Using Enterprise Risk Management to Reduce Costs and Enhance Performance in a Time of Fiscal Stress


1 KPMG GOVERNMENT INSTITUTE
Using Enterprise Risk Management to Reduce Costs and Enhance Performance in a Time of Fiscal Stress
2013 MACPA Government & Not for Profit Conference
Jeffrey C. Steinhoff, Executive Director, KPMG Government Institute, and Managing Director, KPMG Federal Advisory
April 26, 2013
ADVISORY

2 Agenda
Cover five issues:
- Answer the questions: Why ERM? What is ERM?
- Application of the COSO framework to government
- Successful ERM implementation and the role of the CFO
- The concept of risk appetite
- The importance of remediating risks

3 Why ERM?

4 Why ERM?
- Unsustainable current budget deficits and long-term fiscal paths
- Considerable gulf between public expectations and its view of government performance
- Urgent need to reduce spending on overhead and otherwise take out costs
- Choices between wants and needs in the context of value and affordability
- Structured consideration of costs and benefits

5 Unsustainable current budget deficits and long-term fiscal paths
- The numbers tell the story: GAO fiscal simulation
- Health care
- Aging population
- Burden of crushing debt
- Part of a global economy
- Trade deficit
- Lagging national savings rate
- Aging infrastructure
- Intergovernmental interdependencies

6 What is ERM?

7 The Circle of Risk
1974: Gustav Hamilton, The Circle of Risk
- Assessment
- Control
- Financing
- Communications

8 Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- 1985: Establishment of COSO: American Accounting Association, AICPA, Financial Executives Institute, Institute of Internal Auditors and Institute of Management Accountants
- 2004: Issuance of the COSO Enterprise Risk Management Integrated Framework
Value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks and efficiently and effectively deploys resources in pursuit of the entity's objectives.
ERM helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

9 The Federal Managers' Financial Integrity Act of 1982
Broad focus on management controls, program and financial
Internal control is an integral component of an organization's management that provides reasonable assurance that the following objectives are being achieved: effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.
Internal control, in the broadest sense, includes the plan of organization, the methods and procedures adopted by management to meet its goals. Internal control includes processes for planning, organizing, directing, controlling and reporting on agency operations.
Source: The Federal Managers' Financial Integrity Act of 1982 (Public Law , September 8, 1982)

10 OMB Circular A-123, Management's Responsibility for Internal Control
Federal managers must carefully consider the appropriate balance between controls and risk in their programs and operations. Too many controls can result in inefficient and ineffective government; agency managers must ensure an appropriate balance between the strength of controls and the relative risk associated with particular programs and operations. The benefits of controls should not outweigh the cost.
Source: OMB Circular A-123, Management's Responsibility for Internal Control, December 1,

11 Application of the COSO Framework to Government

12 Applying COSO's Four Underlying ERM Framework Principles to Government
1. Every entity exists to provide stakeholder value.
The degree to which needed public services are provided in a manner that is both effective and efficient
Source: COSO, Enterprise Risk Management Integrated Framework, January

13 Applying COSO's Four Underlying ERM Framework Principles to Government (Continued)
2. All entities face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value.
Making trade-offs in establishing the level of acceptable risk to assume in the public interest and in wisely spending taxpayer dollars
Source: COSO, Enterprise Risk Management Integrated Framework, January

14 Applying COSO's Four Underlying ERM Framework Principles to Government (Continued)
3. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
By collectively considering the full range of risks across the enterprise, government is better positioned to:
- Prioritize risks that may jeopardize mission effectiveness and efficiency
- Consider options
- Take actions that address root causes of risks that transcend organizations in an agency
- Manage expectations and reduce surprises
- Take advantage of opportunities to improve service delivery
- Identify and eliminate redundant or ineffective controls
- Take out costs by: strategically targeting risks; assessing value of possible actions in context of enterprise mission as a whole
Source: COSO, Enterprise Risk Management Integrated Framework, January

15 Applying COSO's Four Underlying ERM Framework Principles to Government (Continued)
4. Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives.
Viewing risk from an enterprise perspective, aligning risk appetite and strategy
Source: COSO, Enterprise Risk Management Integrated Framework, January

