Leveraging ERM & Compliance. About me DISCLAIMER

Transcription

1 Leveraging ERM & Compliance Helen Goodwin, CCEP, Ethics and Compliance Professional Jana Utter, CCEP, Vice President ERM, Centene Corporation SCCE Utilities and Energy Compliance Conference February About me ENERGY FINANCIAL HEALTH Texas Eastern Panhandle Eastern Great Plains Energy KCPL MISO Fiserv, Inc. Centene Corp Accounting Initiated retail Initiated Enterprise Oversaw Corporate Lead Enterprise natural gas trading Risk Insurance Risk Tax desk Launched Initiating NAIC Natural Gas Trader Managed KCPL s Corporate ORSA Reporting regional accounts Compliance Program Initiated Enterprise Risk Oversaw Process Improvement, SSAE 16, and Records COMMON THEME Regulation, Regulation, Regulation. 2 DISCLAIMER The views and opinions expressed in this presentation are based on the experiences of the presenter. These views and opinions do not necessarily represent those of Centene Corp. 3 1

2 Building Upon Your Enterprise Risk Program Can Help You Navigate the Rough Waters of Compliance and Ethics Risks Chart the Course: Join efforts with ERM to map compliance related risk coordinates Stay On Course: Use the ERM Risk Assessment as your lighthouse to see potential risks Maintain the Deck Log: Keep a scorecard to check your accuracy of compliance and ethics risk findings 4 CHART THE COURSE The value of partnering with ERM 5 KEY POINTS Join efforts with ERM to map compliance related risk coordinates while the focus of ERM and Compliance may differ, alignment is important. Apply the Three Lines of Defense Consider Organizational Structure Leverage Communication Channels 6 2

3 The Three Lines of Defense Board of Directors and Board Committees Executive and Oversight Committee Enterprise Risks Strategic Risks Risks Emerging Risks 1 st Line of Defense Operational Process / Risk Ownership and Control 2 nd Line of Defense Corporate Risk and Compliance Functions Enterprise Risk Compliance Information Security Financial Controls Quality Supporting frameworks and processes for risk and compliance management, monitoring, and improvement 3 rd Line of Defense Internal Audit Independent and comprehensive assurance for governance, risk, and controls External Auditors Regulators 7 The Second Line of Defense Supporting frameworks and processes for risk and compliance management, monitoring, and improvement Compliance IT Compliance Enterprise Risk Quality/ Process Continuity Physical Security IT Security Financial Controls/SOX Operational Controls/SSAE 16 Records 8 Advantages of 2 nd Line Partnering Identify common themes and connected processes Supports Executive and the Board Presenting the 2 nd Line reports within the same forum allows the governance and oversight functions to gain a holistic view of risks Enterprise Risk Report includes high-level view of compliance risk assessments and reporting Builds upon and reiterates risk-related information received by the 1 st Line Executive and the Board are able to hear and see how risks ebb and flow within the company Supports External Reviews Consistency in the governance and reporting structure and the framework for 2 nd Line reporting streamlines reviews for both the company and the reviewers 9 3

4 2 nd Line of Defense Organizational Structure Example Chief Risk Officer Corporate Compliance and Ethics CISO Continuity / Disaster Recovery Enterprise Risk Quality / Process Improvement Records Information Security IT Compliance Physical Security Risk (Insurable Risks) Financial Controls Operational Controls 10 The Third Line of Defense Independent and comprehensive assurance for governance, risk, and controls Internal Audit Findings Sharing IA reports with the 2 nd Line informs and validates 2 nd Line risk identification Risk Assessments Sharing 2 nd Line risk reports & assessments informs the 3 rd Line & serves as inputs for audit focus consideration 11 Challenges & Pitfalls ERM and Compliance aren t the same Challenges ERM and Compliance are complementary but each have a different focus ERM = focuses on all areas of risks, including Compliance and Ethics Compliance = focused on Compliance and Ethics risks with other risk areas addressed as needed Pitfalls Inconsistent reporting to Executive Mgmt. and the Board Both functions typical produce corporatelevel periodic risk reports Lack of collaboration between ERM and Compliance may cause confusion 12 4

5 Overcoming Challenges & Pitfalls Charting the Course Together Partner Remember that both ERM and Corporate Compliance are part of the 2 nd LoD Common purpose to help the company achieve its strategic objectives while effectively managing risks Don t forget about joining forces with the other 2 nd LoDs too! Coordinate Share risk frameworks, risk assessments, mitigation plans, and risk reports To the extent possible, framework methodologies should be similar or complementary (i.e. scaling, dashboards) Risk reports with the same audience should be co-reviewed 13 Keep your Shipmates Informed Communication channels with the 1 st Line of Defense Market Steer clear of 2 nd Line confusion and burden I thought I just did a risk assessment?!? Demonstrate coordinated and integrated processes for corporate-wide risk and control information Raise Awareness Don t operate in a vacuum How does ERM and Corporate Compliance benefit me? Leverage 2 nd LoD risk info to be helpful to the front line Train Avoid feelings of uncertainty and lack of understanding How can I be sure I m compliant?/i didn t know I needed to do that! Is this issue a risk? Equip the ship! Share knowledge and highlight best practices 14 Keep the Communication Channels Open Even if your 2 nd Lines of Defense are not organizationally structured under a Chief Risk Officer, you can still establish open channels for sharing risk information. Quality ERM Corporate Compliance Board Executive Mgmt Oversight Committee Physical Security CISO Continuity 15 5

