Enterprise Risk Management Framework (Chinese-English edition)

Author: 高考题库网
Source: https://www.bjmy2z.cn/gaokao
2021-02-11 21:06

Published 11 February 2021 (author: bonfire)
Enterprise Risk Management: Integrated Framework

September 2004

Contents

Executive Summary
1 Definition
2 Internal Environment
3 Objective Setting
4 Event Identification
5 Risk Assessment
6 Risk Response
7 Control Activities
8 Information and Communication
9 Monitoring
10 Roles and Responsibilities
11 Limitations of Enterprise Risk Management
12 What to Do

Executive Summary

The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty can erode or enhance value, and so represents both risk and opportunity. Enterprise risk management enables management to deal effectively with uncertainty and the risk and opportunity it brings, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and the related risks, and deploys resources efficiently and effectively in pursuit of the entity's objectives. Enterprise risk management encompasses:




• Aligning risk appetite and strategy: management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives and developing mechanisms to manage the related risks.
• Enhancing risk response decisions: enterprise risk management provides the rigor to identify and select among alternative risk responses (risk avoidance, reduction, sharing and acceptance).
• Reducing operational surprises and losses: the entity's capability to identify potential events and establish responses is enhanced, reducing surprises and the associated costs or losses.
• Identifying and managing multiple and cross-enterprise risks: every enterprise faces a range of risks affecting different parts of the organization; enterprise risk management facilitates effective responses to interrelated impacts and integrated responses to multiple risks.
• Seizing opportunities: by considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
• Improving deployment of capital: obtaining robust risk information allows management to assess overall capital needs effectively and improve capital allocation.



These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and the consequences that follow. In sum, enterprise risk management not only helps an entity get to where it wants to go, but also helps it avoid pitfalls and surprises along the way.




Events: Risks and Opportunities

Events can have negative impact, positive impact, or both. Events with negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts, or represent opportunities. Opportunity is the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes so that plans can be formulated to seize them.



Enterprise Risk Management Defined

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, and is defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within the entity's risk appetite, and provide reasonable assurance regarding the achievement of entity objectives.




This definition reflects certain fundamental concepts. Enterprise risk management is:

• A process, ongoing and flowing through an entity;
• Effected by people at every level of an organization;
• Applied in strategy setting;
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk;
• Designed to identify potential events that, if they occur, will affect the entity, and to keep risk within its risk appetite;
• Able to provide reasonable assurance to an entity's management and board of directors;
• Geared to the achievement of objectives in one or more separate but overlapping categories.



This definition is purposefully broad. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across types of organizations, industries and sectors. It focuses directly on the achievement of objectives established by a particular entity, and provides a basis for defining the effectiveness of enterprise risk management.




Achievement of Objectives

Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy and sets aligned objectives cascading through the enterprise. The enterprise risk management framework is geared to achieving the entity's objectives in four categories:

• Strategic objectives: high-level goals, aligned with and supporting the entity's mission;
• Operations objectives: effective and efficient use of its resources;
• Reporting objectives: reliability of reporting;
• Compliance objectives: compliance with applicable laws and regulations.



This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories (a particular objective can fall into more than one category) address different entity needs and may be the direct responsibility of different executives. The categorization also makes it possible to distinguish what can be expected from each category of objectives. Another category used by some entities, safeguarding of resources, is encompassed within the categories above.

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives. Achievement of strategic and operations objectives, however, depends on external events that are not always within the entity's control; for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware in a timely manner of the extent to which the entity is moving toward achievement of the objectives.



Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. They are derived from the way management runs an enterprise and are integrated with the management process. These components are:

• Internal Environment: the internal environment encompasses the tone of an organization and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
• Objective Setting: objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives, and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
• Event Identification: internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
• Risk Assessment: risks are analyzed by considering their likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
• Risk Response: management selects risk responses (avoiding, accepting, reducing or sharing risk) and develops a set of actions to keep risk within the entity's risk tolerances and risk appetite.
• Control Activities: policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
• Information and Communication: relevant information is identified, captured and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication has a broader meaning, including information flowing down, across and up the entity.
• Monitoring: the entirety of enterprise risk management is monitored and modified as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process in which one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence the others.




Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship can be depicted as a three-dimensional matrix in the form of a cube.

The four objectives categories (strategic, operations, reporting and compliance) are represented by vertical columns, the eight components by horizontal rows, and the entity's units by the third dimension. This depiction makes it possible to focus on the entirety of an entity's enterprise risk management, or by objectives category, component or entity unit, or any subset thereof.





Effectiveness

Determining whether an entity's enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also the criteria for effective enterprise risk management. If the components are present and functioning properly, there may be no material weaknesses, and risk may have been brought within the entity's risk appetite.

When enterprise risk management is determined to be effective in each of the four categories of objectives, the board of directors and management have reasonable assurance that they understand the extent to which the entity's strategic and operations objectives are being achieved, that the entity's reporting is reliable, and that applicable laws and regulations are being complied with.

The eight components do not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, a small entity can still have effective enterprise risk management when the eight components are present and functioning properly.







Limitations

While enterprise risk management provides important benefits, limitations exist. In addition to the factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, that decisions on responding to risk and establishing controls need to consider the relative costs and benefits, that breakdowns can occur because of human failures such as simple errors or mistakes, that controls can be circumvented by the collusion of two or more people, and that management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to the achievement of the entity's objectives.




Encompasses Internal Control

Internal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and management tool. Internal control is defined and described in Internal Control: Integrated Framework. Because that framework has stood the test of time and is the basis for existing rules, regulations and laws, that document's definition of and framework for internal control remain in effect. While only portions of the text of Internal Control: Integrated Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this one.



Roles and Responsibilities

Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer (CEO) is ultimately responsible and should assume ownership. Other managers support the entity's risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor and others usually have key support responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight of enterprise risk management, and is aware of and concurs with the entity's risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators and financial analysts, often provide information useful in effecting enterprise risk management, but they are neither responsible for the effectiveness of, nor a part of, the entity's enterprise risk management.



Structure of This Report

This report is in two volumes. The first volume contains the Framework and this Executive Summary. The Framework defines enterprise risk management and describes principles and concepts, providing direction for managers at all levels of companies and other organizations to use in evaluating and enhancing the effectiveness of enterprise risk management. The Executive Summary is a high-level overview directed to chief executives, other senior executives, board members and regulators. The second volume, Application Techniques, explains techniques useful in applying the elements of this framework.



Use of This Report

Suggested actions that might be taken as a result of this report depend on the position and role of the parties involved:

• Board of Directors: the board should discuss with senior management the state of the entity's enterprise risk management and provide oversight as needed. The board should ensure it is apprised of the most significant risks, along with the actions management is taking and how it is ensuring effective enterprise risk management. The board should consider seeking input from internal auditors, external auditors and others.
• Senior Management: this study suggests that the chief executive assess the organization's enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation.
• Other Entity Personnel: managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management.
• Regulators: this framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance, or in conducting examinations of the entities they oversee.
• Professional Organizations: rule-making and other professional organizations providing guidance on financial management, auditing and related topics should consider their standards and guidance in light of this framework. Eliminating differences in concepts and terminology benefits all parties.
• Educators: this framework might be the subject of academic research and analysis, to see where further enhancements can be made. With the presumption that this report becomes widely accepted, its concepts and terms should find their way into university curricula.






With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess their company's enterprise risk management process against a standard, strengthen the process, and move their enterprise toward its established goals. Future research can build on an established base. Legislators and regulators will be able to gain a deeper understanding of enterprise risk management, including its benefits and limitations. With all parties utilizing a common enterprise risk management framework, these benefits will be realized.





1. DEFINITION

Chapter Summary: All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to grow stakeholder value. Enterprise risk management enables management to identify, assess, and manage risks in the face of uncertainty, and is integral to value creation and preservation. Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise. It is designed to identify potential events that may affect the entity, and manage risk to be within the entity’s risk appetite, to provide reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated components, which are integral to the way management runs the enterprise. The components are linked and serve as criteria for determining whether enterprise risk management is effective.

Chapter summary: All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to increase stakeholder value. Enterprise risk management enables management to identify, assess and manage risks in the face of uncertainty, and is indispensable to value creation and preservation. Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within the entity's risk appetite, and provide reasonable assurance regarding the achievement of entity objectives. It consists of eight interrelated components that are inseparable from the way management runs the enterprise. Taken together, these components form the criteria for determining whether enterprise risk management is effective.



A key objective of this framework is to help managements of businesses and other entities better deal with risk in achieving an entity’s objectives. But enterprise risk management means different things to different people, with a wide variety of labels and meanings preventing a common understanding. An important goal, then, is to integrate various risk management concepts into a framework in which a common definition is established, components are identified, and key concepts are described. This framework accommodates most viewpoints and provides a starting point for individual entities’ assessment and enhancement of enterprise risk management, for future initiatives of rule-making bodies, and for education.

A key objective of this framework is to help the management of businesses and other entities better deal with risk in the course of achieving the entity's objectives. But enterprise risk management goes by many different names and interpretations, making a common understanding hard to reach, so that it means different things to different people. An important aim, therefore, is to integrate the various risk management concepts into one framework in which a common definition is established, components are identified and key concepts are described. This framework accommodates most viewpoints and provides a starting point for individual entities to assess and enhance enterprise risk management, and for the future actions of rule-making bodies and educational institutions.



Uncertainty and Value

An underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance the entity’s capacity to build value.

An underlying premise of enterprise risk management is that every entity, whether for-profit, not-for-profit or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty it is prepared to accept as it strives to increase stakeholder value. Uncertainty harbors the potential to erode or enhance value, and so represents both risk and opportunity. Enterprise risk management enables management to deal effectively with uncertainty and the risk and opportunity it brings, thereby enhancing the entity's capacity to create value.



Enterprises operate in environments where factors such as globalization, technology, restructurings, changing markets, competition, and regulation create uncertainty. Uncertainty emanates from an inability to precisely determine the likelihood that events will occur and the associated impacts. Uncertainty also is presented and created by the entity’s strategic choices. For example, an entity has a growth strategy based on expanding operations to another country. This chosen strategy presents risks and opportunities associated with the stability of the country’s political environment, resources, markets, channels, workforce capabilities, and costs.

In the environments in which enterprises operate, factors such as globalization, technology, restructurings, changing markets, competition and regulation all give rise to uncertainty. Uncertainty stems from the inability to determine precisely the likelihood that events will occur and the impacts they will bring. Uncertainty is also presented and created by the entity's strategic choices. For example, an entity adopts a growth strategy based on expanding its operations into another country. The chosen strategy brings risks and opportunities relating to the stability of that country's political environment, resources, markets, channels, workforce skills and costs.



Value is created, preserved, or eroded by management decisions in all activities, from strategy setting to operating the enterprise day-to-day. Value creation occurs through deploying resources, including people, capital, technology, and brand, where the benefit derived is greater than resources used. Value preservation occurs where created value is sustained through, among other things, superior product quality, production capacity, and customer satisfaction. Value can be eroded where these goals are not achieved due to poor strategy or execution. Inherent in decisions is recognition of risk and opportunity, requiring that management consider information about internal and external environments, deploy precious resources, and recalibrate activities to changing circumstances.

In all activities, from strategy setting to the day-to-day operation of the enterprise, management's decisions create, preserve or erode value. Value creation occurs when resources, including people, capital, technology and brand, are deployed where they generate more benefit than before. Value preservation occurs when created value is sustained through higher product quality, production capacity, customer satisfaction and other means. Value is eroded when these goals are not achieved because of poor strategy or execution. Decisions carry with them a recognition of risk and opportunity, requiring that management consider information about the internal and external environments, deploy precious resources, and recalibrate its actions to changing circumstances.



Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives. Enterprise risk management encompasses:

Value is maximized when management sets strategy and objectives to pursue an optimal balance between growth and return goals and the related risks, and deploys resources efficiently and effectively in order to achieve the entity's objectives. Enterprise risk management encompasses:



• Aligning risk appetite and strategy: Management considers the entity’s risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks. For example, a pharmaceutical company has a low risk appetite relative to its brand value. Accordingly, to protect its brand, it maintains extensive protocols to ensure product safety and regularly invests significant resources in early-stage research and development to support brand value creation.

Aligning risk appetite and strategy: Management must first consider the entity's risk appetite when evaluating strategic alternatives, and then again when setting objectives aligned with the selected strategy and when building mechanisms to manage the related risks. For example, a pharmaceutical company has a low risk appetite with respect to its brand value. Therefore, to protect its brand, it maintains extensive protocols to ensure product safety, and regularly invests substantial resources in early-stage research and development to support brand value creation.



• Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance. For example, management of a company that uses company-owned and operated vehicles recognizes risks inherent in its delivery process, including vehicle damage and personal injury costs. Available alternatives include reducing the risk through effective driver recruiting and training, avoiding the risk by outsourcing delivery, sharing the risk via insurance, or simply accepting the risk. Enterprise risk management provides methodologies and techniques for making these decisions.

Enhancing risk response decisions: Enterprise risk management provides the rigor to identify and select among alternative risk responses (risk avoidance, reduction, sharing and acceptance). For example, the management of a company that uses company-owned and operated vehicles recognizes the risks inherent in its delivery process, including vehicle damage and personal injury costs. Possible choices include reducing the risk through effective driver recruiting and training, avoiding the risk by outsourcing delivery, sharing the risk through insurance, or simply accepting the risk. Enterprise risk management provides methods and techniques for making these decisions.



• Reducing operational surprises and losses: Entities gain enhanced capability to identify potential events, assess risk, and establish responses, thereby reducing the occurrence of surprises and related costs or losses. For example, a manufacturing company tracks production parts and equipment failure rates and deviation around averages. The company assesses the impact of failures using multiple criteria, including time to repair, inability to meet customer demand, employee safety, and cost of scheduled versus unscheduled repairs, and responds by setting maintenance schedules accordingly.

Reducing operational surprises and losses: Entities gain an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and the related costs or losses. For example, a manufacturing company adjusts its production part and equipment failure rates and deviations to bring them close to normal levels. The company assesses the impact of failures using multiple criteria, including time to repair, inability to meet customer demand, employee safety and the cost of scheduled versus unscheduled repairs, and responds by setting maintenance plans accordingly.



• Identifying and managing cross-enterprise risks: Every entity faces a myriad of risks affecting different parts of the organization. Management needs to not only manage individual risks, but also understand interrelated impacts. For example, a bank faces a variety of risks in trading activities across the enterprise, and management developed an information system that analyzes transaction and market data from other internal systems, which, together with relevant externally generated information, provides an aggregate view of risks across all trading activities. The information system allows drilldown capability to department, customer or counterparty, trader, and transaction levels, and quantifies the risks relative to risk tolerances in established categories. The system enables the bank to bring together previously disparate data to respond more effectively to risks using aggregated as well as targeted views.

Identifying and managing cross-enterprise risks: Every entity faces a myriad of risks affecting different parts of the organization. Management needs not only to manage individual risks, but also to understand interrelated impacts. For example, a bank faces a range of risks in trading activities across the enterprise, and management developed an information system to analyze transaction and market data from other internal systems which, together with relevant externally generated information, provides an aggregate view of the risks across all trading activities. The information system can drill down to department, customer or counterparty, trader and transaction levels, and quantifies the risks against the risk appetite in established categories. The system enables the bank to bring previously separated data together and respond to risks more effectively using aggregated as well as targeted views.



• Providing integrated responses to multiple risks: Business processes carry many inherent risks, and enterprise risk management enables integrated solutions for managing the risks. For instance, a wholesale distributor faces risks of over- and under-supply positions, tenuous supply sources, and unnecessarily high purchase prices. Management identified and assessed risk in the context of the company’s strategy, objectives, and alternative responses, and developed a far-reaching inventory control system. The system integrates with suppliers, sharing sales and inventory information and enabling strategic partnering, and avoiding stock-outs and unneeded carrying costs, with longer-term sourcing contracts and enhanced pricing. Suppliers take responsibility for replenishing stock, generating further cost reductions.

Providing integrated responses to multiple risks: Business processes carry many inherent risks, and enterprise risk management can provide integrated solutions for managing them. For example, a wholesale distributor faces risks of over- and under-supply, weak supply sources and unnecessarily high purchase prices. Management identified and assessed risk in the context of the company's strategy, objectives and alternative responses, and developed a far-reaching inventory control system. The system integrates with suppliers, shares sales and inventory information, helps select strategic partners and, through longer-term purchasing contracts and improved pricing, avoids stock-outs and unnecessary carrying costs. Suppliers take responsibility for replenishing stock, reducing costs further.



• Seizing opportunities: By considering a full range of potential events, rather than just risks, management identifies events representing opportunities. For example, a food company considered potential events likely to affect its sustainable revenue growth objective. In evaluating the events, management determined that the company’s primary consumers are increasingly health conscious and changing their dietary preferences, indicating a decline in future demand for the company’s current products. In determining its response, management identified ways to apply its existing capabilities to developing new products, enabling the company not only to preserve revenue from existing customers, but also to create additional revenue by appealing to a broader consumer base.

