mastering enterprise risk management inside your organization

!"#$%&'()*$+%*,($%&-&'#%*.'#/*!"(")%0%($**'(#'1%*234&*3&)"('5"63(*

!"#$%&'(')*+*(,%%&'#,*-./'##0%

72"1*!34&$"1"8*97:8*9!:8*9;,8*9<=<8*!>:>*

:?"1%02*@%)&%%#A*

9%&6B%1*7($%&("C*:41'$3&**

9%&6B%1*;&"41*,D"0'(%&**

9%&6B%1*!"(")%0%($*:??34($"($**

9%&6B%1*<&3E%##'3("C*'(*=%"&('()*"(1*<%&E3&0"(?%**

9%&6B?"63(*'(*93($&3C*F%CE*:##%##0%($**

9%&6B?"63(*'(*.'#/*!"(")%0%($*:##4&"(?%*

72"1*!34&$"1"*

4

G-%(H+'(/'()*'#*"(**:9;,*:4$+3&'5%1*H&"'(%&*'(*$+%**I:,*"(1*J"$"&**

.'#/*@%B('63(#**

!.'#/*"#$%&'$()##"*"+"%,$%&-%$-.$'/'.%$0"++$)1123$-.4$-4/'3#'+,$-5'1%$%&'$-1&"'/'6'.%$)7$)*8'19/'#:;$$

<=>=$?@A$B$C.%'D3-%'4$E3-6'0)3F$GH'3#',$<"%,I$JHK$LC<ML#I$NOOPQI$MR$

!.'#/$S"#T$%&'$()##"*"+"%,$)7$-.$'/'.%$)11233".D$%&-%$0"++$&-/'$-.$"6(-1%$).$%&'$-1&"'/'6'.%$)7$)*8'19/'#:$@"#F$"#$6'-#23'4$".$%'36#$)7$"6(-1%$-.4$+"F'+"&))4;$$CMME$GL+%-6).%'$>(3".D#I$EUK$CCLI$NOVVQI$(:PW$$

9"(*234*%C'0'("$%*&'#/K**

X-+2'$-.4$@"#F$

VV$

E3-24$

U-0#2"%#$

M'.-+9'#$-.4$Y.'#$

C.13'-#'4$6-3F'%$#&-3'$

J'0$(3)421%$4'/'+)(6'.%$

C.13'-#'4$3'/'.2'$

9&%"6()*#+"&%+3C1%&*

L"C4%*

M*

N*

O*:*=*I*,*<&%#%&L'()*

#+"&%+3C1%&*L"C4%*

?.%'3(3"#'$@"#F$A-.-D'6'.%$G?@AQ$-#$-.$'##'.9-+$%))+$7)3$D))4$1)3()3-%'$D)/'3.-.1'I$@-&-82$M-+I$Z'+)"['$\$?.%'3(3"#'$@"#F$>'3/"1'#$I>'(%'6*'3$NOVO$

]2#".'##$=*8'19/'#$$

• >%3-%'D"1$=*8'19/'#$$• =('3-9).#$=*8'19/'#$$• @'()39.D$=*8'19/'#$$• <)6(+"-.1'$=*8'19/'#$<=>=$?@A$B$C.%'D3-%'4$E3-6'0)3F$GH'3#',$<"%,I$JHK$LC<ML#I$NOOPQI$MR$

9+"()%*$+%*93($%D$*

H"/'()*.'#/*

*'#*E4(1"0%($"C*$3*13'()*P4#'(%##*

@%"C'()*Q'$+*.'#/*

<)66"[''$)7$>().#)3".D$=3D-."^-9).#$)7$%&'$_3'-40-,$<)66"##").$\$@"#F$L##'##6'.%$".$M3-191'$G=1%)*'3$NOVNQ$$$MV$

=(96-+$$@"#F\_-F".D$$

V:$Z'Y.'$%&'$M3)*+'6$`$=(()3%2."%,$$$

N:$U"#%$L+%'3.-9/'#$$

W:$C4'.97,$M)##"*+'$)2%1)6'$$

P:$U"#%$M-,)5#$

R:$>'+'1%$%&'$?/-+2-9).$A)4'+$

a:$L((+,$A)4'+$b$A-F'$Z'1"#").$

Internal Auditing: Assurance and Consulting Services, 2nd Edition. © 2009 by The Institute of

