1. By CA Huzeifa I. Unwala
Enterprise Risk Management – Basics, Application,
Implementation & Audit Linkages
February 09 2013

2. SECTION I
Pre-cursor

3. “Risk is a part of God's game, alike for men and nations.”
- Warren Buffet
“Hope for the best but prepare for the worst”
- Anonymous

4. • Olympics organizers and the IOC have wisely leveraged the business world's growing
understanding of risk management. "Risk-based" approaches to planning for the Vancouver
2010 Winter Olympics and the London 2012 Summer Olympics (confirmed through
research interviews with senior officials) reveal the strong influence of the ideas and
practice of risk management, for example in the creation of risk registers (i.e. databases)
and monitoring systems put in place to spot issues that pose potential dangers further down
the line.
• Ensuring readiness for Games-time (in Olympic-speak) now involves strategic pre-emption
through stress-testing and scenario planning. Table-top 'gaming' exercises at the top of the
chain of command and practical training of personnel through rehearsals are routine across
many of the diverse functions of Olympic operations. In the months leading up to London
2012, for example, visible military rehearsals were staged on the River Thames in addition
to many test events performed on the main site. Ahead of Vancouver 2010, IT planning
identified around six hundred scenarios for rehearsals in a formal playbook which also
documented procedures to follow in the event of an incident.
The Olympics Risk Management Case Study

5. “Ability to anticipate is the key element in risk management”
“It has two dimensions – potential damage and opportunity”
Simplified version of Risk Management

6. SECTION II
ERM

7. Enterprise Risk Management
The Committee of Sponsoring Organizations, known as COSO, defines enterprise risk
management (ERM) as:
“…A process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise, designed to identify potential events that
may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity objectives.”
Annexure I (IV) (C)
The company shall lay down procedures to inform board
members about the risk assessment and minimization
procedures. These procedures shall be periodically reviewed
to ensure the executive management controls risks through
means of a properly defined framework
Annexure I (IV) (F)
Management discussion and analysis report should include
discussion on the risk and concerns within the limits set by the
company’s competitive position
India :: Clause 49 of listing agreement
• ISO 31000
• COSO/ COBIT/IIA
Global references
• Business Value Creation & Risk Management
• Decision making
• Project Management
• Assurance
• Governance
Practical Applications

8. • Economic uncertainty & price volatility
• Monitoring and performance management
• Lack of appreciation of common business issues
• Integrated Planning
• Effective Statutory & Internal Audit
Need for Business Risk Management
• Low tolerance for surprises
• Need to increase transparency
• Need to respond on a real time basis
• Need to empower employees to take informed decisions
• Create an environment for Value creation

9. Results of an opinion poll on practical benefits of ERM

10. GOOD BOARD PRACTICES
 Clearly defined roles and authorities
 Duties and responsibilities of directors understood
 Board is well structured
 Appropriate composition and mix of skills
 Appropriate board procedures
 Director remuneration in-line with best practice
 Board self-evaluation and training conducted
CONTROL ENVIRONMENT
 Independent audit committee established
 Risk-management framework present
 Internal control procedures
 Internal audit function
 Independent external auditor conducts audits
 Management information systems established
 Compliance function established
BOARD COMMITMENT
 The board discusses corporate governance issues and has created
corporate governance committee
 The company has a corporate governance champion
 A corporate governance improvement plan has been created
 Appropriate resources are committed
 Policies and procedures have been formalized and distributed to
relevant staff
 A corporate governance code has been developed
 The company is publicly recognized as a corporate governance
leader
TRANSPARENT DISCLOSURE
 Financial information disclosed
 Non-financial information disclosed
 Financials prepared according to IFRS
 High-quality annual report published
 Web-based disclosure
WELL DEFINED SHAREOWNER RIGHTS
 Minority shareowner rights are formalized
 Well-organized general assembly conducted
 Policy on related-party transactions
 Policy on extraordinary transactions
 Clearly defined and explicit dividend policy
ERM a pillar of good corporate governance

11. Enterprise Risk Management
Source: COSO
• Each business entity is unique, each life
stage is unique, one size does not fit all.
Risk Management is all about tailoring and
customization.
• Successfully running a business is like
mastering the art of risk management
which enables entities to reduce the level
of uncertainty and brings in an element of
predictability. ERM is not about holding the
businesses back and scaring them away
from taking risks it is making them
cognizant of the risk and opportunities to
conduct business in a smarter way.