Seizing opportunities: By considering the full range of potential events, not just risks, management can identify events that represent opportunities. For example, a food company considered potential events likely to affect its sustained revenue growth. In evaluating these events, management recognized that the company's primary consumers were increasingly health conscious and changing their dietary preferences, so that future demand for the company's existing products was trending downward. In determining its response, management identified ways to use its existing production capabilities to develop new products, enabling the company not only to preserve revenue from existing consumers but also to create additional revenue by attracting a broader consumer base.



• Improving deployment of capital: Obtaining robust information on risk allows management to effectively assess overall capital needs and enhance capital allocation. For example, a financial institution became subject to new regulatory rules that would increase capital requirements unless management calculated credit and operational risk levels and related capital needs with greater specificity. The company assessed the risk in terms of system development cost versus additional capital costs, and made an informed decision. With existing, readily modifiable software, the institution developed the more precise calculations, avoiding a need for additional capital sourcing.

Improving deployment of capital: Obtaining substantive information on risk allows management to assess overall capital needs effectively and improve capital allocation. For example, a financial institution became subject to new regulation that would raise its capital requirements unless management calculated its credit and operational risk levels and related capital needs more precisely. The company assessed the risk in terms of system development cost versus additional capital cost and made an informed decision. Using existing, modifiable software, the institution developed more precise calculation tools, avoiding the need to seek additional capital.


These capabilities are inherent in enterprise risk management, which helps management achieve the entity’s performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting. And it helps ensure that the entity complies with laws and regulations, avoiding damage to its reputation and associated consequences. In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

These capabilities are inherent in enterprise risk management, which helps management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting. It also helps ensure that the entity complies with laws and regulations, avoiding damage to the entity's reputation and the consequences that follow. In sum, enterprise risk management not only helps an entity get to where it wants to go, but also helps it avoid pitfalls and surprises along the way.



Events: Risks and Opportunities

An event is an incident or occurrence from internal or external sources that affects achievement of objectives. Events can have negative impact, positive impact, or both. Events with negative impact represent risks. Accordingly, risk is defined as follows:

An event is an incident or occurrence from internal or external sources that affects the achievement of objectives. Events can have negative impact, positive impact, or both. Events with negative impact represent risks. Accordingly, risk is defined as follows:

Risk is the possibility that an event will occur and adversely affect the achievement of objectives.

Risk is the possibility that an event will occur and have a negative impact on the achievement of objectives.

Events with adverse impact prevent value creation or erode existing value. Examples include plant machinery breakdowns, fire, and credit losses. Events with an adverse impact can derive from seemingly positive conditions, such as where customer demand for product exceeds production capacity, causing failure to meet buyer demand, eroded customer loyalty, and decline in future orders.

Events with negative impact hinder value creation or erode existing value. Examples include machinery and equipment breakdowns, fire and credit losses. Events with negative impact can stem from seemingly positive conditions; for example, customer demand for a product that exceeds production capacity leads to failure to meet buyers' demand, damaging customer loyalty and reducing future orders.

Events with positive impact may offset negative impacts or represent opportunities. Opportunity is defined as follows:

Opportunity is the possibility that an event will occur and positively affect the achievement of objectives.

Events with positive impact can offset negative impacts, or bring opportunities. Opportunity is defined as follows:

Opportunity is the possibility that an event will occur and have a positive impact on the achievement of objectives.

Opportunities support value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, so that actions can be formulated to seize the opportunities.

Opportunities support value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes so that actions can be planned to seize them.



Definition of Enterprise Risk Management

Enterprise risk management deals with risks and opportunities to create or preserve value. It is defined as follows:

Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Enterprise risk management deals with risks and opportunities in order to create or preserve value. It is defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risk to be within the entity's risk appetite, and provide reasonable assurance regarding the achievement of the entity's objectives.



This definition reflects certain fundamental concepts. Enterprise risk management is:

• A process, ongoing and flowing through an entity
• Effected by people at every level of an organization
• Applied in strategy setting
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
• Designed to identify potential events affecting the entity and manage risk within its risk appetite
• Able to provide reasonable assurance to an entity’s management and board
• Geared to the achievement of objectives in one or more separate but overlapping categories; it is a means to an end, not an end in itself

This definition reflects certain fundamental concepts. Enterprise risk management is:

• A process, ongoing and flowing through an entity;
• Effected by people at every level of an organization;
• Applied in strategy setting;
• Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk;
• Designed to identify potential events that, if they occur, will affect the entity, and to keep risk within its risk appetite;
• Able to provide reasonable assurance to an entity's management and board of directors;
• Geared to the achievement of one or more separate but overlapping categories of objectives; it is only a means to an end, not the end itself.



This definition is purposefully broad for several reasons. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across types of organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity. And, the definition provides a basis for defining enterprise risk management effectiveness, discussed later in this chapter. The fundamental concepts outlined above are discussed in the following paragraphs.

This definition is purposefully broad for several reasons. It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across types of organizations, industries and sectors. It focuses directly on the achievement of objectives established by a particular entity, and provides a basis for defining the effectiveness of enterprise risk management, which is discussed later in this chapter. The fundamental concepts listed above are discussed in the paragraphs that follow.



A Process

Enterprise risk management is not static, but rather a continuous or iterative interplay of actions that permeate an entity. These actions are pervasive and inherent in the way management runs the business.

Enterprise risk management is not static, but a continuous or iterative interplay of actions that permeates all of an entity's activities. These actions pervade and are embedded in the way management runs the business.

Enterprise risk management is different from the perspective of some observers who view it as something added on to an entity’s activities. That is not to say effective enterprise risk management does not require incremental effort, as it may. In considering credit and currency risks, for example, incremental effort may be required to develop needed models and make necessary analyses and calculations. However, these enterprise risk management mechanisms are intertwined with an entity’s operating activities and exist for fundamental business reasons. Enterprise risk management is most effective when these mechanisms are built into the entity’s infrastructure and are part of the essence of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to implement its strategy and achieve its mission.

Enterprise risk management is not, as some observers view it, something added on top of an entity's activities. That is not to say that effective enterprise risk management does not require incremental effort; it may. For example, in considering credit and currency risks, incremental effort may be needed to develop the required models and carry out the necessary analyses and calculations. However, these enterprise risk management mechanisms are intertwined with the entity's operating activities and exist for fundamental business reasons. Enterprise risk management is more effective when these mechanisms are built into the entity's structure and become part of the core of the enterprise. By building in enterprise risk management, an entity can directly affect its ability to execute its strategy and achieve its mission.

Building in enterprise risk management has important implications for cost containment, especially in the highly competitive marketplaces many companies face. Adding new procedures separate from existing ones adds costs. By focusing on existing operations and their contribution to effective enterprise risk management, and integrating risk management into basic operating activities, an enterprise can avoid unnecessary procedures and costs. And, a practice of building enterprise risk management into the fabric of operations helps identify new opportunities for management to seize in growing the business.

Building in enterprise risk management has important implications for cost containment, especially in the highly competitive markets many companies face. Adding new procedures on top of existing ones adds cost. By focusing on existing operations and their contribution to effective enterprise risk management, and integrating risk management into basic operating activities, an enterprise can avoid unnecessary procedures and costs. Moreover, the practice of building enterprise risk management into the basic fabric of operations helps management identify new opportunities to seize in growing the business.



Effected by People

Enterprise risk management is effected by an entity’s board of directors, management and other personnel. It is accomplished by the people of an organization, by what they do and say. People establish the entity’s mission, strategy, and objectives, and put enterprise risk management mechanisms in place.

Enterprise risk management is effected by an entity's board of directors, management and other personnel. It is accomplished by the people in an organization, through what they say and do. People establish the entity's mission, strategy and objectives, and put enterprise risk management mechanisms in place.

Similarly, enterprise risk management affects people’s actions. Enterprise risk management recognizes that people do not always understand, communicate, or perform consistently. Each individual brings to the workplace a unique background and technical ability, and has different needs and priorities.

Similarly, enterprise risk management affects people's actions. Enterprise risk management recognizes that people do not always understand, communicate and act consistently. Each individual brings a unique background and technical ability to the workplace, and has different needs and priorities.

These realities affect, and are affected by, enterprise risk management. Each person has a unique point of reference, which influences how he or she identifies, assesses, and responds to risk. Enterprise risk management provides the mechanisms needed to help people understand risk in the context of the entity’s objectives. People must know their responsibilities and limits of authority. Accordingly, a clear and close linkage needs to exist between people’s duties and the way in which they are carried out, as well as with the entity’s strategy and objectives.

