Saturday, May 20, 2006

Enterprise risk management and the role of the management accountant

Management accountant: an accountant of the future for governance, both in the corporate world and in government.

The underlying premise of enterprise risk management is that every entity exists to provide
value for its stakeholders. All entities face uncertainty, and the challenge for management is
to determine how much uncertainty to accept as it strives to grow stakeholder value.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise risk management enables management to effectively deal with uncertainty and
associated risk and opportunity, enhancing the capacity to build value.
Value is maximized when management sets strategy and objectives to strike an optimal
balance between growth and return goals and related risks, and efficiently and effectively
deploys resources in pursuit of the entity’s objectives. Enterprise risk management
encompasses:
• Aligning risk appetite and strategy – Management considers the entity’s risk appetite
in evaluating strategic alternatives, setting related objectives, and developing
mechanisms to manage related risks.
• Enhancing risk response decisions – Enterprise risk management provides the rigor to
identify and select among alternative risk responses – risk avoidance, reduction,
sharing, and acceptance.
• Reducing operational surprises and losses – Entities gain enhanced capability to
identify potential events and establish responses, reducing surprises and associated
costs or losses.
• Identifying and managing multiple and cross-enterprise risks – Every enterprise faces
a myriad of risks affecting different parts of the organization, and enterprise risk
management facilitates effective response to the interrelated impacts, and integrated
responses to multiple risks.
• Seizing opportunities – By considering a full range of potential events, management is
positioned to identify and proactively realize opportunities.
• Improving deployment of capital – Obtaining robust risk information allows
management to effectively assess overall capital needs and enhance capital allocation.
These capabilities inherent in enterprise risk management help management achieve the
entity’s performance and profitability targets and prevent loss of resources. Enterprise risk
management helps ensure effective reporting and compliance with laws and regulations, and
helps avoid damage to the entity’s reputation and associated consequences. In sum, enterprise
risk management helps an entity get to where it wants to go and avoid pitfalls and surprises
along the way.

Events can have negative impact, positive impact, or both. Events with a negative impact
represent risks, which can prevent value creation or erode existing value. Events with
positive impact may offset negative impacts or represent opportunities. Opportunities are the
possibility that an event will occur and positively affect the achievement of objectives,
supporting value creation or preservation. Management channels opportunities back to its
strategy or objective-setting processes, formulating plans to seize the opportunities.

Enterprise risk management deals with risks and opportunities affecting value creation or
preservation, defined as follows:
Enterprise risk management is a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and manage
risk to be within its risk appetite, to provide reasonable assurance regarding the
achievement of entity objectives.
The definition reflects certain fundamental concepts. Enterprise risk management is:
• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level
portfolio view of risk
• Designed to identify potential events that, if they occur, will affect the entity and to
manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board of
directors
• Geared to achievement of objectives in one or more separate but overlapping
categories
This definition is purposefully broad. It captures key concepts fundamental to how
companies and other organizations manage risk, providing a basis for application across
organizations, industries, and sectors. It focuses directly on achievement of objectives
established by a particular entity and provides a basis for defining enterprise risk management
effectiveness.

Within the context of an entity’s established mission or vision, management establishes
strategic objectives, selects strategy, and sets aligned objectives cascading through the
enterprise. This enterprise risk management framework is geared to achieving an entity’s
objectives, set forth in four categories:
• Strategic – high-level goals, aligned with and supporting its mission
• Operations – effective and efficient use of its resources
• Reporting – reliability of reporting
• Compliance – compliance with applicable laws and regulations.
This categorization of entity objectives allows a focus on separate aspects of enterprise risk
management. These distinct but overlapping categories – a particular objective can fall into
more than one category – address different entity needs and may be the direct responsibility of
different executives. This categorization also allows distinctions between what can be
expected from each category of objectives. Another category, safeguarding of resources, used
by some entities, also is described.
Because objectives relating to reliability of reporting and compliance with laws and
regulations are within the entity’s control, enterprise risk management can be expected to
provide reasonable assurance of achieving those objectives. Achievement of strategic
objectives and operations objectives, however, is subject to external events not always within
the entity’s control; accordingly, for these objectives, enterprise risk management can provide
reasonable assurance that management, and the board in its oversight role, are made aware, in
a timely manner, of the extent to which the entity is moving toward achievement of the
objectives.

