Enterprise Risk Management
Enterprise risk management (ERM) is the process of planning, organizing, leading and controlling the activities of an organization so as to minimize the effect of risk on its capital and earnings. Its aim is to help the organization identify, understand, evaluate and act on its risks, increasing the probability of success and reducing the likelihood and impact of failure. ERM gives shareholders, customers, employees and other stakeholders assurance that the business is being managed effectively, and it helps the organization demonstrate compliance with corporate governance requirements.
Legal requirements with respect to risk management
In India there is no statutory requirement to have an Enterprise Risk Management (ERM) framework in place. However, the Companies Act 2013 imposes certain requirements with respect to risk management, and the SEBI (LODR) Regulations 2015 vest the board and the audit committee with specific responsibilities for assessing the robustness of the risk management policy, process and systems.
Key Compliance Requirements (The Companies Act, 2013)
Section 134(3)(n) – Board: There shall be attached to the financial statements laid before a company in general meeting a report by its Board of Directors, which shall include a statement indicating the development and implementation of a risk management policy for the company, including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
Schedule IV [Section 149(8)] – Independent Directors: Among the role and functions listed in the Code, independent directors shall:
(1) Help in bringing an independent judgement to bear on the Board’s deliberations, especially on issues of strategy, performance, risk management, resources, key appointments and standards of conduct;
(4) Satisfy themselves on the integrity of financial information and that financial controls and the systems of risk management are robust and defensible.
Section 177(4) – Audit Committee: Every Audit Committee shall act in accordance with the terms of reference specified in writing by the Board, which shall, inter alia, include evaluation of internal financial controls and risk management systems (clause (vii)).
Key Compliance Requirements (SEBI (LODR) Regulations, 2015)
Regulation 17(9) – Board of Directors: It provides that -
(a) The listed entity shall lay down procedures to inform members of the board about risk assessment and minimization procedures.
(b) The board shall be responsible for framing, implementing and monitoring the risk management plan for the listed entity.
Regulation 21 - Risk Management Committee: It provides that -
(1) The board of directors shall constitute a Risk Management Committee.
(2) The majority of the members of the Risk Management Committee shall be members of the board.
(3) The Chairperson of the Risk Management Committee shall be a member of the board of directors, and senior executives of the listed entity may be members of the committee.
(4) The board shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee, along with such other functions as it may deem fit.
(5) The provisions of this regulation apply to the top 500 listed entities, determined on the basis of market capitalisation as at the end of the immediately preceding financial year. (This threshold was 100 when the regulations were first issued and has since been widened by amendment to the top 1000 listed entities; check the current text of Regulation 21 before relying on it.)
Board Disclosures as per Clause 49 of the Listing Agreement – Risk management: The company shall lay down procedures to inform board members about the risk assessment and minimization procedures. These procedures shall be periodically reviewed to ensure that executive management controls risk through a properly defined framework. (Clause 49 belongs to the erstwhile Listing Agreement; it has been superseded by the SEBI (LODR) Regulations 2015, which carry the same requirement in Regulation 17(9).)
Strategy to implement Enterprise Risk Management (ERM)
ERM is an integrated and continuous process for managing enterprise-wide risks, including strategic, financial, operational, compliance and reputational risks, in order to minimize unexpected performance variance and maximize intrinsic firm value. The process enables the board and management to make better-informed risk/return decisions by addressing the fundamental requirements of governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting.
The following are the five key steps to develop and implement an effective ERM framework:
Step 1: Setting objectives and risk appetite
Before an organization can begin to identify risks, a clear set of objectives must exist. Once these objectives are set, the company must have a clear philosophy towards ERM. That philosophy is shaped by the company’s risk appetite, the environment the company operates in and its code of ethics. Risk appetite is the amount of risk the company is willing to accept in pursuit of its objectives; it is the key structure linking risk management, strategy and target setting. Every organization pursues different aims in adding value, and should explicitly recognize the level of risk it is prepared to accept in doing so.
Step 2: Risk identification and documentation
Through risk identification, an organization examines the activities and places where its resources are exposed to risk. If risk managers fail to identify all the potential losses or gains facing the organization, the unidentified risks cannot be managed. The results of risk identification are normally documented in a Risk Register, which lists the identified risks together with their sources, potential risk responses and risk categories. This information feeds risk analysis, which in turn supports the design of risk responses. An effective risk identification process should include the following:
• Creating a systematic process
• Gathering information from various sources
• Applying risk identification tools and techniques
• Documenting the risks and the risk identification process
[Figure: the ERM process cycle - Objective & Risk Appetite → Risk Identification → Risk Assessment → Risk Response → Risk Monitoring]
Step 3: Risk assessment
Identifying risks is not enough; the impact of each risk must be understood, along with its probability within an estimated time-frame. The next task is therefore to assess the documented risks in terms of their likelihood and estimated significance. Risk assessment is how an enterprise gets a handle on how significant each risk is to the achievement of its overall goals. The assessment process is as follows:
• Develop assessment criteria
• Assess risks and risk interactions
• Prioritize risks and the responses to them
