1、 外文翻译 原文 Gaining Competitive Advantage from Compliance and Rick Management Material Source: From Strategy to Execution Author: Amit Chatterjee and David Milam INTRODUCTION Risk management has been around for decades in nancial services, using highly evolved risk modeling and analysis to manage marke
2、t and credit risk.Risk is generally dened as the potential for loss caused by an event or series of events that can adversely affect the achievement of company objectives. However, organizations are realizing that effective risk management can create opportunities as well as mitigate problems. In ot
3、her words, a successful risk management philosophy focuses not only on risk avoidance and protecting existing assets, but also on enhancing future growth opportunities and creating competitive differentiation.Unfortunately, many organizations fail to fully achieve these risk management benets. The g
4、reatest threats to a company can arise when multiple risk factors combine to blindside management often with disastrous results. How can you avoid such disasters? By automatically identifying and monitoring top enterprise risks, giving lines of business (LOB) the tools to effectively mitigate risks,
5、 and presenting risk in the context of corporate strategy and performance. With this approach, you provide executives with a clear understanding of the most important and potentially damaging risks your company faces. GOVERNANCE, RISK, AND COMPLIANCE: WHY A HOLISTIC APPROACH WILL HELP Many companies
6、 react tactically to the growing demands of regulatory agencies, stakeholders, and even customers. Unfortunately, this tactical response which often includes extensive manual effort and one-off compliance solutions is costly and becoming even more expensive. AMR Research reports that companies will
7、spend $29.9 billion in 2007 alone for GRC-related activities up 8.5 percent from the previous year. Approximately two-thirds of this cost is in people because fragmented GRC efforts tend to result in “people-powered GRC,” where inefcient processes are often duplicated across departments. Companies t
8、hat have relied on relatively informal, manual processes to identify and assess risks are now realizing that this approach is not only expensive but unsustainable. As external expectations increase, so does the cost of compliance as companies allocate more people to risk and compliance management ta
9、king away resources from other revenue-producing areas of the business. AMR reports that “companies are turning the corner and adopting a systemic approach to risk management, using technology to support the process. Risk management is emerging as a structured, strategic approach to identifying, ass
10、essing, and potentially remedying issues before they become public problems.” AMRs observation means that leading organizations arent simply reacting to the newest compliance regulation with a project-based response. Instead, they are adopting a unied risk-based GRC strategy that guides employees, s
11、tandardizes processes, and uses technology to embed risk management into business processes at every level of the organization. A comprehensive GRC solution should encompass not only risk mitigation but also risk taking as a means to value creation. By taking a holistic approach to GRC, you can incr
12、ease shareholder value, minimize costs, master uncertainty, and optimize the opportunity to free resources for innovation and growth. A best practice approach to managing GRC: Automatically identies and monitors top enterprise risks ;Enables lines of business to effectively mitigate risks by embeddi
13、ng risk management into existing business processes ;Plans for cross-enterprise risk scenarios ;Adds risk analysis to strategy and decision-making processes CHALLENGES: MITIGATING RISK AND MANAGING COMPLIANCE For many companies, moving to a strategic, risk-based approach to GRC is hampered by poor v
14、isibility, fragmented operations, and after-the-fact responses. Lets take a moment to look at how these conditions affect risk management. The rst problem for many organizations is poor visibility into the status of risks across the enterprise. Driving this lack of visibility is the substantial manu
15、al effort required by many risk management processes. Most risk managers send out periodic surveys to LOB managers, in hopes of better assessing the risks their organization faces. However, since the input is manually captured in forms or spreadsheets, it is difcult to track progress or follow up on
16、 errant responses. In addition, the potential impact of risks can change rapidly. This means that the information gathered by risk managers is quickly obsolete, making manual risk identication and tracking ineffective. In addition, many large or diverse companies nd that risks are managed within the
