Internal Control and Risk Management (PPT courseware, 44 slides).pptx

Internal Control and Risk Management
Thomas Henschel

Learning Objectives
- To appreciate current regulations of Internal Control and Risk Management
- To understand that risk management is an integral part of corporate governance
- To appreciate the benefits of Enterprise Risk Management and controlling risks

The role of the board and the integration of risk management
(Figure: four review cycles, namely the policy, operations, governance and strategy review cycles, surround a "Risk and Opportunity Management" grid whose axes are Internal/External and Short-term/Long-term. The four quadrants are:)
- Accountability
  - to the company
  - to owners
  - to regulators
  - to legislators
  - to other stakeholders
- Policy formulation
  - creating the vision
  - creating the mission
  - creating values
  - developing culture
  - monitoring the environment
- Strategic thinking
  - positioning in the changing markets
  - setting corporate direction
  - reviewing and deciding key resources
  - deciding the implementation process
- Supervisory management
  - oversight management
  - monitoring budgetary control
  - reviewing key business results
  - ensuring business capability
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 7

Internal control and risk management in context
(Figure: the UK regulatory landscape around a public company (issuer) and its internal control and risk management. Elements shown:)
- HM Treasury; Financial Services and Markets Act 2000; Financial Services Authority (FSA)
- Listing Rules; admission to listing and trading on an RIE market; trade securities on the RIE market of the London Stock Exchange
- Combined Code of Corporate Governance, July 2008: C.2 Internal Control (Code Provision C.2.1); C.3 Audit Committee and Auditors (Code Provision C.3.2)
- Derek Higgs Report; Robert Smith Guidance: Guidance on Audit Committees (The Smith Guidance, 2003)
- Internal Control: Guidance for Directors on the Combined Code, Turnbull Committee 1999, Institute of Chartered Accountants in England and Wales
- Annual Reports and Accounts: describe compliance with the provisions of the Combined Code
- Auditors; Internal Control; Risk Management; COSO ERM Framework
- UK subsidiaries of US listed companies: Sarbanes-Oxley Act 2002 requires reporting on the effectiveness of internal controls
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 42

Composition of the Combined Code 2008 and its relationship to the Turnbull guidance
Corporate Governance: The Combined Code on Corporate Governance, July 2008
- A. Directors
- B. Remuneration
- C. Accountability and audit
  - C.1 Financial Reporting
  - C.2 Internal Control
  - C.3 Audit committee and auditors
- D. Relations with Shareholders
- E. Institutional Shareholders
Internal Control: Internal Control: Guidance for Directors on the Combined Code, published by the Institute of Chartered Accountants in England and Wales in September 1999
- financial
- operational
- compliance
- risk management
Elements of a sound system of internal control:
- Facilitate the company's effective and efficient operation by enabling it to respond appropriately to significant business, operational, financial, compliance and other risks to achieve the company's objectives.
- Help ensure the quality of internal and external reporting
- Help ensure compliance with applicable laws and regulations
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 35

The Turnbull Report 1999
- The Combined Code (1998) dealt with internal control in Provisions D.2.1 and D.2.2. These became Provisions C.2 and C.2.1 in the Revised Combined Code (2003, 2008).
- In these Provisions, the Code stated that company directors should conduct a review of the effectiveness of their internal control systems and report this information to shareholders.
- Turnbull provided an explicit framework for reporting on risk management.

The Turnbull Framework
(Figure, Solomon et al., 2007)

Defining internal control
Definition of COSO (Committee of Sponsoring Organizations):
Internal control is a process, established, operated and monitored by those charged with governance and management of a company, to provide reasonable assurance regarding the achievement of objectives in the following categories:
a) The effectiveness and efficiency of the company's operations;
b) The reliability of its financial reporting;
c) Its compliance with applicable laws and regulations.

Internal control objectives (COSO)
- Sustaining the company's business operations (efficiency and effectiveness concerns)
- Preparing reliable financial reporting (including financial statements)
- Compliance with applicable laws and regulations

Components of a system of internal control (COSO)
A system of internal control consists of five interrelated components:
- Control environment
- Risk assessment
- Control activities
- Information and communication
- Monitoring
Each component is relevant for each internal control objective.

