Alignment of risk management initiatives (COSO, ISO 31000, RIMS, IFAC...)
DESCRIPTION
Slides from the event organized by ISO TC 262 (Risk Management) on the main risk management initiatives developed around the world.
TRANSCRIPT
• Vincent Tophoff, IFAC (International Federation of Accountants)
• David Landsittel, COSO (Committee of Sponsoring Organizations)
• Gigi Dawe, CPA Canada ROGB (Risk Oversight and Governance Board)
• Carol Fox, RIMS (The Risk Management Society)
• Julia Graham, FERMA & IFRIMA (Federation of European Risk Management Associations; International Federation of Risk and Insurance Management Associations)
• Jan Mattingly, ISO 31004 Work Group (International Standards Organization)
Page 3 | Confidential and Proprietary Information
Pursuing Global Alignment of Risk Management Guidelines
Vincent Tophoff, International Federation of Accountants (IFAC)
COSO, IFAC, ISO, RIMS, and ROGB Panel Discussion and Networking Event
Chicago
September 24, 2013
International Federation of Accountants
The International Federation of Accountants (IFAC) is:
• The global organization of the accountancy profession
• 164 member bodies and associates in 125 countries
• 2.5 million professional accountants in public practice, commerce, industry, financial services, the public sector, education, and the not-for-profit sector
• Public interest focused
More than half are in this box. We call them PAIBs and the PAIB Committee exists to support them
International Federation of Accountants
What IFAC does:
• Establishes and promotes adherence to high quality professional standards
• Furthers adoption and implementation of standards
• Supports the global development of the accountancy profession
• Provides a global voice and promotes the value of professional accountants worldwide
• Helps its members support professional accountants in business and small and medium practices
Professional Accountants in Business
• Supports professional accountants in the following areas:
– Governance and ethics
– Risk management and internal control
– Sustainability and corporate responsibility
– Financial and performance management
– Business reporting
– Promoting and contributing to the value of professional accountants
• All areas of critical importance to professional accountants (and for risk managers too…)
Bad vs. Good RM/IC Practices
There has been an overwhelming load of bad practice:
– RM/IC as objective in itself vs. RM/IC to achieve objectives
– Auditor / staff driven vs. Board and management driven
– Rules-based vs. Principles-based
– Off-the-shelf systems vs. Tailor-made
– Focused on threats only vs. Also focused on opportunities
– Mainly hard controls vs. Social / human aspects
– Artificially implemented vs. Organically implemented
– Stand-alone / “bolt-on” vs. Integrated / “built-in”
– Static, out-of-date vs. Dynamic, evolving
– Creates costs vs. Creates results / value
– Abandoned vs. Supported
Global Crisis
• Global Crisis, according to IFAC research, caused by:
– Ethical flaws
– Governance, RM/IC in name, but not in spirit
– Regulatory overload, leading to legalistic compliance
– Risk & control systems too narrowly focused on only financial reporting controls
• Conclusions from the crisis:
– Organizations should take a broader approach in risk management and internal control
– Appropriate application of risk management and internal control standards and principles is often the problem
Emerging Trends
Respondents to the IFAC Global Survey on Risk Management & Internal Control recommended the following:
• Emphasize the benefits of (more integrated) risk management and internal control
• Bring various risk management and internal control standard setting organizations (e.g., COSO, ISO 31000, the Risk Oversight & Governance Board, etc.) and their guidelines closer together
• Collaborate with experts on developing practical application guidance for (integration of) risk management & internal control
COSO ERM vs. ISO 31000
(COSO characteristic vs. ISO 31000 characteristic)
• Lengthy vs. Short
• Focused on ERM vs. General approach to managing risk
• One cube vs. Framework and process
• Skewed to negative vs. Risk can be positive or negative
• Risk already exists vs. Risk tied to achieving objectives
• Risk & opportunities vs. Opportunities also source of risk
• More sequential process vs. More iterative process
Many entities use both COSO ERM & ISO 31000…
… Biggest challenge is that concepts not aligned
Too short, however, to really understand
Next step > Further Global Alignment of Guidelines
• IFAC facilitates further global alignment of risk management and internal control guidelines
• Through bringing various risk management and internal control standard setting organizations (and their guidelines!) closer together
• As per the outcomes of our survey!
