Two important ERM frameworks are COSO and RIMS. Each describes an approach for identifying, analyzing, responding to, and monitoring risks or opportunities within the internal and external environment facing the enterprise. Management selects a risk response strategy for each risk identified and analyzed; the options include:
- Avoidance: exiting the activities that give rise to the risk
- Reduction: taking action to reduce the likelihood or impact of the risk
- Share or insure: transferring or sharing a portion of the risk in order to reduce it
- Accept: no action is taken, based on a cost/benefit decision
Monitoring is typically performed by management as part of its internal control activities, such as review of analytical reports or management committee meetings with relevant experts, to understand how the risk response strategy is working and whether the objectives are being achieved.
COSO ERM framework:
The COSO "Enterprise Risk Management-Integrated Framework" published in 2004 defines ERM as: "A process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
The COSO ERM Framework has eight components and four objective categories. It is an expansion of the COSO Internal Control - Integrated Framework published in 1992 and amended in 1994. The eight components are:
- Internal Environment
- Objective Setting
- Event Identification
- Risk Assessment
- Risk Response
- Control Activities
- Information and Communication
- Monitoring
The four objective categories are:
- Strategy - high-level goals, aligned with and supporting the organization's mission
- Operations - effective and efficient use of resources
- Financial Reporting - reliability of operational and financial reporting
- Compliance - compliance with applicable laws and regulations
RIMS risk maturity model for enterprise risk management:
Enterprise risk management (ERM) as defined by the Risk and Insurance Management Society (RIMS) is the culture, processes and tools to identify strategic opportunities and reduce uncertainty. ERM is a comprehensive view of risk from both operational and strategic perspectives and is a process that supports the reduction of uncertainty and promotes the exploitation of opportunities.
According to the RIMS Risk Maturity Model for ERM, the following seven core competencies, or attributes, measure how well enterprise risk management is embraced by management and ingrained within the organization. A maturity level is determined for each attribute and ERM maturity is determined by the weakest link.
1. ERM-based approach - Degree of executive support for an ERM-based approach within the corporate culture. This goes beyond regulatory compliance across all processes, functions, business lines, roles and geographies. Degree of integration, communication and coordination of internal audit, information technology, compliance, control and risk management.
2. ERM process management - Degree of weaving the ERM Process into business processes and using ERM Process steps to identify, assess, evaluate, mitigate and monitor. Degree of incorporating qualitative methods supported by quantitative methods, analysis, tools.
3. Risk appetite management - Degree of understanding of the risk-reward tradeoffs within the business. Accountability within leadership, and policy to guide decision-making and close gaps between perceived and actual risk. Risk appetite defines the boundary of acceptable risk; risk tolerance defines the variation around that appetite that management deems acceptable.
4. Root cause discipline - Degree of discipline applied to measuring a problem’s root cause and binding events with their process sources to drive the reduction of uncertainty, collection of information and measurement of the controls’ effectiveness. The degree of risk from people, external environment, systems, processes and relationships is explored.
5. Uncovering risks - Degree of quality and penetration coverage of risk assessment activities in documenting risks and opportunities. Degree of collecting knowledge from employee expertise, databases and other electronic files (such as Microsoft Word or Excel documents) to uncover dependencies and correlation across the enterprise.
6. Performance management - Degree of executing vision and strategy, working from financial, customer, business process and learning and growth perspectives, such as Kaplan’s balanced scorecard, or similar approach. Degree of exposure to uncertainty, or potential deviations from plans or expectations.
7. Business resiliency and sustainability - Extent to which the ERM Process's sustainability aspects are integrated into operational planning. This includes evaluating how planning supports resiliency and value. The degree of ownership and planning beyond recovering technology platforms. Examples include vendor and distribution dependencies, supply chain disruptions, dramatic market pricing changes, cash flow volatility, business liquidity, etc.
2 comments:
Actually, the main advantage of using GRC is corporate governance.
Corporate governance is the set of processes, customs, policies, laws and institutions affecting the way a corporation is directed, administered or controlled. Corporate governance also includes the relationships among the many players involved (the stakeholders) and the goals for which the corporation is governed. The principal players are the shareholders, management and the board of directors. Other stakeholders include employees, suppliers, customers, banks and other lenders, regulators, the environment and the community at large.
Corporate governance is a multi-faceted subject. An important theme of corporate governance is to ensure the accountability of certain individuals in an organization through mechanisms that try to reduce or eliminate the principal-agent problem. A related but separate thread of discussion focuses on the impact of a corporate governance system on economic efficiency, with a strong emphasis on shareholders' welfare. There are yet other aspects to the corporate governance subject, such as the stakeholder view and the corporate governance models around the world.
Corporate governance models around the world
Although the US model of corporate governance is the most notorious, there is considerable variation in corporate governance models around the world. The intricate shareholding structures of keiretsus in Japan, the heavy presence of banks in the equity of German firms, the chaebols in South Korea and many others are examples of arrangements which try to respond to the same corporate governance challenges as in the US.
Anglo-American Model
There are many different models of corporate governance around the world. These differ according to the variety of capitalism in which they are embedded. The liberal model that is common in Anglo-American countries tends to give priority to the interests of shareholders. The coordinated model that one finds in Continental Europe and Japan also recognizes the interests of workers, managers, suppliers, customers, and the community. Both models have distinct competitive advantages, but in different ways. The liberal model of corporate governance encourages radical innovation and cost competition, whereas the coordinated model of corporate governance facilitates incremental innovation and quality competition. However, there are important differences between the recent U.S. approach to governance issues and what has happened in the U.K.
