Enterprise Risk Management

Transcription

1 Enterprise Risk Management Identifying & Assessing Enterprise Risk Steve Nouss, Partner Adam Ross, Senior Manager 1

2 Session objectives Define and understand the importance of enterprise risk management (ERM) Understand the alignment of ERM with the COSO internal control framework ERM roadmap and COSO ERM framework Understand d the role of Internal Audit An overview of Open Compliance & Ethics Group (OCEG) 2

3 Enterprise risk management Defined " a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives " Source: COSO ERM Integrated Framework, Executive Summary, September

4 Enterprise risk management Why is ERM important? Every entity, whether for-profit or not-for-profit, exists to realize value for its stakeholders Value is created, preserved or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day 4

5 Enterprise risk management What does it mean to me? Sponsored by Board of Directors AND management Enterprise-wide all components and aspects of the organization (vertical and horizontal) Summary of ALL potential risk areas to the hospital Determination of risk threshold or "appetite" Determination of how to mitigate risks identified consistent with risk threshold 5

6 What is Internal Audit today? The IIA defines internal audit as: an independent, objective assurance and consulting activity designed to add value and improve an organization's operations It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes The key question every internal auditor must answer is: "What objectives are we to address?" 6

7 The universe of organizational objectives Every successful organization lives within an operational world that includes four critical elements: Strategic intent: what we want to accomplish and when Operational reality: the processes, people and technology we employ to achieve the strategic vision Reporting needs and requirements: internal and external reporting Legal and regulatory compliance requirements: what we can and cannot do, when and where 7

8 The universe of risks Every organization faces risks on three primary fronts: In their environment: competitors, governments, lenders, regulators, innovators, etc In their operations: production quality, efficiency, information systems, employee capabilities and integrity, etc In the information and related technology they use and/or produce that is critical for making decisions (planning, pricing, commitments, budgeting, g financial reporting, etc) 8

9 Research says 271 risk management executives in North America and Europe were recently surveyed by the Conference Board 90% want to build ERM into their processes Only 10% have built ERM into their processes Source: Internal Auditor Magazine 7,500 Chief Audit Executives worldwide were recently surveyed by the IIA Research Foundation Only 6% have fully implemented ERM Source: Internal Auditor Magazine 9

10 The ERM value proposition Focuses management attention on the truly important risks risks with potential to significantly impact earnings or even endanger company survival Makes ALL risks known to management, rather than some risks Develops a strategic, company-wide approach to risk management and mitigation using all the available tools: derivatives, insurance, internal controls and strategic action Integrates risk management into critical decision-making processes, such as strategic planning 10

11 The ERM value proposition continued Identifies the risks inherent in current strategy and business model before the competition to provide sustainable competitive advantage Determines risk appetite of the company in context of management t& community expectations ti 11

12 The Simplicity of ERM In the end, effectively controlling those risks boils down to four key steps: Set objectives What do you want to accomplish? Identify and prioritize risks What events/actions could significantly prevent the organization from achieving those objectives? Plan and execute a response Avoid, reduce, share, or accept tthe risk k( (or a combination) Monitor and continuously re-evaluate Develop a plan to ensure that the conclusions above are still relevant and operating as intended d 12

13 The COSO internal control framework The original COSO Internal Control Integrated Framework started out as a tool to help organizations ensure that they had procedures in place to consistently achieve their objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations 13

14 COSO Internal Control framework to COSO ERM framework STRATEGIC OPERATIONS REPORTING COMPLIANCE INTERNAL ENVIRONMENT CONTROL ENVIRONMENT RISK ASSESSMENT CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING 14

15 The COSO ERM framework The COSO ERM Framework: 1 Adds the "Strategic" objective 2 Broadens the "Financial Reporting" objective to all Reporting 3 Enhances the components to more effectively address objective setting and risk assessment

16 COSO ERM framework Strategic objective: Typically the purview of management Oversight by the Board Limited Internal Audit involvement Limited tools available INTERNAL ENVIRONMENT OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING 16

17 COSO ERM framework Operations objective: Line management responsibility Executive management oversight Significant Internal Audit involvement Limited available tools INTERNAL ENVIRONMENT OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING 17

18 COSO ERM framework Reporting objective: Accounting and Legal department's responsibility Executive management and audit committee oversight Internal Audit involvement driven by active Audit Committee Available tools original COSO Framework INTERNAL ENVIRONMENT OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING 18