• And now over to you…
For further information please contact Vincent Tophoff at [email protected] or visit www.ifac.org
Recent COSO Internal Control and Risk Management Developments
IFAC and ISO Panel Discussion
September 24, 2013
David L. Landsittel
Former Chair - COSO
About COSO
• Formed in 1985 to sponsor a group to make recommendations on Fraudulent Financial Reporting
• A joint initiative of five private sector organizations:
▫ American Accounting Association (AAA)
▫ American Institute of Certified Public Accountants (AICPA)
▫ Financial Executives International (FEI)
▫ Institute of Management Accountants (IMA)
▫ The Institute of Internal Auditors (IIA)
Mission
COSO’s Mission is “To provide thought leadership through the development of comprehensive frameworks and guidance on enterprise risk management, internal control and fraud deterrence designed to improve organizational performance and governance and to reduce the extent of fraud in organizations.”
COSO’s Fundamental Principle: Good risk management and internal control are necessary for long term success of all organizations
COSO’s Three Areas of Focus
1. Internal Control
2. Enterprise Risk Management
3. Fraud Deterrence
Timeline
• 1987: Treadway Commission Report
• 1992: Internal Control – Integrated Framework
• 1996: Internal Control Issues in Derivatives
• 1999: Fraud Study I - Fraudulent Financial Reporting: 1987-1997
• 2004: Enterprise Risk Management Framework
• 2006: Guidance for Smaller Businesses on Internal Control over Financial Reporting
• 2009: Guidance on Monitoring Internal Control Systems
• 2010: Fraud Study II - Fraudulent Financial Reporting: 1998-2007
• 2010-2013: Recent ERM thought papers on current issues
COSO Internal Control Framework
• First published in 1992
• Gained wide acceptance following financial control failures of early 2000’s
• Most widely used framework in the US
• Also widely used around the world – translated into 7 languages
ICIF Works Well Today
Why Update What Works?
COSO’s Internal Control–Integrated Framework (1992 Edition) → COSO’s Internal Control–Integrated Framework (2013 Edition)
Update Objectives / Enhancements:
• Updates Context – Reflect changes in business & operating environments
• Broadens Application – Expand operations and reporting objectives
• Clarifies Requirements – Articulate principles to facilitate effective internal control
ICIF Will Work Better Tomorrow
Project Plan & Timetable (2010–2013)
1. Assess & Survey Stakeholders
2. Design & Build
3. Public Exposure & Assess
4. Finalize
Project Participants
COSO Board of Directors
COSO Advisory Council
• AICPA
• AAA
• FEI
• IIA
• IMA
• Public Accounting Firms
• Regulatory observers
• Others (IFAC, ISACA, others)
PwC – Author and Project Leader
Stakeholder Input
• Survey of over 700 stakeholders and users of the 1992 Internal Control – Integrated Framework
• Public Exposures of updated Framework draft and supporting documents
• Webcasts, round tables, direct correspondence via [email protected] et al
Summary of Updates…
What is not changing...
1. Definition of internal control
2. Five components of internal control
3. The fundamental criteria used to assess effectiveness of systems of internal control
4. Use of judgment in designing and implementing controls and in evaluating the effectiveness of systems of internal control
What is changing...
1. Updated to reflect the current business environment
2. Formalized fundamental concepts underlying the five components as principles
3. Expanded financial reporting objective to address internal and external, financial and non-financial reporting objectives
4. Increased focus on operations and compliance objectives based on user input
Summary of Updates
A changing business environment... drives updates to the Framework...