These realities affect, and are affected by, enterprise risk management. Each person has a unique point of reference, which influences how he or she identifies, assesses and responds to risk. Enterprise risk management provides the mechanisms needed to help people understand risk in the context of the entity's objectives. People must know their responsibilities and the limits of their authority. Accordingly, a clear and close linkage needs to exist between people's duties and the way they carry them out, as well as with the entity's strategy and objectives.

An organization’s people include the board of directors, management and other personnel. Although directors primarily provide oversight, they also provide direction and approve strategy and certain transactions and policies. As such, boards of directors are an important element of enterprise risk management.

An organization's people include the board of directors, management and other personnel. Although directors primarily provide oversight, they also provide direction and approve strategy and certain transactions and policies. As such, boards of directors are an important element of enterprise risk management.



Applied in Setting Strategy

An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its mission or vision. An entity establishes a strategy for achieving its strategic objectives. It also sets related objectives it wants to achieve, flowing from the strategy, cascading to entity business units, divisions, and processes.

An entity sets out its mission or vision and establishes strategic objectives, which are the high-level goals that align with and support its mission or vision. The entity establishes a strategy for achieving its strategic objectives. It also sets the related objectives it wants to achieve, flowing from the strategy down to the entity's business units, divisions and processes.

Enterprise risk management is applied in strategy setting, in which management considers risks relative to alternative strategies. For instance, one alternative may be to acquire other companies in order to grow market share. Another may be to cut sourcing costs in order to realize higher gross margin percentage. Each of these strategic choices poses a number of risks. If management selects the first strategy, it may have to expand into new and unfamiliar markets, competitors may be able to gain share in the company’s existing markets, or the company might not have the capabilities to effectively implement the strategy. With the second, risks include having to use new technologies or suppliers, or form new alliances. Enterprise risk management techniques are applied at this level to assist management in evaluating and selecting the entity’s strategy and related objectives.

Enterprise risk management is applied in strategy setting, where management considers the risks relative to alternative strategies. For instance, one alternative may be to acquire other companies in order to expand market share. Another may be to cut sourcing costs in order to realize a higher gross margin. Each of these strategic choices carries a number of risks. If management selects the first strategy, it may have to expand into new and unfamiliar markets, competitors may capture share in the company's existing markets, or the company may lack the capability to implement the strategy effectively. With the second, the risks include having to use new technologies or suppliers, or to form new alliances. Enterprise risk management techniques are applied at this level to help management evaluate and select the entity's strategy and related objectives.



Applied Across the Enterprise



In applying enterprise risk management, an entity should consider its entire scope of activities. Enterprise risk management considers activities at all levels of the organization, from enterprise-level activities such as strategic planning and resource allocation, to business unit activities such as marketing and human resources, to business processes such as production and new customer credit review. Enterprise risk management also applies to special projects and new initiatives that might not yet have a designated place in the entity’s hierarchy or organization chart.



Enterprise risk management requires an entity to take a portfolio view of risk. This might involve each manager responsible for a business unit, function, process, or other activity developing an assessment of risk for the activity. The assessment may be quantitative or qualitative. With a composite view at each succeeding level of the organization, senior management is positioned to make a determination whether the entity’s overall risk portfolio is commensurate with its risk appetite.



Management considers interrelated risks from an entity-level portfolio perspective. Risks for individual units of the entity may be within the units’ risk tolerances, but taken together may exceed the risk appetite of the entity as a whole. Or, conversely, potential events may represent an otherwise unacceptable risk in one business unit, but with an offsetting effect in another. Interrelated risks need to be identified and acted on so that the entirety of risk is consistent with the entity’s risk appetite.



Risk Appetite



Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Many entities consider risk appetite qualitatively, with such categories as high, moderate, or low, while others take a quantitative approach, reflecting and balancing goals for growth, return, and risk. A company with a higher risk appetite may be willing to allocate a large portion of its capital to such high-risk areas as newly emerging markets. In contrast, a company with a low risk appetite might limit its short-term risk of large losses of capital by investing only in mature, stable markets.



Risk appetite is directly related to an entity’s strategy. It is considered in strategy setting, as different strategies expose an entity to different risks. Enterprise risk management helps management select a strategy that aligns anticipated value creation with the entity’s risk appetite.

< br>


Risk appetite guides resource allocation. Management allocates resources among business units and initiatives with consideration of the entity’s risk appetite and the unit’s plan for generating desired return on invested resources. Management considers its risk appetite as it aligns its organization, people, and processes, and designs infrastructure necessary to effectively respond to and monitor risks.



Risk tolerances relate to the entity’s objectives. Risk tolerance is the acceptable level of variation relative to achievement of a specific objective, and often is best measured in the same units as those used to measure the related objective.



In setting risk tolerance, management considers the relative importance of the related objective and aligns risk tolerances with risk appetite. Operating within risk tolerances helps ensure that the entity remains within its risk appetite and, in turn, that the entity will achieve its objectives.



Provides Reasonable Assurance



Well-designed and operated enterprise risk management can provide management and the board of directors reasonable assurance regarding achievement of an entity’s objectives. Reasonable assurance reflects the notion that uncertainty and risk relate to the future, which no one can predict with precision.



Reasonable assurance does not imply that enterprise risk management frequently will fail. Many factors, individually and collectively, reinforce the concept of reasonable assurance. The cumulative effect of risk responses that satisfy multiple objectives and the multipurpose nature of internal controls reduce the risk that an entity may not achieve its objectives. Furthermore, the normal everyday operating activities and responsibilities of people functioning at various levels of an organization are directed at achieving the entity’s objectives. Indeed, among a cross-section of well-controlled entities, it is likely that most will be apprised regularly of movement toward their strategic and operations objectives, will achieve compliance objectives regularly, and consistently will produce, period after period, year after year, reliable reports. However, an uncontrollable event, a mistake, or an improper reporting incident can occur. In other words, even effective enterprise risk management can experience a failure. Reasonable assurance is not absolute assurance.



Achievement of Objectives



Within the context of the established mission, management establishes strategic objectives, selects strategy, and establishes other objectives cascading through the enterprise and aligned with and linked to the strategy. Although many objectives are specific to a particular entity, some are widely shared. For example, objectives common to virtually all entities are achieving and maintaining a positive reputation within the business and consumer communities, providing reliable reporting to stakeholders, and operating in compliance with laws and regulations.



This framework establishes four categories of entity objectives:

• Strategic – relating to high-level goals, aligned with and supporting the entity’s mission
• Operations – relating to effective and efficient use of the entity’s resources
• Reporting – relating to the reliability of the entity’s reporting
• Compliance – relating to the entity’s compliance with applicable laws and regulations



This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories (a particular objective can fall under more than one category) address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives.



Some entities use another category of objectives, “safeguarding of resources,” sometimes referred to as “safeguarding of assets.” Viewed broadly, these deal with prevention of loss of an entity’s assets or resources, whether through theft, waste, inefficiency, or what turns out to be simply bad business decisions, such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. These are primarily operations objectives, although certain aspects of safeguarding can fall under other categories. Where legal or regulatory requirements apply, these become compliance issues. When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity’s assets that could have a material effect on the financial statements.



Enterprise risk management can be expected to provide reasonable assurance of achieving objectives relating to the reliability of reporting, and compliance with laws and regulations. Achievement of those categories of objectives is within the entity’s control and depends on how well the entity’s related activities are performed.



However, achievement of strategic objectives, such as attaining a specified market share, and operations objectives, such as successfully launching a new product line, is not always within the entity’s control. Enterprise risk management cannot prevent bad judgments or decisions, or external events that can cause a business to fail to achieve operations goals. It does, however, enhance the likelihood that management will make better decisions. For these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.



Components of Enterprise Risk Management



Enterprise risk management consists of eight interrelated components. These are derived from the way management runs a business and are integrated with the management process. These components are:

• Internal Environment – Management sets a philosophy regarding risk and establishes a risk appetite. The internal environment sets the basis for how risk and control are viewed and addressed by an entity’s people. The core of any business is its people – their individual attributes, including integrity, ethical values, and competence – and the environment in which they operate.

• Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite.

• Event Identification – Potential events that might have an impact on the entity must be identified. Event identification involves identifying potential events from internal or external sources affecting achievement of objectives. It includes distinguishing between events that represent risks, those representing opportunities, and those that may be both. Opportunities are channeled back to management’s strategy or objective-setting processes.

• Risk Assessment – Identified risks are analyzed in order to form a basis for determining how they should be managed. Risks are associated with objectives that may be affected. Risks are assessed on both an inherent and a residual basis, with the assessment considering both risk likelihood and impact.

• Risk Response – Personnel identify and evaluate possible responses to risks, which include avoiding, accepting, reducing, and sharing risk. Management selects a set of actions to align risks with the entity’s risk tolerances and risk appetite.