• Maintain an effective and sustainable risk assessment process
Step 4: Risk response
Risk response is intended to determine how to respond to the high-priority risks. It falls to management to carefully review the probability and estimated impact of each risk, and to weigh the associated costs and benefits, in developing an appropriate risk response strategy. Risk responses fall into four categories:
• Risk avoidance
• Risk retention/absorption
• Risk reduction
• Risk transfer
Step 5: Risk monitoring
Identifying risks isn’t something that’s done once – like continuous improvement, it’s an ongoing process. The
context in which certain risks are identified is constantly changing, and as such risks need to be monitored to
continually determine the significance they represent. Organizations need proper systems in place to monitor
and respond to changes in circumstances and adequately determine if identified risks still pose a threat.
Global framework for Enterprise Risk Management (ERM)
Over the years various ERM frameworks have been developed worldwide. The two most widely used are the COSO ERM 2017 Framework and ISO 31000:2018.
COSO ERM 2017 Framework
COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission. COSO is best known for its Internal Control - Integrated Framework, which organizations use to assess internal control, including internal control over financial reporting. Its separate ERM framework, first published in 2004, applies a risk management approach across the whole organization rather than only to internal controls; it is updated to keep pace with changes in the risk environment of businesses, the most recent update being the 2017 edition, "Enterprise Risk Management - Integrating with Strategy and Performance".
The framework consists of 20 principles grouped under five components. These principles cover everything from governance to monitoring. They are manageable in number, and they describe practices that can be applied in different ways by organizations of any size, type or sector. Adhering to them gives management and the board a reasonable expectation that the organization understands and is managing the risks associated with its strategy and business objectives.
COSO ERM 2017 provides a framework for boards and management in entities of all sizes. It builds on the level of risk management that already exists in the normal course of business and shows how integrating ERM practices throughout an entity helps to accelerate growth and enhance performance. Its principles apply from strategic decision-making through to performance. Below is a summary of why it makes sense for management and boards to use the framework, and what organizations have achieved by applying ERM.
Management’s Guide - Management holds overall responsibility for managing risk to the entity, but it is important for management to go further: to enhance the conversation with the board and stakeholders about using ERM to gain a competitive advantage. ERM gives management greater confidence that it has examined alternative strategies and considered the input of the people in the organization who will implement the strategy selected.
The Board’s Guide - Every board has an oversight role, helping to support the creation of value in an entity and to prevent its decline. Traditionally, ERM has played a strong supporting role at board level. The framework supplies important considerations for boards in defining and discharging their risk oversight responsibilities. These considerations are governance and culture; strategy and objective-setting; performance; information, communication and reporting; and the review and revision of practices to enhance entity performance.
ISO 31000:2018
ISO 31000 is built on the premise that the purpose of risk management is to create and protect value. This makes it necessary for an organization to integrate ERM into its systems of accountability and sustainability, so that the risks involved in its decisions are evaluated before they are taken. To make the ERM system effective, it should be designed as a systematic, timely and structured process that incorporates the information needed for risk management. In 2018 ISO re-released the ISO 31000 standard, with the new version giving streamlined definitions built around eight principles:
1. Integrated: Risk management is an integral part of all organizational activities.
2. Structured and comprehensive: A structured and comprehensive approach to risk management
contributes to consistent and comparable results.
3. Customized: The risk management framework and process are customized and proportionate to the
organization’s external and internal context related to its objectives.
4. Inclusive: Appropriate and timely involvement of stakeholders enables their knowledge, views and
perceptions to be considered. This results in improved awareness and informed risk management.
5. Dynamic: Risks can emerge, change or disappear as an organization’s external and internal context
changes. Risk management anticipates, detects, acknowledges and responds to those changes and events
in an appropriate and timely manner.
6. Best available information: The inputs to risk management are based on historical and current
information, as well as on future expectations.
7. Human and cultural factors: Human behavior and culture significantly influence all aspects of risk
management at each level and stage.
8. Continual improvement: Risk management is continually improved via learning & experience.
The first five principles provide guidance on how a risk management initiative should be designed, and principles six, seven and eight relate to its operation. These latter principles confirm that the best available information should be used, that human and cultural factors should be considered, and that the risk management arrangements should ensure continual improvement. The organization’s risk management process should involve the systematic application of policies, procedures and practices to the activities of communicating and consulting, establishing the context, assessing, treating, monitoring, reviewing, recording and reporting risk.
How ISO 31000:2018 and the COSO ERM Framework 2017 complement each other in implementing the ERM process:
The COSO and ISO frameworks for ERM complement each other. ISO 31000 offers broader directives that enable organizations to fit COSO’s ERM principles into their overarching corporate governance. The table below shows how the ERM process described in the two frameworks differs in terminology but is closely aligned in substance, mapped against the five implementation steps above:
Step for implementing ERM / ISO 31000:2018 Framework (process) / COSO ERM 2017 Framework (components and principles)