• Expectations for governance oversight
• Globalization of markets and operations
• Changes in business models
• Demands and complexity of rules, regulations and standards
• Expectations for competencies and accountabilities
• Use and reliance on evolving technology
• Expectations for preventing and detecting fraud
17 Principles of the Updated ICIF
Control Environment
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility
3. Establishes structure, authority and responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment
6. Specifies suitable objectives
7. Identifies and analyzes risk
8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities
10. Selects and develops control activities
11. Selects and develops general controls over technology
12. Deploys through policies and procedures
Information & Communication
13. Uses relevant information
14. Communicates internally
15. Communicates externally
Monitoring Activities
16. Conducts ongoing and/or separate evaluations
17. Evaluates and communicates deficiencies
Update Articulates Principles of Effective Internal Control
Control Environment
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Project Deliverables: Internal Control-Integrated Framework
• Consists of three volumes:
▫ Executive Summary
▫ Framework and Appendices
▫ Illustrative Tools: Assessing Effectiveness of a System of Internal Control
• Sets out:
▫ Definition of internal control
▫ Categories of objectives
▫ Components of internal control and related principles and points of focus
▫ Requirements for Effectiveness
Project Deliverables: Internal Control over External Financial Reporting: A Compendium
• Provides approaches and examples illustrating how principles are applied in preparing financial statements for external purposes
• Is relevant for a variety of entities – public, private, not-for-profit, and government
• Is consistent with and does not modify the updated Framework
The ERM Framework
• Published in 2004
• Based upon a framework with similarities to the COSO 92 framework
• Widely recognized, but not as widely adopted as COSO 92
• Implementation not as robust as COSO 92
Some Current ERM Challenges
• Uneven support to adopt any formal risk management process
• Less than robust ERM implementation
• Difficulty “getting started” with ERM implementation
• Difficulty aligning ERM with top management view
• Inadequate board oversight of risk management – and regulatory pressure mounting for better oversight
• Immature development of risk appetite
• Failure to consider low likelihood but high impact risks – overconfidence
COSO ERM Response
Our objective – to assist stakeholders in moving up “maturity curve” of an effective ERM process
Publication of a series of thought papers
COSO ERM “Thought Papers”
• Four Papers issued in 2009 surveying ERM practices – and particularly practices and recommendations related to board of director oversight
• Four Papers in 2011 and 2012 focusing on difficult ERM process implementation issues:
▫ “Getting Started”
▫ Developing Key Risk Indicators
▫ Understanding and Communicating Risk Appetite
▫ Risk Assessment Practices
• Two Papers in 2012-2013 dealing with applying ERM to current Management issues:
▫ “Cloud” Computing Risks
▫ Sustainability Risks
• A Behavioral Paper in 2012 dealing with Judgment Biases
Questions or Comments?
Thank You!
David Landsittel
www.coso.org
CPA Canada Risk Oversight and Governance Board Role in Risk
Gigi Dawe, Principal, Governance, Strategy and Risk
• Chartered Professional Accountants of Canada, through its Risk Oversight and Governance Board (ROGB), develops guidance materials for boards of directors and senior officers
• As such, our focus is on the oversight of enterprise risk, vs. risk management.
• Our goal is to offer unique support specifically for directors that supports the activities of management
Role of CPA Canada’s ROGB in Risk
• Twelve years ago the ROGB began the 20 Questions series for directors – concise, practical guidance
• The 20 Questions series addresses subjects important to directors by posing questions that directors may ask of management, advisors, or themselves
• A brief summary of current thinking and some recommended practices are provided for each question
Role of CPA Canada’s ROGB in Risk
Issues
• Insufficient time spent on risk oversight – and on risk management
• Limited knowledge of the organization and risks associated
• Lack of clarity – board / management role
• Limited knowledge of finance
• Excessive reliance on management / few advisors
• No system in place to manage risks or to communicate them to the board
• In 2012 the ROGB published A Framework for Board Oversight of Enterprise Risk – a slightly different, more “prescriptive” approach
• Intended to support management use of COSO, ISO-31000 or other
• Feedback from directors – very positive – unique, usable, new
• Feedback from risk managers – “keep out” – made changes for more support
Role of CPA Canada’s ROGB in Risk
Risk Oversight Framework
• Oversight of the risk management systems and processes by the board including continuously reviewing both the planning and outcomes of such processes.
• Propose the board needs to play a more active and direct role in the oversight of risk
• Boards need to much better understand their role
Where are we going?
• Like this group we want to support international efforts and provide CPAs a picture of international initiatives
• Want to ensure that any director materials are aligned with risk management
• We will vary delivery methods
© 2013 Risk and Insurance Management Society, Inc. All rights reserved.
