RMORSA Part 3: Risk Appetite and Tolerance Statement

The third step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) is the implementation of a risk appetite and tolerance statement. This step is meant to set boundaries on how much risk your organization is prepared to accept in the pursuit of its strategic objectives.

An organization-wide risk appetite statement provides direction for your organization and is a mandatory part of your assessment. As defined by COSO (one of the risk management standards measured in the RIMS Risk Maturity Model umbrella framework), the risk appetite statement allows organizations to “introduce operational policies that assure the board and themselves that they are pursuing objectives within reasonable risk limits.” A risk appetite statement should be reflective of your organization’s strategic objectives and serve as a starting point for risk policies and procedures.

Once your organization has documented your risk appetite (and received the Board’s approval), the question becomes how do you measure whether your organization is adhering to it? The answer is to implement risk tolerances.

While risk appetite is a higher-level statement that broadly considers the levels of risk that management deems acceptable, risk tolerances set acceptable levels of variation around risk. For example, a company that says it does not accept risks that could result in a significant loss of its revenue base is expressing appetite. When the same company says that it does not wish to accept risks that would cause revenue from its top 10 customers to decline by more than 1%, it is expressing a tolerance.

Why Set Tolerance Levels?

Operating within risk tolerances provides management with greater assurance that the company remains within its risk appetite, which in turn provides a higher degree of comfort that the organization will achieve its objectives.

The second step of RMORSA, Risk Identification and Prioritization, outlines a risk assessment process for your organization that provides quantitative language for risk-based decision making. This standardized scale allows you to discuss the resulting assessment indexes to determine a uniform tolerance throughout the organization. It may not be possible to set accurate tolerances until risk intelligence has been collected over a period of time, but eventually you’ll be able to prioritize resources to the risks with the highest variation.

The process of articulating a risk appetite statement and setting tolerances brings your ERM program into alignment. Every day, process owners make operational decisions about risk far from the organization’s risk appetite statement, which is set at a senior executive level. By setting tolerances, process owners are provided benchmarks they can use to measure their performance.

Align with Strategic Goals

When risk tolerances are aligned with both overall risk appetite and strategic goals, they will improve risk mitigation effectiveness and contribute to achieving your strategic goals. It is important to remember that risk appetite and tolerance levels are not static. They should be reviewed and reconsidered periodically by senior executives to keep your organization moving in the right direction.

To learn more about risk appetite and risk tolerance statements, look for the complimentary LogicManager webinar, “ORSA Compliance: 5 Steps You Need to Take” in 2014.

http://info.logicmanager.com/918-orsa-compliance-erm-framework


RMORSA Part 2: Risk Identification and Prioritization

The first step in the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) implementation, Risk Culture and Governance, lays the groundwork and defines roles for your risk management function. The second step, Risk Identification and Prioritization, defines an ongoing risk intelligence process that equips an organization with the data needed for risk-based decision making.

The engine behind this process – the enterprise risk assessment – isn’t a new concept, but organizations are finding that the traditional, intuitive ideas for how to conduct risk assessments are inadequate. Too often, risk managers are interviewing process owners and collecting huge quantities of data, only to find that their top 10 risks are entirely subjective and lack any actionable component. And what good is a top 10 risk if you can’t answer the inevitable question: what are you going to do about it?

Take a Root-Cause Approach

The first and most common hurdle risk managers face is that the risks expressed by process owners are so specific to their business area that they can’t possibly be measured against the rest of the enterprise.  For example, the IT department may be struggling to find candidates with enough JavaScript experience, or the Health & Safety department might be concerned with an endless string of EPA regulations. Process owners can’t help but think in terms of their immediate environment, but you can make use of their insight by adopting a root-cause approach.

The key to this root cause approach is a common risk library, or Taxonomy, that orients the concerns of business areas to a category that you as the risk manager can take action upon. When IT says it can’t find candidates with JavaScript experience, for example, what it’s really expressing is an issue with hiring practices, just as health and safety is expressing its concern with the company’s regulatory environment.

By categorizing risks, it becomes evident when more than one business area is expressing the same concern, allowing the risk management function to identify and address systemic risks.

Use a Single Set of Criteria

When engaging a variety of business areas for risk assessments, ensure you’re using a single set of criteria. Often risk managers will begin with a monetary value that represents a critical loss, and they’ll evaluate risks based on that amount. But consider how many process owners in your organization have the financial transparency to operate off of monetary values. Chances are, the answer will be very few.

To combat the lack of financial awareness, qualitative criteria are essential for operational risk assessments. Create qualitative criteria that will apply to multiple functions. For example, a major risk—such as fraud or embezzlement—might result in a work stoppage, or result in a serious variation from an organization’s business values.

Tell a Story to Your Board and Executive Leadership

The key to any good story is not only an identifiable villain (your top 10 risks), but also a damsel in distress (your company’s strategic goals). Tying risks to strategic objectives allows you to demonstrate ORSA compliance by orienting your initiative to the executive objectives of the company. When the question is asked “why is this risk a priority?” your top 10 list won’t exist in isolation, but will be mapped back to the priorities already set by the board.

Demonstrating risk-based decision making is one of the more difficult elements of ORSA compliance, but it can be accomplished by gathering meaningful, contextual risk intelligence with well-designed risk assessments.

For more information on risk assessment best practices, download LogicManager’s complimentary guide, “5 Steps for Better Risk Assessments.”

RMORSA: Risk Culture and Governance

The National Association of Insurance Commissioners’ adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (RMORSA) requires insurance organizations to take a broader approach to risk management. As U.S. insurers begin to mobilize their efforts to comply with the regulation by the 2015 deadline, it’s important for them to take a step back, leverage their existing risk management operations, and develop their RMORSA efforts with a mind to the future.