I. Objectives and Risk Appetite
   ISO 31000:2018:
   1. Scope, context and criteria (establishing the context): define the scope; establish the external and internal context; define the risk criteria
   2. Communication and consultation: information for oversight and decision-making; considering different views; bringing different areas of expertise together
   COSO ERM 2017:
   1. Governance and Culture: exercises board risk oversight; establishes operating structures; defines desired culture; demonstrates commitment to core values; attracts, develops and retains capable individuals
   2. Strategy and Objective-Setting: analyzes business context; defines risk appetite; evaluates alternative strategies; formulates business objectives

II. Risk Identification and Documentation, and
III. Risk Assessment
   ISO 31000:2018:
   3. Risk assessment: risk identification; risk analysis; risk evaluation
   COSO ERM 2017:
   3. Performance: identifies risk; assesses severity of risk; prioritizes risks; implements risk responses; develops portfolio view

IV. Risk Response
   ISO 31000:2018:
   4. Risk treatment: select treatment options; prepare and implement treatment plans
   COSO ERM 2017:
   3. Performance (continued): implements risk responses

V. Risk Monitoring
   ISO 31000:2018:
   5. Monitoring and review: planning, gathering and analysing information; recording results; providing feedback
   6. Recording and reporting: communicate risk activities; provide information for decision-making; assist interaction with stakeholders
   COSO ERM 2017:
   4. Review and Revision: assesses substantial change; reviews risk and performance; pursues improvement in ERM
   5. Information, Communication and Reporting: leverages information and technology; communicates risk information; reports on risk, culture and performance
Although the two frameworks complement each other, they have both similarities and differences, as described below:
Similarities
• Rather than merely limiting negative risks, both standards encourage informed risk-taking.
• Both are guidance standards and neither is certifiable.
• Both embed risk management in the decision-making process.
Differences
• The ISO standard is short and structured, whereas COSO is longer, includes more visuals and does not follow a formal standards structure.
• ISO 31000 was developed with the participation of members from more than 70 countries, whereas most of the contribution to COSO 2017 came from the US.
• COSO places more emphasis on corporate governance, whereas ISO focuses almost exclusively on risk and on incorporating it into the strategic planning process.
• COSO is targeted more at people in accounting and audit, whereas ISO 31000 is written for anyone interested in risk management.
Conclusion:
In the wake of dynamic market conditions and regulatory initiatives, protecting shareholders’ interests from various risks is becoming a top priority for management across industries. Perceptions of a company are shaped by the risks it faces and the manner in which those risks are managed. While no business is immune to risk, managing it so as to create sustainable shareholder value is the critical challenge. Enterprise Risk Management (ERM) is a systematic and methodical approach to identifying and managing an organization’s risks, and it provides a practical and tested method for aligning risk appetite with strategy. Effective risk management therefore delivers adequate protection against risk and allows the organization to convert risks into opportunities.

