Objective Centric ERM & Internal Audit Library Overview
Risk Oversight Solutions offers the following reference aid to public and private sector organizations free of charge, with the exception of
any organization whose purpose is to generate revenue from direct or indirect sale of the materials. Contact us today to become an
authorized distributor. Permission to reproduce with attribution is granted by Risk Oversight Solutions Inc. (ROS), with the exception noted
above.
©2017 Risk Oversight Solutions Inc.
RiskStatusOversight™ Library Document Description/Benefits
RiskStatusline™ Core Methodology
The RiskStatusline™ approach provides the foundation building block for
our revolutionary Objective Centric ERM and Internal Audit approach to
risk governance. It explicitly recognizes that prudent risk taking is a key
element of business success. This reference diagram explains in simple
and easy to understand words the key elements of the RiskStatusline™
risk assessment process.
The RiskStatusline™ assessment approach is aligned with ISO 31000 risk
management standard terminology. It puts more emphasis than ISO
31000 on the need to link all risk assessment work to objectives and
performance, and has two additional unique differentiating elements –
“Residual Risk Status” and “Risk Treatment Optimized?”. Residual Risk
Status is comprised of four kinds of information – best available
“Performance/Indicator data” linked to the objective being assessed,
“Concerns” linked to risks that are not currently treated in whole or in
part, “impacts of non-achievement of the objective in whole or in part”,
and “impediments”, situations where it is difficult or impossible for the
owner or sponsor of the objective to adjust the residual risk status.
The RiskStatusline™ approach is the only risk assessment methodology
that encourages users to consider whether the current risk treatment
strategy is “optimized” – the lowest cost possible combination of risk
treatments capable of producing an acceptable residual risk status.
RiskStatusline™ is the ideal risk management system for organizations
that want to deliver better risk information to the C-Suite and board of
directors and want senior management to apply formal risk assessment
methodology as an element of the organization’s strategic planning and
continuous improvement processes; as well as those organizations that
want to ensure that key value creating and value eroding objectives are
adequately considered in their risk management approach.
RiskStatusOversight™ Training & Reference Aid Library Overview
RiskStatusline™ Risk Treatment Principles and
Expanded Trigger Statements
Key goals of a robust risk management framework are: 1) to engage the
active participation of all levels of an organization to help make better
resource allocation decisions and 2) to integrate and coordinate the efforts
of all the often disparate assurance silos. Adopting a common language
to assess and report upwards on residual risk status is key. The
RiskStatusline™ Risk Treatment Principles, Risk Treatment Elements, and
Risk Treatment Trigger Statements are designed to foster and support the
use of a common language to assess and report on risk entity-wide. They
are written in a way that makes it easy for users to understand how
specific risk treatment elements can contribute to the reduction of risk
likelihood and/or consequences.
The RiskStatusline™ Risk Treatment Principles framework provides an
easy to understand set of core principles to guide risk assessment work.
All elements in the COSO 1992 five-category system and the more granular
COSO 2013 17 principles are represented in the framework. Once a risk is
identified, users can consider which combination of Risk Treatment
Principles is likely to produce an optimal risk treatment strategy capable
of producing a level of residual risk consistent with the organization’s risk
appetite/tolerance. The nine Risk Treatment Principles are supported by
the more detailed Risk Treatment Design Elements that provide support
for each of the Principles. The Elements are in turn linked to easy to
understand trigger statements that make the purpose of each Risk
Treatment Element understandable to users. The simplicity and
increased emphasis on and importance of “Objective Definition and
Communication”, “Commitment” controls, “Indicator/Measurement”
controls, “Risk Sharing/Transfer” and “Risk Oversight” differentiate this
framework from the more traditional, external auditor-centric design of
COSO 1992 and 2013 “control frameworks”.
