tracking capabilities, and providing better information on inventory availability. Given the critical importance of the system to achieving customer service goals, and the scale of the changes to the processes, it was decided that a separate evaluation of the process would be conducted on a monthly basis for four months following the “go-live” date, and every six months thereafter for two years.The evaluations were conducted by a team comprising individuals from the information technology function, the internal audit function, and outside consultants. The first evaluation focused on:System change controlsOrganizational change readinessSecurityData qualityInterfaces with legacy systemsSubsequent evaluations addressed accuracy and completeness of processing, including transfers and handoffs, related control activities, changes to and control over access, manual interfaces, and use and usefulness of information outputs.86MonitoringInternal Audit ReviewsInternal audit functions typically provide an assessment of risks and control activities of a business unit, process, or department. These assessments provide an objective perspective on any or all elements of enterprise risk management, from the company’s internal environment through monitoring. In some cases particular attention is given to risk identification, analysis of likelihood and impact, risk response, control activities, and information and communication. Internal audit, based on its knowledge of the business, may be positioned to consider how new company initiatives and circumstances might affect application of enterprise risk management, and to take that into account in its review and testing of relevant information. Further information is available in The Institute of Internal Auditors’ Practice Advisories, which set out guidance for evaluating and reporting on risk management effectiveness.The Evaluation ProcessEvaluating enterprise risk management is a process in itself. While approaches or techniques vary, a discipline should be brought to the process, with certain basics inherent in it.A disciplined process provides a sound basis for an evaluation. Any of a number of approaches and techniques are used, generally depending on the circumstances of the company and nature and scope of the evaluation to be performed. Exhibit 9.3 illustrates one company’s basic approach.Exhibit 9.3Steps in a Separate EvaluationPlanningDefine the objectives and scope of the evaluation Identify an executive with requisite authority to manage the evaluation Identify the evaluation team, support personnel, and key business unit contacts Define the evaluation methodology, timeline, and steps to be conducted Agree on evaluation plan PerformanceGain an understanding of the business unit’s/process’s activities Understand how the unit’s/process’s risk management process is designed to work Apply the agreed-on methods to evaluate the risk management process Analyze results by comparison to the Company’s internal audit standards and follow up as necessary Document deficiencies and proposed remediation, if applicable Review and validate findings with appropriate personnel 87MonitoringReporting and Corrective ActionsReview results with business unit/process and other management as appropriate Obtain comments and remediation plans from unit/business process management Incorporate management feedback into final evaluation report MethodologyA variety of evaluation methodologies and tools are available, including checklists, questionnaires, and flowcharting techniques.Evaluators identify methodologies and tools needed to support the evaluation process. A number of structured methodologies and tools exist that are used to document and assess specific aspects of enterprise risk management. Factors in selecting evaluation methodologies and tools include whether they can be readily used by assigned staff, are relevant to the given scope, and are appropriate to the nature and expected frequency of the evaluation. For example, where the scope involves understanding and documenting differences between business process design and actual performance, the evaluation team might review or develop process flowcharts and control matrices, whereas a scope limited to addressing whether specific mandated control activities are present might suggest using a pre-established questionnaire. Exhibit 9.4 lists tools used, either individually or in conjunction with one another.Exhibit 9.4Methodologies and ToolsProcess flowcharting Risk and control matricesRisk and control reference manualsBenchmarking using internal, industry, or peer information Computer assisted audit techniquesRisk and control self-assessment workshops QuestionnairesFacilitated sessionsExhibit 9.5 contains an excerpt of a risk and control self-assessment questionnaire for a payroll process, serving as a diagnostic reference point focusing on the extent to which controls related to payroll processing risks actually are being applied. The results form a basis for needed corrective action.88MonitoringExhibit 9.5Risk and Control Self-Assessment Questionnaire ExcerptsPayroll QuestionsQuestionnaire Response OptionsPolicyReference1.My departmentreviews the budgetDon’tPayrollsummaries preparedYesNoN/AN/Aknowpolicy #1by the BudgetingDepartment2.My departmentmonitors the numberYesNoDon’tN/AN/APayrollof employees paidknowpolicy #2from your budget3.My departmentreviews the monthlyPayrollreport of salaries andNeverSeldomUsuallyAlwaysN/Apolicy #3wages posted to ourdepartment4.When reviewing thispayroll report, whatwould you consider tobe an exceedingly highnumber of overtime10–2020–3030–40> 40Don’tNo payrollpayroll hours perknowpolicyperson that you wouldreview in detail todetermine theunderlying cause?Summary of Findings95% of respondents