More Related Content

What's hot

Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and control
Erwin Morales
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
Dion K Hamilton
 
Testing value creation through erm maturity
Testing value creation through erm maturityTesting value creation through erm maturity
Testing value creation through erm maturity
Mbuthiac Mbuthiac
 
IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013
Susan Young
 
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
prosenzw69
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...
Hassan Zaitoun
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Process
regio12
 
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Tim Leech
 

What's hot (20)

An approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preetiAn approach to erm in the insurance industry apria 2002 rama warrier&preeti
An approach to erm in the insurance industry apria 2002 rama warrier&preeti
 
Risk management standard_030820
Risk management standard_030820Risk management standard_030820
Risk management standard_030820
 
Pp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and controlPp the three lines of defense in effective risk management and control
Pp the three lines of defense in effective risk management and control
 
Risk management
Risk managementRisk management
Risk management
 
Role and responsibility of risk manager
Role and responsibility of risk managerRole and responsibility of risk manager
Role and responsibility of risk manager
 
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_NewsletterSTRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
STRATEGIC RISK ADVISORY SOLUTIONS_Risk Management_Newsletter
 
Risk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAHRisk Based Audit Training by TOMMY SEAH
Risk Based Audit Training by TOMMY SEAH
 
Developing an Effective Enterprise Risk Capability
Developing an Effective Enterprise Risk CapabilityDeveloping an Effective Enterprise Risk Capability
Developing an Effective Enterprise Risk Capability
 
Testing value creation through erm maturity
Testing value creation through erm maturityTesting value creation through erm maturity
Testing value creation through erm maturity
 
Enterprise Risk Management and Sustainability
Enterprise Risk Management and SustainabilityEnterprise Risk Management and Sustainability
Enterprise Risk Management and Sustainability
 
IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013IRM SIG What does the Second Line of Defence look like post SII July 2013
IRM SIG What does the Second Line of Defence look like post SII July 2013
 
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
UCI Exec. MBA & Forum for Corp. Directors July 2009 - Board Governance: E...
 
A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...A structured approach to Enterprise Risk Management (ERM) and the requirement...
A structured approach to Enterprise Risk Management (ERM) and the requirement...
 
DMI Finance - Risk management policy
DMI Finance - Risk management policyDMI Finance - Risk management policy
DMI Finance - Risk management policy
 
Enterprise Risk Management
Enterprise Risk ManagementEnterprise Risk Management
Enterprise Risk Management
 
Enterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management ProcessEnterprise Risk Management as a Core Management Process
Enterprise Risk Management as a Core Management Process
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
Enterprise Risk Management
Enterprise Risk Management Enterprise Risk Management
Enterprise Risk Management
 
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
Paradigm Paralysis in ERM & IA EB7_p48-51 Tim Leech v2
 
Enterprise risk management summary approach guide
Enterprise risk management summary approach guideEnterprise risk management summary approach guide
Enterprise risk management summary approach guide
 

Similar to Erm whitepaper (2)

Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
abdo badr
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
deeptica
 
Enterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and PerEnterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and Per
TanaMaeskm
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
David Fernandes
 

Similar to Erm whitepaper (2) (20)

Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdfSun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
Sun-Pharma-Risk-Management-Policy-Synopsis-May-2022.pdf
 
ERM ppt.pptx
ERM ppt.pptxERM ppt.pptx
ERM ppt.pptx
 
COSO ERM
COSO ERMCOSO ERM
COSO ERM
 
Coso Erm(2)
Coso Erm(2)Coso Erm(2)
Coso Erm(2)
 
