E-BOOK :

E-BOOK : PRACTICAL ENTERPRISE RISK MANAGEMENT A BUSINESS PROCESS APPROACH GREGORY H. DUCKERT Primary Author mixed material bibliography New Jersey John Wiley & Sons, Inc., 2011 en English THIS BOOK IS INTENDED to be a handbook of how to establish a highly effective enterprise risk management (ERM) environment that is actually a business tool that yields real business value. This book is a definitive guide for members of the Boards of Directors, the C Suite, Chief Risk Officers (CROs), and those charged with ERM, as well as all levels of management. In addition, this book is a must have for any shareholder who owns stock in any publicly listed corporation and should be read cover to cover to understand why she should be concerned. This is a how-to, hands-on guide, not a generic framework scenario. With the advent of corporate business catastrophes such as Enron, WorldCom, Lehman Bros., General Motors, and so on it behooves corporate executives to get better connected with their businesses. In addition, the government has now initiated a number of regulatory activities, including Sarbanes-Oxley, which further complicate the lives of the auditors and the corporate executives. The only way to be truly in compliance with Sarbanes- Oxley is to be well aware of what is going on in your corporation, virtually daily. To accomplish this, it is necessary for corporations to establish a highly effective information-centric risk assessment methodology. Without such a methodology intricately woven into the fabric of the organization, it is virtually impossible to guarantee any type of compliance in a realistic fashion. Enterprise-wide risk assessment is much more than simply a catchy phrase or the latest in a string of failed corporate initiatives. If properly constructed, it can be a highly effective governance and oversight tool, which becomes almost irreplaceable in the arsenal of tools necessary for progressive organizations today. Of interest is that the Chairman Emeritus of the Committee of Sponsoring Organizations (COSO), Larry Rittenberg, PhD., CPA, CIA attended the session I presented for the Madison, Wisconsin, chapter of the IIA on Enterprise-Wide Risk Assessment in 2001. The entire discussion was focused on the concept of vii using data to evaluate risk throughout an organization. In the presentation, real-time triggers, key process indicators, key risk indicators, Metric Oversight Monitoring Systems (MOMS), and numerous other concepts were discussed for consideration by the participants. I have used these and other similar tools during 30 years of data-centric risk assessment. These tools and methodology will be discussed in this book. Dave Coderre, a very talented ACL practitioner and author, published the GTAG (Global Technology Audit Guide) on Continuous Auditing in which he presented a very convincing argument for the necessity of continuous audit tools, continuous monitoring, and continuous risk assessment. All of these advanced methods, of course, revolve around the utilization of data. I had the great pleasure of having Dave Coderre as a participant in one of my risk assessment sessions discussing the use of data-driven risk assessment a number of years ago. It is excellent to see that the subject matter is finally getting some serious discussion at these levels. This book is meant to be a reference point for all organizations that are engaged in or will be engaged in the exercise of establishing an enterprise-wide risk assessment and management oversight system for their organization. It presents an alternative approach to the models that are most commonly seen. In keeping with the underlying thought process of this book, it is straightforward and to the point. This book is not an exercise in overcomplicating a straightforward issue. There are many people who believe that complexity adds value to a process or a methodology. I am not one of them. The whole premise of the book is that complexity in most cases adds nothing to a business process but complexity. A risk model is no exception. The reality of the matter is that when a risk model becomes overly complex it also becomes unusable. Therefore, as we proceed from this point forward, everything will be clearly expressed and understandable. There will be no complex theories to entangle endlessly what is actually a very commonsense subject matter. Under no circumstances will there be any abstract theories or unattainable methodologies employed. The approach to risk assessment undertaken in this book is based upon fact, common sense, and practical methodologies for implementation. The model also eliminates subjectivity and guesswork as much as possible. The model presented parallels the normal operation of the business, be able to be effectively utilized at all levels of the business, and can be truly used to create an all-encompassing risk model. In Chapter 1 I discuss the subject of corporate governance and what is wrong with it in its current format. In addition, I call attention to one of the viii n Preface major shortcomings of most corporations and one of its biggest risk areas, which is systems implementation. In Chapter 2 I address what I believe to be a significant misunderstanding relative to the subject of risk and risk management. Essentially every model that is out there to perform any type of enterprise