review budget summaries prepared by the Budgeting Department 93% review the number of people paid from their budget 70% always review payroll reports; 18% usually do, and 12% seldom review these reports See graph at right 10 - 2020 - 3030 - 40> 40Don’tKnow89MonitoringDocumentationThe extent of documentation of an entity’s enterprise risk management varies with the entity’s size, complexity, and similar factors.The desired level of enterprise risk management documentation varies by company, often based on size, complexity, and management style. In addition to scale and depth of documentation, considerations include whether it will be paper- or electronic-based, centralized or distributed, and means of access for update and review.In evaluating enterprise risk management, existing documentation of processes and other activities are reviewed, or may be created, to allow the evaluation team to readily understand the unit, process, or department’s risks and responses. Documentation considered in an evaluation may include:Organization charts Description of key roles, authorities, and responsibilities Policy manuals Operating procedures Process flowcharts Relevant controls and associated responsibilities Key performance indicators Key identified risks Key risk measures Such documentation may form the basis for developing review processes that include tests to determine whether the processes and related policies and procedures represented to have been established are both appropriate to address the entity’s risks and being followed.With regard to what documentation of the evaluation process itself is to be developed, the evaluation team might consider the extent to which documentation is expected to achieve the objectives of:Providing an “audit trail” of the evaluation team’s assessments and testing Communicating the results of the evaluation – findings, conclusions, and recommendations Facilitating review by supervisory personnel Facilitating evaluations in subsequent periods Identifying and reporting broader issues Identifying individual roles and responsibilities in the evaluation process Supplementing existing enterprise risk management documentation that may be deficient 90MonitoringReporting DeficienciesAll identified enterprise risk management deficiencies that affect an entity’s ability to develop and implement its strategy and to set and achieve its objectives should be reported to those positioned to take necessary action.Some companies have developed guidelines regarding to whom deficiencies are to be reported, as illustrated in Exhibit 9.6.Exhibit 9.6Illustrative Deficiency Reporting GuidelinesDeficiencies are reported to persons directly responsible for achieving business objectives affected by the deficiency Deficiencies are reported to the person directly responsible for the activity and a person at least one level higher Alternative reporting channels exist for reporting sensitive information such as illegal or improper acts Specified types of deficiencies are reported to more senior management Protocols are established for what is reported to the board of directors or a specified board committee Information on corrective actions taken or to be taken is communicated back to relevant personnel involved in the reporting process Another company established criteria for deciding which deficiencies are to be reported to senior management (and depending on significance, to the board of directors), as illustrated in Exhibit 9.7.Exhibit 9.7Illustrative Criteria for Reporting to Senior ManagementDeficiencies will be reported where the likelihood of an event occurring is not insignificant, and the impact is such that there could be a resulting:Adverse impact on safety of staff or others Illegal or improper actSignificant loss of assets Failure to achieve key objectivesNegative effect on the entity’s reputation Improper external reporting91Roles and ResponsibilitiesROLES AND RESPONSIBILITIES Framework Chapter Summary: Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume “ownership.” Other managers support the risk management philosophy, promote compliance with the risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. Other personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management. A number of external parties often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of the entity’s enterprise risk management.This chapter illustrates organizational approaches for assigning roles and responsibilities for enterprise risk management, and provides guidance on the roles and responsibilities of the board of directors, chief executive officer, chief risk officer, business unit management, and internal audit, as well as relevant board and management committees.A defining characteristic of how enterprise risk management is implemented is the extent to which roles and responsibilities are clearly defined, and whether they are assigned on a centralized or decentralized basis. While how this is done varies widely by entity, commonalities can be observed. Exhibit 10.1 depicts three approaches, each with a different degree to which roles and responsibilities are or are not centralized for identifying, assessing, responding to, and reporting on risks.93Roles and ResponsibilitiesExhibit 10.1Organizational ApproachesApproach 1Approach 2Approach 3BoardBoardBoardSenior ManagementSenior ManagementSenior ManagementCentralCentralCentralFunction(s)Function(s)Function(s)Identify, AssessRespondIdentify, Assess, RespondApproach 1 depicts a model where event identification and risk assessment occur in the business lines or departmental management, but authority to determine risk response and related control activities rests with the center, and the center also reports risks upstream. This approach