12. Establish the context
• Set the objectives
• Gather the
expectations of the
stakeholders
• Define the risk and
reward criteria and key
elements
ERM process
Identify the risks
• What can happen?
• How it can happen?
Analyse the risks
• Review controls
• Likelihood
• Consequences
• Level of risk
Evaluate the risks
• Screen and evaluate
• Rank and prioritise
Treat the risks
• Identify options
• Select the best
response
• Develop plans
• Implement

13. ERM Processes /
Approach
ERM Structure
ERM Framework

14. Risk Identification
and Assessment
1
Risk Identification
• Understand the objective and strategy of organization
• Identify the focus areas to guide the risk management activities (strategic business
unit and business support areas)
• Conduct executive interviews at all business units to develop an overall company
specific risk model (An “As Is” Analysis)
• Develop Risk Universe
• Map the risks to the focus areas
• Use agreed-upon rating scales to assess Significance, Likelihood, and Risk
Management Capabilities for identified risks
Risk Assessment and Prioritization
• Conduct risk assessment voting workshops to identify and prioritize risks and discuss
potential risk events and strategies to better manage identified risks
• Develop risk heat maps to prioritize risks
Risk Model Development
• Risk Model
• Risk Universe & Risk Register
• Risk Heat Maps (Group wise & Entity wise)

15. Infrastructure
• Availability of assets
• Capability of assets
• Access to capital
• Complexity
• Mergers/ acquisitions
Personnel
• Employee capability
• Fraudulent activity
• Health and safety
• Judgment
• Malfeasance
• Security practices
• Sales practices
Natural Environment
• Biodiversity
• Emissions, effluents and waste
• Energy
• Fire
• Natural disaster
(earthquake, flood, etc.)
• Sustainable development
• Transport
• Water
Risk Events/ Identification Triggers
Process
• Capacity
• Design
• Execution
• Suppliers/ dependencies
Technological
• Electronic commerce
• External data
• Emerging technology
Source: COSO

16. Risk Events/ Identification Triggers
Technology
• Data Acquisition
• Data Maintenance
• Data Distribution
• Data Confidentiality
• Data Integrity
• Data and system availability Capacity
• System Selection Development
• Deployment
• Reliability
Economic
• Capital availability
• Credit Issuance
•Default
•Concentration
• Liquidity
•Market
•Funding
•Cash flow
•Commodity prices
•Interest rate
•Unemployment
•Indices
•Exchange rate
•Equity valuation
•Real estate values
Business
• Brand/ trademark
• Competition
• Consumer behavior
• Counterparty
• Fraud
• Industry standards
• Ownership structure
• Publicity
• Product relevance
Political
• Governmental changes
• Legislation
• Public policy
• Regulation
Social
• Demographics
• Corporate citizenship
• Environmental stewardship
• Privacy
Source: COSO

17. ERM Reporting and
Implementation Plan
3 ERM Report and Implementation Plan
• Develop overall report on risk assessments, gap analysis, risk management
evaluation (for selected risk categories and events) and residual risks.
• Develop a proposed time bound ERM implementation plan
Risk Category Identification and Gap Analysis
• Evaluate the Risk Management Competence of the Organization
• Conduct a gap analysis for each selected risk, by assessing current management
capability and desired capability
• Undertake root cause analysis
Risk Management Evaluation
• Identify current risk responses/risk management activities, initiatives currently
underway for selected risk categories, and opportunities for improvement
Risk Categorization
and Risk
Management
Evaluation
2
• Risk Control Matrix
• Control wise Capability Maturity Model
• ERM Report & Implementation Plan

