Practice Aid
Enterprise Risk Management: Guidance for Practical Implementation and Assessment
September 1, 2018
23574-349

Copyright © 2018 Association of International Certified Professional Accountants. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email [email protected] with your request. Otherwise, requests should be written and mailed to Permissions Department, 220 Leigh Farm Road, Durham, NC 27707-8110.

ISBN 978-1-94830-636-2 (print)
ISBN 978-1-94830-637-9 (ePub)

Recognition

Assurance Services Executive Committee (2017–2018)
Robert Dohrer, Chair; Bradley Ames; Christine M. Anderson; Nancy Bumgarner; Jim Burton; Mary Grace Davenport; Chris Halterman; Jennifer Haskell; Elaine Howle; Brian Martin; Brad Muniz; Joanna Purtell; Miklos Vasarhelyi

Risk Assurance and Advisory Services Task Force (2013–2014)
Alan Anderson, Co-Chair; Suzanne Christensen, Co-Chair; Aron Dunn; John Farrell; Bailey Jordan; Leslie Murphy; Tom Patterson; Paul Penler; Sallie Jo Perraglia; Dietmar Serbee; Beth A. Schneider; Leslie Thompson

Additional Contributors
Anita Dennis

Enterprise Risk Management: Guidance for Practical Implementation and Assessment, Revision Contributor (2017–2018)
Suzanne Christensen

AICPA Staff
Charles E. Landes, Vice President, Professional Standards Team
Amy Pawlicki, Vice President, Assurance and Advisory Innovation
Ami Beers, Director, Assurance & Advisory Services—Corporate Reporting
Dorothy McQuilken, Senior Manager, Audit Data Analytics and ERM

Table of Contents
Chapter 1  Overview of the Enterprise Risk Management Publication .... 1
  I. Introduction .... 1
  II. Who Should Use This Publication .... 2
  III. Conceptual Basis for This Publication .... 2
Chapter 2  ERM Benefits, Concepts, and Components .... 3
  I. Benefits of a Successful ERM Program .... 3
  II. ERM Concepts .... 4
    Definition of ERM .... 4
    Risks and Opportunities .... 4
    Risk in Strategy and Objective-Setting .... 4
    The Importance of Taking an Enterprise or Portfolio View of Risk .... 5
    Risk Appetite, Risk Tolerance, and Risk Profile .... 5
    Risk Inventory .... 6
    Emerging Risks .... 6
    Integration and Embeddedness .... 6
  III. Components of an ERM Program .... 6
    1.0 Governance and Culture .... 7
    2.0 Strategy and Objective Setting .... 8
    3.0 Performance .... 9
    4.0 Review and Revision .... 13
    5.0 Information, Communication, and Reporting .... 13
Chapter 3  ERM Roles and Responsibilities .... 15
  I. Organization Roles .... 15
    Board or Equivalent Roles .... 15
    Organization Management .... 16
    Internal Auditors .... 16
  II. The Role of External Parties in the ERM Process .... 17
Chapter 4  ERM Program Development .... 19
  I. Mobilize .... 19
    Establishing Appropriate Sponsorship and Resourcing .... 20
    ERM Sponsorship .... 20
    Commitment of Resources .... 20
    Establishing Roles and Responsibilities .... 21
    Program Governance .... 21
    Planning and Launch for an Initial Program Development Phase .... 21
    Timeline .... 21
  II. Current State Analysis .... 22
    Current State Considerations .... 22
    Creating an Initial Inventory of Activities and Outcomes and Gather Documentation .... 23
    Timeline .... 24
  III. Future State Operating Model Design .... 24
    Peer and Industry Analysis .... 24
    Developing a Target ERM Operating Model and Framework .... 25
    Developing the ERM Risk Appetite and Risk Tolerances .... 25
    Linking Current ERM Activities to the ERM Program Plan .... 27
    Documenting ERM Policies .... 27
    ERM Program Scalability and Related Considerations .... 27
    ERM Program Technology Considerations .... 27
    Timeline .... 28
  IV. Gap Analysis .... 28
    Preliminary Observations .... 28
    Recommendations .... 29
    Timeline .... 29
  V. Implementation and Reporting .... 29
    Developing Implementation Roadmap and Project Plan .... 30
    Designing Program Performance Measures and Reporting .... 30
    Communication and Training .... 30
    Changes to the Implementation Plan .... 30
    Timeline .... 31
Chapter 5  ERM Program Evaluation and Continuous Improvement .... 33
  I. ERM Program Evaluation .... 33
    Approach to an ERM Program Evaluation .... 33
  II. Continuous Improvement .... 34
    Approach to Continuous Improvement .... 34
    Commitment to Continuous Improvement .... 36
Glossary of Terms .... 37
Appendix A—COSO and ISO 31000 Framework Mapping .... 39
Appendix B—Example ERM Program Maturity Self-Assessment .... 45
Appendix C—References .... 51