Internal Auditors Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL

32701 USA

<=>=$G<)66"[''$)7$>().#)3".D$=3D-."^-9).#Q$

7(+%&%($*.'#/#*



32701 USA

F34&?%A*7.!*

CCL$<-.-4-I$?3"1$U-/)"'$

@"#F$L(('9%'$-.4$_)+'3-.1'$

<C%"#%**/%%-**

$+%*79,*

<C"(*"(1*?3(#$&4?$*$+%*$"CC%#$*#$&4?$4&%*"(1*-4$*$+%*0"&#+0"CC3Q*3(*$3->**

C6(-1%$/#:$M3)*-*"+"%,$

Control

Share/Transfer Mitigate & Control

Accept (Mointor)

High Risk

Medium Risk

Medium Risk

Low Risk

Low

High

High

I M P A C T

PROBABILITY

,($%&-&'#%*&'#/*0"(")%0%($*T,.!U*

9GFG*,.!*

@%B('63(*3E*,.!*$ $!"#$#!"#$%&&%#&'&()&*#+,#$-#&-.),/0#+1$2*#13#*42&()120%#5$-$6&5&-)#$-*#1)7&2#8&201--&9%#$8894&*#4-#0)2$)&6,#0&:-6#$-*#'$"#&&()*%(%+)%"!",&%%#*&046-&*#)1#4*&-.3,#81)&-.$9#&;&-)0#)7$)#5$,#$'&()#)7&#&-.),%#$-*#5$-$6&#240<0#)1#+&#=4)74-#4)0#240<#$88&.)&%#)1#821;4*&#2&$01-$+9&#$00>2$-(&#2&6$2*4-6#)7&#$(74&;&5&-)#13#&-.),#1+?&(.;&0@A## # # #########################B1>2(&C##DEBE#F-)&28240&#G40<#H$-$6&5&-)#I#J-)&62$)&*#K2$5&=12<@##LMMN@##

O7&#D1554P&&#13#B81-0124-6#E26$-4Q$.1-0#13#)7&#O2&$*=$,#D15540041-#RDEBES$

,.!*@%B('63(*E&30*77:*

?@A$!"#$-$#%321%23'4I$1).#"#%'.%$-.4$1).9.2)2#$(3)1'##$-13)##$%&'$0&)+'$)3D-."^-9).$7)3$"4'.97,".DI$-##'##".DI$4'1"4".D$).$3'#().#'#$%)$-.4$3'()39.D$).$)(()3%2."9'#$-.4$%&3'-%#$%&-%$-5'1%$%&'$-1&"'/'6'.%#$)7$"%#$)*8'19/'#:;$

L##'##$@"#F#$M3)1'##$E+)0$Z"-D3-6$



32701 USA

@3?40%(6()**.'#/*:##%##0%($***

&[(K``000:".#"D&%:%,('(-4:1):2F`$

=3#$*"$*F%"**V&"+"0%*W(3D*

V%$*R*H'?/%$*34$*RSS**$3*Q'(*RS8SSS*

V%$*R*H'?/%$*34$*3E*RS8SSS**$3*Q'(*R8SSS8SSS*

:*

X*RY*

S>SRY*

-.#/($'+(*'0%(1",22,'+)(,3%'&4(1/)(,5(6#/($'+7)(8%)()*%9('$"#&&:(6#/"(,3%'&(;#+7)(8%)(6#/('+6;*%"%<=(

(>(?%%(@'$#$$':(A#"9%"(B*"6&2%"($*',"9'+(*

.'#/*&%-3&6()*"(1*?3004('?"63(#*

I(1%&#$"(1*$+%*-%&#-%?6L%*3E*234&*?C'%($*

*Mea

sure

and

repo

rt RM

impl

emen

tatio

n

Excellent

•  Advanced capabilities to identify, measure, manage all risk exposures within tolerances

•  Advanced implementation, development and execution of ERM parameters •  Consistently optimizes risk adjusted returns throughout the organization

Strong

•  Clear vision of risk tolerance and overall risk profile •  Risk control exceeds adequate for most major risks •  Has robust processes to identify and prepare for emerging risks •  Incorporates risk management and decision making to optimize risk adjusted

returns

Adequate

•  Has fully functioning control systems in place for all of their major risks •  May lack a robust process for identifying and preparing for emerging risks •  Performing good classical “silo” based risk management •  Not fully developed process to optimize risk adjusted returns

