LOGO

Risk Management
Chapter 4

Topics
Overview of Risk
Management

COSO ERM Framework

ISO 31000: 2009 Risk
Management
Internal Audit Function
Role

Definition of Internal Auditing

(IIA, 2012)
Internal auditing is an independent, objective
assurance and consulting activity designed to add
value and improve an organizations operations. It
helps an organization to accomplish its objectives
by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk
management, control, and governance
processes
.

Understanding Internal Auditing

Key components
Helping the organization accomplish its
objectives.
Evaluating and improving the effectiveness of
risk management, control, and governance
processes.
Assurance and consulting activity designed to
add value and improve operations.
Independence and objectivity.
A systematic and disciplined approach

Then, ..
The internal auditor must have:
An understanding of the risk management
process
An understanding of the risk assessment
process
The tools used to make the assessment

Internal Auditing: Assurance and Consulting Services, 3rd Edition. 2013 by The Institute of Internal Auditors
Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

Apakah Yang
Dimaksud Dengan
Risiko?

Objective: Getting from A to B

Example

MOVIE TIME
CHALLENGER

Challenger

JADI,
APA ITU RISK?

COSO
(The Committee of Sponsoring Organizations of the
Treadway Commissions)

the possibility that an event will occur and

adversely affect the achievement of an objective.

ISO
(The International Organization for Standardization)

effect of uncertainty on objectives

Fundamental Points
Risk begins with strategy formulation and
objective setting.
Risk does not represent a single point
estimate.
Risks may relate to preventing bad things
from happening.
Risks are inherent in all aspects of life.

ERM Defined
a process, effected by an entity's board of
directors, management and other personnel,
applied in strategy setting and across the
enterprise, designed to identify potential events
that may affect the entity, and manage risks to
be within its risk appetite, to provide reasonable
assurance regarding the achievement of entity
objectives.
Source: COSO Enterprise Risk Management Integrated Framework. 2004. COSO.

COSO ERM Framework

1. A process that is ongoing and flows throughout an
organization.
2. Effected by people at every level of an organization.
3. Applied when setting an organizations strategy.
4. Applied across the organization, at every level and unit.
5. Focused on taking an entity-level portfolio view of risk.
6. Designed to identify potential events that, if they occur,
will affect the organization.
7. A means to enable the management of risks within an
organizations risk appetite.
8. Able to provide reasonable assurance to an
organizations management and board of directors.
9. Geared toward achievement of objectives.

Why ERM Is Important

Underlying principles:

Every entity, whether for-profit

or not, exists to realize value for
its stakeholders.

Value is created, preserved, or eroded by

management decisions in all activities, from
setting strategy to operating the enterprise
day-to-day.

Why ERM Is Important

ERM supports value creation by enabling
management to:

Deal effectively with potential future events

that create uncertainty.

Respond in a manner that reduces the

likelihood of downside outcomes and
increases the upside.

Enterprise Risk Management

Integrated Framework
This COSO ERM framework defines
essential components, suggests a
common language, and provides clear
direction and guidance for enterprise
risk management.

Types of
objectives

Component

Business
Structure

Internal Auditing: Assurance and Consulting Services, 3rd Edition. 2013 by The Institute of Internal Auditors
Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

21

The ERM Framework

Entity objectives can be viewed in the context
of four categories:

Strategic
Operations
Reporting
Compliance

Types of Objectives
Mission and
Vision

Objectives

Strategic

Operation

Reporting

Compliance

The ERM Framework

The eight components
of the framework
are interrelated

Internal
environment

Objective
setting

Monitoring

Information and
communication

Components
of ERM

Control activities

Event
identification

Risk assessment

Risk response

Internal Environment
Management sets a philosophy regarding
risk and establishes a risk appetite
Internal environment is the basis for all
other components of ERM, providing
discipline and structure.

Elements of Internal Environment

Risk
management
philosophy

Risk appetite

Board of
directors

Integrity and
ethical values

Commitment to
competence

Organizational
structure

Assignment of
authority and
responsibility

Human resource
standards

Objective Setting

Is applied when management considers risks

strategy in the setting of objectives.

Forms the risk appetite of the entity a high-level

view of how much risk management and the board
are willing to accept.

Risk tolerance are the acceptable level of variation

around objectives, is aligned with risk appetite.

Event Identification
Differentiates risks and opportunities.
Events that may have a negative impact represent
risks.

Events that may have a positive impact represent

opportunities, which management channels back
to strategy setting.

Event Identification
Involves identifying those incidents, occurring
internally or externally, that could affect
strategy and achievement of objectives.
Addresses how internal and external factors
combine and interact to influence the risk
profile.

