DeVry Approach to ERM

Transcription

1 IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention DeVry Approach to ERM Elizabeth Truelove McDermott, CPA Vice President, Audit, Ethics & Compliance Services

2 DeVry s ERM Approach April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 2

3 DeVry s ERM Program Ownership Roles & Responsibilities Board of Directors & CEO The Board of Directors has ultimate accountability for all risk but can delegate responsibility to senior management ERM Steering Committee ERM Oversight Clearinghouse for risks, policy, appetite setting, and governance Business Areas Manage Risks Risk identification Risk self-assessments Strategy and actions to address risk within policy Ensure compliance with ERM policies and procedures Provide assertions on risk exposure ERM Champions Supports ERM Steering Committee, Management, and the Board ERM Program Management Governance, policy, and appetite implementation and coordination Risk assessment methods Measurement, aggregation, reporting rules and tools Monitor risk exposure status and report to Board Internal Audit Provides Independent Assurance Monitor, advise, coordinate and facilitate ERM process Objective review of risk management process Independent assurance to management and Board on assertions of risk exposure April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 3

4 DeVry - Strategic Plan Key Risk Indicators April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 4

5 Inputs to DeVry s Audit Plan April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 5

6 Lessons Learned Buy in from CEO & executive team is imperative to the program s success Engage management; broad constituency Integration of risk discussions and ERM monitoring into everyday business is essential not a documentation exercise Keep business focused on what has meaning for them; make sure they re not duplicating efforts Build common language and common metrics Integrate risk management with strategic planning Clear communication and identification of management s and the board s responsibilities is key April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 6

7 IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention SIRVA Risk Management Approach David Doney, CIA, CPA Vice President - Internal Audit SIRVA, Inc.

8 Risk Management Strategic risk assessment Strategic & Operational SOC 2&3 Operational Audits External audit SOX program Financial Reporting Legal & Regulatory L&R risk assessment IA focus: Strengthening practices within categories April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 8

9 Legal & Regulatory Approach Identify laws/regulations and related risks Prioritize risks for additional review Identify controls and remediate compliance gaps IA facilitating meetings with SIRVA Legal Department and other contacts Information captured in standard template CFO, Legal, and other business leaders determine prioritization within silos General Counsel completed initial prioritization across silos Phase Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Law and Risk Inventory Risk Prioritization Control Identification (Key Areas) Gap Identification Remediation Planning Remediation ( ) April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 9

10 Operational: IT / SOC 2&3 AICPA Principles (4 ITGC & Privacy) AICPA Criteria 190 SIRVA Controls 128 Tests 20 assigned to IA April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 10

11 Strategic Risk CEO & Board review strategic planning materials from each business in detail Variation across businesses in how this information was presented to board IA proposed strategic risk template in 2012; will re-visit in 2013 Concept was to take strategic plans & budgets and standardize risk elements # 1 Strategic Goal or Objective (Top 3-5) Example: Increase number of shipments from X to Y Supporting Metric(s) # Risk Rank Owner Response Shipment count via alternate channels R1.1 Risk is capacity constraints that limit volume growth during busy season H Name Initiative 1 Committed fleet count R1.2 Risk is loss of key agents. M Name Initiative Example: Improve margin per shipment (from X/shipment to Y in Channel A and Y/shipment to Z in Channel B.) Example: Implement productivity initiatives to reduce SG&A from X% to Y% of revenue. % Agents adopting new R2.1 Risk is system enhancements are not implemented on system schedule. Margin per shipment R2.2 Risk is we do not build an optimal pricing engine and price escalation methodology. SG&A costs per R3.1 Risk is system rollouts are not implemented onschedule headcount Costs per bill; % R3.2 Risk is we are unable to identify and reduce billing rework. shipments with >1 bill M Name Initiative 3 H Name Initiative 4 H Name Initiative 5 M Name Initiative 6 4 Example: Maintain safety scores exceeding industry standard. FMCSA safety measures R4.1 Risk is that Agents are not effectively monitored for safety compliance H Name Initiative 7 April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 11

12 IA Role in Risk Mgmt IA in project manager / facilitator role L&R risk assessment Financial control / SOX update SOC 2/3 efforts Annual audit planning meetings IA maintains templates or database of risk and control information IA assisted with L&R risk template design and edit of input IIA Standards: IA should evaluate RM practices Consider helping build processes initially within silos April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 12