In the United States, a corporation is governed by a board of directors, which has the power to choose an executive officer, usually known as the chief executive officer. The CEO has broad power to manage the corporation on a daily basis, but needs to get board approval for certain major actions, such as hiring his/her immediate subordinates, raising money, acquiring another company, major capital expansions, or other expensive projects. Other duties of the board may include policy setting, decision making, monitoring management's performance, or corporate control.
The board of directors is nominally selected by and responsible to the shareholders, but the bylaws of many companies make it difficult for all but the largest shareholders to have any influence over the makeup of the board; normally, individual shareholders are not offered a choice of board nominees to choose among, but are merely asked to rubber-stamp the nominees of the sitting board. Perverse incentives have pervaded many corporate boards in the developed world, with board members beholden to the chief executive whose actions they are intended to oversee. Frequently, members of boards of directors are CEOs of other corporations, which some see as a conflict of interest.
The U.K. has pioneered a flexible model of regulation of corporate governance, known as the "comply or explain" code of governance. This is a principle-based code that lists a dozen recommended practices, such as the separation of CEO and Chairman of the Board, the introduction of a time limit for CEOs' contracts, the introduction of a minimum number of non-executive directors and of independent directors, the designation of a senior non-executive director, and the formation and composition of remuneration, audit and nomination committees. Publicly listed companies in the U.K. have to either apply those principles or, if they choose not to, explain in a designated part of their annual reports why they decided not to do so. The monitoring of those explanations is left to shareholders themselves. The tenet of the Code is that one size does not fit all in matters of corporate governance and that, instead of a statutory regime like the Sarbanes-Oxley Act in the U.S., it is best to leave some flexibility to companies so that they can make the choices best adapted to their circumstances. If they have good reasons to deviate from the sound rule, they should be able to convincingly explain those to their shareholders.
The code has been in place since 1993 and has had drastic effects on the way firms are governed in the U.K. A study by Arcot, Bruno and Faure-Grimaud from the Financial Markets Group at the London School of Economics shows that in 1993 about 10% of the UK companies that were members of the FTSE 350 were compliant on all dimensions, while more than 60% were in 2003. The same success was not achieved when looking at the explanation part for non-compliant companies. Many deviations are simply not explained, and a large majority of explanations fail to identify specific circumstances justifying those deviations. Still, the overall view is that the U.K.'s system works fairly well and in fact is often branded as a benchmark, followed by several countries.
Non Anglo-American Model
In East Asian countries, family-owned companies dominate. A study by Claessens, Djankov and Lang (2000) investigated the top 15 families in East Asian countries and found that they dominated listed corporate assets. In countries such as Pakistan, Indonesia and the Philippines, the top 15 families controlled over 50% of publicly owned corporations through a system of family cross-holdings, thus dominating the capital markets. Family-owned companies also dominate the Latin model of corporate governance, that is companies in Mexico, Italy, Spain, France (to a certain extent), Brazil, Argentina, and other countries in South America.
Europe and Asia exemplify the insider system (shareholder and stakeholder):
• a small number of listed companies
• an illiquid capital market where ownership and control are not frequently traded
• high concentration of shareholding in the hands of corporations, institutions, families or government
• the insider model uses a system of interlocking networks and committees
At the same time that developing countries are undergoing a process of economic growth and transformation, they are also experiencing a revolution in the business and political relationships that characterize their private and public sectors. Establishing good corporate governance practices is essential to sustaining long-term development and growth as these countries move from closed, market-unfriendly, undemocratic systems towards open, market-friendly, democratic systems. Good corporate governance systems will allow organizations to realize their maximum productivity and efficiency, minimize corruption and abuse of power, and provide a system of managerial accountability.[8] These goals are equally important for both private corporations and government bodies.
Because of the implicit relationship between private interests and the larger government, good corporate governance practices are essential to establishing good governance at the national level in developing countries. A number of ties keep the public and private sectors closely linked. On one hand, judiciary and regulatory bodies as well as legislatures play a role in corporate management and oversight. At the same time, cartels and large corporate interests use their size to exert not only economic but also political power. These two sectors are so intertwined that a country cannot significantly change one without simultaneously instituting changes in the other.
According to Nicolas Meisel, there are four priorities on which developing countries should concentrate while experimenting with new forms of corporate and public governance. The first is to focus on improving the quality of information and increasing the speed at which it is created and distributed to the public. Good communication is important to the functioning of any organization. The second is to allow individual actors more autonomy while at the same time maintaining or increasing accountability. Thirdly, if a hierarchical organization once served to orient private activities toward the general interest, new countervailing powers should be encouraged to fill this role. Finally, the part the state plays and how government officials are selected must be considered if a developing economy is to achieve sustainable growth. This may involve making it easier for newcomers with new ideas to replace incumbents who may hold to older, possibly outdated, models.
Millions of thanks, Mr Salman.
My concept of GRC solutions and ERM is pretty much clear now.
I browsed the net, but I rank your theory of GRC and ERM at the top.
Keep it up...