Weak •  Incomplete control process for one or more major risks •  Inconsistent or limited capabilities to identify, measure or manage major risk

exposures Source: Standard & Poor!

f2"4'$%)$?.%'3(3"#'$@"#F$A-.-D'6'.%I$E3'g2'.%+,$L#F'4$h2'#9).#$M3)9/"9$C.1:$H-.2-3,$NOOa$

F?3-%*3E*7FG*ZRSSS*_&"#$".%'3.-9).-+$#%-.4-34$(3)/"4'#$(3".1"(+'#$-.4$D'.'3"1$D2"4'+".'#$).$3"#F$6-.-D'6'.%i$"%$1-.$*'$2#'4$*,$-.,$(2*+"1I$(3"/-%'$)3$1)662."%,$'.%'3(3"#'I$-##)1"-9).I$D3)2($)3$".4"/"42-+:$$_&'3'7)3'I$%&"#$#%-.4-34$"#$.)%$#('1"Y1$%)$-.,$".42#%3,$)3$#'1%)3:$

9&'6?"C*930-3(%($#*3E*7FG*ZRSSS*

_&'$-&'(?'-C%#$(3)/"4'$%&'$

7)2.4-9).$-.4$4'#13"*'$%&'$g2-+"9'#$)7$'5'19/'$3"#F$

6-.-D'6'.%$".$-.$)3D-."^-9).$

The framework manages the

overall process and

its full integration

into the organization

The process for managing risk

focuses on individual or

groups of risks, their

identification, analysis,

evaluation and treatment

A)."%)3".D$b$3'/"'0I$1).9.2-+$"6(3)/'6'.%$-.4$1)662."1-9).$)1123$%&3)2D&)2%$

E3)6$LJ>C`L>>?`C>=$WVOOO$

Principles

A-.4-%'$b$<)66"%6'.%$

Z'#"D.$73-6'0)3F$7)3$6-.-D".D$3"#F$

Framework RM Process

C6(+'6'.%$3"#F$6-.-D'6'.%$

A)."%)3$-.4$3'/"'0$%&'$73-6'0)3F$

<).9.2-++,$"6(3)/'$%&'$73-6'0)3F$

?#%-*+"#&$%&'$1).%'j%$

<)662.

"1-%'$-.4$1).#2+%$

A).

"%)3$-.4$3'/"'0

$@"#F$"4'.9Y1-9).$

@"#F$-.-+,#"#$

@"#F$%3'-%6'.%$

@"#F$'/-+2-9).$

@"#F$-##'##6'.%$

•  <3'-%'#$/-+2'$•  C.%'D3-+$(-3%$)7$$)3D-."^-9).-+$(3)1'##'#$

•  M-3%$)7$4'1"#").$6-F".D$

•  ?j(+"1"%+,$-443'##'#$2.1'3%-".%,$

•  >,#%'6-91I$#%321%23'4$b$96'+,$

•  ]-#'4$).$*'#%$-/-"+-*+'$".7)$

•  _-"+)3'4$•  _-F'#$&26-.$$b$12+%23-+$7-1%)3#$".%)$-11)2.%$

•  _3-.#(-3'.%$b$".1+2#"/'$

•  Z,.-6"1I$"%'3-9/'$b$3'#().#"/'$%)$1&-.D'$

•  E-1"+"%-%'#$1).9.2-+$"6(3)/'6'.%$b$'.&-.1'6'.%$)7$%&'$)3D$

k.4'3#%-.4$J'0$@"#F#$

U)0$M3)*-*"+"%,$*2%$X'3,$l"D&$C6(-1%$

9&%"6()*"*.'#/*94C$4&%*

7($%CC')%($*.'#/*!"(")%0%($*#2#$%0*

V3L%&("(?%8**.'#/*!"(")%0%($**

"(1*930-C'"(?%*TV.9U*

7$*'#*(3$*"P34$**.'#/*!"(")%0%($**P4$*&"$+%&*"P34$*

0"(")'()*$+%*&'#/*

mastering enterprise risk management inside your organization

Business

risk management

risk adjustedreturnsadequate

emerging risks

major risks inconsistent

developed process

major riskexposuressource

functioning control

limited capabilities