18. ERM Structure
• Develop an appropriate risk management and oversight structure to execute and
monitor the execution of risk management related activities
• Risk Management Policies e.g. Policy governing risk assessment of contracts over
a specified value or requiring signing of guarantees, M&A decisions etc.
• Roles and responsibilities of the constituents of the risk management and
oversight structure
• Standard procedures to guide risk identification, prioritization, mitigation and
monitoring process on an ongoing basis
• Risk Management Activity Calendar (Formalizing Risk Management as an ongoing
activity by identifying key dates related to risk management review and reporting)
• Enablers for creating a common language across the organization e.g. Risk
classification framework and definitions, Risk assessment criteria
• Risk Management Organization Structure and Roles & Responsibilities
• Risk Management Policy
• Risk Management Activity Calendar

19. ERM Approach – Aligned
with COSO Framework
Mapping of ERM Framework with COSO Framework
Internal Environment
• Risk management philosophy
• Risk appetite
• Risk culture
• Integrity and ethical values
• Commitment to competence
• Management’s philosophy and operating style
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices
Event Identification
• Events
• Factors influencing strategy and objectives
• Methodologies and techniques
• Event interdependencies
• Event categories
• Risks and opportunities
Risk Assessment
• Inherent and residual risk
• Likelihood and impact
• Methodologies and techniques
• Correlation
Risk Response
• Identify risk response
• Evaluate possible risk responses
• Select responses
• Portfolio view
Control Activities
• Integration with risk response
• Types of control activities
• General controls
• Application controls
• Entity specific
Information & Communication
• Information
• Strategic and integrated systems
• Communication
Monitoring
• Separate evaluations
• Ongoing evaluations

20. Risk Control Matrix Risk Model
Entity wise Risk Heat Map Group wise Risk Heat Map
ERM Sample Deliverables

21. Risk Management Evaluation Risk wise Capability Maturity Model
Implementation Calendar

22. SECTION III
RISK ASSESSMENT (AS PART OF IC)

23. Control Environment
Risk Assessment
Control Activities
Information and Communication
Monitoring Activities
1
2
3
4
5
COSO : The 5 Components of IC

24. INTERNAL CONTROL IS DEFINED
Is a process, effected by an entity’s board of
directors, management, and other personnel,
designed to provide reasonable assurance
regarding the achievement of objectives in the
following categories:
• Effectiveness and efficiency of operations
• Reliability of reporting
• Compliance with applicable laws and
regulations
A process consisting of on-going tasks and activities. Policies
and procedures exist to effect control.
Effected by people.
Able to provide reasonable assurance, not absolute assurance.
Geared to the achievement of objectives in a one or more
separate but overlapping categories. The categories are:
- Effectiveness and efficiency of Operations Reliability of
Reporting (internal, external and non-financial)
- Adherence to laws and regulations
Adaptable to the entity structure. IC can be applied as per
management’s decision in the context of legal requirement,
operating model, entity structure or combination of these.
Understanding Internal Control

25. Operations Objectives
 Avoiding wastage
 Avoiding rework
 Reducing cost
 Reducing production time
 Improving customer satisfaction
 Improving employee satisfaction
 Improving innovation
 Accurate & timely financial closure
Reporting Objectives
 Corporate Laws and Corporate
Filings
 Pre-requisite for accessing capital
markets
 Tax Laws and Tax filings
 Dealing with large suppliers and
customers
 Private equity / Resource raising
Compliance Objectives
 Adherence to all applicable legal
and regulatory framework
 Adherence to code of conduct /
ethics
Overlap is possible and sometimes frequent
Key Objectives of Internal Control – in a general business environment
Source: COSO

26. Control Environment (Principles)
 Organization demonstrates a commitment
to integrity and ethical values
 Board demonstrates independence
 Management establishes oversight,
reporting lines and authority structure
 Organization demonstrates a commitment
to attract, develop and retain competent
individuals
 Individual accountability for IC
responsibilities
Risk Assessment (Principles)
 Risk specific objectives
 Risk identification and analysis
 Consider the potential for fraud
 Identify and assess changes that could
significantly impact the system of internal
control
Control Activities (Principles)
 Organization selects and develops
control activities that contribute to the
mitigation of risks
 Organization selects and develops
general control activities over
technology that contribute to the
mitigation of risks
 Organization deploys control activities
as manifested in policies that establish
what is expected and in relevant
procedures to effect the policies
Information and Communication (P)
 Information generation and use
 Internal communications
 External communications
Monitoring Activities (Principles)
 Organization selects, develops and performs on going and/or separate
evaluations to ascertain whether the components of IC exists and
function
 Communicates IC deficiencies
Components of Internal Control / System of IC
Source: COSO