Chapter 1
Overview of the Enterprise Risk Management Publication

I. Introduction

Every organization¹ exists for the purpose of creating value for its stakeholders. To create value, an organization sets objectives, develops strategies and plans for pursuing them, and performs actions. However, strategies, plans, and actions alone do not guarantee a desired outcome. Events and circumstances could affect the execution of these strategies and plans. Management is faced with the challenge of dealing with the uncertainties surrounding the achievement of its objectives.
Enterprise risk management (ERM) is a process that enables management to address these uncertainties in a comprehensive, integrated, and organization-wide manner in order to create value. By implementing and maintaining an effective ERM program, management teams and the governing bodies of those organizations can increase their confidence that the organization can be successful in achieving its objectives. Customers, vendors, regulators, rating agencies, and other stakeholders are increasingly interested in understanding an organization's ERM process and may base decisions regarding the organization on the effectiveness of its ERM program. This publication is intended to help those organizations seeking to establish an effective ERM program, including those whose program is in the early stages, as well as those seeking to assess and improve an existing program.

To begin, it is helpful to understand what an ERM program encompasses and how it is defined. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), in its 2017 Enterprise Risk Management—Integrating with Strategy and Performance, defined ERM as follows:

"The culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value."

Further, the International Organization for Standardization (ISO) 31000 Risk Management—Guidelines defines risk management as "coordinated activities to direct and control an organization with regard to risk." For the purposes of this publication, an organization's ERM program is defined as its principles, policies, and practices, including its people, structures, governance mechanisms, documents, values and incentives, data, and supporting technologies, that allow an organization to operationalize and execute its end-to-end ERM programs. Many organizations are challenged with the initial design and implementation of such an enterprise-wide risk management process and program and with maintaining and improving them over time so that they continue to operate effectively and add value.

Thus, the purpose of this publication is to leverage these two existing conceptual frameworks and provide practical guidance for designing and implementing a new ERM program along with the policies and procedures that define an entire ERM program, or for assessing and improving an existing program. This publication intends to serve as a bridge between the substantial, conceptual guidance that exists today and the practical realities of creating and sustaining a successful ERM program.

¹ organization. Any form of for-profit, not-for-profit, or governmental body. An organization may be publicly listed, privately owned, owned through a cooperative structure, or any other legal structure.

II.
Who Should Use This Publication

This publication is intended for practitioners who are implementing a new ERM program or improving an existing program. This publication provides a summary of the concepts and components of a successful ERM program and provides a maturity matrix and self-assessment guidance that may be helpful for practitioners who are implementing or improving an ERM program. This publication may also be helpful to third parties who have been asked to provide an evaluation or assessment of an ERM program, such as auditors, compliance specialists, consultants, or other mandated parties. Internal or external auditors in particular may be called upon to independently evaluate the effectiveness of the organization's ERM program and to make meaningful recommendations for improving or enhancing the program.

The ERM concepts, components, and examples presented in this publication are intended to be industry agnostic and applicable to organizations of many sizes and types—including public, private, not-for-profit, and government organizations. An ERM program, however, may vary significantly by industry and organization, and aspects of this publication may be more useful to some organizations than others. Careful consideration should be given to the specific circumstances of each individual organization to ensure that the targeted ERM program is well-suited for the organization.

III. Conceptual Basis for This Publication

The concepts used in this publication are primarily developed based on two of the most well-known risk management frameworks, the COSO Enterprise Risk Management—Integrating with Strategy and Performance framework (the COSO ERM framework) and the ISO 31000 Risk Management—Guidelines (the ISO 31000 framework).
This publication does not create a new framework but leverages the foundational concepts of these existing frameworks. To begin, this publication highlights overarching concepts of ERM, which are foundational to the ERM process and to the rest of this publication. In subsequent sections, the publication discusses in greater detail these concepts and the ERM process by leveraging COSO's framework of components and principles with comparisons to the ISO 31000 framework. A more detailed mapping of the COSO ERM framework components and the ISO 31000 framework can be found in appendix A, "COSO and ISO 31000 Framework Mapping."

About the COSO and ISO Risk Management Frameworks

The June 2017 COSO Enterprise Risk Management—Integrating with Strategy and Performance publication provides guidance on the broader subject of enterprise risk by defining and explaining key ERM concepts, components, and principles.