The groundwork for RMORSA was laid with the International Association of Insurance Supervisors’ (IAIS) Core Principle 16 – Enterprise Risk Management – and many of the ORSA requirements can be fulfilled with the adoption of an ERM framework that addresses:

• Risk culture and governance

• Risk identification and prioritization

• Risk appetite and tolerances

• Risk management and controls

• Risk reporting and communication

Before you scoff at the scope of these requirements, consider that the ORSA Guidance Manual stipulates that insurers with appropriately developed ERM frameworks “may not require the same scope or depth of review” as organizations with less defined processes.

As defined by the NAIC, risk culture and governance defines roles, responsibilities, and accountability in risk-based decision making. In effect, the principle builds off of a 2010 SEC mandate requiring corporate boards to document their role overseeing enterprise risk. This rule extends the board’s role in risk oversight from C-level risks, activities and decisions to now having accountability at the business process level. Boards are explicitly given a choice between either having effective risk management, or disclosing their ineffectiveness to the public. Doing neither is considered fraud or negligence. Enforcement actions by the SEC have doubled in recent years, so it’s likely your board has already established risk management as a priority, but what does this mean for your organization?

The first practical issue is that it is no longer sufficient to rely on the audit function as a hub for risk management. Risk responsibility has always been the responsibility of process owners, and ORSA is now mandating better oversight under the guidance of a risk management function. For many organizations, the critical first step has been taken by establishing executive responsibility in a chief risk officer (a CRO is actually required to sign off on the ORSA assessment), but without the appropriate tools to make risk management actionable, accountability beyond the CRO is never properly defined. Front line managers hear “risk responsibility” and take the same action they would for other lofty strategic initiatives—that is to say, they take no action at all.

To engage process owners in a risk culture, each business area must take ownership for a subset of the enterprise risks.

Risk managers, in effect, do not own the risks to the organization; on the contrary, they own the ERM process. Their primary role is to lay the groundwork for risk assessments, aggregate risk intelligence for board reports and create actionable initiatives for business areas in need of oversight.

Engaging process owners has the dual effect of permeating an enterprise-wide risk culture, while also creating a sense of shared responsibility. The structure defined above also creates three levels of defense, a concept adopted and well-articulated by the Institute of Internal Auditors. The operational risks are owned by the process owners. The risk management function provides guidance and strategic alignment.

And finally, internal audit ensures adherence to the proper policies and regulatory standards.

Risk culture and governance cannot be accomplished overnight, but significant progress can be made by adopting and articulating the best practices outlined above.

For more information on engaging process owners, implementing a standardized risk assessment process, and reporting this information to the board, download LogicManager’s complimentary eBook, Presenting Risk Management to the Board.

Companies in 2013 Are Less Prepared for Major Risks Than They Were in 2011

Gloomy news: Companies across the world are now less prepared to deal with risks than they were two years ago. Even worse: Though companies have had nearly five years to respond to the global economic slowdown — which they cite as the biggest risk to business — they are increasingly unable to confront the revenue problems it has created.

This is according to the 2013 Global Risk Management Survey released today at the RIMS 2013 Annual Conference & Exhibition by insurance broker Aon. To formulate its findings (displayed in the above chart), Aon compiled the “risk readiness” scores from companies’ responses to its survey and compared them to the results of its 2011 report.

“Risk readiness means a company has a comprehensive plan in place to address risks or has undertaken a formal review of those risks,” states the report. “In comparison with that of 2011, overall readiness for the top 10 risks has dropped by 7% to 59%. In fact, of the top 10 risks, all but business interruption has registered a decrease in overall readiness. Given the attention and scrutiny that risk management practices have received from stakeholders since the financial crisis, this is a disturbing trend and a bit surprising.”

As noted, companies still don’t know how to navigate the economic slowdown.

Aon offers some advice: “Since concerns over the world’s economy will not go away soon, organizations need to embrace it for the long-term and from a global perspective. We are no longer sitting on an island by ourselves. What happens on the other side of the world can have a direct impact on every organization, whether it has international operations or not.”

It isn’t just the international exposures that threaten revenue, however.

In another startling trend, companies are increasingly losing money due to regulatory and legislative changes. A staggering 54% of companies reported income loss (in the last 12 months) due to regulatory and legislative changes — a huge jump from 22% in 2011.

In addition to surveying companies and breaking down how they are responding to individual risks, Aon also analyzed how businesses are using risk management while creating strategy.

The short answer: They are not.

Only 22% of respondents consider “improved business strategy” to be one of the primary benefits of investing in risk management. While there has never been a time when risk management was heavily used to create strategy, this is actually a 1% dip from the 2011 report, in which 23% listed improved business strategy as a primary benefit.

Javier Gimeno, a professor of strategy at INSEAD, a business school in France and contributor to the report, highlighted the concern these findings raise. He notes that many of the top risks cited by companies are strategic in nature. And to deal with these types of threats, companies must re-think their strategy-formulating process. It must incorporate risk management.

“The practice in many companies is still sequential: strategy development comes first…and risk management takes strategy as a given and manages the ensuing risks,” he wrote. “That may lead to strategies that are not sufficiently flexible or adaptive. When strategic risk management is embedded as an integral part of the strategy process, the strategies can become more robust to uncertainty, and more flexible and exploratory.”

He concludes with some advice for companies that want to be better prepared for the 50 top risks (see chart below).

“Developing capabilities for strategic risk management by top management teams and boards should be an important priority in these uncertain times.”