ERM - Objective Setting/Event Identification/Risk Assessment/Risk Response & Control Activities
The third part of my post requires understanding the following components together, in a single stretch, to see how a control is determined and implemented for the purpose of ERM.
(1) Objective Setting,
(2) Event Identification,
(3) Risk Assessment,
(4) Risk Response & Control Activities
(1) Objective Setting – Involves identifying or understanding what an organization, a division or a department is expected to achieve in the long term (its strategic objective) and the related short-term or operational objectives that would enable achieving the strategic objective. In the process we also understand to what extent the organization is willing to tolerate or accept deviations from its operational objectives such that the strategic objective is still considered achieved or achievable.
Let us take the sales process as an example and identify its objectives on a hypothetical basis:

(2) Event Identification – Events are occurrences that either provide an opportunity or pose a risk to achieving the operational objectives. They can arise on account of either external or internal factors and are measurable.
In the given example, with retaining the customer base as an operational objective, the following could be considered internal events that may be a cause for concern, along with additional aspects of events:

(3) Risk Assessment – Involves determining the probability of occurrence and its impact on the measured values (recall my views on “what is Risk” in my first post). While performing this assessment, the risk-assessing consultant may use the techniques listed below to arrive at the likelihood of occurrence of the event:
(a) Qualitative measure –
(i) Nominal Measurement
(ii) Ordinal Measurement
Required techniques for the above measurement are:
(i) Risk Ranking like Low, Medium and High
(ii) Color coding like Green, Yellow and Red
(b) Quantitative measure –
(i) Probabilistic
(a) Value at risk
(b) Cash flow at risk
(c) Earnings at risk
(d) Assessment of loss events and
(e) Back testing
(ii) Non-Probabilistic: involves understanding how the occurrences of relevant values are distributed; the related probability may be determined after this exercise
(a) Sensitivity analysis
(b) Scenario analysis
(c) Stress analysis
(iii) Benchmarking: involves comparison of actual values with
(a) Internally determined benchmark
(b) External or market trend (Competition or Industry)
(c) Best in class
Note: The measures and techniques are not detailed here, as the intent is to give an overview and not to present theoretical knowledge on how to use them.
A pictorial presentation of Risk Assessment is given below:
Note: The above approach is to assess the likelihood, based on which the impact would be computed.

(4) Risk Response & Control Activities –
Response – As we determine the impact of inherent risk through the risk assessment process, senior management is expected to exercise its philosophy of managing that risk so that the impact or residual risk remains within the tolerance determined during objective setting. This is achieved by one of the following:
(a) Avoid the risk: Eliminate the event that carries such inherent risk, or
(b) Reduce the risk: Implement controls in such a manner that the residual risk remains within the tolerance defined, or
(c) Share the risk: The risk and rewards are shared by more than one stakeholder, of which the concerned organization is one, through joint ventures, insurance and others, or
(d) Accept the risk: Management decides to accept the loss on account of the risk having an impact on its objectives
Control Activities – Once management opts for the second choice, to reduce the risk, it would come up with controls to mitigate or reduce the likelihood of occurrence of the inherent risk such that the residual risk is within the tolerance limits defined during objective setting:
A pictorial presentation of Risk Response and Control Activities is given below:

The Risk Response and Control Activities identified are given below:


Risk Management & Overall View for reference:
