ERM Policy and Procedures Training

No description

Renee Eubank

on 18 August 2014


Transcript of ERM Policy and Procedures Training

FSC ERM Policy and Procedures Training
Introduction and Overview
FSC Risk Appetite and Tolerances
ERM Roles and Responsibilities
ERM Defined:
“… a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Benefits of ERM
Proactively support the achievement of the FSC’s agreed objectives

Enhance strategic planning through the identification of risks to the FSC’s mission

Identify strategically significant high priority risk issues for the Board’s attention

Detect unlawful activities early

The firm will be better prepared and have a more cost-effective way of dealing with risk.
Malaysia Flight MH17
What is risk appetite and tolerance?
Risk appetite is the level of risk that an organization is willing to accept or retain in the pursuit of its long-term objectives.

Risk tolerance is the boundary of risk taking outside of which the organization is not prepared to venture in pursuit of its long-term objectives.

Risk appetite and tolerance levels will be developed for each identified significant risk that reflects the level of risk appetite elected by the Board.

Aim of Risk Appetite
Risk Appetite Statement
Risk Appetite Framework
Board of Commissioners
The Board of Commissioners has the ultimate responsibility for the oversight of the management of risk, including the determination of the organization’s tolerance for risk, part of which they may delegate to its Audit Committee.

Audit Committee
The Audit Committee is responsible for the oversight of all risks including compliance with ERM policy and procedures.

August 18, 2014
Presented by: Renee Eubank, Risk Officer - CIC Division

Introduction and Overview

FSC Risk Appetite and Tolerances

ERM Roles and Responsibilities



Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

FSC ERM Framework
The categories of risks managed through the FSC ERM framework include:

Strategic Risks
Compliance Risks
Reputational Risks
Financial Risks
Operational Risks

Scope of FSC's Policy and Procedures
This is an organization-wide manual

This manual applies to all employees, whether full-time, contract or temporary, at any level of seniority within the FSC

Each staff member of the FSC has a role to play in the identification and management of risk through risk management processes

This manual applies to all activities and processes undertaken in the course of business, whether at the FSC offices or at other locations

Risk Management Performance
Risk Management performance will be measured by a combination of:

Status of the Risk Register, and the extent to which risks are managed within the stated appetite

Reporting on initiatives planned/completed that address exposures

Quarterly report on the performance in relation to the risk management objectives

Regular reports on incidents and accidents

Risk owners are clearly identified.

Purpose and Objectives
Confirm and communicate the FSC’s commitment to risk management

Provide an entity-wide approach for the assessment and treatment of risk

Embed risk awareness and management in planning and decision-making

Outline key aspects of the risk management process

The risk appetite of the FSC is conservative and deems a 15% probability of incurring losses of more than a set dollar amount to be the acceptable level of risk exposure in pursuit of its strategic objectives.

Internal Fraud
Employee Health and Safety
Capital Budget
Management Risk Committee
Monitor all risk at a higher level and report the risk assumed by the organization to the Audit Committee.

Compliance and Internal Control Division
Appraise the extent to which Divisions/Departments comply with the company’s risk policies on an ongoing basis.

Risk Officer
Implement the entity-wide risk management framework and develop a plan for the management of risk throughout the FSC.

Senior Director, Compliance and Internal Control
Approve risk reduction initiatives including
action plans within the context of the annual

Heads of Departments (or line managers)
HODs are accountable for the implementation and maintenance of sound risk management processes and structures within their area of responsibility, in conformity with ERM policy and procedures.

Executive Director
In conjunction with his/her direct reports, is accountable for ensuring risk is managed across all activities and for reporting to the Board of Commissioners.

Risk Owner
Manager of a particular risk and accountable for providing information on progress of mitigation plans to the Risk Officer.

Contribute to the establishment and implementation of risk management systems for all functions and activities of the FSC.

Employee Turnover
Critical Skills
The FSC has a low risk appetite related to employee health and safety. As such, the FSC will place employee health and safety amongst its highest priorities.

Internal Control
The FSC has a low risk appetite for significant breaches or material deficiencies in internal control. As such, the FSC will maintain the number of identified breaches in any one department to no more than three (3) per year.

Operational Risk
Financial Risk
The FSC has a higher risk appetite in relation to new ventures and projects that support its strategic objectives and is willing to accept higher losses in the pursuit of its goals.

While the FSC has a higher risk appetite related to its pursuit of its strategic objectives, it is not willing to take more than a 25% chance that a venture/project leads to a loss of more than 50% of our existing budget.
At the point that a loss of 30% of existing budget is reached, there should be an immediate execution of contingency plan.

Financial Reporting
Financial Risk
The FSC has a low risk tolerance related to financial reporting data quality (reliability, accuracy and timeliness). As we conduct our operation, we will manage our operational activities and exposures to avoid any misstatements, inaccuracies and unreliability in financial reporting.


General Management and Supervision
Strategic Risk

In view of the generally conservative (low) risk appetite and the principal objectives of promoting financial system confidence and stability, the FSC deems the following risk exposures unacceptable:

General management failure
Reduced supervisory reputation
Regulatory non-compliance
Failure to meet internal and external customer service standards
Reduced powers to enforce regulations
Reduced monitoring of regulated entities
Reduced enforcement of regulations
Reduced examination of regulated entities

Project Execution
The FSC has a low risk tolerance to project execution failure. Therefore, the FSC will seek to methodically manage each stage of the project lifecycle while balancing the activities of the organization’s portfolio of projects that supports the FSC’s strategic goals. This will in effect minimize the risk of projects not being executed on time, within scope and on
Compliance Risk

The FSC has a low appetite for the absence of policies and procedures manuals. As such, the FSC will consider it its goal to constantly update and develop the required policies and procedures to effectively manage its operations. Policies and procedures will be enforced through regular internal auditing.

Reputational Risk

The FSC has a zero risk tolerance set for risks that would damage its reputation. With that said, the FSC will avoid any situations and actions resulting in a negative impact on its reputation and image. If and when an undesirable situation arises, we will manage it aggressively to preserve our reputation and image.

Performance Incentive Programme

An effective performance incentive plan will be designed that aligns with risk management objectives, motivates employees to achieve incremental performance and comply with their risk management responsibilities, and encourages prudent “risk taking” behaviour at all levels of the FSC.

The Risk Officer is responsible for the development of risk management goals and targets for staff appraisals and their integration into the performance incentive programme.

The achievement of risk management goals and targets under the staff performance incentive programme shall include all employees, whether full-time, temporary or contract, at any level of seniority within the FSC.

Risk Management Training

The Risk Officer is responsible for the development and provision of risk management awareness training as well as specific training and education programmes throughout the FSC.
Risk management training programmes shall include all Commissioners and employees, whether full-time, temporary or contract, at any level of seniority within the FSC.

All risk management training will be mandatory for all employees of the FSC as well as Commissioners.

The Human Resource Manager shall incorporate ERM as an element in the organization’s orientation programme for new staff.

ERM Process Overview
Step 1: Objective Setting
Step 2: Risk Identification
Step 2: Risk Identification (Cont.)

The procedures for the risk management process involve the following six steps:

The Board of Commissioners determines the risk appetite and tolerance levels and types of risk to be undertaken.

As part of the corporate planning process, the FSC’s management team determines what the company wants to achieve during the upcoming year.

During this planning process, the FSC determines how much resource to allocate to risk management.

Structured risk identification
As corporate plans are developed during the planning cycle, FSC managers should consider what to do over the next few years and identify risks which may arise.

Team approach to risk identification and recording in Risk Register.

Ad-hoc risk identification
Risks are identified during the normal course of work, or for new legislation, services, processes and projects, or for changes contemplated to existing legislation, services and processes.

Managed at the time and reported by staff to the HOD and the Risk Officer.

Whenever risks are identified, staff must:

Determine if immediate action is necessary to reduce the risk, and if so carry it out.

Complete the Risk Register

Ensure completed Risk Register is authorized by the relevant Department Head (or line manager).

Forward the completed Risk Register to the Risk Officer.

Step 2: Risk Identification (Cont.)
How to find risks...
Refer to strategy, objectives and processes

Scenario analysis



Inspect the workplace

Consult with workers

Review prior incidents

Review external risks

Step 3: Risk Assessment
Risk Assessment involves two processes: risk analysis and evaluation.

Step 3: Risk Assessment
All risks within the FSC are assessed by:
Estimating the likelihood (probability)

Identifying the consequences

Determining the risk rating

Risks are ranked in the following five categories ranging from 1 to 5:
1= Very low

2= Low

3= Moderate

4= High

5= Very high

Step 3: Risk Assessment
Estimating the likelihood (probability)

Step 3: Risk Assessment
Identify the consequences

Step 3: Risk Assessment
Determine the risk rating

To assess the risk rating (i.e. Low, Medium, High or Extreme) multiply each risk’s impact score by the likelihood score:
20 to 25 = Extreme
10 to 16 = High
5 to 9 = Medium
1 to 4 = Low
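The scoring rule above (two 1-to-5 scores multiplied, then placed in one of four bands) as an added worked example in Python; this is illustration code, not part of the original training deck. It also checks that the four bands cover every product two 1-to-5 scores can produce, so a rating can never fall through the table. The `committee_review` flag is an assumption drawn from Step 6 (medium, high and extreme risks are reviewed quarterly by the Management Risk Committee and Audit Committee).

```python
# Added illustration of the FSC risk-rating rule; not the presentation's own code.
# Likelihood and consequence are each scored 1..5 (slide scale), the risk score
# is their product, and the score maps to a rating band as listed on the slide.

SCALE = {1: "Very low", 2: "Low", 3: "Moderate", 4: "High", 5: "Very high"}

# (lowest score, highest score, rating) exactly as stated on the slide
BANDS = [
    (20, 25, "Extreme"),
    (10, 16, "High"),
    (5, 9, "Medium"),
    (1, 4, "Low"),
]


def risk_score(likelihood, consequence):
    """Multiply the two 1..5 scores, rejecting anything outside the scale."""
    for name, value in (("likelihood", likelihood), ("consequence", consequence)):
        if value not in SCALE:
            raise ValueError(f"{name} must be an integer 1..5, got {value!r}")
    return likelihood * consequence


def risk_rating(score):
    """Place a score in its band; raise rather than silently default."""
    for low, high, rating in BANDS:
        if low <= score <= high:
            return rating
    raise ValueError(f"score {score} falls outside every rating band")


def assess(likelihood, consequence):
    """Return the full assessment record for one risk register entry."""
    score = risk_score(likelihood, consequence)
    rating = risk_rating(score)
    return {
        "likelihood": SCALE[likelihood],
        "consequence": SCALE[consequence],
        "score": score,
        "rating": rating,
        # Assumption (from Step 6): everything above Low is reviewed quarterly
        # by the Management Risk Committee and the Audit Committee.
        "committee_review": rating != "Low",
    }


def band_table_is_complete():
    """True if every achievable product of two 1..5 scores hits exactly one band.

    Products such as 17, 18 and 19 are not achievable, so the gap between the
    High band (10-16) and the Extreme band (20-25) is harmless.
    """
    for likelihood in SCALE:
        for consequence in SCALE:
            score = likelihood * consequence
            hits = [r for low, high, r in BANDS if low <= score <= high]
            if len(hits) != 1:
                return False
    return True


def rating_matrix():
    """Rows = likelihood 1..5, columns = consequence 1..5, cells = rating."""
    return [[risk_rating(l * c) for c in sorted(SCALE)] for l in sorted(SCALE)]


if __name__ == "__main__":
    # Constructed sample: a "High" likelihood, "High" consequence risk.
    print(assess(4, 4))
    print("bands complete:", band_table_is_complete())
    for row in rating_matrix():
        print(" | ".join(f"{cell:7}" for cell in row))
```

Note that a 4 x 4 risk (score 16) is still High, while 4 x 5 (score 20) is Extreme; the matrix makes such edges visible at a glance when the register is being reviewed.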

Step 3: Risk Assessment
Once the matrix has been used to determine the risk rating it is then possible to establish the appropriate actions required.

Step 3: Risk Assessment

Risk evaluation:

In this step, the Management team compares risk estimates to the risk limits set by the Board.

Management will try to determine the cost of risk management activities versus the damages or losses incurred with a negative event.

Step 4: Risk Control
The objective of this step is to identify how the identified risks will be treated. Risk treatment involves identifying the options for treating each risk, evaluating those options, assigning accountability (for Extreme, High and Medium risks), preparing risk treatment plans and implementing them.

The following options are available for treating risks and may be applied individually or in combination, with due consideration of risk appetite:

Step 4: Risk Control
Where controls have been identified for a risk, the Head of Department (or line manager) must update the corporate risk register to show:

Causes of the risk.

Implications of the risk with amendment to existing controls (if they exist).

What existing mitigating controls are in place

Procedure Illustration - Identification
Step 4: Risk Control
What actions are being undertaken to put further controls in place, or maintain existing controls, and by when

Who is responsible for ensuring the controls are in place

The action items entered into the risk register shall be followed up and reported on by the Risk Owner at each Management Risk Committee meeting.

Start with an objective
Identify risks

What could prevent you from meeting this objective? (What needs to happen to accomplish this objective?)
Who has primary and secondary responsibility for this risk?
What type of risk is this?

Objective: Keep confidential (generally) any information the organization receives.

Risk and Risk Category
Strategic: risk of not promoting stability and public confidence of prescribed financial institutions (reputational damage).

Operational: IT risk and data protection issues arising from third parties (hackers, vendors) and transferred/terminated employees having unauthorized access to confidential data.

The Procedure
An Example
Procedure Illustration - Assessment
The Procedure
An Example
Procedure Illustration - Control
The Procedure
An Example
Step 5: Risk Reporting
This step involves communicating relevant information in the risk assessment regarding the risks and the appropriate risk control measures to the Risk Officer and others as appropriate.

Step 5: Risk Reporting
HODs (or line managers) are required to report at least quarterly on the management of risks for which they have responsibility.

These reports form the basis of the report of the Risk Officer to the Management Risk Committee and Board Audit Committee.

Step 5: Risk Reporting
Step 6: Risk Monitoring
All retained risks must be monitored.

All risks rated as medium, high or extreme, in the risk identification process will be reviewed and monitored by the Management Risk Committee and Audit Committee on a quarterly basis.

Risk control measures are monitored on a quarterly basis by HODs, Risk Owners and the Risk Officer.

Step 6: Risk Monitoring
Risk management activities are monitored by reviewing the Risk Register and progress of action plans on a regular basis.

Monitoring is also achieved by reviewing the status of risk logs, KRIs and risk limits.

Risk limits will be used as thresholds for KRIs in order to trigger actions to adjust the chosen strategies to mitigate the risk.

Step 6: Risk Monitoring
The Risk Officer will monitor the performance of risk limits through KRIs to analyse positive and adverse changes.

The exceeding of thresholds is indicated by the orange light on the risk monitoring dashboard.

When the risk is in the orange or red area, the Risk Officer must take action to prevent the risk from materialising.

Step 6: Risk Monitoring
Each month, Department Heads (or line managers) will collect and aggregate information to measure KRIs.

The Department Head (or line manager) should provide quarterly reports on KRI levels, risk tolerance (limits) levels and status of risk mitigation strategies to the Risk Officer.

If a threshold (risk limit) was exceeded (breached), the Risk Officer should be immediately notified by the Department Head, who will be required to undertake urgent remedial actions as advised by the Risk Officer.

Step 6: Risk Monitoring
Those risks that still remain above acceptable risk levels should be considered by the Board of Commissioners for their approval of any necessary resolution strategies.

If a threshold (risk limit) was exceeded (breached), the Risk Officer should immediately notify the Chairman of the Audit Committee, Executive Director and the Department Head, and provide written notification to the full Board of Commissioners at its next meeting.

Internal Control will conduct routine audits of the corporate Risk Register, risk mitigation action plans and KRIs to confirm compliance with policies and procedures and alert the Risk Officer to any breaches.

Thank You