Speech writing service - L5
Date: 2022-11-29
Final ERM Team Presentation Rubric
Assignment Objective:
Learning Outcomes L1, L2, L3, L4, L5 & L6: Demonstrate your ability to understand, identify, assess, mitigate and monitor risks
and to enhance risk governance capabilities, using COSO Internal Control Framework, COSO ERM Framework and/or ISO Framework
principles as a benchmark.
Students are expected to develop original work.

There are 2 parts to this Presentation. Part II is an enterprise-level project plan proposal and is distinct from Part I.
• Part I: For specific risk events/risk exposures across one or more risk types: Apply these concepts, terminology and
methodology to identify and risk-assess a real-life risk event and a material risk exposure of a public company, and create a Board
report with a risk response (action plan) and monitoring (KRI) frequency.

• Part II: Perform a gap analysis and propose a project plan for Enterprise-wide Risk Framework Enhancements in response
to a regulatory finding (FRB, OCC, NYS DFS 500) to enhance the risk governance framework and risk capabilities at the firm. Use
COSO Internal Control Framework, COSO ERM Framework and/or ISO Framework principles as a benchmark.

Approach: Utilize the required reading and class material to demonstrate your understanding of Sessions 1 to 12. Use the optional
reference material provided in Canvas and online research to risk-assess the event.
• Risk Identification (root cause analysis including risk factors: triggers and conditions)
• Risk Assessment and Measurement (assess Inherent Risk as Impact x Likelihood with rationale; assign a Control rating with
rationale and map the control weaknesses to the COSO Internal Control and/or COSO ERM frameworks) to derive Residual Risk
• Risk Mitigation and Corrective Action Plans (projects/plans to strengthen the specific control weaknesses identified above)
• Risk Monitoring: establish KRIs around the risk factors identified in the root cause analysis above
o COSO KRI paper entitled “Developing Key Risk Indicators to Strengthen Enterprise Risk Management”, provided in
Canvas files (see the sections on Developing KRIs, Sources & Information When Developing KRIs, and KRI Communication &
Reporting)
o And other required and optional material provided in the syllabus and as class material to improve your work.





Step by Step Approach and Rubric for Grading:
Part I: For specific risk events/risk exposures across one or more risk types: Apply these concepts, terminology and methodology to
identify and risk-assess a real-life risk event and a material risk exposure of a public company, and create a Board report with a risk response
(action plan) and monitoring (KRI) frequency.
Material Risk is a designation that (typically in a particular regulatory context) indicates that a certain risk is of sufficient
significance for an organization that it must be managed following certain minimum criteria. As part of the Capital Adequacy
Assessment Process, regulated financial institutions must identify and manage all their material risks.
The material risk event or risk exposure can be a non-financial (operational, model, vendor, cyber), strategic or financial risk
(credit, market, liquidity/funding). Please note that Reputational Risk is always a secondary or tertiary knock-on effect, so
please do not select it.

Select
a. One real, material risk event of a public company from recent news (within the past 2 years) to conduct root cause analysis
using the Titanic bow-tie template provided.
b. One real, material risk exposure from annual reports, or another material risk event, to perform the annual or bi-annual Risk
Assessment performed by the business line process owner or 3rd-line auditor.

How to ensure the risk is material? For this, determine the Inherent Risk to the company: adapt the Likelihood and Impact ratings in
the Session 2 slides to your company’s size, complexity, and business risk profile. To derive the materiality of the inherent risk,
please follow the instructions provided in class. If you have questions, please ask us after you have documented your Impact
rationale and Likelihood rationale in the discussion forum. This is the most important step, as you don’t want to select a minor
incident to report to the Board.
a. Using the Impact x Likelihood scale + rationale for each, determine whether the Inherent Risk rating is in the Critical/High range.
This is generally the range of material risk, and it is important enough to be mitigated and reported to the Board even
if it is well managed/monitored and the controls are strong.

1. (Total 25 points): Risk Event and Risk Exposure Selection
A. (20 points) Risk Event Selection Process, by performing a Bow-tie analysis diagram using the Titanic Template (needed)

Identify the Risk Factors, Risk Conditions & Risk Consequences: For the selected material risk, conduct the root cause analysis via a
Bow-Tie analysis diagram using the Session 1 Titanic template and include Risk Factors (Blues: trigger events, root causes;
Greens: conditions, root causes), the Risk Event (Red), and Consequences (Yellows: consequences and end event (loss)).
B. (5 points) Risk Exposure Selection Process: Bow-tie analysis NOT needed, but you need to identify the risk factors around which
KRIs will need to be established.

2. (2.5 points each = Total 5 points): Summarize/describe the risk event and risk exposure
A. Summarize the risk event in two sentences (describe who, what, when, why and how: the root cause).
B. Describe/summarize the risk exposure in two sentences.

3. (10 points each = Total 20 points): Assign a Control Rating + rationale + 2 weak controls per risk event/exposure to derive the
Residual Risk Rating
For both A and B, provide the following:
o Control Effectiveness Rating: Utilize the Control Effectiveness Rating (shown in blue in the Session 2 slides) in the Inherent Risk
vs. Control matrix; this derives the residual risk rating.
o Control Rating Rationale + identify at least two control weaknesses. This is the control weakness/vulnerability that was
exploited for the risk event, or that can potentially be exploited for the material risk exposure if controls are not strengthened.
§ COSO Internal Control: 17 principles, sample internal controls & summary with examples (Sessions 1 & 2)
§ Revised COSO ERM Framework: 20 principles (Session 3)

A. For the risk event, assign a Control rating by identifying at least two controls that in your opinion were absent or weak.
This is the control weakness/vulnerability/failure that was exploited and most likely contributed to risk materialization.
Derive the Residual Risk Rating: depending on when the risk event took place, the rationale may include the status
update of risk mitigation projects.
i. If the risk event took place 1+ year ago, the residual risk may reflect that some control weaknesses have already
been addressed by management. If that is so, you should clearly explain your rationale.
ii. If the risk event took place within the past few months, it is possible that the CAP is still in progress and is being
monitored until the risks are mitigated within appetite.
B. Similarly, for the risk exposure, assign a control rating with rationale. Focus on control weaknesses found in recent audit/
regulatory exams and risk events; assume them if not available publicly, or take them from peers.
Derive the Residual Risk Rating. Add rationale like A above if relevant.


4. (2.5 points each = Total 5 points):
For 1 A & B above, establish two Corrective Action Plans (projects) + expected completion timelines. The plan with timelines
should aim to correct (reduce/mitigate) an identified control deficiency risk to an acceptable level, with a completion timeline for
each project. An action plan can include creating a NEW control or enhancing an existing, weak control. These can be project plans
to strengthen the specific control weaknesses identified above, generally around risk factors (triggers and conditions).

5. (2.5 points each = Total 5 points):
For 1 A & B above,
I. Assign a business owner for the Corrective Action Plan (CAP) (the accountable person who owns the process where the risk
materialized). The CAP owner takes actions, monitors, and periodically reports to senior management on the progress
made, on a monthly or quarterly basis as needed. Sometimes multiple roles and departments are involved in remediating
enterprise-wide, cross-functional/complex risks.
II. Assign a sub-committee responsible + reporting frequency for monitoring the effectiveness of the mitigation/CAP for
the control deficiencies.

6. (5 points each = Total 10 points): Establish Monitoring (KRIs and/or KPIs):
For 1 A & B above,
a. Early warning signals (cause-related KRIs or exposure-related KRIs), or
b. Lagging indicators (loss-related) or performance/action indicators (KPIs).
c. Provide the KRI description, measure, and threshold (in terms of Red, Yellow, and Green).
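The rating chain the rubric asks for (Inherent Risk = Impact x Likelihood, materiality check, Control Effectiveness to Residual Risk in item 3, and Red/Yellow/Green KRI thresholds in item 6) can be worked through in a small script. This is an added example, not part of the rubric or the course material: the 1-5 scales, the rating bands, and the number of levels each control rating removes are assumptions standing in for the Session 2 slides, and the KRIs are constructed samples for a hypothetical cyber risk exposure.

```python
# Added example, not from the rubric; all scales and bands below are assumptions.
LEVELS = ["Low", "Medium", "High", "Critical"]

def inherent_rating(impact: int, likelihood: int) -> str:
    """Map Impact x Likelihood (each on an assumed 1-5 scale) to a rating band."""
    if not (1 <= impact <= 5 and 1 <= likelihood <= 5):
        raise ValueError("impact and likelihood must be on a 1-5 scale")
    score = impact * likelihood
    if score >= 15:
        return "Critical"
    if score >= 9:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"

def is_material(rating: str) -> bool:
    """The rubric treats a Critical/High inherent rating as the material range."""
    return rating in ("Critical", "High")

# Assumed inherent-vs-control matrix: levels removed by each overall control rating.
CONTROL_STEP_DOWN = {"Effective": 2, "Needs Improvement": 1, "Ineffective": 0}

def residual_rating(inherent: str, control_rating: str) -> str:
    """Residual risk = inherent rating reduced by control effectiveness, floored at Low."""
    idx = LEVELS.index(inherent) - CONTROL_STEP_DOWN[control_rating]
    return LEVELS[max(idx, 0)]

def kri_status(value: float, green_max: float, yellow_max: float) -> str:
    """Red/Yellow/Green for a KRI whose value is worse the higher it is."""
    if value <= green_max:
        return "Green"
    if value <= yellow_max:
        return "Yellow"
    return "Red"

def assess(impact, likelihood, control_rating, kris):
    """Run the chain for one risk: inherent -> material? -> residual -> KRI RAG status."""
    inherent = inherent_rating(impact, likelihood)
    return {
        "inherent": inherent,
        "material": is_material(inherent),
        "residual": residual_rating(inherent, control_rating),
        "kris": {name: kri_status(v, g, y) for name, (v, g, y) in kris.items()},
    }

if __name__ == "__main__":
    # Constructed sample KRIs as (current value, green ceiling, yellow ceiling).
    sample = {"critical vulns open > 30 days (%)": (12, 5, 15), "privileged accounts without MFA": (0, 0, 3)}
    print(assess(5, 4, "Needs Improvement", sample))
```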


Part II: For Enterprise-wide Risk Framework Enhancements across all risk types: In response to a regulatory finding (FRB, OCC) to
enhance the risk governance framework, propose a project plan to enhance risk capabilities at the firm.

7. (25 points) In response to a regulatory finding (FRB, OCC) to enhance the risk governance framework,
I. (10 Points) Perform a high-level gap analysis of existing risk management capabilities, and

II. (10 Points) Establish a project plan to enhance risk governance and risk capabilities/processes at the firm.


Propose a project implementation plan in phases (I, II, III, etc.; 18 months minimum).

Note: You can consider the COSO Internal Control, COSO ERM or ISO Frameworks as a benchmark/maturity model to
improve risk management at the firm. Examples of risk governance and risk capabilities include establishing, reviewing or
revising the Risk Appetite with KRIs, and the Lines of Defense.

III. (5 Points) Specify the Executive Sponsor(s) and Steering Committee responsible. Identify the team members/resources needed
(internal and external), such as outside counsel/consulting firms and risk and business staff. Is any GRC tool needed?

8. (2.5 points each = Total 5 points) Professional Writing (Written slides + Oral Presentation)
A) Exhibit communication skills as taught in Strategic Communications, including the following:
a. Face the audience/camera at all times
b. Project your voice so that the person in the last row can hear you clearly
c. No reading from the slides
d. Good posture
B) Written PowerPoint Slides:
a. Structure, development, and consistency of the presentation: organization, flow, and coherence of ideas.
b. Risk identification and supporting analysis.
c. Correct use of terminology and concepts taught in class.
d. Grammatically correct and clear layout of the presentation.

Use the same Appendix/References as in the Individual Assignment 1 Rubric.