16 Successful ERM Implementation and the Role of the CFO

17 Implementation
- Establish clear ownership by agency's top leadership
- Be prepared to accept certain risks instead of setting up costly, fail-safe systems to attempt to avoid all risks; set up appropriate level of control
- Understand the higher degree of sophistication needed to make complex risk and cost trade-offs
- Establish and clearly communicate risk goals and objectives
- Put in place well-designed policies and procedures, covering: assessment, identification, categorization and remediation
- Fully integrate ERM into fiber of organization
- Prepare for cultural transformation
- Focus on the important. Don't boil the ocean!
- Clearly communicate program to staff and key stakeholders. Not enough to just say "do it"
- Focus on results and avoid bureaucracy; not a paperwork exercise

18 Governance
- Clear responsibilities for implementation established across the agency
- Role of a chief risk officer and/or an ERM support staff
- Fact-based trade-offs between control and cost, and between the relative importance of risk associated with different programs and operations
- Supported by analysis of costs and alternatives
- Education to help avoid the "lost in translation" syndrome
- Accountability for and enforcement of results
- A continuous process
- Not a "one and done" exercise
- Keep one step ahead, as risks can be ever-changing

19 Other Implementation Considerations
- Carefully consider information technology risks
- Establish a fraud risk management program: Prevention, Detection, Response

20 Getting Started
COSO identified several keys to success, such as:
- Using incremental steps to build ERM
- Focusing initially on a small number of top risks
- Following seven initial action steps:
  1. Seek board and senior management leadership, involvement and oversight
  2. Select a strong leader to drive the ERM initiative
  3. Establish a management risk committee or working group
  4. Conduct the initial enterprise-wide risk assessment and develop an action plan
  5. Inventory the existing risk management practices
  6. Develop initial risk reporting
  7. Develop the next phase of action plans and ongoing communications
Source: COSO, Embracing Enterprise Risk Management: Practical Approaches for Getting Started, Mark L. Frigo and Richard J. Anderson, January

21 CFOs' Leadership Role
Enterprise risk management takes a top-down look across the agency. In a high-performing organization, the CFO is viewed as the enterprise leader for risk management and helps ensure that the agency head and senior management team understand the concepts of risk management as it applies to the enterprise, including the tools, processes and procedures to effectively consider enterprise risk.
Source: The KPMG Executive Guide to High Performance in Federal Financial Management, KPMG Government Institute, June 2009

22 The Concept of Risk Appetite

23 Defining the Risk Appetite
- Reflects the agency's mission and strategy, including: organizational objectives, strategic plans and stakeholder expectations
- Acknowledges a willingness and capacity to take on some level of risk and a tolerance for loss or reasonably quantifiable negative events
- Incorporates a governance and reporting framework that helps ensure day-to-day decisions are made in line with the organization's risk appetite
- Includes quantitative and qualitative performance measures and addresses the skills, resources, and technology required to manage and monitor risk exposures in the context of risk appetite
- Is periodically reviewed and reconsidered to: address emerging issues and evolving expectations of government; ensure there is accountability and transparency for results
Source: Understanding and Articulating the Risk Appetite, KPMG LLP,
KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

24 Establishing the Risk Appetite May Start with Asking Fundamental Questions
- What do we lose sleep over?
- What do we not want to see on the news or in blogs?
- What are the expectations of stakeholders?
- What do we want to make sure happens and happens well?
- What problems have developed or emerged in other organizations that could be a problem in our agency as well?
- What controls are now in place? Do we know how they are working? Do we know about their cost and benefits?
- What level of control can we reasonably afford and how do we get the most bang for the buck?
- What changes in the agency or externally may have introduced new risks?

25 Achieving Stakeholder Buy-in
Stakeholder communication:
- Establishes the risk appetite
- Considers costs and benefits
- Includes risks assumed and trade-off considerations
- Avoids unpleasant surprises

26 The Importance of Remediating Risks

27 The Importance of Remediation
When risks exceed risk appetite, capitalize on the ERM process
Develop remediation plans based upon:
- What is expected
- How it is to be accomplished
- What resources are available
- When it is expected to be completed
- Who is responsible and accountable for results
Requires:
- Timely action
- Strong commitment of top management
Where possible, leverage advanced business analytics, including continuous monitoring tools