17、 walls of functional or departmental silos. Because of this siloed approach, there is little transparency across organizational boundaries and individual business managers can be caught off-guard by events happening in other groups. For example, a supply-chain risk leads to slowed production, which
18、affects the ability to deliver product to customers, ultimately resulting in a risk to sales revenue. This fragmented approach to risk management makes it almost impossible to evaluate risk interdependencies and the potential impact of multiple risk events happening at once. Finally, many organizati
19、ons consider risks “after the fact” and separately from the overall strategy or goals of the organization. Most companies use a bottom-up perspective to tackle risk management, often identifying hundreds or thousands of potential risks in total. The solution? Taking an approach that aligns risk mana
20、gement with well-understood corporate objectives, so risks are managed in the business context in which they occur. With this kind of proactive and “top-down” approach, risk management becomes infused into the corporate culture, and you can quickly identify gaps, track interdependent risks together,
21、 and allocate resources to mitigate risk for the greatest overall impact. STRATEGICALLY APPROACHING GRC: THE BENEFITS A holistic, strategic approach to GRC can form the basis for successful risk management and compliance. By providing a new level of transparency and condence across the enterprise an
22、d beyond GRC delivers value to the board, LOB management, and key external stakeholders. When companies adopt a strategic approach to risk management, they can expect to generate signicant benets, including increased shareholder value and lower GRC spending. As noted in the Deloitte Research study,
23、80 percent of the companies that suffered the greatest losses in value were exposed to more than one type of risk and failed to recognize and manage the relationships among different types of risks. It follows that if you rely on an integrated risk management solution to identify and manage interdep
24、endencies among all the risks facing your company, you will make better nancial and operational decisions, reducing the likelihood of suffering major losses in value. In addition, institutional investors and rating agencies which can signicantly affect your cost of capital or market capitalization i
25、ncreasingly reward an organization for its capability to understand and manage GRC. “The most important contribution that risk management can make is to help managers make better operational decisions as their businesses face an increasingly uncertain future,” points out David M. Johnson, managing d
26、irector at Protiviti and head of the companys Technology Risk practice. “Therefore, risk responses should support the organizations value creation objectives by monitoring and managing risk and performance variability inherent in its future operations while protecting accumulated shareholder wealth
27、from unacceptable losses.” A second major benet of taking a strategic approach to GRC is the ability to lower the overall cost of your compliance and risk management initiatives. An integrated GRC approach can replace many separate projects, isolated tools, and most important the manual work of inte
28、grating the individual risks into a cohesive risk analysis. With a unied GRC approach, you can avoid duplication of effort, signicantly reducing the number of people and the amount of time you need to be in compliance with regulations and manage your risks. As you progress along the maturity curve o
29、f a strategic, platform approach, you will merge more and more individual GRC projects into the holistic GRC framework, reducing the cost of GRC as you go. HOW TO IMPLEMENT A HOLISTIC APPROACH TO GRC A unied, holistic approach to GRC starts with a strategic four-step approach to risk management. Fir
30、st is risk planning, setting the stage for risk management processes. Next is identifying and analyzing risks, by collecting information from business experts around the organization. Third is developing responses or mitigation plans for identied risks. Finally, continually monitoring ongoing risks
31、using dashboard reporting and automated alerts to notify management at all levels of the company when a risk situation changes. Risk Planning Lets take a closer look at risk planning. To begin the risk management cycle, your risk managers, LOB owners, and executives need to consider those questions:
32、What types of risks can cause the greatest loss of value for your company? Which risks will keep you from reaching company goals? What key risk indicators (KRIs) do you need to track for each identied risk? In the planning phase, you should evaluate and document the risk prole, or “risk-bearing appe
33、tite,” for each business unit, as well as for your entire enterprise. For example, based on current capitalization, how much loss can your LOB absorb? There are some parts of your business where you may want to take more risks for a new business area, for example while you may want to manage other p