PwC GN10 risk committees 2016
PwC GN10 risk committees 2016PwC GN10 risk committees 2016
PwC GN10 risk committees 2016
 
Practical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal AuditPractical approach to Risk Based Internal Audit
Practical approach to Risk Based Internal Audit
 
Implementing an Enterprise Risk Management Program | Cyberroot Risk Advisory
Implementing an Enterprise Risk Management Program | Cyberroot Risk AdvisoryImplementing an Enterprise Risk Management Program | Cyberroot Risk Advisory
Implementing an Enterprise Risk Management Program | Cyberroot Risk Advisory
 
Enterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and PerEnterprise Risk Management Integrating with Strategy and Per
Enterprise Risk Management Integrating with Strategy and Per
 
Super Strategies 2014 Risk Strategy Presentation
Super Strategies 2014  Risk Strategy PresentationSuper Strategies 2014  Risk Strategy Presentation
Super Strategies 2014 Risk Strategy Presentation
 
A to Z of Risk Management
A to Z of Risk ManagementA to Z of Risk Management
A to Z of Risk Management
 
Erm talking points
Erm talking pointsErm talking points
Erm talking points
 
7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management Program7 Key Elements Of An Enterprise Risk Management Program
7 Key Elements Of An Enterprise Risk Management Program
 
Enterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practiceEnterprise Risk Management (ERM); From theory to practice
Enterprise Risk Management (ERM); From theory to practice
 
Enterprise risk management
Enterprise risk managementEnterprise risk management
Enterprise risk management
 
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
2017 coso-erm-integrating-with-strategy-and-performance-executive-summary
 
insurance-busines.pdf
insurance-busines.pdfinsurance-busines.pdf
insurance-busines.pdf
 
Risk Management Maturity Model (RMMM)
Risk Management Maturity Model (RMMM)Risk Management Maturity Model (RMMM)
Risk Management Maturity Model (RMMM)
 
COSO_ERM.ppt
COSO_ERM.pptCOSO_ERM.ppt
COSO_ERM.ppt
 
COSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORECOSO Vs ERM - NMIMS INDORE
COSO Vs ERM - NMIMS INDORE
 
Enterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G NayakEnterprise risk management-Yashvanth G Nayak
Enterprise risk management-Yashvanth G Nayak
 

Recently uploaded

Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
Nimot Muili
 
internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamra
AllTops
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard Brown
SandaliGurusinghe2
 
Agile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptxAgile Coaching Change Management Framework.pptx
Agile Coaching Change Management Framework.pptx
alinstan901
 
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTECAbortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Jeddah |• +966572737505 ] GET CYTOTEC
Abortion pills in Riyadh +966572737505 get cytotec
 

Recently uploaded (17)

Beyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable developmentBeyond the Codes_Repositioning towards sustainable development
Beyond the Codes_Repositioning towards sustainable development
 
Safety T fire missions army field Artillery
Safety T fire missions army field ArtillerySafety T fire missions army field Artillery
Safety T fire missions army field Artillery
 
internship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamrainternship thesis pakistan aeronautical complex kamra
internship thesis pakistan aeronautical complex kamra
 
How Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptxHow Software Developers Destroy Business Value.pptx
How Software Developers Destroy Business Value.pptx
 
International Ocean Transportation p.pdf
International Ocean Transportation p.pdfInternational Ocean Transportation p.pdf
International Ocean Transportation p.pdf
 
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professionalW.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
W.H.Bender Quote 62 - Always strive to be a Hospitality Service professional
 
Strategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal AnalsysisStrategic Management, Vision Mission, Internal Analsysis
Strategic Management, Vision Mission, Internal Analsysis
 
The Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard BrownThe Psychology Of Motivation - Richard Brown
The Psychology Of Motivation - Richard Brown
 
Intro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptxIntro_University_Ranking_Introduction.pptx
Intro_University_Ranking_Introduction.pptx
 
digital Human resource management presentation.pdf

Erm whitepaper (2)