Enterprise risk management consists of eight interrelated components. These are derived
from the way management runs an enterprise and are integrated with the management
process. These components are:
• Internal Environment – The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity’s
people, including risk management philosophy and risk appetite, integrity and ethical
values, and the environment in which they operate.
• Objective Setting – Objectives must exist before management can identify potential
events affecting their achievement. Enterprise risk management ensures that
management has in place a process to set objectives and that the chosen objectives
support and align with the entity’s mission and are consistent with its risk appetite.
• Event Identification – Internal and external events affecting achievement of an entity’s
objectives must be identified, distinguishing between risks and opportunities.
Opportunities are channeled back to management’s strategy or objective-setting
processes.
• Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis
for determining how they should be managed. Risks are assessed on an inherent and a
residual basis.
• Risk Response – Management selects risk responses – avoiding, accepting, reducing,
or sharing risk – developing a set of actions to align risks with the entity’s risk
tolerances and risk appetite.
• Control Activities – Policies and procedures are established and implemented to help
ensure the risk responses are effectively carried out.
• Information and Communication – Relevant information is identified, captured, and
communicated in a form and timeframe that enable people to carry out their
responsibilities. Effective communication also occurs in a broader sense, flowing
down, across, and up the entity.
• Monitoring – The entirety of enterprise risk management is monitored and
modifications made as necessary. Monitoring is accomplished through ongoing
management activities, separate evaluations, or both.
Enterprise risk management is not strictly a serial process, where one component affects only
the next. It is a multidirectional, iterative process in which almost any component can and
does influence another.
Relationship of Objectives and Components
There is a direct relationship between objectives, which are what an entity strives to achieve,
and enterprise risk management components, which represent what is needed to achieve them.
The relationship is depicted in a three-dimensional matrix, in the form of a cube.

The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns, the eight components by horizontal rows, and an entity’s units by the third dimension. This depiction portrays the ability to focus on the entirety of an entity’s enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.
Effectiveness
Determining whether an entity’s enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight
components are present and functioning effectively. Thus, the components are also criteria
for effective enterprise risk management. For the components to be present and functioning
properly there can be no material weaknesses, and risk needs to have been brought within the
entity’s risk appetite.
When enterprise risk management is determined to be effective in each of the four categories
of objectives, respectively, the board of directors and management have reasonable assurance
that they understand the extent to which the entity’s strategic and operations objectives are
being achieved, and that the entity’s reporting is reliable and applicable laws and regulations
are being complied with.
The eight components will not function identically in every entity. Application in small and
mid-size entities, for example, may be less formal and less structured. Nonetheless, small
entities still can have effective enterprise risk management, as long as each of the components
is present and functioning properly.
Limitations
While enterprise risk management provides important benefits, limitations exist. In addition
to factors discussed above, limitations result from the realities that human judgment in
decision making can be faulty, decisions on responding to risk and establishing controls need
to consider the relative costs and benefits, breakdowns can occur because of human failures
such as simple errors or mistakes, controls can be circumvented by collusion of two or more
people, and management has the ability to override enterprise risk management decisions.
These limitations preclude a board and management from having absolute assurance as to
achievement of the entity’s objectives.
Internal control is an integral part of enterprise risk management. This enterprise risk
management framework encompasses internal control, forming a more robust
conceptualization and tool for management. Internal control is defined and described in
Internal Control – Integrated Framework. Because that framework has stood the test of time
and is the basis for existing rules, regulations, and laws, that document remains in place as the
definition of and framework for internal control. While only portions of the text of Internal
Control – Integrated Framework are reproduced in this framework, the entirety of that
framework is incorporated by reference into this one.
Roles.
(Compiled from an online source.)