RIMS Mission
To advance risk management for your organization’s success
As the preeminent organization dedicated to advancing the practice of risk management, RIMS, the risk management society™, is a global not-for-profit organization representing more than 3,500 industrial, service, nonprofit, charitable and government entities throughout the world. Founded in 1950, RIMS brings networking, professional development and education opportunities to its membership of more than 11,000 risk management professionals located in over 60 countries. For more information on RIMS, visit www.RIMS.org.
Involved in Standards Development
RIMS Approved as Accredited Standards Organization by American National Standards Institute 7/15/2011
NEW YORK (July 15, 2011) — RIMS today announced that it has been approved as an accredited standards development organization by the American National Standards Institute (ANSI) Executive Standards Council. This status will increase RIMS’ profile in the standards and practices arena by enabling it to take a lead role in shaping and developing risk management standards.
Collaborating with other associations and SDOs on standards development
RIMS Risk Maturity Model™ (www.rims.org/resources/ERM/Pages/RiskMaturityModel.aspx)
• Attributes: Seven core areas of ERM that drive effectiveness; compatible with various specialized frameworks
• Risk competency measurement: 25 factors and 68 indicators; objective evaluation criteria; key issues that differentiate maturity levels
• Maturity levels: Five maturity levels; detailed descriptions unique for each attribute; measure to help reach goals for improvement
• Benchmarking with more than 2,000 organizations: standing in peer group; highlights ERM trends and priorities
Complements multiple standards and frameworks
Research Using RIMS Risk Maturity Model
Attributes:
• ERM-based approach
• ERM process management
• Risk appetite management
• Root cause discipline
• Uncovering risks
• Performance management
• Resiliency and sustainability
Maturity levels: Non Existent, Ad hoc, Initial, Repeatable, Managed, Leadership
Executive Reports
RIMS Strategic Risk Management Framework
Strategic risk management (“SRM”) is a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.
Also complements multiple standards and frameworks
Webinars on ERM and SRM
Surveys
Understanding Expectations
Q: What are the top two areas of improvement to help senior management and board more fully understand the risk landscape of your organization?
Source: Marsh/RIMS Excellence in Risk Management 10
Risk Appetite and Risk Tolerance
Q: Has your organization developed formal enterprise-level risk appetite and/or risk tolerance statements?
Source: Marsh/RIMS Excellence in Risk Management 10
Surveys
Source: 2013 RIMS Enterprise Risk Management (ERM) Survey. All rights reserved.
Q: To what extent has your organization adopted an enterprise risk management (ERM) program?
Who Is Primarily Responsible for ERM?
Source: RIMS 2013 Benchmark Survey
Produced by Advisen
Standards or Frameworks Used
Q: Our program is most closely aligned with …
• ISO 31000 up 5% from 2011
• COSO up 2% from 2011
Source: RIMS 2013 Benchmark Survey
Produced by Advisen
www.rims.org
Carol Fox, ARM
Director of Strategic and Enterprise Risk Practice
+1 [email protected]
FERMA
The Federation of Risk Management Associations
Mission and Objectives
FERMA Alliances
• Represents 22 national risk management associations
• 20 countries who have individual members
• Partners with other associations where mutual interest:
▫ European Confederation of Institutes of Internal Auditing (ECIIA)
▫ European Confederation of Directors Associations (ecoDA)
▫ Insurance intermediaries association (BIPAR)
▫ European Insurance Law association (AIDA)
FERMA strengthens the voice of risk management in Europe by increasing contacts with their members and through joint representation to the European Commission
Promotes the profession of risk manager by encouraging the development of risk management education and qualifications and support for young risk managers
FERMA Certification of Risk Managers
A European professional Certification framework in order to value the Risk Manager’s function with more credibility, visibility and recognition.
The ambition is for the Certification to be recognized by Risk Managers, Insurance Managers and more broadly all the functions involved in the 1st and 2nd lines of defence as the European leading reference in Risk Management.