Components of a system of internal control
(Figure)

Separation of functions
- Separation of functions ("segregation of duties") as a preventive control measure
- It calls for the separation of the four basic functions of transaction processing:
  - Authorizing transactions
  - Executing transactions
  - Recording transactions
  - Safeguarding resources resulting from consummating transactions
- The objective is mainly to provide an environment where fraud becomes difficult

Defining internal audit
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."
Institute of Internal Auditors

Internal audit process
- Primary task: examine and evaluate the adequacy and effectiveness of the internal control system
- Evaluate the quality of performance in carrying out assigned responsibilities
- Can be considered to be part of the monitoring component of an IC system
- Its scope potentially covers all activities within the company

Independence of internal audit
- Independence with regard to the activities they audit is essential for the internal audit function
- Independence should be assured through:
  - Organizational position and authority within the company
  - Recognition of professional objectivity

Enterprise Risk Management: Overview
- Risk Attitudes
- Risk Management Systems: ERM
- Risk and Culture
- Risk & Responsibilities
- Risk Management Strategies

Risk Attitudes
- Personal views
- Shareholder demand
- Organisational influence
- National and cultural influences
- Entrepreneurial risk
  - Uncertainty regarding market demand
  - Uncertainty regarding own entrepreneurial ability

Risk Management Systems: Enterprise Risk Management
"ERM is the discipline by which an organisation in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organisation's short and long term value to its shareholders."
The CAS Committee on ERM
ERM is a framework designed to ensure the consistent identification, assessment, evaluation and management of risks across the organisation.

Enterprise Risk Management: Key Drivers
- More and more complicated risks
- External pressures
- Portfolio point of view
- Quantification
- Risk as an opportunity

Benefits of ERM
- Alignment of risk appetite and strategy
- Link growth, risk and return
- Choose the best risk response
- Minimise surprises and losses
- Identify and manage risks across the organisation
- Provide responses to multiple risks
- Seize opportunities
- Rationalise capital
http://www.coso.org/Publications/ERM/COSO_ERM_ExecutiveSummary.pdf

ERM: Limitations
- Some events can't be foreseen
- The board depends on management for correct information
- Boards can blink
- ERM has been flawed historically because practitioners tended to pay a lot of attention to quantifiable risks

Embedding risk awareness and assessment
- Risk culture: an integral part of embedding risk awareness and assessment
- Risk policy statement
- Risk register

Risk Management Responsibilities
The Board: the board's role in managing risk is one of the most important. Emphasised in the Turnbull Report.
- Determining risk management strategy
- Policies on internal controls and seeking assurance on internal controls
- Monitoring risks

Risk Management Responsibilities
Risk Management Committee
- If a risk management committee is not present, under the Combined Code the audit committee will be responsible for risk management
- Are there advantages in having a separate risk management committee?
Roles of the Risk Management Committee
- Approving the risk management strategy and policy
- Reviewing reports on key risks
- Monitoring overall risk exposure
- Providing early warning to the board
- Reviewing the company's statement on internal control

Risk Management Responsibilities
- Risk Management Group
- Internal and External Audit
- Line Managers (emphasised in the Turnbull Report)
- Staff (emphasised in the Turnbull Report)

Risk Management Responsibilities
Risk Manager (as applied to ERM)
- Overall leadership for ERM
- Integrate RM across the organisation
- Implement RM policies
- Implement a set of risk indicators and reports
- Dealing with insurance companies
- Allocating economic capital to business activities
- Reporting to the CEO (some CROs have a direct reporting line to the board)

Risk Management Strategies
Avoidance of risk
- Will the possible savings from avoiding the risks be greater than not taking any measures and running the risks?

Risk Management Strategies
Reduction of risk
What measures could you take to reduce the risk that suppliers do not deliver supplies of the required quality or do not deliver on time?
- Contingency planning
  - Information
  - Responsibilities
  - Practice
- Loss control
  - Physical devices
  - Awareness and commitment
- Risk pooling and diversification
  - Systematic (market risk) and unsystematic risk
  - The Capital Asset Pricing Model (CAPM)
- Risk hedging
  - Commonly used in the area of currency and interest rate management

Risk Management Strategies
Acceptance of risks
- Self-insurance
- Captive insurance (a captive insurance company is a subsidiary company formed to insure or reinsure the risks of its parent and/or associated group companies)
  - Cost
  - Flexibility
  - Claims management