19 COSO ERM framework Compliance objective: Legal and/or Compliance department's responsibility Executive management and board oversight Minimal to moderate Internal Audit involvement Tools - OIG workplan, Joint Commission, HIPAA, etc INTERNAL ENVIRONMENT OBJECTIVE SETTING EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION MONITORING 19

20 ERM capability maturity Basic Determine risk treatment strategies Establish business risk inventory Align business unit risks with objectives Create common language for risks, control activities and monitoring Communicate risk taking expectations to senior managers 20

21 ERM capability maturity Intermediate Basic ERM plus Quantify key risks to best extent t possible Identify key risk metrics to report on Create risk policy and procedure manual Analyze risks' root cause and impact Integrate effects of risk types 21

22 ERM capability maturity Advanced Intermediate ERM plus Strategic t planning Annual budget process Stakeholder communications Management scorecards Remuneration 22

23 Example of "basic" ERM approach Identify risk universe Narrow to common risk themes Rank risks (impact, likelihood, etc) Develop cost / benefit analysis Present to Board Develop & execute risk management plan 23

24 Enterprise risk assessment Assessment factors Impact The relative significance or consequences to the organization in terms of financial impact, reporting and disclosure, loss of assets, disruption of business, violation of law or impairment of image and reputation ti Change The relative significance of recent (the last months) or planned (the next months) changes in business activities (including products, services, mergers, acquisitions) as well as people, processes and technology with the organization 24

25 Enterprise risk assessment Assessment factors Problems The relative presence or significance of reported or historical issues, control weaknesses or problems as it relates to people, processes or technology Complexity The inherent level of difficulty or complexity as it relates to the ability of personnel to understand, monitor, oversee, calculate, reperform or directly control a specific activity, task or process 25

26 ERM approach Keep it simple to succeed Leverage other risk management initiatives Utilize a quantitative and standard questionnaire Interview all key stakeholders to ensure all perspectives are captured the first time Incorporate known organization and industry risks up front Focus on pervasive risks first (top-down) 26

27 The role of Internal Audit Provide assurance on risk management processes Provide assurance that risks are correctly evaluated Evaluate risk management processes Evaluate the reporting of key risks Review the management of key risks Source: the IIA's position paper, The Role of Internal Auditing in Enterprise-wide Risk Management 27

28 The role of Internal Audit with safeguards Facilitate identification and evaluation of risks Coach management in responding to risks Coordinate ERM activities Consolidate the reporting on risks Maintain and develop the ERM framework Champion establishment of ERM Develop risk management strategy for board approval Source: The IIA's position paper, The Role of Internal Auditing in Enterprise-wide Risk Management 28

29 The role of Internal Audit Play an important role in monitoring ERM but do not have primary responsibility for its implementation or maintenance Assist management and the board or audit committee in the process by: Monitoring Reporting Examining improvements Evaluating Recommending Source: COSO 9/29/2004 presentation titled, Applying COSO s Enterprise Risk Management Integrated Framework 29

30 The role of Internal Audit Do not Set the risk appetite Impose risk management processes Management assurance on risks Make decisions on risk management or responses Implement risk responses on management's behalf Become accountable for risk management Source: The IIA's position paper, The Role of Internal Auditing in Enterprise-wide id Risk Management 30

31 ERM best practices and lessons learned Do Establish a Risk Management Committee and Charter Identify a risk champion supported by the CEO Understand that ERM is a journey and not a project Provide a holistic definition of business risk Include consultants, but do not let them drive ERM 31

32 ERM best practices and lessons learned Do not Underestimate the impact of existing culture Undersell ERM as a business risk assessment Implement ERM as a part-time job Take on too much at one time 32

33 ERM output Enterprise risk analysis Hospital area / process Risk rating Lab specimen charge entry and billing 35 Conflict of interest 28 Operating room 33 Information security 32 Joint ventures 37 Downtime procedures / business continuity 33 Physician networks 29 Budgeting & forecasting 34 Fundraising / development 23 Risk Rating rated from 1 (low) to 5 (high) High Medium Low 33

34 ERM output SWOT analysis Strengths Positive "tone at the top" promotes attention to risk management activities and internal controls Considerable use of committees to address and monitor important matters Weaknesses Certain medical records are distributed are may not be properly p secured Certain contracts may not be reviewed and/or approved by the Legal department New Chief Investment Officer and review of investment strategy may result in an increased rate of return Heightened patient satisfaction will increase brand recognition and revenue Opportunities Pressure on ability to contain costs On-going compliance with federal and state requirements and changes in those requirements Frequency of leadership changes may dilute long-term focus and strategy Threats 34