Event Identification
Economic
events

Natural
environment
events

Technological
events

External
Factors

Social
events

Political
events

Event Identification
Infrastructure
factors

Technology
factors

Internal
Factors

Process
factors

Personnel
factors

Risk Assessment
Allows an entity to understand the extent to
which potential events might impact
objectives.
Assesses risks from two perspectives:
- Likelihood
- Impact
Is used to assess risks and is normally also
used to measure the related objectives.

Risk Assessment
Employs a combination of both qualitative
and quantitative risk assessment
methodologies.
Relates time horizons to objective horizons.
Assesses risk on both an inherent and a
residual basis.

Risk Response
Identifies and evaluates possible responses
to risk.
Evaluates options in relation to entitys risk
appetite, cost vs. benefit of potential risk
responses, and degree to which a response
will reduce impact and/or likelihood.
Selects and executes response based on
evaluation of the portfolio of risks and
responses.

Risk Response

Avoidance

Reduction

Sharing

Acceptance

Control Activities
Policies and procedures that help ensure that
the risk responses, as well as other entity
directives, are carried out.
Occur throughout the organization, at all
levels and in all functions.
Include application and general information
technology controls.

Control Activities - Examples

Top-level review
Direct functional or activity management
Information processing controls
Physical control
Performance indicators
Segregation of duties

Information & Communication

Management identifies, captures, and

communicates pertinent information in a form
and timeframe that enables people to carry
out their responsibilities.

Communication occurs in a broader sense,

flowing down, across, and up the
organization.

Monitoring
Effectiveness of the other ERM components is
monitored through:

Ongoing monitoring activities.

Separate evaluations.

A combination of the two.

The ERM Framework

ERM considers activities at all levels
of the organization:
Enterprise-level
Division
Business unit
processes
Subsidiary

ERM Role and Responsibilities

Board of Director
Management
Risk Officer
Financial Executives
Internal Auditors
Other Individual in the
Organization
Independent outside
auditors
Legislators and regulators
Other External Parties

Provides oversight and direction

Play a role in strategy setting
Responsible for all activities
Responsible for effective and success of ERM
Acts as the centralized coordinating point
Monitoring risk management progress
Developing organization wide budget
Preventing and detecting fraudulent
Evaluating the effectiveness of ERM and recommending improvements

ERM is the responsibility of everyone in the organization

Provide an informed, independent, and objective risk management
perspective
Require organization to establish risk management mechanisms

ISO 3100:2009 RISK MANAGEMENT

PRINCIPLES AND GUIDANCE
ISO 3100 Principles
ISO 3100 Framework
ISO 3100 Process

ISO 3100 Principles

Creates and protects value.
Is an integral part of all organizational processes.
Is part of decision making.
Explicitly addresses uncertainty.
Is systematic, structured, and timely.
Is based on the best available information.
Is tailored.
Takes human and cultural factors into account.
Is transparent and inclusive.
Is dynamic, iterative, and responsive to change.
Facilitates continual improvement of the organization.

ISO 3100 Framework

Mandate and commitment.
Design of framework for managing risks

Understanding the organization and its context

Establishing a risk management policy
Delegating accountability and authority
Integrating risk management into organizational processes
Allocating the necessary resource
Establishing internal and external communication and reporting
mechanism

Implementing the risk management framework and

process
Monitoring the framework
Continually improving the framework

ISO 3100 Process

Establish the context
Assess the risks
Treat the risks
Monitor risks
Establish a communication and consultation process

Internal Auditing: Assurance and Consulting Services, 3rd Edition. 2013 by The Institute of Internal Auditors
Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

47

APA PERANAN AUDITOR

INTERNAL?

Internal Audit Functions Role

IIA Standard 2120:
The internal audit activity must evaluate the effectiveness
and contribute to the improvement of risk management
processes.

IIA IPPF Position Paper:

Internal auditings core role with regard to ERM is to
provide objective assurance to the board on the
effectiveness of an organizations ERM activities to help
ensure key business risks are being managed
appropriately and that the system of internal control[s] is
operating effectively

Internal Auditing: Assurance and Consulting Services, 3rd Edition. 2013 by The Institute of Internal Auditors
Research Foundation, 247 Maitland Avenue, Altamonte Springs, FL 32701 USA

50

Opportunities to Provide Insight

Assess whether the organizations objectives are
sufficient
Provide insight on the nature and effectiveness
of the control environment
Facilitate determination of the organizations risk
appetite and risk tolerance level
Brainstorm possible risk events
Facilitate the assessment and prioritization of
risks
Advise on other risk assessment criteria

Opportunities to Provide Insight

Advise on the choice of risk responses
treatments
Assist management with monitoring the external
and internal environments
Provide audit results in a format that helps
management understand
Conduct an overall assessment of the risk
management system

LOGO

End of Chapter 4