27. Risk Assessment (Principles)
 Risk specific objectives
 Risk identification and analysis
 Consider the potential for fraud
 Identify and assess changes that
could significantly impact the system of
internal control
1. Circumstances requiring special attention:
1. Changes in external environment
2. Changes in physical environment (disasters)
3. Significant acquisitions / divestitures
4. Foreign operations
5. Rapid growth
6. New technology
7. Significant changes in personnel
Control Activities (Principles)
 Organization selects and develops
control activities that contribute to the
mitigation of risks
 Organization selects and develops
general control activities over
technology that contribute to the
mitigation of risks
 Organization deploys control activities
as manifested in policies that
establish what is expected and in
relevant procedures to effect the
policies
1. Integration with Risk Assessment
2. Each entity is unique
3. Business Process Controls / Transaction Controls: Completeness,
Accuracy & Validity
4. Control Activities:
1. Verifications
2. Reconciliations
3. Direct Observation
4. Authorisations
5. Physical controls
6. Controls over standing data
7. Supervisory controls
8. Automated controls
9. Segregation of duties
10. Choice of alternative controls
11. Technology controls (General, Infra, & Security)
12. Policies & procedures
13. Reassess policies
Risk Assessment as a Component of Internal Control
Source: COSO

28. SECTION IV
RISK ASSESSMENT (AUDIT LINKAGES)

29. What is Risk Assessment?
Risk assessment is the determination of quantitative or qualitative value of risk related to a situation and a
recognized threat
Risk assessment measurement is a process used to identify and evaluate risks and their potential effect
Risk assessment is the process where you:
• Identify risk.
• Analyze or evaluate the risk.
• Determine appropriate ways to eliminate or control the risk.
Why is Risk Assessment important?
The auditor should perform risk assessment procedures to obtain an understanding of the entity and its
environment, including its internal control
They help to:
• Create awareness of risks.
• Identify who may be at risk
• Determine if existing control measures are adequate or if more should be done.
• Prioritize risk and control measures.
Risk Assessment in IA

30. Risk Assessment in IA
Understanding
the Organization
Risk
Assessment
Business
Process Scope
and Plan
Risk and
Control
evaluations
Recommend
and Report
• Understanding of:
• Business
Objectives
• Organization
structure
• Business
segments
• Value chain
• Reporting and
monitoring
framework
• Risk
Identification
• Risk
Assessment and
detailed profiling
of each identified
risks
• Prioritization of
risks and
mapping on the
risk heat map
Deliverables
• Prioritized risk
listing
• Risk heat map
• Identification of
business units
and processes
to be covered
under process
review scope
• Detailed process
understand
(interviews and
walkthroughs)
• Process
validation
• Identify
processes risks
for various
activities
• Identify existing
controls
• Evaluate design
effectiveness
• Test operating
effectiveness
• Identify gaps
• Comparison with
leading practices
• Develop
recommendations
to bridge the gaps
• Summarization of
issues to be
presented to the
management
• Rate the findings
as per the scale
agreed with the
Management
• Process owner
buy-in
• Executive
Summary and
final report –
discussion with
the Management
and Audit
Committee
Deliverables
• Risk Based
Internal Audit
Report

31. Statutory auditors expectations from risk management
 No surprises on the financial statement signing date or after
 Move from Annual to continuous/ on-going risk assessments
 Watch out for risks encountered by competition and their impact
Identify and
assess risk of
material
misstatement
 Fraudulent financial reporting
 Enhances knowledge of the auditor and assists in evaluation of
effectiveness of internal controls