Once a user has determined that a risk to an objective needs a particular
type of risk treatment from the Risk Treatment Principles they can
consult the menu of Risk Treatment Elements and determine which, if
any, treatment is currently in use/place or could be applied to reduce
residual risk. This framework, unlike COSO 1992 or COSO 2013, explicitly
recognizes the role and importance of “Risk Sharing/Transfer” risk
treatments (Category 8). The framework is fully aligned with the
emerging expectation that boards are responsible for overseeing and
ensuring the effectiveness of their organization’s “Risk Appetite
Framework”. The importance of Measurement/Indicator controls to
monitor the effectiveness of other risk treatments, and “Commitment”
controls to increase certainty objectives are achieved is emphasized in
this framework.
RiskStatusline™ Quick Reference and Objective
Centric ERM & Internal Audit Key Concepts
This easy to use reference aid is a multi-purpose tool. It helps users
determine if they have considered the full range of objectives when
building the OBJECTIVE REGISTER by considering the 13 “Business
Objectives Families”. When generating lists of relevant risks for a
specific objective, users can consult “Risk Sources” to provide
additional assurance all relevant and significant risks have been
considered. The “Residual Risk Status Information” provides easy to
use definitions to ensure users understand the four main types of
information gathered to generate a composite and robust snapshot of
“Residual Risk Status”. Residual Risk Status data helps decision
makers assess if the current residual risk status is within corporate risk
appetite/tolerance. “Composite Residual Risk Ratings Definitions” on
the bottom right help OWNER/SPONSORS and Internal Auditors
determine the most appropriate summary rating for each
objective being assessed.
When an organization elects to introduce Risk Oversight Solutions’
objective centric approach to ERM and Internal Audit, a well-designed
training and orientation program must also be launched. This
document provides an easy to use guide for owner/sponsors and
assurance groups that summarizes the key steps involved.
This approach is the only one currently in the world that promotes full
communication to senior management and the board of directors of the
top value creation/preservation objectives, the “Composite Residual
Risk Rating”, the level of “Risk Assessment Rigor”, and the
“Independent Assurance Level” attached to each objective included in
the organization’s “Objectives Register”.
This document provides a handy reference tool for Boards, Risk
Oversight Committees, owner/sponsors, and assurance groups that
must decide on and/or quality assure key summary ratings assigned to
each objective.
Objective Centric ERM & Internal Audit: 5 Step
Overview and Sample Objective Register
The core foundation of our objective centric approach to ERM and
internal audit is an “OBJECTIVES REGISTER”. The 5 Step Overview
summarizes the key steps to implement an objective centric
approach. An important goal is to ensure the OBJECTIVES REGISTER
includes the organization’s top value creation and preservation
objectives. Traditional approaches like THREE LINES OF DEFENSE
focus participants on value preservation objectives. This approach
recognizes organizations must balance value creation and value
preservation objectives to ensure sustained long term success.
The OBJECTIVES REGISTER is to be populated with objectives while
recognizing there is a significant cost to formal assurance, be it ERM
or internal audit, and careful consideration should be given to which
objectives warrant the cost of formal risk assessments (as opposed to
the informal risk management that occurs at all levels across an
organization). Once an objective is included in the REGISTER, decisions
must be made on who will be the OWNER/SPONSOR(S), the target
level of risk assessment rigour, and which group/person will provide
independent assurance on the risk assessments produced.
Sample Objective Centric ERM & Internal Audit
Corporate Risk Management Policy
A key step when implementing a new risk governance approach
entity-wide is to communicate the importance the organization
attaches to it. This sample policy supporting the objective centric
ERM and internal audit approach has been specifically written in a
simple, easy to understand way to communicate the purpose of the
framework and define the role of all the key players.
It can be easily tailored and customized to meet the specific needs of
your organization.
Risk Culture Survey to Assist in Determining
Implementation Maturity
When transitioning from traditional approaches to ERM and internal
audit, careful consideration must be given to the organization’s risk
culture. This easy to understand tool describes key differences
between traditional assurance approaches and an integrated
objective centric approach. It identifies six key elements of culture
which are core to customizing an organization’s overall approach to
assurance. The second page provides ideas on how to tailor risk
governance approaches to the current culture.