• Control Activities – Policies and procedures are established and executed to help ensure the risk responses management selects are effectively carried out.

• Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing, and responding to risk. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Personnel receive clear communications regarding their role and responsibilities.

• Monitoring – The entirety of enterprise risk management is monitored, and modifications made as necessary. In this way, it can react dynamically, changing as conditions warrant. Monitoring is accomplished through ongoing management activities, separate evaluations of enterprise risk management, or a combination of the two.



Enterprise risk management is a dynamic process. For example, the assessment of risks drives risk response and may influence control activities and highlight a need to reconsider information and communication needs or the entity’s monitoring activities. Thus, enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and will influence another.



No two entities will, or should, apply enterprise risk management in the same way. Companies and their enterprise risk management capabilities and needs differ dramatically by industry and size, and by management philosophy and culture. Thus, while all entities should have each of the components in place and operating effectively, one company’s application of enterprise risk management – including the tools and techniques employed and the assignment of roles and responsibilities – often will look very different from another’s.



Relationship of Objectives and Components



There is a direct relationship between objectives, which are what an entity strives to achieve, and the enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the shape of a cube, shown in Exhibit 1.1.

Exhibit 1.1
• The four objectives categories – strategic, operations, reporting, and compliance – are represented by the vertical columns
• The eight components are represented by horizontal rows
• The entity and its units are depicted by the third dimension of the cube



Each component row “cuts across” and applies to all four objectives categories. For example, financial and non-financial data generated from internal and external sources, which is part of the information and communication component, is needed to set strategy, effectively manage business operations, report effectively, and determine that the entity is complying with applicable laws.



Similarly, looking at the objectives categories, all eight components are relevant to each. Taking one category, effectiveness and efficiency of operations, for example, all eight components are applicable and important to its achievement.



Enterprise risk management is relevant to an entire enterprise or to any of its individual units. This relationship is depicted by the third dimension, which represents subsidiaries, divisions, and other business units. Accordingly, one could focus on any one of the matrix’s cells. For instance, one could consider the top right back cell, representing the internal environment as it relates to compliance objectives of a particular subsidiary.



It should be recognized that the four columns represent categories of an entity’s objectives, not parts or units of the entity. Accordingly, when considering the category of objectives related to reporting, for example, knowledge of a wide array of information about the entity’s operations is needed. But in that case, focus is on the right-middle column of the model – the reporting objectives – rather than the operations objectives category.



Effectiveness



While enterprise risk management is a process, its effectiveness is a state or condition at a point in time. Determining whether enterprise risk management is “effective” is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity’s risk appetite.



When enterprise risk management is determined to be effective in each of the four categories of objectives, respectively, the board of directors and management have reasonable assurance that:

• They understand the extent to which the entity’s strategic objectives are being achieved
• They understand the extent to which the entity’s operations objectives are being achieved
• The entity’s reporting is reliable
• Applicable laws and regulations are being complied with



While in order for enterprise risk management to be deemed effective all eight components must be present and functioning properly – applying the principles described in the following chapters – some trade-offs may exist between components. Because enterprise risk management techniques can serve a variety of purposes, techniques applied relative to one component might serve the purpose of techniques normally present in another. Additionally, risk responses can differ in the degree to which they address a particular risk, so that complementary risk responses and controls, each with limited effect, together may be satisfactory.



The concepts discussed here apply to all entities, regardless of size. While some small and mid-size entities may implement component factors differently than large ones, they still can have effective enterprise risk management. The methodology for each component is likely to be less formal and less structured in smaller entities than in larger ones, but the basic concepts should be present in every entity.



Enterprise risk management usually is considered in the context of an enterprise as a whole, which involves considering its application in significant business units. There may, however, be circumstances where the effectiveness of enterprise risk management is to be evaluated separately for a particular business unit. In such circumstance, in order to conclude that enterprise risk management for the unit is effective all eight components must be present and functioning effectively in the unit. Thus, for example, because having a board of directors with specified attributes is part of the internal environment, enterprise risk management for a particular business unit may be judged effective only when the unit has in place an appropriately functioning board of directors or similar body (or the entity-level board of directors applies requisite oversight directly to the business unit). Similarly, because the risk response component describes taking a portfolio view of risk, for enterprise risk management to be judged effective there must be a portfolio view of risk for that business unit.

< br>


Encompasses Internal Control



Internal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described in Internal Control – Integrated Framework. Because Internal Control – Integrated Framework is the basis for existing rules, regulations, and laws, and has stood the test of time, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control – Integrated Framework are reproduced in this framework, the entirety of Internal Control – Integrated Framework is incorporated by reference into this framework. Appendix C describes the relationship between enterprise risk management and internal control.



Enterprise Risk Management and the Management Process



Because enterprise risk management is part of the management process, the enterprise risk management framework components are discussed in the context of what management does in running a business or other entity. But not everything management does is a part of enterprise risk management. Many judgments applied in management’s decision making and related management actions, while part of the management process, are not part of enterprise risk management. For example:

• Ensuring there is an appropriate process for objective setting is a critical component of enterprise risk management, but the particular objectives selected by management are not part of enterprise risk management.
• Responding to risks, based on an appropriate assessment of the risks, is a part of enterprise risk management, but the specific risk responses selected and the associated allocation of entity resources are not.
• Establishing and executing control activities to help ensure the risk responses management selects are effectively carried out is a part of enterprise risk management, but the particular control activities chosen are not.



In general, enterprise risk management involves those elements of the management process that enable management to make informed risk-based decisions, but the particular decisions selected from an array of appropriate choices do not determine whether enterprise risk management is effective. However, while the specific objectives, risk responses, and control activities selected are a matter of management judgment, the choices must result in reducing risk to an acceptable level, as determined by risk appetite and reasonable assurance regarding achievement of entity objectives.



2. INTERNAL ENVIRONMENT


Chapter Summary: The internal environment encompasses the tone of an organization, influencing the risk consciousness of its people, and is the basis for all other components of enterprise risk management, providing discipline and structure. Internal environment factors include an entity’s risk management philosophy; its risk appetite; oversight by the board of directors; the integrity, ethical values, and competence of the entity’s people; and the way management assigns authority and responsibility, and organizes and develops its people.



The internal environment is the basis for all other components of enterprise risk management, providing discipline and structure. It influences how strategies and objectives are established, business activities are structured, and risks are identified, assessed, and acted upon. And it influences the design and functioning of control activities, information and communication systems, and monitoring activities.



The internal environment is influenced by an entity’s history and culture. It comprises many elements, including the entity’s ethical values, competence and development of personnel, management’s philosophy for managing risk, and how it assigns authority and responsibility. A board of directors is a critical part of the internal environment and significantly influences other internal environment elements.



Although all elements are important, the extent to which each is addressed will vary with the entity. For example, the chief executive of a company with a small workforce and centralized operations might not establish formal lines of responsibility and detailed operating policies. Nevertheless, the company could have an internal environment that provides an appropriate foundation for enterprise risk management.



Risk Management Philosophy



An entity’s risk management philosophy is the set of shared beliefs and attitudes characterizing how the entity considers risk in everything it does, from strategy development and implementation to its day-to-day activities. Its risk management philosophy reflects the entity’s values, influencing its culture and operating style, and affects how enterprise risk management components are applied, including how risks are identified, the kinds of risks accepted, and how they are managed.



A company that has been successful accepting significant risks is likely to have a different outlook on enterprise risk management than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. While some entities may work to achieve effective enterprise risk management to satisfy requirements of an external stakeholder, such as a parent company or regulator, more often it is because management recognizes that effective risk management helps the entity create and preserve value.



When the risk management philosophy is well developed, understood, and embraced by its personnel, the entity is positioned to effectively recognize and manage risk. Otherwise, there can be unacceptably uneven application of enterprise risk management across business units, functions, or departments. But even when an entity’s philosophy is well developed, there nonetheless may be cultural differences among its units, resulting in variation in enterprise risk management application. Managers of some units may be prepared to take more risk, while others are more conservative. For example, an aggressive selling function may focus its attention on making a sale, without careful attention to regulatory compliance matters, while the contracting unit’s personnel focus significant attention on ensuring compliance with all relevant internal and external policies and regulations. Separately, these different subcultures could adversely affect the entity. But by working well together the units can appropriately reflect the entity’s risk management philosophy.



The enterprise’s risk management philosophy is reflected in virtually everything management does in running the entity. It is captured in policy statements, oral and written communications, and decision making. Whether management emphasizes written policies, standards of behavior, performance indicators, and exception reports, or operates more informally largely through face-to-face contact with key managers, of critical importance is that management reinforces the philosophy not only with words but also with everyday actions.



Risk Appetite



Risk appetite is the amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the enterprise’s risk management philosophy, and in turn influences the entity’s culture and operating style.