may work for smaller entities where central management has clear sight lines into the business activities, and key decision authorities remain with the center. Approach 2 depicts a model where event identification, risk assessment, risk response, control activities, and reporting are primarily the responsibility of the business lines. The center is involved in monitoring the process and might have a broad-based role in reporting as well. Approach 3 is a variation on Approach 2, illustrating that certain risks may be addressed at the center, such as entity-wide risks of commodity or foreign currency price movements that are tracked and managed at the entity level. Each of these approaches has benefits and challenges, described in Exhibit 10.2.94Roles and ResponsibilitiesExhibit 10.2Benefits and Challenges of Organizational ApproachesApproach123BenefitsEffective eventOwnership of riskMore significant risksidentification and riskresponse and controladdressed by higher-levelassessment by thoseactivities by managersmanagersclosest to emerging issuesclosest to emerging issuesFacilitates managing risksRisk responsesAbility to generate moreon entity-wide basisdetermined by higher-complete managementlevel managersinformationEnhanced ability tomanage risk-basedactivitiesChallengesMight be disconnectPotential for less-Requires effectivebetween risk assessmentconsistent riskcommunication andand responsemanagement (but thiscoordination with Lack of ownership by riskpotentiality is reduced bybusiness unitsan effective centraltakers in risk responsesupport/monitoringfunction)Many companies find that as they expand in size and complexity, they can most effectively apply enterprise risk management principles and disciplines by pushing much, if not all, responsibility to the lines of business and functional support units. At the same time, a small central supporting infrastructure deals with more pervasive, entity-wide risks.Board of DirectorsThe board provides oversight with regard to enterprise risk management.The board has a key role in the oversight of enterprise risk management. The board should be apprised on a timely basis of the most significant risks, management’s assessment, and its planned response. Importantly, the board should feel comfortable that appropriate processes are in place and that management is positioned to identify, assess, and respond to risk, and to bring relevant information to the board level.The types of questions directors ask in performing this oversight role are illustrated in Exhibit 10.3.95Roles and ResponsibilitiesExhibit 10.3Questions Raised by Boards Regarding Enterprise Risk ManagementWhat information about the risks facing the organization do we receive to fulfill our fiduciary and advisory governance responsibilities? When and how does senior management report risk information to us? How do we know that the information we receive on risks and risk management is accurate and complete for our purposes? Have we effectively communicated our expectations to senior management concerning the company’s risk management process, and is there a clear understanding of those expectations, including what information we expect to receive? How do we ensure that the organization is performing according to established risk tolerance limits and overall risk appetite? How do we as a board help establish the right "tone at the top" that reinforces the organization’s values and promotes a "risk aware culture"? Are we effectively carrying out our responsibilities as a board in overseeing risk management? Boards may choose to delegate responsibilities and accountabilities for specified aspects of enterprise risk management to one or more board committees to help ensure a clear focus on the risk areas.Audit CommitteeIt is not uncommon for oversight responsibility for enterprise risk management to be assigned to the audit committee. In many cases it is believed that with its focus on internal control over financial reporting, and possibly a broader focus on internal control, the audit committee already is well positioned to expand its responsibility to overseeing enterprise risk management. Some observers point to certain regulatory standards as providing support for placing responsibility with this committee. See Exhibit 10.4 for an excerpt from the New York Stock Exchange’s rules.96Roles and ResponsibilitiesExhibit 10.4Audit Committee RoleThe New York Stock Exchange’s Corporate Governance Rules require that a listed company’s audit committee have a written charter that addresses the committee’s duties and responsibilities, which must include discussing policies with respect to risk assessment and risk management. The rules’ commentary notes:While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.Risk CommitteeThe New York Stock Exchange rule commentary states that some companies assign board-level risk management oversight responsibility to other than the audit committee, and some organizations indeed have determined that tasking the audit committee with oversight of entity-wide risks in non-financial areas (e.g., operational, compliance) exceeds the intended authority of the audit committee and its available resources. Some boards have established a risk committee to focus directly on enterprise risk management. A description of one company’s board risk committee is provided in Exhibit 10.5. In this case, senior members of management attend the committee’s meetings, and the committee’s responsibilities reflect that it works with management in dealing with such matters as developing and refining the enterprise-wide risk appetite and risk tolerances.Exhibit 10.5Risk Committee DescriptionObjectivesThe Board of Directors (exercised through the Risk Committee) recognizes its responsibility