A COSO Based Risk & Control Framework
Operational Risk Management
A Proposal for Success
Mission Statement
We will support management’s goals and objectives by providing
independent monitoring and assessment of management’s key
business processes to ensure all business risks are anticipated,
recognized and appropriately addressed before they adversely affect
the Company. We will assess, monitor and manage risks in a manner
that integrates with management’s strategic objectives and the
corporate decision-making process. We will help management
effectively and efficiently deploy resources by striking a balance
between growth, returns and related risk.
Objectives
The primary objectives of the Operational Risk Program are to:
• Act decisively to identify and manage key risks.
• Enable an appropriate risk/reward balance in operational risk decisions.
• Deliver transparent reporting of key risks to enable informed decisions.
• Drive accountability and exercise appropriate authority.
• Ensure consistency through a common framework.
• Maintain independent oversight of business performance.
• Transfer ownership of risks and controls to the business units.
Risk Framework
The operational risk framework consists of four fundamental elements
designed to provide a consistent approach to managing risk across the
Company. This framework is intended to correspond with the
framework components of COSO. These framework components are
Event Identification and Assessment, Risk Response and Control
Activities, Monitoring and Reporting.
Identify and Assess
Each business unit should understand and document key operational
risks to the organization, complete periodic self-assessments of the
risk environment to confirm identified key risks and identify new or
emerging risks, and prioritize those risks to ensure focus on the risks
that present frequent risk to the business.
• A documented risk profile is in place and updated annually.
• Risk and control self-assessments are completed periodically.
• Scenario analysis workshops have appropriate representation and support from each business unit to enable identification of emerging risks. Any gaps identified will be documented and addressed.
• Operational loss collection is performed per the Operational Incident Policy to identify control weaknesses or areas for improvement.
Risk Response and Control
Each business unit will document mitigation of key operational risks,
including key controls, risk transfer and risk acceptance.
• Risk tolerance levels should be established to aid in decisions on mitigation activities.
• Mitigation actions for key risks identified in the annual risk assessment are documented. Key risks may be mitigated using controls, risk transfer or risk acceptance.
• Risk acceptance is documented with the following information:
– Description of the risk.
– Date of the decision to accept the risk.
– Officers who agreed to accept the risk and the date of the next review of the decision.
• Policies and procedures are in place and include controls that mitigate risks.
• Risk requirements are included in annual employee goals and training.
Monitor
Each business unit will develop metrics to facilitate monitoring of the
control environment. Risks that have been accepted will be reviewed
periodically to ensure that acceptance remains the appropriate
mitigation approach.
• Businesses develop key risk metrics to monitor performance of key controls and supplement enterprise metrics. Key risks and controls are monitored to ensure they continue to be effective in managing and reducing risk.
• Mitigation and action plans are monitored by the businesses to ensure plan activities are completed.
• Each business has a process to escalate operational risk issues identified through monitoring.
Report
Each business unit will report metrics and risk assessment results to
management and risk governance bodies.
• Key risks, mitigation actions and monitoring results are reported to the appropriate levels of management in a timely manner.
• Business issues are escalated to line of business governance in a timely manner, and line of business issues that could have an enterprise impact will be escalated to senior management in a timely manner.