28 When the Cost-benefit Equation is Out of Kilter
- Streamline/eliminate redundant and unneeded controls and processes
- Aim for simplification, efficiency, and maximizing results
- Move to greater standardization and shared services
- Break down stove-piped processes and eliminate one-off systems
- Challenge the "one size does not fit all" adage used to justify different systems and processes where one system and process would get the job done
- Reinforce the reality that management infrastructure, people and systems, will continue to shrink due to spending cuts
- Expect continued challenge of doing more with less and less
- View ERM as a tool to help facilitate cost take-out
- Leverage Big Data and Big Analytics

29 Unlocking Enormous Value of Data Presents Opportunity for Meaningful Cost Savings and Reduced Fraud, Waste and Abuse
- Big Data: large volumes of complex data that exceed the capacity of traditional tools for storage, analysis and reporting, both structured and unstructured data and text
- 15 of the 17 industry sectors in the US have more stored data than the Library of Congress
- 2012 World Economic Forum: data declared an economic asset, like currency or gold
- Not a system or tool issue
- Data map
- Gap analysis
- System and tools review
- Schedule of activities

30 Final Thoughts
- Almost four decades old and battle-tested in public and private organizations around the world
- Make full use of ERM to effectively and efficiently concentrate on areas of highest risk and importance to the mission of the enterprise
- Accept that current fiscal situation demands bold action to reduce costs and still deliver optimal public services
- View today's budget challenges as opportunity to strengthen and streamline processes and procedures and to balance risks and rewards, costs and benefits
- Play an important role in providing needed leadership and technical assistance across your agency
- Take up the ERM banner; use its full potential to reduce the cost of government and enhance program delivery in a time of fiscal stress

31 Available at kpmginstitutes.com/government-institute
- Forensic Auditing: A Window to Identifying and Combating Fraud, Waste and Abuse, AGA Journal of Government Financial Management, Summer 2008, Vol. 57, No. 2, and AGA Weblog, June 23, 2008, Jeffrey C. Steinhoff, Executive Director, KPMG Government Institute
- The KPMG Executive Guide to High Performance in Federal Financial Management, KPMG Government Institute, June 2009
- Understanding and Articulating the Risk Appetite, KPMG LLP, 2009
- Fraud Risk Management: Developing a Strategy for Prevention, Detection and Response, KPMG LLP
- Continuous Auditing/Continuous Monitoring: Using Technology to Drive Value by Managing Risk and Improving Performance, KPMG LLP
- A Practical Look at How Government Agencies Can Reduce Improper Payments, KPMG Government Institute, March 2011
- A Practical Look at Winning the Fight Against Improper Payments, AGA Journal of Government Financial Management, Spring 2011, Vol. 60, No. 1, Jeffrey C. Steinhoff, Executive Director, KPMG Government Institute
- Managing the Risk of Fraud and Misconduct: Meeting the Challenges of a Global, Regulated, and Digital Environment, Richard H. Girgenti, J.D., CFE, and Timothy P. Hedley, Ph.D. (New York: The McGraw-Hill Companies, Inc., 2011)
- Falsifying Government Claims and Insider Trading: Feds are Vigilant in Wake of Economic Crisis, ACFE Fraud Magazine, November/December 2011, Richard H. Girgenti, J.D., CFE, National Leader Forensic Services, KPMG LLP
- Don't Delay: The Time Has Come to Use the Full Potential of Enterprise Risk Management to Reduce Costs and Enhance Program Delivery, AGA Journal of Government Financial Management, Winter 2011, Vol. 60, No. 4, Jeffrey C. Steinhoff, Executive Director, KPMG Government Institute, and Geoffrey L. Weber, Principal, KPMG LLP Federal Advisory Practice

32 About the KPMG Government Institute
The KPMG Government Institute was established to serve as a strategic resource for governments, higher education and non-profit entities seeking to achieve high standards of accountability, transparency, and performance. The Institute is a forum for ideas, a place to share leading practices, and a source of thought leadership as a catalyst to help address difficult challenges.
For More Information: kpmginstitutes.com/government-institute

33 For Further Information
Jeffrey C. Steinhoff, CGFM, CPA, CFE, CGMA
Executive Director, KPMG Government Institute
Managing Director, Federal Advisory, KPMG LLP
kpmginstitutes.com/government-institute

34 The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.
independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International.