for ensuring that a comprehensive Risk Management system which includes policies, programs, measures and competencies for identifying, assessing and managing risk needs to be in place to assist senior management in managing growth in a rapidly changing environment.In this regard, the specific objectives of the Committee include ensuring that:Management understands and accepts its responsibility for identifying, assessing and managing risk Senior Management and business unit management are strategically focused on the enterprise-wide risk strategy 97Roles and ResponsibilitiesLeading tools and processes are provided to the businesses to facilitate achievement of their Risk Management responsibilities Business unit risk assessments are performed periodically and completely Business unit risk mitigation activities are successful in: safeguarding assets maintaining appropriate standards regarding the environment and health and safety issues meeting legal and regulatory obligations reinforcing the values of the organization by focusing on stakeholder needs Proper accounting records are being maintained, appropriate accounting policies have been adopted and financial information is comprehensive and accurate Effective risk mitigation/control testing programs are in place and the results evaluated and acted upon ResponsibilitiesThe Risk Committee’s responsibilities include the following:Oversee development of and participation in an annual enterprise-wide risk strategy analysis Develop and refine the enterprise-wide appetite/tolerance for risk Provide direction and oversight to the Chief Risk Officer and the Global Risk Leaders Evaluate material risk exposures and report to Board Evaluate enterprise-wide risk exposure report Evaluate enterprise-wide risk trending report and ensure corporate strategy is responsive to issues raised Oversee the role and responsibilities of the Internal Audit Team Review semi-annual and annual consolidated accounts Materiality and FocusThe Committee is charged with ensuring that the competency for identifying, assessing and managing risk continues to evolve in relation to the growing risk appetite of the organization. To that end, it will focus primarily on the effectiveness of enterprise risk management.The Committee should review those risks which may be deemed material through agreement between the Committee and the Chief Risk Officer. Materiality considerations will be based upon both immediate financial exposure to the organization’s shareholders and long term material financial exposure to the organization’s shareholders.The goal of the Committee is to encourage broader thinking by management in relation to risks so that greater focus is applied to continue to evolve the organization’s competencies along their risk management vision.98Roles and ResponsibilitiesStructure and MembershipMembers of the Committee will be appointed by resolution of the Board The Committee will comprise four non-executive Board directors, one of whom will be appointed to chair the Committee MeetingsMeetings will be held quarterly prior to Board meetings The General Counsel & Secretary will attend all Committee meetings and will act as Committee Secretary. The Chief Risk Officer and the CFO will also attend all Committee meetings A report of the meeting will be presented to the next Board meeting following each Committee meeting ManagementManagement is directly responsible for all activities of an entity, including enterprise risk management.Chief Executive OfficerThe chief executive's responsibilities include seeing that all components of enterprise risk management are in place.The chief executive has ultimate ownership responsibility for enterprise risk management. The CEO generally fulfills these responsibilities by providing leadership and direction to senior managers and by setting broad-based policies reflecting the entity’s risk management philosophy and risk appetite.A number of chief executive officers have identified a senior executive to provide direction, under the auspices of the CEO, to the organization on enterprise risk management implementation. Some CEOs have established a committee to provide this direction. Another approach, which is being used by an increasing number of companies, is to establish a chief risk officer to provide direction, guidance, and support to and monitoring of line managers in effecting enterprise risk management.Enterprise Risk Management Executive CommitteeIn some large organizations, the CEO has established an enterprise risk management committee of senior executives, consisting of a subset of senior management, including functional managers such as the chief financial officer, chief audit executive, chief information officer, and others.Functions and responsibilities of the committee include such matters as:99Roles and ResponsibilitiesOverall responsibility for the enterprise risk management process, including the processes used to identify, assess, respond to, and report on risk Defining roles, responsibilities, and accountabilities at the executive and senior management level Providing policies, frameworks, methodologies, and tools to business units for the identification, assessment, and management of risks Reviewing the company’s risk profile Reviewing performance measures against tolerances and recommending corrective action where appropriate Communicating the risk management process to the CEO and the board The responsibilities of one enterprise risk management committee are outlined in an excerpt from a sample charter, shown in Exhibit 10.6.Exhibit 10.6Enterprise Risk Management Committee CharterThe Enterprise Risk Management Committee determines the corporate objectives, risk appetite and aggregate risk tolerance levels. It oversees