35 ERM output Internal Audit plan # Audit Area Audit Freq FY 09 FY 10 FY 11 Internal Audit Plan 1 Accounting function segregation of duties analysis 2 Reimbursement Fraud risk and anti-fraud controls IT security / vulnerability assessment 5 Materials Management Operating room # Information Privacy

36 ERM output Internal Audit plan # Audit Area Audit Freq FY 09 FY 10 FY 11 Annual recurring internal audit activities # General audit administration, planning & reporting Follow-up on prior year observations 35 Risk assessment (and audit plan) update # External audit support Total estimated hours: (Note: illustrative hours only; columns don't foot) 36

37 OCEG Framework Open Compliance & Ethics Group The OCEG Framework provides common ground for several disciplines and integrates the most important features of existing and emerging standards and frameworks Integrates areas of commonality, overlap and best practices into a baseline foundation Ensures alignment with important existing and emerging standards / frameworks 37

38 OCEG Involvement 200+ experts 100+ companies 12+ industries Board members, CEOs CCOs, CROs, Ethics Officers, HR Executives, CTO/CIOs Law-makers, regulators Investors, creditors, ratings agencies 25+ specific interviews of CCOs and compliance programs 90+ companies participate in benchmarking study (500 data points) Steering Committee Leadership Council 38

39 OCEG Leadership Council Aon* Archer Daniels Midlands Baker Hughes CISCO Corpedia Education Dell Deloitte & Touche DuPont Ernst & Young EthicsPoint Freddie Mac Gevity Global Compliance Grant Thornton Interactive Alchemy Littler Mendelson LRN Lyondell Chemical Marsh Microsoft PETCO PricewaterhouseCoopers Qwest Roche Diagnostics Sears Staples The Integrity Institute Unilever Wachovia Corporation 39

40 OCEG Integration OCEG integrates effective practices associated with multiple disciplines into a framework for managing compliance and ethics Governance Compliance / Legal Management Ethics Management Risk Management Internal Audit Human Capital Management Training Development / Design Change Management Quality Management 40

41 OCEG Framework overview Company Domains provide topic or industry- specific information that integrates with and assumes the Foundation is in place Companies can build on top of these models to customize and configure their capability to address unique requirements Domains Foundation The Foundation describes common elements of an effective compliance and ethics program that apply to all domain areas 41

42 OCEG Risk Area Domain Guidelines Risk Area Domain Guidelines identify a number of areas to which most organizations are exposed Each organization is unique and will focus on specific domains as appropriate Company Domains Foundation Industry Domain Guidelines provide guidelines that address industry-specific specific factors 42

43 OCEG Domain Guidelines Industry Domain Guidelines Fi nance/ Ba anking surance In Bi iotech Au uto Ch hemical Te elecom/ Te ech Oi il/gas He ealth ca are Hi igher ed Ph harma Ut tility Ot thers Company sk Area Doma ain Guide elines Ri governance anti-corruption financial assurance information management employment intellectual property environmental international transactions product quality / safety competitive practices workplace health / safety government dealings (USA) Domains Foundation 43

44 OCEG foundation C1 Ethical Culture C2 Governance Culture C3 Risk Culture C4 Human Capital Culture E1 Monitoring E2 Periodic Evaluation E3 Continuous Improvement P1 Scope/Objectives P2 Event Identification P3 Risk Assessment P4 Strategy 44 Company Domains Foundation R1 Organization R2 Code of Conduct R3 Policies/Procedures R4 Training R5 Reporting/Disclosures R6 Human Capital R7 Communication/Messaging R8 Issue/Question Management R9 Special Investigations R10 Crisis Management R11 Information Management R12 Technology R13 Physical Infrastructure R14 Vendor Management

45 COSO & OCEG Integration CONTROL ENVIRONMENT RISK ASSESSMENT CONTROL ACTIVITIES ACTIV VITY 1 CTIVITY 2 A BIZ UNIT A B BIZ UNIT OCEG focuses on the Control Environment and Compliance Risks INFORMATION & COMMUNICATION MONITORING 45

46 COSO ERM & OCEG Integration OCEG Culture INTERNAL ENVIRONMENT OBJECTIVE SETTING Plan Respond EVENT IDENTIFICATION RISK ASSESSMENT RISK RESPONSE CONTROL ACTIVITIES INFORMATION & COMMUNICATION Evaluate MONITORING 46

47 Questions? Comments? Observations? 47

48 Contact information Steve Nouss Grant Thornton LLP Advisory Services Partner P E SteveNouss@gtcom Adam Ross Grant Thornton LLP Advisory Services Senior Manager P E AdamRoss@gtcom 48