IMPLEMENTATION ERM


IMPLEMENTING ERM

The COSO framework defines Enterprise Risk Management (ERM) as a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. ERM includes the following activities: 
  •  Determining the risk appetite. 
  •  Establishing an appropriate internal environment, including a risk management policy and framework. 
  •  Identifying potential threats to the achievement of its objectives and assessing the risk, i.e., the impact and likelihood of the threat occurring. 
  •  Undertaking control and other response activities. 
  •  Communicating information on risks in a consistent manner at all levels in the organization. 
  •  Centrally monitoring and coordinating the risk management processes and their outcomes. 
  •  Providing assurance on the effectiveness with which risks are managed. 
The term 'risk appetite' used in the above definition refers to the extent of risk that the Board is willing to take in pursuit of its objectives. Risk appetite is set at different levels, viz. for the organization as a whole at the entity level, at the process level, for different risk groups, and for individual key risks. Risk appetite provides a standard against which a risk can be compared; where a risk is above the risk appetite, it is considered a threat to the reasonable assurance that the objective will be achieved.

Risk appetite is normally set lower than the risk capacity; with an aggressive Board, however, the risk appetite can be higher than the risk capacity. For example, the Board may decide to use, for short-term operational purposes, cash flow that had been earmarked for payment of the quarterly installment of taxes. This could result in a default of payment on the due date and hence becomes a significant risk which needs to be covered by the internal auditor and reported upon, even though the risk may be within the risk appetite. In the normal course, however, internal auditors are expected to take the risk appetite as a given, and evaluating the risk appetite is out of audit scope. Internal auditors can nevertheless undertake a consulting activity of assisting the Board in fixing the risk appetite and documenting it.

ERM is a new approach to the way organizations assess, manage and communicate business risks. By helping organizations climb the risk maturity scale, ERM makes a major contribution towards helping an organization manage risks so as to achieve its objectives. ERM helps an organization become a risk-managed business.

An ERM policy is first put in place, defining the guiding principles, the responsibility of line management for ERM, and the broad activities covered by the risk management processes. A risk management framework to implement the ERM policy is then finalized, setting out the activities which need to be carried out, and how they are to be carried out, under three processes, viz.
  •  Risk assessment. 
  •  Risk management. 
  •  Risk communication. 
Implementation is facilitated by a risk manager, or by the internal auditor as a consulting assignment. Subsequently, risk-based internal audit is carried out.
