Find out whether and what risks exist in each business unit, various important business activities and important business processes of the enterprise. Risk type

Clearly define and describe the identified risks and their characteristics, and analyze and describe the likelihood of risk occurrence and the conditions under which the risk occurs. Possibility of risk occurrence

The degree of impact on the company's achievement of goals, the value of risks, etc. influence level

Qualitative and quantitative methods should be combined for risk identification, analysis, and evaluation.

Risk analysis should include analysis of the relationship between risks so that risks can be managed in a unified and centralized manner from a risk strategy perspective.

Draw a risk coordinate map, compare various risks, and initially determine the order and strategy for managing various risks.

Risk assessment should be implemented by relevant functional departments and business units of the enterprise organization, or intermediaries with strong professional capabilities can also be hired.

Enterprises should implement dynamic management of risk management information.

Self-examination and inspection of risk management work should be carried out regularly, and reports should be submitted to the enterprise risk management functional department in a timely manner.

Regularly inspect the risk management situation of each department, evaluate risk management solutions across departments and business units, and report to the general manager of the enterprise or the senior management personnel entrusted by him to be in charge of risk management work.

The risk management work of each functional department (including the risk management functional department) should be supervised and evaluated at least once a year, and the supervision and evaluation report should be submitted to the board of directors or the risk management committee and audit committee under the board of directors.

Submit a comprehensive risk management annual report;

Review risk management strategies and major risk management solutions;

Review the judgment standards for major decisions, major risks, major events and important business processes;

Review risk assessment reports for major decisions;

Review the comprehensive risk management supervision and evaluation audit report submitted by the internal audit department;

Review the risk management organizational structure and its responsibilities plan;

Handle other matters related to comprehensive risk management authorized by the board of directors.

Study and propose a comprehensive risk management work report;

Research and propose judgment standards and mechanisms for major decisions, major risks, major events and important business processes across functional departments;

Research and propose risk assessment reports for major cross-functional decisions;

Research and propose risk management treatments and cross-functional major risk management solutions;

Responsible for evaluating the effectiveness of comprehensive risk management and researching and proposing improvement plans for comprehensive risk management;

Responsible for organizing and establishing risk management information systems;

Responsible for organizing and coordinating the daily work of comprehensive risk management;

Responsible for guiding and supervising relevant functional departments, business units and holding subsidiaries to carry out comprehensive risk management work;

Handle other related work of risk management.

The internal audit department is responsible to the audit committee, and the audit committee is responsible to the board of directors;

In terms of risk management, the internal audit department is mainly responsible for researching and proposing a comprehensive risk management supervision and evaluation system, formulating relevant supervision and evaluation systems, carrying out supervision and evaluation, and issuing supervision and evaluation audit reports;

Meet regularly with external and internal auditors without management attendance;

If differences of opinion among members of the audit committee cannot be reconciled internally, they should be submitted to the board of directors for resolution;

The audit committee should review its authority and effectiveness every year and report to the board of directors on necessary personnel changes;

One of the main activities of the audit committee is to verify compliance with external reporting;

It helps to maintain the independence of internal audit and review the status, scope of functions, technical capabilities, and professional responsibilities of internal audit in the organization.

Risk appetite and risk tolerance are developed for the company's material risks;

Risk appetite for major risks is a major corporate decision and should be determined by the board of directors.

Factors to consider: individual risks, interrelationships, overall shape, industry factors

The key lies in quantification: risk preference can only be qualitative, but risk tolerance must be quantitative.

risk measurement method

Difficulties in risk quantification: method errors, data, information systems, integrated management

It should be aimed at the company's major risks and be able to reflect the current status of the company's major risk management;

It should be applied in the enterprise's risk assessment and adjusted at any time according to changes in risks;

It should be used to measure the operating effectiveness of the comprehensive risk management system.

Risk exposure: Unidentified risks may be immaterial

Risk avoidance: avoid, stop or quit, completely insulate

Risk transfer: insurance, non-insurance risk transfer, risk securitization

Risk transformation: does not reduce total risk (strategic adjustments, use of derivatives, such as relaxing credit standards for transactions, increasing accounts receivable, expanding sales)

Risk hedging: financial derivatives, diversified operations, various customer groups

Risk compensation: loss compensation (accrued reserves, contingency capital, transaction price plus risk premium)

Risk control: reduce losses and reduce probabilities

Allocate resources to significant risks that require priority management.

Risk management strategies must be adjusted with changes in corporate operating conditions, changes in business strategies, and changes in the external environment.

1. It does not change the possibility of the risk occurring, nor does it change the degree of direct loss caused by the risk;

2. Risk financial management requires judging the pricing of risks, so the quantitative standards are high;

3. The scope of application does not include goodwill, etc., and it is difficult to eliminate losses caused by strategic mistakes;

4. It is highly technical and inherently risky, and improper use can easily cause heavy losses.

loss financing

venture capital

emergency capital

Insurance

Professional self-insurance

(1) Establish a standardized corporate governance structure and rules of procedure.