FERMA aims to balance expenses over the medium term, not to make a profit on the certification activity
Two levels: Passport, Professional
Develop a body of knowledge
A number of potential global and European partners
Leadership in Risk Management
• C-Suite supervision of risk management increasing and there is increasingly a role for leadership of risk management
• The majority of companies have education and review processes in place that keep the C-suite informed about risk exposures
• Most think communication between the C-Suite and the "CRO" could be better
• Companies aspire to improve the link between risk management and strategic planning
• Risk management has some way to go to use the risk management function for making more effective strategic decisions
• Risk-based incentives as part of remuneration slow
• Brand and reputation rising concerns
• Some executives and "experts" cite lack of risk management talent as an important area especially in emerging products and markets
• Processes to define risk appetite now in place at nearly half of the companies
Leadership in Risk Management – Zurich, Harvard, FERMA and PRIMO 2013
FERMA Forum
• Maastricht, 29 September – 2 October
• 1500 professionals in risk management and insurance
• Panels, Workshops and Master Classes
• Global subject matter leaders
• Demonstration of tools and techniques
• Promotion of young professionals and Diversity
• Affiliation meetings including IFRIMA
Julia Graham Director of Risk Management and Insurance
T +44 20 7796 6428
F +44 207 796 6594
M +44 7968 558 898
E [email protected]
Exploring Common Paths in Risk Management
Risk Management Perspectives in ISO Standardization Experience
Overview
• Risk Management Standards & ISO
• Development challenges and successes
• Looking Ahead: exploring shared perspectives
ISO Standards Development – An Opinion
• Governance structures, directives, tools and guidance exist to support standards development
• There are various types of standards’ products
• Development process has many checks and balances to ensure country and stakeholder feedback: it ain’t perfect!
• All work is done by volunteers nominated by their national technical committee and endorsed by each country’s national standards bodies: discussion can be colorful, exciting and heated!
• Developing products takes time because of the create-feedback-review cycle
ISO Standards & Risk Management
• The ISO community is very gradually moving towards harmonization in risk management expectations, terminology but progress is slow, still fragmented
◦ ISO 31010
◦ Guide 73
◦ ISO 22301
◦ Etc.
• Within the ISO context Technical Committee 262 is seen as a natural home for risk management but it is only ONE ISO home. ISO is at the early stage of harmonization on risk management activity.
Sample Successes
• Publication of ISO 31000 in 2009 – Risk Management Principles and Guidelines
◦ Globally popular
◦ Early feedback that it has helped
• Update of Guide 73 – Risk Management Terminology in 2009
• Technical Committee established 2012 by ISO’s Technical Management Board
• Liaisons established with some other ISO committees to help harmonize risk management expectations, etc.
• Upcoming publication of ISO 31004 – Guidance for Implementation of ISO 31000: October 2013
Challenges
• Understanding who our primary audience is and is not
• Communicating the value of the risk management standard
• Streamlining standards development processes
• Applying good practices in engaging and monitoring stakeholders throughout development
• Promoting regional cooperation
• Varying capacities of standards bodies
• Risk management as a lever for innovation
Looking Ahead – Exploring Shared Perspectives
1. Coherent expectations: Would it be helpful to organizations to have a coherent understanding of what is expected as part of ‘good risk management practice’?
2. Better practice in risk management: can we share and consolidate our knowledge to help organizations?
3. Roles/Responsibilities: can we help organizations with a common approach to establishing who does what? (See attached sample)
Framework Design: Clarifying Who Does What (Sample Organization)
(Based on the Institute of Internal Auditors Position Paper www.theiia.org)
[Diagram: roles across the sample organization – Proposed Planning role, Audit/evaluation Role, Risk Oversight Role, Proposed ERM Leadership Roles, Proposed Business Unit Role, Legal]
Legend: Core internal audit roles in regard to ERM; Legitimate internal audit roles with safeguards; Roles internal audit should not undertake
The adaptation and use of this graphic as a tool for ERM design and implementation is copyrighted to RiskResults Consulting Inc. 2010 ©
Conclusion
• We have similar challenges
◦ Value proposition of our respective auditing and risk management functions
• We have a major common objective
◦ helping organizations to achieve their objectives
• One Road: How can we pull together, on what topics, to help organizations worldwide improve performance?
Jan Mattingly
RiskResults Consulting Inc.
www.riskresults.ca
T/M: 613-286-6885
Email: [email protected]