32. The entity’s risk assessment process may address how the entity considers the possibility of unrecorded
transactions or identifies and analyzes significant estimates recorded in the financial statements.
Risks relevant to reliable financial reporting include external and internal events, transactions or circumstances
that may occur and adversely affect an entity’s ability to initiate, record, process, and report financial data
consistent with the assertions of management in the financial statements. Certain operational events that may
have an impact on the financial reporting include:
• Changes in the regulatory or operating environment
• Significant and rapid changes in information systems can change the risk relating to internal control.
• New personnel
• Corporate restructurings. Restructurings may be accompanied by staff reductions and changes in
supervision and segregation of duties that may change the risk associated with internal control.
• Expanded foreign operations. The expansion or acquisition of foreign operations carries new and often
unique risks that may affect internal control, for example, additional or changed risks from foreign
currency transactions.
• New accounting pronouncements.
Business risks relevant to financial reporting
Statutory Auditor is expected to perform risk assessment procedures that extend beyond the internal information
gateways of an entity and look at reviewing information obtained from external sources such as trade and
economic journals; reports by analysts, banks, or rating agencies; or regulatory or financial publications. Making
inquiries of the entity’s external legal counsel or of valuation experts that the entity has used.

33. • Inadequate Segregation of duties. Assigning different people the responsibilities of authorizing
transactions, recording transactions, and maintaining custody of assets. Segregation of duties is
intended to reduce the opportunities to allow any person to be in a position to both perpetrate and
conceal errors or fraud in the normal course of the person’s duties.
• The information system relevant to financial reporting objectives, which includes the financial reporting
system, encompasses methods and records that:
• Identify and record all valid transactions.
• Describe on a timely basis the transactions in sufficient detail to permit proper classification of
transactions for financial reporting.
• Measure the value of transactions in a manner that permits recording their proper monetary value in
the financial statements.
• Determine the time period in which transactions occurred to permit recording of transactions in the
proper accounting period.
• Present properly the transactions and related disclosures in the financial statements.
• The quality of system-generated information affects management’s ability to make appropriate decisions
in managing and controlling the entity’s activities and to prepare reliable financial reports.
Business risks relevant to financial reporting

34. Core
Process
Order of
Importance
Applications Location Worst Case
Scenario
Financial
Impact
Non-Financial
Impact
Regional
Operations
XX • Core
application
• Non-core
North
Central
Terrorist Strike
Business Impact Analysis
Risk Assessment
Assets Threats
(Nature, 1 to 5)
Probability
(1 to 3)
Risk Impact
(T *P)
Importance Enlist
Control
Measures
Data Centre Inland Flooding, 5 1 5 1
Risk Assessment (example)

35. • Your risk portfolio should be
comprehensive but concise
• Monitor your risk portfolio and
undertake root cause analysis for
sticky risks
• Update the risk portfolio as business
is dynamic
ERM – avoid the common mistakes
• Prediction of Black swan events
• History alone is sufficient to give us
foresight
• Sophisticated models may mislead at
times

36. ERM Policy Charter ERM Steering Committee Risk Owners
Risk Information and
Reporting System
ERM POLICY
FRAMEWORK
Financial Risks
Market RisksOperational Risks
Strategic Risks
Risk Identification and
Analysis
Risk Portfolio and
Profiling
Risk Mitigation Plan
Quantified Risk
Assessment
RISK
CLASSIFICATION
AND PORTFOLIO
APPROACH
Risk Management Framework
Risk
Benchmarking
On-going
History
Scenario Play

37. SECTION V
PRACTICAL CASE STUDY

38. Practical Case Study on ERM
Business Scenario :
The company is a family owned business since 1931. It has manufacturing plants at
Tarapur & Jammu with plans to set up one more plant in India. It is currently the
market leader in fine chemicals, stationery and school products. Since last decade
the company has been steadily losing out to competition and its market share is
declining. If things don’t improve then the promoters will be forced to exit the
business by stake sale to international players. You have been requested by the
Board to carry out a ERM exercise and present results.
Develop a indicative risk register covering strategic, operational, compliance and
financial risks.

39. The views expressed in this material are personal in nature. Any reliance should be placed only post
consultation with the author.
Questions