(2) The board of directors is responsible for the establishment, improvement and effective implementation of internal control. The Board of Supervisors supervises the establishment and implementation of internal controls by the Board of Directors. Managers are responsible for organizing and leading the daily operation of the enterprise's internal controls.

(3) An audit committee shall be established under the board of directors. The Audit Committee is responsible for reviewing the company’s internal controls and supervising the effective implementation of internal controls and Internal control self-evaluation, coordination of internal control audits and other related matters. The person in charge of the audit committee should have Appropriate independence, good professional ethics and professional competence.

Corporate governance structure: 1.General requirements 2. Division of labor 3. Audit Committee

(4) Set up internal institutions, clarify responsibilities and authorities, and assign rights and responsibilities to each responsible unit.

(5) Strengthen internal audit work and ensure the independence of the internal audit organization, staffing and work. The internal audit institution shall supervise and inspect the effectiveness of internal controls in conjunction with internal audit supervision. The internal audit institution shall report internal control deficiencies discovered during supervisory inspections in accordance with the enterprise's internal audit procedures; The company has the right to report directly to the board of directors, its audit committee and the board of supervisors any major deficiencies in internal control discovered during supervisory inspections.

Internal organization: 4.General requirements 5. Internal audit

(6) Formulate and implement human resources policies for sustainable development.

(7) Take professional ethics and professional competence as important criteria for selecting and hiring employees, and effectively strengthen employee training and Continue education and continuously improve the quality of employees.

(8) To strengthen cultural construction, directors, supervisors, managers and other senior managers should play a leading role in the construction of corporate culture. (company culture)

(9) Strengthen legal education and enhance the legal awareness of directors, supervisors, managers and other senior managers and employees.

6.7 Human Resources 8. Corporate culture construction 9. Legal education

(1) According to the set control objectives, collect relevant information comprehensively, systematically and continuously, and conduct risk assessment in a timely manner.

(2) Accurately identify internal risks and external risks related to achieving control objectives, and determine the corresponding risk tolerance. Risk tolerance is the risk limit that an enterprise can bear, including overall risk tolerance and acceptable risk levels at the business level.

(3) Identify internal risks.

(4) Identify external risks.

(5) Use a combination of qualitative and quantitative methods to analyze and rank the identified risks according to their likelihood of occurrence and their degree of impact, Determine the focus and priority risks for control.

(6) Based on the results of risk analysis and risk tolerance, weigh risks and benefits and determine risk response strategies.

(7) Comprehensive use of risk response strategies to achieve effective control of risks.

(8) Combined with different development stages and business expansion situations, continue to collect information related to risk changes, conduct risk identification and analysis, and timely adjust risk response strategies.

control measures

(8) Enterprises should comprehensively use control measures based on internal control objectives, combined with risk response strategies, to implement effective control over various businesses and matters.

(9) Enterprises should establish a major risk early warning mechanism and an emergency response mechanism, clarify risk early warning standards, and ensure that emergencies are handled promptly and properly.

(1) Establish an information and communication system, clarify the collection, processing and transmission procedures of internal control-related information, ensure timely communication of information, and promote the effective operation of internal control.

(2) Reasonably screen, check, and integrate the various internal and external information collected to improve the usefulness of the information.

(3) Communicate and feedback internal control-related information within the enterprise and between the enterprise and the outside world. Important information should be communicated to the board of directors, supervisory board and management in a timely manner.

(4) Use information technology to promote the integration and sharing of information and give full play to the role of information technology in information and communication.

(5) Establish an anti-fraud mechanism and adhere to the principle of equal emphasis on punishment and prevention, focusing on prevention ① Embezzle or misappropriate corporate assets without authorization or use other illegal methods to obtain improper benefits; ② False records, misleading statements or major omissions in financial accounting reports and information disclosure; ③Abuse of power by directors, supervisors, managers and other senior managers; ④ Relevant institutions or personnel collude to commit fraud.

(6) Establish a reporting and complaint system and a whistleblower protection system. The reporting and complaint system and whistleblower protection system should be communicated to all employees in a timely manner.

(1) Develop an internal control and supervision system to clarify the responsibilities and authority of the internal audit institution and other internal institutions in internal supervision. Daily supervision: routine and continuous supervision and inspection; Special supervision: targeted supervision and inspection of one or certain aspects of internal control. The scope and frequency of special supervision should be determined based on the results of risk assessment and the effectiveness of daily supervision.

(2) Develop internal control defect identification standards, which include design defects and operational defects; For major deficiencies discovered during internal supervision, the relevant responsible units or responsible persons shall be held accountable.