Risk Management Strategies
Transfer of risk
- Hold harmless agreements
- Limitation of liability
- Risk sharing

ERM framework
(Figure: five nested layers.)
1. Corporate Governance (board oversight)
2. Internal Control (sound system of internal control)
3. Implementation (appointment of external support)
4. Risk Management Process (incremental phases of an iterative process): Analysis, Risk Identification, Risk Assessment, Risk Evaluation, Risk Planning, Risk Management
5. Sources of Risk (internal to a business and emanating from the environment): Internal Processes, Business Operating Environment
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 10

Levels within a corporate organisation
(Figure: risk management at the Corporate, Strategic Business and Project levels.)
- Corporate level: long-term risks, low level of detail involved
- Project level: short-term risks, high level of detail involved
Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2008, p. 3

Sources of market risk and opportunity
Macro marketing environment:
- Political
- Cultural
- Demographic
- Physical & Natural
- Legal & Regulatory
- Technological
- Economic
- Competitive
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 357

Typical risk parameters
(Figure: parameters surrounding a central "Risk" node.)
- Susceptibility to change or external influences: opportunity; upside or downside result
- Degree of interdependency with other factors of risk
- Severity of impact (high/low): threat intensity (damage potential), continuously varying in terms of cost & time
- Probability of occurrence (high/low): varying probability (0-1); frequency (high/low)
Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2008, p. 11

Classification of strategy risk
Risk classification: element, attributes and features
Element: Strategy
Attributes: Objectives; Business plan; New business development; Resources; Stakeholder interests; Corporate experience; Reputation
Features: objectives; factors of production; reflects strategy; assumptions; currency; regulatory priorities; additional costs; IT failure; 3rd party providers; overheads; customer base; fraud exposure; resource needs; resource mismatch; ability of staff; equity, debt; identified; assessed; reflected in business plan; markets; customers; suppliers/contractors; distribution mechanisms; products/services; risk/regulatory/legal context; brand protection
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 224

Classification of people risk
Risk classification: element, attributes and features
Element: People
Attributes: HRM practices; Salaries; Regulatory and statutory requirements; Staff constraints; Staff dishonesty; Risk management; Health and safety
Features: liquidity; working conditions; job satisfaction; development and training; fairness of rewards; employee relations; contracts; maternity; discrimination; whistleblowing; dismissal; trade unions; recruitment; staff turnover; staff absenteeism; staff criticality matrix; fraud/deception; theft; concealment; culture; system; management; plant and machinery; fleet management; office accommodation
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 229

Classification of processes and systems risk
Risk classification: element, attributes and features
Element: Processes and systems
Attributes: Controls; Regulatory and statutory requirements; Continuity; Transactions; Computer/IT systems; Knowledge management; Indicators of loss
Features: notification; trigger points; business objectives; quality; business continuity; meeting commitments; production processes; documentation; product variation; goods in transit; business alignment; network availability; data integrity; electronic data security; system capacity; data recovery; intellectual property; establish indicators; review process
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 246

The value chain (Porter, 1991)
Support activities:
- Business Infrastructure
- Human Resource Management
- Technology Development
- Procurement
Primary activities:
- Inbound Logistics
- Operations
- Outbound Logistics
- Marketing & Sales
- Service
Margin
Source: Chapman, Enterprise Risk Management, Wiley, 2008, p. 432

Typical summary of a risk register output
Columns: Priority | Description | Probability | Impact | Owner | Key Dates | Current Actions | Review Date
Rows: 1, 2, 3, ..., x, ..., n
Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2008, p. 73

Risk matrix chart
(Figure: a probability/impact matrix with four quadrants.)
- PUPPIES (High Probability, Low Impact): can do damage, but a little training ensures not much trouble.
- TIGERS (High Probability, High Impact): dangerous and need to be neutralised as soon as possible.
- KITTENS (Low Probability, Low Impact): little attention needed, as the project can tolerate them.
- ALLIGATORS (Low Probability, High Impact): dangerous, but can be avoided with care.
Source: Merna/Al-Thani, Corporate Risk Management, Wiley, 2008, p. 75

LECTURE SUMMARY: INTERNAL CONTROL AND RISK MANAGEMENT
- Risk Management Strategies and Techniques
- Risk Management Responsibilities
- Enterprise Risk Management
- Internal Control Concept
- The Turnbull Report 1999
- Link between Internal Control and Risk Management