Risk appetite is considered in strategy setting, where the desired return from a strategy should be aligned with the entity’s risk appetite. Different strategies will expose the entity to different levels of risk, and enterprise risk management, applied in strategy setting, helps management select a strategy consistent with the entity’s risk appetite.



Entities consider risk appetite qualitatively, with such categories as high, moderate, or low, or take a quantitative approach, reflecting and balancing goals for growth and return with risk.



Board of Directors



An entity’s board of directors is a critical part of the internal environment and significantly influences its elements. The board’s independence from management, the experience and stature of its members, the extent of its involvement in and scrutiny of activities, and the appropriateness of its actions all play a role. Other factors include the degree to which difficult questions are raised and pursued with management regarding strategy, plans, and performance, and the interaction the board or audit committee has with internal and external auditors.



An active and involved board of directors, board of trustees, or comparable body should possess an appropriate degree of management, technical, and other expertise, coupled with the mind-set necessary to perform its oversight responsibilities. This is critical to an effective enterprise risk management environment. And, because the board must be prepared to question and scrutinize management’s activities, present alternative views, and act in the face of wrongdoing, the board must include outside directors.



Members of top management may be effective board members, bringing their deep knowledge of the company. But there must be a sufficient number of independent outside directors not only to provide sound advice, counsel, and direction, but also to serve as a necessary check and balance on management. For the internal environment to be effective, the board must have at least a majority of independent outside directors.



Effective boards of directors ensure that management maintains effective risk management. Although an enterprise historically might not have suffered losses and might have no obvious significant risk exposure, the board does not succumb to the mythical notion that events with seriously adverse consequences “couldn’t happen here.” It recognizes that while a company may have a sound strategy, competent employees, sound business processes, and reliable technology, it, like every entity, is vulnerable to risk, and an effectively functioning risk management process is needed.



Integrity and Ethical Values



An entity’s strategy and objectives and the way they are implemented are based on preferences, value judgments, and management styles. Management’s integrity and commitment to ethical values influence these preferences and judgments, which are translated into standards of behavior. Because an entity’s good reputation is so valuable, the standards of behavior must go beyond mere compliance with law. Managers of well-run enterprises increasingly have accepted the view that ethics pays and ethical behavior is good business.



Management integrity is a prerequisite for ethical behavior in all aspects of an entity’s activities. The effectiveness of enterprise risk management cannot rise above the integrity and ethical values of the people who create, administer, and monitor entity activities. Integrity and ethical values are essential elements of an entity’s internal environment, affecting the design, administration, and monitoring of other enterprise risk management components.



Establishing ethical values often is difficult because of the need to consider the concerns of several parties. Management values must balance the concerns of the enterprise, employees, suppliers, customers, competitors, and the public. Balancing these concerns can be complex and frustrating because interests are often at odds. For example, providing an essential product (petroleum, lumber, or food) may cause environmental concerns.



Ethical behavior and management integrity are by-products of the corporate culture, which encompasses ethical and behavioral standards and how they are communicated and reinforced. Official policies specify what the board and management want to happen. Corporate culture determines what actually happens, and which rules are obeyed, bent, or ignored. Top management, starting with the CEO, plays a key role in determining the corporate culture. As the dominant personality in an entity, the CEO often sets the ethical tone.



Certain organizational factors also can influence the likelihood of fraudulent and questionable financial reporting practices. Those same factors are likely to influence ethical behavior as well. Individuals may engage in dishonest, illegal, or unethical acts simply because the entity gives them strong incentives or temptations to do so. Undue emphasis on results, particularly in the short term, can foster an inappropriate internal environment. Focusing solely on short-term results can hurt even in the short term. Concentration on the bottom line (sales or profit at any cost) often evokes unsought actions and reactions. High-pressure sales tactics, ruthlessness in negotiations, or implicit offers of kickbacks, for instance, may evoke reactions that can have immediate (as well as lasting) effects.



Other incentives for engaging in fraudulent or questionable reporting practices and, by extension, other forms of unethical behavior may include rewards highly dependent on reported financial and non-financial information, particularly for short-term results.



Removing or reducing inappropriate incentives and temptations goes a long way toward eliminating undesirable behavior. As suggested, this can be achieved by following sound and profitable business practices. For example, performance incentives, accompanied by appropriate controls, can be a useful management technique as long as the performance targets are realistic. Setting realistic targets is a sound motivational practice, reducing counterproductive stress as well as the incentive for fraudulent reporting. Similarly, a well-controlled reporting system can serve as a safeguard against the temptation to misstate performance.



Another cause of questionable practices is ignorance. Ethical values must be not only communicated but also accompanied by explicit guidance regarding what is right and wrong. Formal codes of corporate conduct are important to, and the foundation of, an effective ethics program. Codes address a variety of behavioral issues, such as integrity and ethics, conflicts of interest, illegal or otherwise improper payments, and anticompetitive arrangements. Upward communications channels where employees feel comfortable bringing relevant information also are important.



Existence of a written code of conduct, documentation that employees received and understand it, and an appropriate communications channel by themselves do not ensure the code is being followed. Also important to compliance are resulting penalties to employees who violate the code, mechanisms that encourage employee reporting of suspected violations, and disciplinary actions against employees who knowingly fail to report violations. But compliance with ethical standards, whether or not embodied in a written code, is equally if not more effectively ensured by top management’s actions and the examples they set. Employees are likely to develop the same attitudes about right and wrong, and about risks and controls, as those shown by top management. Messages sent by management’s actions quickly become embodied in the corporate culture. And knowledge that the CEO has “done the right thing” ethically when faced with a tough business decision sends a powerful message throughout the entity.



Commitment to Competence



Competence reflects the knowledge and skills needed to perform assigned tasks. Management decides how well these tasks need to be accomplished, weighing the entity’s strategy and objectives against plans for their implementation and achievement. A trade-off often exists between competence and cost; it is not necessary, for instance, to hire an electrical engineer to change a light bulb.



Management specifies the competency levels for particular jobs and translates those levels into requisite knowledge and skills. The necessary knowledge and skills in turn may depend on individuals’ intelligence, training, and experience. Factors considered in developing knowledge and skill levels include the nature and degree of judgment to be applied to a specific job. Often a trade-off can be made between the extent of supervision and the requisite competence level of the individual.



Organizational Structure



An entity’s organizational structure provides the framework to plan, execute, control, and monitor its activities. A relevant organizational structure includes defining key areas of authority and responsibility and establishing appropriate lines of reporting. For example, an internal audit function should be structured in a manner that achieves organizational objectivity and permits unrestricted access to top management and the audit committee of the board, and the chief audit executive should report to a level within the organization that allows the internal audit activity to fulfill its responsibilities.



An entity develops an organizational structure suited to its needs. Some are centralized, others decentralized. Some have direct reporting relationships, while others are more of a matrix organization. Some entities are organized by industry or product line, by geographical location, or by a particular distribution or marketing network. Other entities, including many state and local governmental units and not-for-profit institutions, are organized by function.



The appropriateness of an entity’s organizational structure depends, in part, on its size and the nature of its activities. A highly structured organization with formal reporting lines and responsibilities may be appropriate for a large entity that has numerous operating divisions, including foreign operations. However, such a structure could impede the necessary flow of information in a small company. Whatever the structure, an entity should be organized to enable effective enterprise risk management and to carry out its activities so as to achieve its objectives.



Assignment of Authority and Responsibility



Assignment of authority and responsibility involves the degree to which individuals and teams are authorized and encouraged to use initiative to address issues and solve problems, as well as limits to their authority. It includes establishing reporting relationships and authorization protocols, as well as policies that describe appropriate business practices, knowledge and experience of key personnel, and resources provided for carrying out duties.



Some entities have pushed authority downward to bring decision making closer to front-line personnel. A company may take this tack to become more market-driven or quality-focused, perhaps to eliminate defects, reduce cycle time, or increase customer satisfaction. Alignment of authority and accountability often is designed to encourage individual initiatives, within limits. Delegation of authority means surrendering central control of certain business decisions to lower echelons, to the individuals who are closest to everyday business transactions. This may involve empowerment to sell products at discount prices; negotiate long-term supply contracts, licenses, or patents; or enter alliances or joint ventures.


A critical challenge is to delegate only to the extent required to achieve objectives. This means ensuring that decision making is based on sound practices for risk identification and assessment, including sizing risks and weighing potential losses versus gains in determining which risks to accept and how they are to be managed.



Another challenge is ensuring that all personnel understand the entity’s objectives. It is essential that individuals know how their actions are related to one another and contribute to achievement of the objectives.



