
Practical Enterprise Risk Management: A Business Process Approach PDF

291 Pages·2010·4.958 MB·English

Preview Practical Enterprise Risk Management: A Business Process Approach

Practical Enterprise Risk Management
A Business Process Approach
GREGORY H. DUCKERT
John Wiley & Sons, Inc.

Copyright © 2011 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com.

Library of Congress Cataloging-in-Publication Data:
Duckert, Gregory H., 1949-
Practical enterprise risk management : a business process approach / Gregory H. Duckert.
p. cm.
Includes index.
ISBN 978-0-470-55985-7 (cloth); 978-0-470-89251-0 (ebk); 978-0-470-89252-7 (ebk); 978-0-470-89253-4 (ebk)
1. Risk management. I. Title.
HD61.D85 2010
658.15'5—dc22
2010016278

Printed in the United States of America
10 9 8 7 6 5 4 3 2 1

To Dina, my best friend, my soul mate, my heart mate, my wife, my everything.

Contents

Preface
Acknowledgments
Chapter 1: Corporate Governance: A Gut Check
Chapter 2: What ERM Is and What It Is Not
Chapter 3: Understanding What the Business Is
Chapter 4: Defining What True Business Risk Is
Chapter 5: Objectively Defining Risk
Chapter 6: Building a Fluid/Dynamic Risk Model
Chapter 7: Top-Down Risk Assessment: Evolving the Fluid ERM Environment—A Step-by-Step Approach
Chapter 8: The Future Evolution of the Model
Chapter 9: Related Topics and Special Risk Situations
Chapter 10: Maximizing Impact—Minimizing Exposure
About the Author
Index

Preface

This book is intended to be a handbook of how to establish a highly effective enterprise risk management (ERM) environment that is actually a business tool that yields real business value. This book is a definitive guide for members of the Boards of Directors, the C Suite, Chief Risk Officers (CROs), and those charged with ERM, as well as all levels of management. In addition, this book is a must have for any shareholder who owns stock in any publicly listed corporation and should be read cover to cover to understand why she should be concerned. This is a how-to, hands-on guide, not a generic framework scenario.

With the advent of corporate business catastrophes such as Enron, WorldCom, Lehman Bros., General Motors, and so on, it behooves corporate executives to get better connected with their businesses. In addition, the government has now initiated a number of regulatory activities, including Sarbanes-Oxley, which further complicate the lives of the auditors and the corporate executives. The only way to be truly in compliance with Sarbanes-Oxley is to be well aware of what is going on in your corporation, virtually daily. To accomplish this, it is necessary for corporations to establish a highly effective information-centric risk assessment methodology. Without such a methodology intricately woven into the fabric of the organization, it is virtually impossible to guarantee any type of compliance in a realistic fashion. Enterprise-wide risk assessment is much more than simply a catchy phrase or the latest in a string of failed corporate initiatives. If properly constructed, it can be a highly effective governance and oversight tool, which becomes almost irreplaceable in the arsenal of tools necessary for progressive organizations today.

Of interest is that the Chairman Emeritus of the Committee of Sponsoring Organizations (COSO), Larry Rittenberg, PhD., CPA, CIA, attended the session I presented for the Madison, Wisconsin, chapter of the IIA on Enterprise-Wide Risk Assessment in 2001. The entire discussion was focused on the concept of using data to evaluate risk throughout an organization. In the presentation, real-time triggers, key process indicators, key risk indicators, Metric Oversight Monitoring Systems (MOMS), and numerous other concepts were discussed for consideration by the participants. I have used these and other similar tools during 30 years of data-centric risk assessment. These tools and methodology will be discussed in this book.

Dave Coderre, a very talented ACL practitioner and author, published the GTAG (Global Technology Audit Guide) on Continuous Auditing, in which he presented a very convincing argument for the necessity of continuous audit tools, continuous monitoring, and continuous risk assessment. All of these advanced methods, of course, revolve around the utilization of data. I had the great pleasure of having Dave Coderre as a participant in one of my risk assessment sessions discussing the use of data-driven risk assessment a number of years ago. It is excellent to see that the subject matter is finally getting some serious discussion at these levels.

This book is meant to be a reference point for all organizations that are engaged in or will be engaged in the exercise of establishing an enterprise-wide risk assessment and management oversight system for their organization. It presents an alternative approach to the models that are most commonly seen. In keeping with the underlying thought process of this book, it is straightforward and to the point. This book is not an exercise in overcomplicating a straightforward issue. There are many people who believe that complexity adds value to a process or a methodology. I am not one of them. The whole premise of the book is that complexity in most cases adds nothing to a business process but complexity.

A risk model is no exception. The reality of the matter is that when a risk model becomes overly complex it also becomes unusable. Therefore, as we proceed from this point forward, everything will be clearly expressed and understandable. There will be no complex theories to entangle endlessly what is actually a very commonsense subject matter. Under no circumstances will there be any abstract theories or unattainable methodologies employed. The approach to risk assessment undertaken in this book is based upon fact, common sense, and practical methodologies for implementation. The model also eliminates subjectivity and guesswork as much as possible.
The model presented parallels the normal operation of the business, can be effectively utilized at all levels of the business, and can be truly used to create an all-encompassing risk model. In Chapter 1 I discuss the subject of corporate governance and what is wrong with it in its current format. In addition, I call attention to one of the