risk management is based upon the premise of subjective scoring to arrive at a conclusion. Subjective models are always time and space dependent, and therefore inconsistent. In other words, the same exact situation will always be viewed differently by the exact same person on a different day in a different environment or on a different hour in the same environment. In addition, when dealing with the subject of risk, you must be prepared to estimate probability and impact or exposure; these models attempt to deal with the subject matter via scoring and unexplainable calculations. Anybody that is the least bit familiar with risk or risk management knows that probability and impact can only be calculated using cold hard facts and data. Chapter 3 is centered on the business, which is what risk assessment and risk management is all about. I discuss how to go about this and how to create pictures of the enterprise to ensure that effective risk management is put in place and becomes a must-have business tool. In Chapter 4 I discuss what true business risk is, how it can be categorized, the fact that risk is not a one-off occurrence, and how to establish a risk universe for evaluating all risk. In Chapter 5 I talk about one of the most critical issues in risk management— the ability to do it objectively not subjectively. I talk about utilizing a data-centric approach, why it is necessary, and why doing risk assessment and management any other way really does not track logically. In Chapter 6 I begin the discussion of how to build a fluid dynamic risk model that is designed to flow with the movements of the enterprise and to keep pace with changes as they occur. I also discuss options that can be utilized to drive the model. Chapter 7 is an extensive discussion of how to actually build a model with all of the various components included. It talks about how to construct an ERM environment that is absolutely centered on the organization in its day-to-day operations. There are extensive examples given throughout the chapter relative to the concept of enterprise risk management and key risk indicators (KRIs). There are examples for the administrative areas of the organization as well as operational areas. Chapter 8 discusses the future evolution of the ERM model and why this is absolutely essential to keep the ERM environment vibrant and connected with Preface n ix the business. Also, the subject of how to make systems self-monitoring from a risk perspective, utilizing advanced tooling, is discussed. In Chapter 9 I raise the issue of special risk situations and related topics that presents significant exposure to the organization. The two key topics that are discussed in this regard are outsourcing and mergers and acquisitions. In addition, I discuss significantly reducing external audit fees through the utilization of twenty-first-century approaches. Chapter 10 is the last chapter of this book, and we talk about ownership of risk, extending the impact of the ERM environment, and summarize how to build an automated environment to handle all of your governance concerns. Another subject that is addressed in this book is the prioritization of risk and risk management relative to internal controls. Internal controls can exist separately and distinctly from the business; however, business risk and the business are inseparably intertwined. I have finally tired of listening to a bunch of supposed experts pontificate on what they believe enterprise risk management to be, while clearly demonstrating they have not the slightest notion of how it should be done in a manner that yields real business value. This approach actually evaluates and manages risk truly on an enterprise basis, and provides a highly effective business tool as well, while many of the others are financial or administration-centric. Therefore, do not be surprised or alarmed when I take issue with common practices that have been espoused by very large and well-recognized organizations. I am not trying to be hypercritical nor implying that they are not competent nor unethical. I am simply trying to speak the truth regarding those situations that I believe to be counterintuitive or in some cases unacceptable business practice and a poor use of business resources. Also, be prepared as the approach used here is different from the norm and as such you will have to expand your thought process and allow yourself to accept something other than the same old recycled ideas, not that recycling is bad, but in this case it is. Keep an open mind and shift your thought parameters and I believe you will find a much better approach to ERM at the end of the day. I now undertake the task of clarifying once and for all what a commonsense, logically structured, ERM environment should look like and why if implemented properly, it will create a singular, highly effective overriding governance infrastructure. Thank you for coming along on this journey! EBOOK BUSINESS manajemen Bisnis Risk Management 658.150 9780470892510 POLITEKNIK PARIWISATA PRIMA INTERNASIONAL UPT. PERPUSTAKAAN - OPAC (Online Public Access Catalog) 658.150 DUC p E00027 Perpus Utama 658.150 DUC p E-BOOK : PRACTICAL ENTERPRISE RISK MANAGEMENT A BUSINESS PROCESS APPROACH Practical_Enterprise_Risk_Manag_-_Gregory_H._Duckert.jpg.jpg 794 2018-04-12 14:53:52 2018-04-12 15:03:21 machine generated