Transcription of Topic: Risk Management Framework 2017 (Enterprise Risk ...
1 Enterprise Risk Management Integrating with Strategy and Performance: 2017. 6 2560. F-310.
2 What's New under the COSO-ERM 2017 Framework? Sillapaporn Srijunpetch, CPA
New COSO-ERM 2017
Today's organizations are concerned about: Risk Management, Governance, Control, Assurance (and Consulting). Please note: Governance has been dropped to ranking number two.
COSO ERM 2004
COSO: The Committee of Sponsoring Organizations of the Treadway Commission.
ERM Defined: "...a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
3 Source: COSO Enterprise Risk Management - Integrated Framework.
Two kinds of effect: a negative effect is a risk; a positive effect is an opportunity.
Why ERM Is Important [Exec Summary page 1]. Underlying principles: Every entity, whether for-profit or not, exists to realize value for its stakeholders.
4 Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day.
Why ERM Is Important [Exec Summary page 1]. ERM supports value creation by enabling management to: deal effectively with potential future events that create uncertainty; respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
This COSO ERM framework defines essential components, suggests a common language, and provides clear direction and guidance for enterprise risk management.
Enterprise Risk Management - Integrated Framework: 1: 2:
5 3:
The ERM cube (figure): eight components applied across four entity levels (Subsidiary, Business Unit, Division, Entity-Level).
The eight components:
1. Internal Environment
2. Objective Setting
3. Event Identification
4. Risk Assessment
5. Risk Response
6. Control Activities
7. Information & Communication
8. Monitoring
6 Internal Environment: Establishes a philosophy regarding risk management. It recognizes that unexpected as well as expected events may occur. Establishes the entity's risk culture. Considers all other aspects of how the organization's actions may affect its risk culture.
Objective Setting: Is applied when management considers risk strategy in the setting of objectives.
7 Forms the risk appetite of the entity: a high-level view of how much risk management and the board are willing to accept.
Event Identification: Differentiates risks and opportunities. Events that may have a negative impact represent risks. Events that may have a positive impact represent natural offsets (opportunities), which management channels back to strategy setting.
Event Identification: Involves identifying those incidents, occurring internally or externally, that could affect strategy and the achievement of objectives. Addresses how internal and external factors combine and interact to influence the risk profile.
Risk Assessment: Allows an entity to understand the extent to which potential events might impact objectives.
8 Assesses risks from two perspectives: likelihood and impact.
Risk Assessment: Employs a combination of both qualitative and quantitative risk assessment methodologies.
Risk Response: Identifies and evaluates possible responses to risk. Evaluates options in relation to the entity's risk appetite, the cost vs. benefit of potential risk responses, and the degree to which a response will reduce impact and/or likelihood.
Control Activities: Policies and procedures that help ensure that the risk responses, as well as other entity directives, are carried out. Occur throughout the organization, at all levels and in all functions.
9 Include application and general information technology controls.
Information & Communication: Management identifies, captures, and communicates pertinent information in a form and timeframe that enables people to carry out their responsibilities. Communication occurs in a broader sense, flowing down, across, and up the entity.
Monitoring: Effectiveness of the other ERM components is monitored through: ongoing monitoring activities; separate evaluations; or a combination of the two.
Internal Control: A strong system of internal control is essential to effective enterprise risk management. This ERM Framework does not replace the earlier Framework on Internal Control, but rather incorporates it.
Roles & Responsibilities: Management, the board of directors, risk officers, internal auditors. There is now a CRO (Chief Risk Officer), in addition to the CEO, COO, CFO & CIO.
10 Example: Risk Model.
Environmental Risks: Capital Availability; Regulatory, Political, and Legal; Financial Markets and Shareholder Relations.
Process Risks: Operations Risk; Empowerment Risk; Information Processing / Technology Risk; Integrity Risk; Financial Risk.
Information for Decision Making: Operational Risk; Financial Risk; Strategic Risk.
Key questions: What risks will the organization not accept? (e.g. environmental or quality compromises) What risks will the organization take on new initiatives? (e.g. new product lines) What risks will the organization accept for competing objectives?