13 Lessons Learned No ERM? Pick a silo and make its risk assessment better Board support needed; one board member s questions resulted in L&R risk assessment Management appreciates IA: Taking on project management role Maintaining database of risk and control information Edit and review of risk and control information Feedback on risk prioritization Keep subject experts focused on surfacing risks and controls; IA can handle the project administration Easily customized database technology very helpful Develop next steps / plans for improving risk assessment in each silo April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 13

14 Risk Mgmt Next Steps Strategic / Ops Revisit template concept after April refresh of strategic plan Financial Reporting Expand control information with exception tolerance and follow-up details Legal / Regulatory Complete initial risk inventory and prioritization Execute projects in key areas (e.g., FCPA, Mortgage) IT Continue annual reporting of key risks to audit committee Continue executing SOC 2/3 assessment Complete template for other areas Management Risk Committee with Enterprise Scope Establish formal management risk committee for all areas of risk Select top issues in each category for Board discussion April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 14

15 IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention United Airlines Approach to ERM Steve Goepfert, CIA, CPA, CRMA Vice President - Internal Audit United Airlines United Airlines

16 ERM Executive Committee Executive Vice President and Chief Financial Officer (chair) Vice Chairman & Chief Revenue Officer Executive Vice President HR & Labor Relations Executive Vice President & General Counsel Secretary Executive Vice President Communication & Government Affairs Executive Vice President & Chief Operating Officer Senior Vice President & Chief Information Officer Senior Vice President Finance & Treasurer Senior Vice President Strategy & Business Development Sr. Vice President Marketing & Loyalty Vice President Internal Audit Managing Director Retirement Investments Senior Project Manager Enterprise Risk P&I April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 16

17 Risk Categories and Risk Owners External - Financial External Economic or Physical Governmental Operational and/or Commercial Jet Fuel SVP Finance & Treasurer Capital Markets SVP Finance & Treasurer Economic Events Vice Chairman & Chief Revenue Officer Safety/Health Pandemic EVP & COO Compliance Requirements EVP & General Counsel Secretary R 5 G 92 B 173 Regulatory Changes EVP Communication & Government Affairs IT Systems SVP & CIO Labor Issues EVP HR & Labor Relations R 124 G 132 B 138 R 237 G 183 B 43 R 146G 164 B 177 Security EVP & COO Vendor Issues SVP Finance & Treasury R 100 G 125 B 143 R 98 G 169 B 227 R 197 G 171 B 133 Change Management SVP Strategy & Business Development 17

18 Risk velocity is a key dimension to consider along with impact and likelihood of occurrence Score Velocity 15 H 14 H 14 H 12 H 12 L 12 L 11 L 11 L 11 L 10 H 10 H 10 H 10 H 10 H Score Velocity 9 H 9 H 9 H 9 L 7 H 7 L 6 H 6 H 6 H 6 L 6 L 3 L 2 L 18

19 Key Risks Risk Jet Fuel Price Increase Significant Recession Unavailability of Mission Critical IT Systems Data Privacy: Non-Compliance with Regulatory Requirements Major Aircraft Accident/Incident (Hull Loss) Labor Strike (or Threat) Disrupts or Grounds Airline External/Natural Event (e.g. Health Pandemic, Natural Disasters) European Union Emissions Trading Scheme (EU ETS) Regulation Catastrophic Sabotage (Terrorism Event) Political Instability (Geopolitical) 19

20 IIA Chicago Chapter 53 rd Annual Seminar April 15, 2013, Donald E. Stephens Convention ERM for CAE s John Covell FCA, CIA, CRMA, Managing Director Templer Charters Consulting

21 Role of Internal Audit in ERM April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 21

22 ISO ERM Model April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 22

23 COSO ERM Model April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 23

24 Lessons Learned from ERM Implementations Engage Senior Management and Board of Directors Start by focusing on strategy and related strategic risks Keep it simple / build on existing risk activities Look at emerging risks What risks could bring the business down? ERM is a journey not a destination April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 24

25 More Complex ERM Issues Black Swans Risk appetite and tolerance Complex risk taking (e.g., JP Morgan synthetic derivatives) Risk measurement and metrics Reporting to Senior Management and the Board Board risk oversight April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 25

26 ERM Resources COSO ERM Guidance ISO 3100 Guidance COSO ERM White Papers Getting Started Role of the Board Risk Appetite Risk Indicators 2012 IIA book on ERM by Paul Sobel & Kurt Reding April 15, 2013 IIA Chicago Chapter 53 rd Annual Seminar 26

27 What do you think? Share your thoughts about this presentation on Twitter using the hashtag Follow us on Not on Twitter? Visit our Social Media booth in the Exhibit Hall to join the conversation today!