34、roduct lines more conservatively. Risk Identification and Analysis The next step within the risk management cycle is risk identication and analysis. In this step, your organization identies and prioritizes all key risks both internal and external to your organization. Risk identication and analysis
35、is: Embedded into all key business processes; Automated for early risk identication; Evaluated in a structured and consistent manner. Risk Response Once you have identied critical risks, the next step is developing an effective response strategy. The strategy could fall anywhere along a continuum, f
36、rom “watch” or “research” to “actively mitigate” or “control.” Your companys response strategy will be unique and each risk may have several possible responses. Addressing single risks may not always resolve the highest-priority problems. Instead, crucial issues are often the result of not being abl
37、e to correctly identify what happens when multiple risks occur simultaneously and interact, combining to become a severe risk. Clearly, these risks are related and should be evaluated together, not separately. However, in a siloed approach, the cross-company visibility needed to make the connection
38、and develop mitigation strategies is missing. A single GRC system helps bring together risks from across your organization, making risk interdependencies easier to identify. Risk Monitoring The nal phase in the risk management cycle is the proactive monitoring of ongoing risk. To be most effective,
39、risk monitoring should be targeted and offer a risk-based approach to compliance with risk policies. This can help optimize opportunities while mitigating risks based on individual risk proles. Role-based dashboards can be an effective way to monitor risk and make more informed business decisions. F
40、or example, dashboards for risk management professionals may provide an enterprise-wide view of the status of the risk management process, while dashboards for business unit managers would show how risks affect their specic business targets.In general, dashboards help answer the following questions:
41、 What and where are our top risks? Have risk levels changed for key activities or opportunities? How many incidents or losses have we had? Are we assessing our risks in accordance with company policy? What risks or combinations of risks could prevent us from achieving our corporate objectives? Anoth
42、er aspect of effectively monitoring risk is to incorporate a risk-based approach to nancial and business controls. With Sarbanes-Oxley (SOX) and other regulations gobbling up management mindshare, the “checklist” approach that many companies take can result in uneven controls, such as over controlli
43、ng low-level risks. Over controlling risks not only frustrates employees, it can lead to missed opportunities because it takes longer than necessary to react to a given situation. On the other hand, under controlling a situation leaves the company unnecessarily exposed to risk. Leading companies avo
44、id both under and over controlling by adopting a risk-based approach to compliance and control management. 译文 从合规及风险管理中获得竞争优势 资料来源 : 从战略到执行 作者: 阿米特查特吉和大卫米勒 姆 1 引 言 风险管理已经在金融服务 方面 存在了几十年 , 常常 使用高度进化的风险建模 来分析 市场和信用风险管理。风险一般定义为造成损失的潜在事件或一系列可以 对公司 实现的目标产生不利影响 的 事件 。然而,组织正 认识到有效的风险管理可 以创造机会以及减轻问题。换言之,一个成
45、功的风险管理理念不仅注重风险规避和保护现有 资产,而且 会 提高未来的增长机会,创造竞争优势。不幸的是,许多组织未能完全实现这些风险管理的好处。 在 公司 出 现 最大 威胁时,可能会出现多种危险因素结合起来,管理盲区往往是灾难性的。如何避免这样的灾难? 应 通过自动识别和监测一流企业的风险,让企业 用 ( LOB)的工具,以有效 降低风险,并提出履约风险和上下文中的企业战略。通过这种方法,你提供了最重要的管理人员 : 一个 能 清楚 地 认识潜在的破坏性 及 你的公司所面临的风险 的人 。 2 为什么一个整体方法将有 助于 治理风险和法规遵循 许多公司的反应战术 是 客户不断增长的需求,甚至
46、 是 监管机构 、 利益相关者 引起的 。不幸的是,这种战术的回应通常包括大量的手动工作和一次性遵从解决方案 , 代价高昂,而且 现在 变 得更加昂贵。 AMR 研究公司报告说,公司将动用 299 亿元用于 仅 2007 年有关的集选区 就 活动了 8.5%, 以 前大约 是 成本的三分之二 。 因为对 支离破碎 的 集选区的努力往往导致 “ 以人供电集选区 ” ,其中低效的进程往往是重复的 。 跨部门 是 因为正规的公司比较有依靠, 而且 已意识到 用 手动流程 来 确定和评估风险不仅费用昂贵而 且 无法持续。 由于增加 了外界的期望,我们所面临的合规性成本使公司投入了更多的人及合规风险管理
47、,以远离其他创收业务领域的资源。 AMR 的报告说 :“ 公司正在走出谷底,并采用系统性的风险管理方法,利用 这一 技术来支持进程。风 险管理是一种新兴的结构, 用 以确定新的战略方针 、 评估和纠正问题, 这样 才可能成为公共问题。 ” AMR 的观测手段 、 领导组织不只是最新反应救灾 所 遵守监管 的 一个项目。相反,他们正采取一个基于集选区的统一的风险战略 来 引导员工 、 规范流程,并采用风险管理 使 业务流程技术嵌入 到 每个组织级别 中 。一个集选区的解决方案应该全面, 这 不仅 可以 降低风险,而且风险 是 创造价值的一种手段。通过采取集选区,你可以增加股东价值,降低成本,掌握
48、不确定性,优化和增长机会, 得到 免费资源的创新 。 用 最佳实践的方法来管理集选区 : 自动识别和监控顶尖企业风 险 ; 使 用 业务流程线,以有效地缓解风险的现有业务风险管理 的 嵌 入 ; 计划跨企业的风险情 况 ; 增加风险分析, 使 战略和决策 符合 事 实 。 3 挑战:降低风险和管理合 规 对于许多公司来说,移动到战略 、 风险为本的方法 (GRC)是阻碍了能见度差 ,分散经营 后 再 实事求是的答复。让我们花点时间来看看这些条件如何影响风险管理 的。 许多组织的第一个问题是 到了整个 企业 的 风险能见度低的状态 。 能见度 缺乏动力,主要是管理需要大量手工操作很多风险过程。大
49、多数风险管理者发出的 LOB 经理定期调查, 在 更好地评估风险 组织所面临的希望 。然而,由于手工输入电子表格的形 式 被俘,这是难以追踪进度或后续反应 容易 犯错误。此外,风险的潜在影响变化很快。这意味着 风险管理人员所收集的信息是很快就会过时,使手工风险识别和跟踪无效 的。 此外, 许多大型或多样化的公司发现风险的功能 和 部门内 墙壁发射井 的 管理。 由于这种孤立的做法, 有跨越组织边界和个体工商户管理缺乏透明度就 可能会因为卷入在其他群众性事件 外 而掉以轻心 。例如,一个供应链风险导致生产放缓,从而影响产品的能力,最终导致销售收入的一个风险。这种分散的风险管理方法 , 使得它在多个风险事件的发生 中 几乎不可能 存在 相互依赖性和风险评估后的潜在影响。 最后,许多组织认 识 “ 风险 ” 的事实后,独自组织总体战略目标。大多数公司使用一种自下而上的角度来处理风险管理,往往找出数百或上千 种 风险的潜力。 该解决方 案 是用 一种方法 对齐它们