the process by which business unit management identifies and assesses risks and determines appropriate responses. It addresses enterprise-wide risks, and sets performance measure goals and key risk indicators for those risks. It is responsible for capital allocations, capital planning, and risk capital allocation and overrides. The committee also reviews capital usage and actual risk management performance versus plan.Chief Risk OfficerSome companies have established a centralized coordinating point to facilitate enterprise risk management. A risk officer – referred to in some organizations as the chief risk officer or risk manager – works with other managers in establishing effective risk management in their areas of responsibility.Companies that have a chief risk officer (CRO) position tend to be larger and more complex enterprises. An alternative to creating this position is to assign this role to a senior officer, such as chief financial officer, general counsel, or chief compliance officer. Some companies that initially chose this approach found over time that the breadth and scope of dealing effectively with risk require more time and effort than senior officers have available, and have moved to establishing a CRO resource.A model for the CRO that a number of companies have found successful begins with establishing clarity around the risk officer’s responsibilities and accountabilities. While some companies assign direct responsibility for effective risk management to the CRO, many others have found success by maintaining responsibility for risk management with line and functional unit leaders, with the risk officer having important directional, support, and monitoring responsibilities. Experience shows that success also depends on the CRO having100Roles and Responsibilitiesthe appropriately high stature within the organization, as well as necessary resources. Some companies provide CRO staff within subsidiaries, business units, and departments, to ensure CRO staff support is close to the entity’s operating activities.One company’s CRO job description, which outlines key responsibilities, is illustrated in Exhibit 10.7.Exhibit 10.7Chief Risk Officer Job DescriptionReports to:Chairman – Risk Committee of the Board, and CEODirect Reports:Global Risk Leaders, Group-wide Risk Specialists (pertaining to risk matters) Business Unit Risk Coordinators, Internal Audit Responsibilities:Enable the Risk Committee of the Board to fulfill its responsibilities as stated in its Charter Communicate and manage the establishment and ongoing maintenance of enterprise risk management pursuant to the Corporation’s risk management vision Ensure proper risk management ownership by Business Unit CEOs and effective oversight by the Regional/Business Boards Validate that enterprise risk management is functioning in each Business Unit and that all significant risks are being recognized and effectively managed in a timely manner Communicate with the Risk Committee regarding the status of enterprise risk management Promote the enterprise risk management model to the CEO and Business Unit heads and assist in integrating into their business plans and ongoing reporting Ensure a risk management capability is developed and maintained in all Business Units and enterprises, including new acquisitions and joint venture investments Specific Activities:Develop integrated procedures to report major risks Regularly visit business units and meet with senior executives to promote imbedding risk management into culture and daily activities Develop a standardized risk information model and automated process and ensure it is usable across the organization Maintain a cost–benefit focus on enterprise risk management Ensure employees are educated about risk management. Transfer knowledge and information and generally assist in the efficient management of risk and help maintain an appropriate risk culture Work with business unit leaders to ensure business plans and budgets include risk identification and management Work with Business Units to ensure monitoring and reporting to ensure compliance with the organization’s standards and reporting of the most significant risks 101Roles and ResponsibilitiesReport to the Risk Committee regarding the: Progression of enterprise risk management and its implementation Identified significant and material risk exposures and recommendations across the organization Consolidated enterprise risk management plan encompassing analysis and recommendations Professional Attributes:Foundation in enterprise risk management Ability to clearly demonstrate grasp of tenets of the organization’s enterprise risk management infrastructure Creative, "out of the box" thinker Experience globally with differing cultures Good executive presence Exceptional interpersonal communication skills Able to demand respect from Board and Business Units Senior management experience, i.e., member of executive team responsible for a large group of people, or CFO or COO experience Excellent presentation skills, articulate Superior facilitation competencies Large project management experience Strong analytical capabilities Exceptional problem-solving skills The CRO job description for a financial services company, with a somewhat more operational focus, is illustrated in Exhibit 10.8.Exhibit 10.8Chief Risk Officer Job Description, Financial Services CompanyResponsibilities:Establish the corporate-wide risk limits Approve risk taking authority, capital allocation and limit setting based on a business unit’s: Absolute and risk-adjusted performance Risk profile and strategy Earnings quality/consistency Efficiency of capital usage Diversification benefits or disadvantages Reliability and competence of management Establish and maintain