Increased delegation sometimes is intentionally accompanied by, or is the result of, streamlining or “flattening” the organizational structure. Purposeful structural change to encourage creativity, taking initiative, and faster response times can enhance competitiveness and customer satisfaction. This increased delegation may carry an implicit requirement for a higher level of employee competence, as well as greater accountability. It also requires effective procedures for management to monitor results so that decisions can be overruled or accepted as necessary. Along with better, market-driven decisions, delegation may increase the number of undesirable or unanticipated decisions. For example, if a district sales manager decides that authorization to sell at 35% off list price justifies a temporary 45% discount to gain market share, management may need to know so that it can overrule or accept such decisions going forward.



The internal environment is greatly influenced by the extent to which individuals recognize that they will be held accountable. This holds true all the way to the chief executive, who, with board oversight, has ultimate responsibility for all activities within an entity.



Additional principles related to roles and responsibilities by parties integral to effective enterprise risk management are set forth in the Roles and Responsibilities chapter.



Human Resource Standards



Human resource practices pertaining to hiring, orientation, training, evaluating, counseling, promoting, compensating, and taking remedial actions send messages to employees regarding expected levels of integrity, ethical behavior, and competence. For example, standards for hiring the most qualified individuals, with emphasis on educational background, prior work experience, past accomplishments, and evidence of integrity and ethical behavior, demonstrate an entity’s commitment to competent and trustworthy people. The same is true when recruiting practices include formal, in-depth employment interviews and training in the entity’s history, culture, and operating style.



Training policies can reinforce expected levels of performance and behavior by communicating prospective roles and responsibilities and by including such practices as training schools and seminars, simulated case studies, and role-playing exercises. Transfers and promotions driven by periodic performance appraisals demonstrate the entity’s commitment to advancement of qualified employees. Competitive compensation programs that include bonus incentives serve to motivate and reinforce outstanding performance, although reward systems should be structured, and controls in place, to avoid undue temptation to misrepresent reported results. Disciplinary actions send a message that violations of expected behavior will not be tolerated.



It is essential that employees be equipped to tackle new challenges as issues and risks throughout the entity change and become more complex, driven in part by rapidly changing technologies and increasing competition. Education and training, whether classroom instruction, self-study, or on-the-job training, must help personnel keep pace and deal effectively with the evolving environment. Hiring competent people and providing one-time training are not enough. The education process is ongoing.



Implications



It is difficult to overstate the importance of an entity’s internal environment and the impact, positive or negative, it can have on other enterprise risk management components. The impact of an ineffective internal environment can be far-reaching, possibly resulting in financial loss, a tarnished public image, or a business failure.


An energy company generally was thought to have effective enterprise risk management since it had high-powered and respected senior managers, a prestigious board of directors, an innovative strategy, well-designed information systems and control activities, extensive policy manuals prescribing risk and control functions, and comprehensive reconciling and supervisory routines. Its internal environment, however, was significantly flawed. Management participated in highly questionable business practices, and the board turned a “blind eye.” The company was found to have misreported financial results and suffered a loss of shareholder confidence, a liquidity crisis, and destruction of entity value. Ultimately the company went into one of the largest bankruptcies in history.



The attitude and concern of top management for effective enterprise risk management must be definitive and clear, and permeate the organization. It is not sufficient to say the right words. An attitude of “do as I say, not as I do” will only bring about an ineffective environment.



3. OBJECTIVE SETTING



Chapter Summary: Objectives are set at the strategic level, establishing a basis for operations, reporting, and compliance objectives. Every entity faces a variety of risks from external and internal sources, and a precondition to effective event identification, risk assessment, and risk response is establishment of objectives. Objectives are aligned with the entity’s risk appetite, which drives risk tolerance levels for the entity.



Objective setting is a precondition to event identification, risk assessment, and risk response. There must first be objectives before management can identify and assess risks to their achievement and take necessary actions to manage the risks.



Strategic Objectives



An entity’s mission sets out in broad terms what the entity aspires to achieve. Whatever term is used, such as “mission,” “vision,” or “purpose,” it is important that management, with board oversight, explicitly establish the entity’s broad-based reason for being. From this, management sets strategic objectives, formulates strategy, and establishes related operations, compliance, and reporting objectives for the organization. While an entity’s mission and strategic objectives are generally stable, its strategy and many related objectives are more dynamic and adjusted for changing internal and external conditions. As they change, strategy and related objectives are realigned with strategic objectives.



Strategic objectives are high-level goals, aligned with and supporting the entity’s mission/vision. Strategic objectives reflect management’s choice as to how the entity will seek to create value for its stakeholders.



In considering alternative ways to achieve its strategic objectives, management identifies risks associated with a range of strategy choices and considers their implications. Various event identification and risk assessment techniques, discussed below and in later chapters, can be used in the strategy-setting process. In this way, enterprise risk management techniques are used in setting strategy and objectives.



Related Objectives



Establishing the right objectives that support and are aligned with the selected strategy, relative to all entity activities, is critical to success. By focusing first on strategic objectives and strategy, an entity is positioned to develop related objectives at an entity level, achievement of which will create and preserve value. Entity-level objectives are linked to and integrated with more specific objectives that cascade through the organization to sub-objectives established for various activities, such as sales, production, and engineering, and infrastructure functions.



By setting objectives at the entity and activity levels, an entity can identify critical success factors. These are key things that must go right if goals are to be attained. Critical success factors exist for an entity, a business unit, a function, a department, or an individual. By setting objectives, management can identify measurement criteria for performance, with a focus on critical success factors.



Where objectives are consistent with prior practice and performance, the linkage among activities is known. However, where objectives depart from an entity’s past practices, management must address the linkages or run increased risks. In such cases, there is an even greater need for business unit objectives or sub-objectives that are consistent with the new direction.



Objectives need to be readily understood and measurable. Enterprise risk management requires that personnel at all levels have a requisite understanding of the entity’s objectives as they relate to the individual’s sphere of influence. All employees must have a mutual understanding of what is to be accomplished and a means of measuring what is being accomplished.



Categories of Related Objectives



Despite the diversity of objectives across entities, certain broad categories are established:

• Operations Objectives: These pertain to the effectiveness and efficiency of the entity’s operations, including performance and profitability goals and safeguarding resources against loss. They vary based on management’s choices about structure and performance.

• Reporting Objectives: These pertain to the reliability of reporting. They include internal and external reporting and may involve financial and non-financial information.

• Compliance Objectives: These pertain to adherence to relevant laws and regulations. They are dependent on external factors and tend to be similar across all entities in some cases and across an industry in others.



Certain objectives follow from the business an entity is in. Some companies, for example, submit information to environmental agencies, and publicly traded companies file information with securities regulators. These externally imposed requirements are established by law or regulation, and fall into the reporting or compliance categories or, in these examples, both.

Particular objectives depend on the business the entity is engaged in. For example, some companies submit information to environmental agencies, while publicly listed companies file information with securities regulators. These externally imposed requirements are established through laws or regulations; they belong to the reporting or compliance objectives or, as in these examples, to both.



Conversely, operations objectives, as well as those for internal management reporting, are based more on preferences, judgments, and management style. They vary widely among entities simply because informed, competent, and honest people may select different objectives. Regarding product development, for example, one entity chooses to be an early adapter, another a quick follower, and yet another a slow lagger. These choices affect the structure, skills, staffing, and controls of the research and development function. Consequently, no one formulation of objectives is optimal for all entities.

Conversely, operations objectives, and those for internal management reporting, rest more on preferences, judgment and management style. They differ widely between entities simply because informed, competent and honest people may choose different objectives. In product development, for example, one entity chooses to be an early adopter, another a fast follower, and yet another a slow laggard. These choices affect the structure, skills, staffing and controls of the research and development function. Hence there is no single pattern of objectives that is optimal for all entities.



Operations Objectives



Operations objectives relate to the effectiveness and efficiency of the entity's operations. They include related sub-objectives for operations, directed at enhancing operating effectiveness and efficiency in moving the enterprise toward its ultimate goal.

Operations objectives concern the effectiveness and efficiency of the entity's operations. They include related operational sub-objectives aimed at improving operating effectiveness and efficiency as the entity moves toward its ultimate goal.



Operations objectives need to reflect the particular business, industry, and economic environments in which the entity functions. The objectives need, for example, to be relevant to competitive pressures for quality, reduced cycle times to bring products to market, or changes in technology. Management must ensure that objectives reflect reality and the demands of the marketplace, and are expressed in terms that allow meaningful performance measurements. A clear set of operations objectives, linked to sub-objectives, is fundamental to success. Operations objectives provide a focal point for directing allocated resources; if an entity's operations objectives are not clear or well conceived, its resources may be misdirected.