The ISO 31000 Risk Management—Guidelines of 2018 provides principles, framework, and process guidelines on managing risks faced by organizations. The document includes an approach for managing different types of risks and can be applied to any activity at all levels of an organization.

Chapter 2
ERM Benefits, Concepts, and Components

I. Benefits of a Successful ERM Program

The primary focus of an ERM program is to aid an organization in achieving its objectives to ultimately realize value. Thus, the benefits of an effective ERM program are significant.
Strong ERM Gives Companies Higher Market Value

"The Valuation Implications of Enterprise Risk Management Maturity," from the Journal of Risk and Insurance, found that organizations exhibiting mature risk management practices realize a value growth potential of up to 25 percent. Using data from the RIMS Risk Maturity Model (RMM), Mark Farrell, Actuarial Science and Risk Management Program Director at Queen's University Management School (QUMS), and Dr. Ronan Gallagher of the University of Edinburgh Business School provided evidence that firms that have reached mature levels of ERM qualities exhibit a higher firm value.

Although the previous example is targeted toward for-profit organizations, the broader benefits of a successful ERM program can be realized in all types of organizations, including not-for-profit and governmental. The more specific benefits include:

• increasing the range of opportunities available to an organization to achieve its mission and business objectives.
• enhancing the organization's ability to identify and manage its portfolio of risks across the enterprise.
• reducing operational surprises and losses.
• reducing performance variability by providing better information to help the organization identify and respond to risks.
• improving resource allocation and enhancing the organization's adaptability and resilience by increasing its ability to respond to external and internal change in a more timely and embedded manner. Risk exists in almost every decision. Thus, in order to be adaptable and resilient, it is essential that risk management is integrated fully into decision-making throughout the organization.
To add value, however, an ERM program must be effective. Thus, it is important to understand the answers to the following two questions:

• What are the attributes or characteristics of a successful ERM program?
• How do I know that an ERM program is effective?

To answer these questions and achieve the overall objectives of this publication, this chapter provides an overview of the ERM concepts and components that compose the ERM framework and are important to a well-functioning ERM program. In addition, subsequent chapters provide practical guidance to create a reference guide to design and implement, or evaluate and improve, the ERM practices of an organization to ultimately contribute to the success of the organization.

A Successful ERM Program

"Properly designed and implemented, the risk management framework will ensure that the risk management process is a part of all activities throughout the organization, including decision-making, and that changes in external and internal contexts will be adequately captured." (ISO 31000 Risk Management—Guidelines, Section 5.5, "Implementation")

It is important to note that no two organizations are alike and, to be successful, an ERM program must be tailored to the specific culture, attributes, and needs of the organization. An ERM program is also not a "check-the-box" or "complete a checklist" activity, as considerable organizational participation and judgment is required. As such, this publication describes the key concepts and components of an effective ERM program along with practical guidance on how to implement or evolve these concepts with the goal of creating an organizationally appropriate ERM program and achieving program success.

II. ERM Concepts

The following section provides an overview of key ERM terms and concepts that are essential to a successful enterprise-wide risk management program.
Definition of ERM

The COSO ERM framework defines ERM as the "culture, capabilities, and practices, integrated in strategy-setting and performance that organizations rely on to manage the risk in creating, preserving, and realizing value." Similar to the ISO 31000 framework, the COSO definition stresses that the goal of ERM is to better enable the organization to manage uncertainty and meet its objectives to ultimately realize value.

Risks and Opportunities

The linkage between these concepts and how they affect an organization's ability to meet its objectives is well established in both frameworks. Although the COSO ERM framework observes that risk is the possibility that events will occur and affect an organization's ability to achieve its established strategy and business objectives, it also notes that an effective ERM program can increase the range of opportunities available to an organization. For example, an organization may determine after assessing its current risks that it is not taking enough risk, and by accepting more risk, the organization has more available business opportunities to pursue.

The ISO 31000 framework defines risk similarly as the effect of uncertainty on objectives, where an effect is a deviation from the expected, either positive, negative, or both, that can create or result in opportunities or threats. Due to the uncertainty that underpins risk, it is possible for an event to give rise to a new risk or a new opportunity. For example, stronger than expected sales in one area may cause resource constraints and risks to another area of the organization. In contrast, declining sales in one area might free up resources to allow the organization to pursue a new area of opportunity or growth.
Risk in Strategy and Objective-Setting

The COSO ERM framework stresses the importance of an effective ERM program in increasing the likelihood that an organization will realize its business objectives. Although ERM does not create an organization's business objectives, ERM is integral to developing the strategy that drives those business objectives. ERM increases the range of opportunities to be considered in strategy-setting and increases the likelihood that an organization will be successful in both identifying the set of optimal business objectives and realizing the targeted results.