corporate-wide risk management standards, such as standards for: Business unit policies and limit frameworks Corporate risk data requirements Reporting to business managers, senior management and the Board Valuation and risk measurement methodology 102Roles and ResponsibilitiesReview and approve policy exceptions Establish a risk reporting framework including consistent risk-adjusted profitability measurement, analysis and decision-making tools Aggregate and analyze common risk factors across business lines (e.g., stress testing/scenario analysis) Conduct macro assessments of the risk profile and the drivers of change Support management of stakeholder relations Required Skills:Ability to serve as an advisor to and partner of the CEO, CFO and COO In-depth industry experience Integrity and credibility necessary to communicate with business leaders, regulators and other stakeholders Comprehensive risk management experience with an excellent grasp of market risk, credit risk and operational risk issues Excellent managerial skills able to motivate and lead a diverse group of professionals with varying backgrounds Excellent oral communication skills able to interact with Board members and business leaders Quick thinker with polished presentation skills able to communicate with external stakeholders such as regulators, investors and the financial press Strong and effective negotiating skills necessary to arbitrate/adjudicate business unit demands for corporate capital (financial and human) Strategic thinker able to navigate rapidly changing technology and competitive landscape Firsthand experience in lending and/or credit approval extremely desirable Ability to effectively formulate policy necessary to meet strategic objectives ManagementSenior managers in charge of organizational units have responsibility for managing risks related to their units' objectives.Heads of line business units, business processes, and functional departments are responsible for identifying, assessing, and responding to risk relative to meeting the unit’s objectives. They ensure that processes utilized are in compliance with the entity’s enterprise risk management policies and that their unit’s activities are within established risk tolerance levels.In some companies the job descriptions of these leaders explicitly outline their enterprise risk management responsibilities, as well as associated performance measures. Unit leaders typically report on progress and issues to the CRO and/or another executive.Unit leaders naturally delegate responsibility for specific business unit enterprise risk management activities to managers in their units, with responsibilities addressing such matters as:103Roles and ResponsibilitiesComplying with enterprise risk management policies and developing techniques tailored to the unit’s activities Applying enterprise risk management techniques and methodologies to ensure risks are appropriately identified, assessed, responded to, reported on, and monitored Ensuring risks are managed on a daily basis Providing unit leadership with complete and accurate reports regarding the nature and extent of risks in the business activities As with unit leaders, some companies’ staff job descriptions outline their enterprise risk management responsibilities and associated performance measures.Internal AuditorsIn many companies, internal auditors play a key role in the ongoing functioning of enterprise risk management by providing objective monitoring of its application and effectiveness. Internal auditors may conduct examinations for the purpose of providing an objective assessment of the entire enterprise risk management process or subsets thereof. In this role, internal auditors may support management by providing assurance on the:Enterprise risk management processes – both design and function Effectiveness and efficiency of risk responses and related control activities Completeness and accuracy of enterprise risk management reporting Internal auditors sometimes act in a consulting role, where they serve to facilitate improvements in the organization’s enterprise risk management process. In this capacity, internal auditors may, among other activities, promote development of a common understanding of enterprise risk management, coach management on enterprise risk management concepts, facilitate risk-based workshops, and provide tools and techniques to help managers analyze risks and design control activities.104AppendixACKNOWLEDGMENTSThe COSO Board, Advisory Council, and PricewaterhouseCoopers LLP gratefully acknowledge the many individuals who gave their time and energy to participating in and contributing to various aspects of the application techniques. Also recognized are the considerable efforts of the COSO organizations and their members who responded to surveys, participated in workshops and meetings, and provided comments and feedback throughout the development of these application techniques.The following PricewaterhouseCoopers partners and staff provided important input to these application techniques: Dick Anderson, Jeffrey Boyle, Glenn Brady, Michael Bridge, John Bromfield, Gary Chamblee, Nicholas Chipman, John Copley, Michael de Crespigny, Stephen Delvecchio, Carlo di Florio, Scott Dillman, P. Gregory Garrison, Bruno Gasser, Suzanne Holifield, Susan Kenney, Brian Kinman, Robert Lamoureux, James LaTorre, Mike Maali, Jorge Manoel, Cathy McKeon, Juan Pujadas, Richard Reynolds, Sonny Sonnenstein, Mark Stephen, Robert Sullivan, Jeffrey Thompson, John Tomac, and Shyam Venkat. Thanks go to Myra Cleary for her editorial guidance.Also making an important contribution to this document is Kathleen H.J. Leibfried, Senior Global Operational Risk Director, Citigroup Private Bank.105
Information and Communication