Operations objectives need to reflect the particular business, industry and economic environment in which the entity operates. For example, they need to relate to competitive pressure on quality, to shortening the cycle time for bringing products to market, or to changes in technology. Management must ensure that these objectives reflect reality and market demands and are expressed in a way that supports meaningful performance measurement. A clear set of operations objectives linked to sub-objectives is essential to success. Operations objectives provide a focal point for directing allocated resources; if an entity's operations objectives are unclear or poorly conceived, its resources may be misdirected.



Reporting Objectives



Reliable reporting provides management accurate and complete information appropriate for its intended purpose. It supports management's decision making and monitoring of the entity's activities and performance. Examples of such reports include results of marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction results. Reporting also relates to reports prepared for external dissemination, such as financial statements and footnote disclosures, management's discussion and analysis, and reports filed with regulatory agencies.

Reliable reporting provides management with accurate and complete information suited to its intended purpose. It supports management's decision making and its monitoring of the entity's activities and performance. Examples of such reports include the results of marketing programs, daily sales flash reports, production quality, and employee and customer satisfaction results. Reporting also covers reports prepared for dissemination, such as financial statements and footnote disclosures, management's discussion and analysis (MD&A), and reports filed with regulatory agencies.



Compliance Objectives



Entities must conduct their activities, and often must take specific actions, in accordance with relevant laws and regulations. These requirements may relate to markets, pricing, taxes, the environment, employee welfare, and international trade. Applicable laws and regulations establish minimum standards of behavior, which the entity integrates into its compliance objectives. For example, occupational health and safety regulations cause one company to define its objective as, "Package and label all chemicals in accordance with regulations." In this case, policies and procedures deal with communication programs, site inspections, and training. An entity's compliance record can significantly, either positively or negatively, affect its reputation in the community and marketplace.

Entities must carry out their activities in accordance with relevant laws and regulations, and often must take specific measures to do so. These requirements may relate to markets, pricing, taxes, the environment, employee welfare and international trade. Applicable laws and regulations set minimum standards of behavior, which the entity incorporates into its compliance objectives. For example, occupational health and safety regulations lead one company to define its objective as "package and label all chemicals in accordance with regulations". In this case, policies and procedures must be drawn up to handle communication programs, site inspections and training. An entity's compliance record may have a strongly positive or negative effect on its reputation in the community and the marketplace.



Subcategories



The categories of objectives are part of the common language established by this framework, facilitating understanding and communication. An entity may, however, find it useful to discuss a subset of one or more objectives categories, to facilitate communication, internally or externally, on a narrower topic. A company might, for instance, decide to communicate the effectiveness of a part of the reporting category, say, enterprise risk management over external reporting, or perhaps over only external financial reporting. Doing so enables the communication to stay within the context of this enterprise risk management framework, while allowing communications on specific subsets of categories.

The categories of objectives are part of the common language established by this framework and aid understanding and communication. An entity may, however, find it useful to discuss a subset of one or more objective categories for internal or external communication on a narrower topic. For example, a company might decide to communicate about only part of the reporting category, say the effectiveness of enterprise risk management over external reporting, or over external financial reporting alone. Doing so keeps the communication within the scope of this enterprise risk management framework while allowing communication on specific subsets of the categories.



Overlap of Objectives



An objective in one category may overlap or support an objective in another. The category in which an objective falls sometimes depends on circumstances. For example, providing reliable information to business unit management to manage and control production activities may serve to achieve both operations and reporting objectives. And, to the extent the information is used for reporting environmental data to the government, it serves compliance objectives.

An objective in one category may overlap with or support an objective in another. The category to which an objective belongs sometimes depends on circumstances. For example, providing reliable information to business unit management for managing and controlling production activities may serve both operations and reporting objectives. And insofar as that information is used to report environmental data to the government, it also serves compliance objectives.



Some entities use another category of objectives, "safeguarding of resources," sometimes referred to as "safeguarding of assets," which overlaps with the other categories of objectives. Viewed broadly, safeguarding of assets deals with prevention of loss of an entity's assets or resources, whether through theft, waste, inefficiency, or what turns out to be simply bad business decisions, such as selling product at too low a price, failing to retain key employees or prevent patent infringement, or incurring unforeseen liabilities. These are primarily operations objectives, although certain aspects of safeguarding can fall under the other categories. Where legal or regulatory requirements apply, these become compliance objectives. On the other hand, properly reflecting asset losses in the entity's financial statements represents a reporting objective.

Some entities use another category of objectives, "safeguarding of resources", sometimes called "safeguarding of assets", which overlaps with the other categories of objectives. Broadly viewed, safeguarding of assets is concerned with preventing loss of the entity's assets or resources through theft, waste, inefficiency or simply poor business decisions, such as selling products at too low a price, failing to retain key employees, failing to prevent patent infringement, or incurring unforeseen liabilities. Although certain aspects of safeguarding can be placed in other categories, these are primarily operations objectives. Where legal or regulatory requirements apply, they become compliance objectives. On the other hand, properly reflecting asset losses in the entity's financial statements represents a reporting objective.



When considered in conjunction with public reporting, a narrower definition of safeguarding of assets often is used, dealing with prevention or timely detection of unauthorized acquisition, use, or disposition of an entity's assets. For further discussion of this category of objectives, reference should be made to Internal Control – Integrated Framework, including the Addendum to Reporting to External Parties module.

When considered together with public reporting, a narrower definition of safeguarding of assets is usually adopted, namely preventing or promptly detecting unauthorized acquisition, use or disposal of the entity's assets. For further discussion of this category of objectives, refer to Internal Control – Integrated Framework, including its "Addendum to Reporting to External Parties" module.



Achievement of Objectives



An appropriate process for objective setting is a critical component of enterprise risk management. Although objectives provide the measurable targets toward which the entity moves in conducting its activities, they have differing degrees of importance and priority. Accordingly, while an entity should have reasonable assurance that certain objectives are achieved, that may not be the case for all objectives.

An appropriate objective-setting process is a critical component of enterprise risk management. Although objectives provide measurable benchmarks for the entity's activities, their importance and priority differ. Accordingly, while an entity should have reasonable assurance that particular objectives are achieved, this is not so for every objective.



Effective enterprise risk management provides reasonable assurance that an entity's reporting objectives are being achieved. Similarly, there should be reasonable assurance that compliance objectives are being achieved. Achieving reporting and compliance objectives is largely within the entity's control. That is, once the objectives have been determined, the entity has control over its ability to do what is needed to meet them.

Effective enterprise risk management provides reasonable assurance that the entity's reporting objectives are being achieved. Likewise, there must be reasonable assurance that compliance objectives are achieved. Achieving reporting and compliance objectives lies largely within the entity's control. That is, once objectives have been set, the entity controls its ability to carry out the activities needed to meet them.



But there is a difference when it comes to strategic and operations objectives, because their achievement is not solely within the entity's control. An entity may perform as intended, yet be outperformed by a competitor. It is subject to external events, such as a change in government, poor weather, and the like, where an occurrence is beyond its control. It may even have considered some of these events in its objective-setting process and treated them as having a low likelihood, with a contingency plan in case they occurred. However, such a plan only mitigates the impact of external events. It does not ensure that the objectives will be achieved.

Strategic and operations objectives are different, however, because their achievement does not lie wholly within the entity's control. An entity may operate as planned and still be overtaken by a competitor. This is because external events, such as a change of government, bad weather and the like, occur beyond its control. Some of these events may even have been considered during objective setting, treated as low-likelihood events, and covered by a contingency plan should they occur. But such a plan only mitigates the impact of external events; it cannot ensure that the objectives are achieved.



Enterprise risk management over operations focuses primarily on developing consistency of objectives and goals throughout the organization; identifying key success factors and risks; assessing the risks and making informed responses; implementing appropriate risk responses and establishing needed controls; and timely reporting of performance and expectations. For strategic and operations objectives, enterprise risk management can provide reasonable assurance that management and, in its oversight role, the board are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of these objectives.

Enterprise risk management over operations focuses mainly on establishing consistency of objectives and goals across the whole organization, identifying key success factors and risks, assessing risks and making informed responses, implementing appropriate risk responses and establishing the necessary controls, and reporting performance and expectations in a timely way. For strategic and operations objectives, enterprise risk management can provide reasonable assurance that management, and the board in fulfilling its oversight role, are kept informed in a timely manner of the extent to which the entity is achieving these objectives.



Selected Objectives



As part of enterprise risk management, management not only selects objectives and considers how they support the entity's mission, but also ensures that they align with the entity's risk appetite. Misalignment could result in not accepting enough risk to achieve the objectives or, conversely, accepting too much risk. Effective enterprise risk management does not dictate which objectives management should choose, but