(3) Regularly conduct self-evaluation of the effectiveness of internal control and issue an internal control self-evaluation report. ① The internal audit department or specialized agency can be authorized to be responsible for the specific organization and implementation of internal control evaluation; ② Internal control deficiencies are divided into major deficiencies, important deficiencies and general deficiencies according to their degree of impact; ③Major defects shall be finally determined by the board of directors.

(4) Properly preserve relevant records or materials during the establishment and implementation of internal controls to ensure the verifiability of the establishment and implementation of internal controls.

1) Stimulates the imagination of experts and helps discover new risks and new solutions;

2) Involvement of major stakeholders facilitates comprehensive communication;

3) Fast and easy to carry out.

1) Participants may lack the necessary technology or knowledge to make effective suggestions;

2) The implementation process of the brainstorming method and the opinions put forward by participants are easily scattered, making it difficult to ensure comprehensiveness;

3) Special circumstances may arise during group discussions, causing some people with important opinions to remain silent while others become the protagonist of the discussion.

1) Because opinions are anonymous, experts are more likely to express unpopular opinions;

2) All opinions have the same weight to prevent the opinions of important people from dominating;

3) Experts do not have to gather in one place at one time, making it easier to implement;

4) The final opinions formed by experts are widely representative.

1) The opinions of authoritative people will inevitably affect the opinions of others;

2) Some experts may be unwilling to express opinions that are different from others due to human feelings;

3) Some experts may be unwilling to modify their original opinions out of pride;

4) The process is complicated and takes a long time, which is the main shortcoming of the Delphi method.

It is clear, easy to operate, and the larger the organization, the more complex the process, and the more superior it can be.

The effectiveness of this method depends on the level of expertise of the professional.

Simple qualitative method, intuitive and clear.

1) Subjective judgments need to be made on risk importance level standards, risk occurrence likelihood, consequence severity, etc., which may affect the accuracy of use;

2) Risk importance levels are determined through mutual comparison, so the importance level of the overall risk cannot be obtained through mathematical operations;

3) If it is necessary to further explore the causes of risks, this method is too simple and lacks empirical proof and data support.

Ability to calculate the probability of a system with repairability and multiple degraded states.

1) Whether it is a failure or maintenance, it is assumed that the probability of state change is fixed;

2) All events are statistically independent, so future states are independent of all past states, unless the two states are closely connected;

3) Need to understand the various probabilities of state changes;

4) The knowledge about matrix operations is relatively complex and difficult for non-professionals to understand.

1) Provide a clear graphical explanation of the details of the decision-making problem;

2) Be able to calculate the optimal path to a situation.

1) Large decision trees may be too complex and difficult to communicate with others;

2) There may be a tendency to oversimplify the environment in order to be able to represent it in a tree diagram.

Provide valuable reference information for decision makers; clearly indicate the direction for risk analysis; help enterprises formulate emergency plans.

1) The required data are often lacking and cannot provide reliable parameter changes;

2) The analysis uses formula calculations and does not consider the probability of changes in various uncertain factors in the future.

It can provide relatively accurate simulation results for situations that will not change much in the future.

1) When there is large uncertainty, simulating some scenarios may not be realistic enough;

2) There are high requirements for the validity of data and the ability of analysts and decision-makers to develop realistic scenarios;

3) As a decision-making tool, the scenarios used may lack a sufficient basis and the data may be random.

1) ETA uses clear graphics to show potential scenarios after the initial matters analyzed and the impact of mitigating the success or failure of the system or function;

2) It explains timing, dependencies, and cumbersome domino effects;

3) It vividly embodies the sequence of events.

1) All potential initial events must be identified, and some important initial events may be missed;

2) The event tree only analyzes the success and failure status of a certain system, and does not consider delayed success or recovery matters;

3) Any path depends on what happened at previous branch points on the path.

·Forward projection is to infer the future based on historical experience and data.

·Backcasting is to connect unknown imaginary events and consequences with a known event and consequences, and attribute future risk events to the initial event that caused the risk event for which there is data, so as to evaluate and evaluate the risk. analyze.

·The side extrapolation method is to use data from similar projects to extrapolate.

1) Simple and easy to implement when the data is sufficient and reliable;

2) The results are highly accurate and have a wide range of applications.

1) Since the premises and environment of historical events have changed, they may not necessarily apply today or in the future;

2) The causal relationship of events is not considered, and sometimes expert or collective experience correction must be added to the processing of historical data.

1) Widely applicable to the analysis of failure modes of human equipment and systems as well as hardware, software and programs;

2) Identify component failure modes, their causes and impact on the system, and express them in a readable form;

3) Problems can be found in the early stages of design, thus avoiding expensive equipment modifications;

4) Identify individual failure modes to suit system safety needs.

1) Only a single failure mode can be identified, and multiple failure modes cannot be identified at the same time;

2) Unless fully controlled and focused, this method is time-consuming and expensive.