Information and Communication

Question # 00047910 Posted By: solutionshere Updated on: 02/11/2015 01:50 AM Due on: 02/11/2015
Subject General Questions Topic General General Questions Tutorials:
Question
Dot Image

 Accounting Information Systems

COSO Information and Communication

Deliverable

· Typed paper, half page, for answers to questions 2 and 3

· Three separate reports; one each for the Vice President of Sales, Sales Department Manager, and company President (1.5 to 2 pages each for each report.)

· You must properly cite your sources in the paper and include a bibliography. (APA)

· Total pages: 6 pages, for answers to questions 2, 3, and 4)

Assignment

1. Read Information and Communication, pages 67-74, in the COSO ERM Integrated Framework.

2. Identify and explain the elements that determine quality of information, as listed in the COSO ERM Integrated Framework.

3. In your opinion, can and must all elements of quality information be simultaneously achieved for information to be useful? Are compromises ever necessary or acceptable? Explain why or why not.

4. You are the corporate controller, and must prepare a report for each of the positions identified below.

a. Vice President of Sales

b. Sales Department manager

c. President of the Company

Review the “Budget Example” Excel workbook. Create a report to summarize, analyze, or explain the budget numbers. I want you to actually prepare the reports; don’t just describe what the report would look like. Each report should include data and analysis.

The reports do not need to be long and tedious. Begin by identifying what information is relevant and useful for each person, in their respective official positions. You do not need to (and should not) use all the information in the Excel budgets.

You may prepare the reports in Excel or Word. You may invent any details or make any assumptions you choose. There is no right or wrong regarding the story you choose to tell with the data. The numbers are not the important part of this assignment.

References below may help you determine how to prepare the reports. You may also find your own sources.

Using Graphs and Visuals to Present Financial Information

Displaying Data with Graphs

Teaching Graphics for Communication

How to Write a Business Report, Business Memo and Business Email

Effective Business Report Writing

Report Writing - How to Format a Business Report

How to Write an Effective Report | eHow.com

How to Write a Business Report | eHow.com

How to Write a Formal Business Report | eHow.com

How to Write an Informal Business Report | eHow.com

How to Write a Short Report to the General Manager | eHow.com

How to Write Business & Technical Reports | eHow.com

Purdue OWL: Effective Workplace Writing

Purdue OWL: Audience Analysis

Purdue OWL: Prioritizing Your Concerns for Effective Business Writing

Purdue OWL: HATS: A Design Procedure for Routine Business Documents

Purdue OWL: Business Letters: Accentuating the Positives

Purdue OWL: Memos

The Purdue OWL: Professional, Technical Writing

The Purdue OWL: Tone in Business Writing

Types of Graphs and Charts

Business Charts

Writing a Business Report

Why Charts and Graphs Help

Dot Image
Attachments
330021.xlsx (29.75 KB)
330022.docx (3340.93 KB)
Tutorials for this Question
  1. solutionshere
    Tutorial # 00045722 Posted By: solutionshere Posted on: 02/11/2015 01:53 AM
    Puchased By: 3
    Tutorial Preview
    precise information so that relevant decisions derived out of it ...
      Get the Solution
    Attachments
    194002.docx (22.35 KB)
    194003.docx (16.96 KB)
    chupter.docx (40.13 KB)
    chupter_1.docx (24.36 KB)
    chupter_2.docx (18.57 KB)
Whatsapp Lisa