6 The ERM Viewpoint Mature ERM processes create a risk aware culture which cascades to supporting a culture of compliance. The ERM Process Risk Identification Uncover compliance issues Risk Assessment Evaluate severity Risk Mitigation Holistic remediation plans 16 Building Upon Your Enterprise Risk Program Can Help You Navigate the Rough Waters of Compliance and Ethics Risks Chart the Course: Join efforts with ERM to map compliance related risk coordinates Stay On Course: Use the ERM Risk Assessment as your lighthouse to see potential risks Maintain the Deck Log: Keep a scorecard to check your accuracy of compliance and ethics risk findings 17 STAY ON COURSE Leveraging Risk Assessments 18 6

7 A Deeper Dive into Risk Assessments Not all risk assessments are created equal but the results may reveal hidden themes. Focus of various risk assessments differ Identifying root cause helps to remediate risks and close gaps Surveys may address cultural and organizational gaps 19 2 nd Lines 3 rd Line Streamlining Risk Assessments for the 1 st Lines Compliance/Ethics Compliance Gaps Risk Assessment Remediation Timely sharing of information about independent risk assessments helps the Areas to holistically approach mitigation/remediation/action plans. Ops IT System Ops IT Apps 20 Reporting for Risks Oversight by one Executive level committee for corporate-level risk reporting. Executive Oversight Committee Corporate Risk/Compliance Functions & Internal Audit ERM Compliance & Ethics Internal Audit Areas Operations IT System Operations IT Applications Each member of Executive should have awareness of the issues under their purview contained in these reports but may not have had the opportunity to gain a holistic view Sharing the ERM, Compliance, and IA reports in the same meeting facilitates broader understanding of inter-related issues 21 ERM, Compliance, and Internal Audit reports capture the various types of risks of concern to Executive and the Board ERM captures all types of risks (strategic, operational, compliance, financial and sub-categories of each such as market performance, business process effectiveness, IT, quality, financial performance, and others) Corporate Compliance captures non-compliance issues and risks related to both internal and external requirements; typically identifies weak links in ethics, compliance training gaps, compliance culture (Hotline activity) Internal Audit captures control-based risks, operational process gaps, financial integrity and quality 7

8 Committee Structures Help Communication Oversight Committee Chief Risk Officer Chief Compliance Officer CISO Chief Audit Executive Board of Directors Chief Risk Officer Chief Compliance Officer CISO Chief Audit Executive A seat at the table will support consistency in: Knowledge and understanding of issues Communication Reporting Risk Oversight Committee CRO, CCO, CISO, CAE Corporate Compliance Committee CRO, CCO, CISO, CAE 22 Information Security Committee CRO, CCO, CISO, CAE Staying on Course Periodic Assessments ERM and Compliance processes include periodic rechecks Progress of mitigation and remediation plans Reassessment of issues and risk Monitoring effectiveness of mitigation and remediation Internal Audit processes include periodic monitoring Tracking of Action Plans Closure of noted gaps Risk assessment for Annual Audit Plan development 23 Keeping the Deck in Check! Using Surveys to Gauge the Winds Identifying needed tweaks in the efforts of the ERM and Compliance/Ethics teams may avoid rough waters ahead Corporate Employee Engagement Surveys may gauge awareness levels and culture relating to risk and compliance Cultural Diagnostic (Corporate Executive Board) measurement tool for assessing the ethics culture of the company; tool provides for customized questions which can be used to also assess the risk culture Committee Self-Assessments results of Oversight and Board Committee(s) may provide helpful feedback Results may provide Corporate Compliance/Ethics and ERM with opportunities to further collaborate to address gaps or streamline efforts 24 8

9 Watching for Obstacles Compliance Risks Keep in mind that being compliant may not mean that business operations can rest easy controls needed to demonstrate compliance are not enough to guard against risks. 25 Building Upon Your Enterprise Risk Program Can Help You Navigate the Rough Waters of Compliance and Ethics Risks Chart the Course: Join efforts with ERM to map compliance related risk coordinates Stay On Course: Use the ERM Risk Assessment as your lighthouse to see potential risks Maintain the Deck Log: Keep a scorecard to check your accuracy of compliance and ethics risk findings 26 MAINTAIN THE DECK LOG Maturing the Crew 27 9

10 Risk Registers Keep It Going! Reflecting upon your journey and maintaining a strong knowledge base of information and experiences will help you and the organization grow. Residual Risk Monitoring Building Deeper Awareness Advancing Training 28 Don t Lose Sight ---Let past experiences guide the future Risk Registers log past and present concerns for current and future reference. Internal Audit Compliance ERM Risk Knowledge Base Info Security Continuity 29 Keep past experiences in check Risk Impact Likelihood Level of Control Risk Score [Residual Risk Level] Previous Risk Score Risk # % Yes Risk # % No Risk # % No Review Requested Risk Score = 100 less the result of Impact x Likelihood multiplied by % of Level of Control Periodic risk assessments of both mitigated and active risks helps to keep risks under tow Reassessing mitigated risks helps to ensure corrective actions and remediation plans targeted the correct root cause If the residual risk score increases, a review is needed If the residual risk score is higher than desired, further mitigation should be considered 30 10

11 Foster the Culture Awareness Sharing experiences raises awareness What did you do to mitigate risks? Did you identify the real issues? What did you learn? What would you do differently? Training Weave training into the program As ERM and Compliance processes mature, new elements are added to the framework New elements can also be externally driven Use new elements as an opportunity to refresh and advance knowledge 31 Opportunity to Share How do ERM and Compliance & Ethics align and interact at your organizations? How do your organizations address Three Lines of Defense? 32 Opportunity to Share Why do companies with Compliance and ERM programs in place fail? How have your organizations utilized risk assessments and surveys? 33 11

12 Opportunity to Share How do your organizations maintain a robust knowledge base of risk and compliance issues? How have your organizations matured ERM and Compliance & Ethics? 34 12