Enterprise Risk Management (ERM) How Internal Audit Can Add Great Value


ASSOCIATION OF HEALTHCARE INTERNAL AUDITORS 2009 ANNUAL CONFERENCE
Charting a Course for Excellence
Enterprise Risk Management (ERM): How Internal Audit Can Add Great Value to Your Organization's ERM Process
Session A3, Monday August 31, 2009. Part I 3:10pm to 4pm, Part II 4:10pm to 5pm
Glen C. Mueller, CPA, CIA, CISA, CISM, VP - Audit, Compliance, & Information Security, Scripps Health

Today's Objectives
Session A3 Part I: 3:10pm to 4:00pm
1. Discuss key drivers for Enterprise Risk Management (ERM)
2. Case study: Scripps Health's Phase I in the ERM journey, the Business Risk Assessment
Session A3 Part II: 4:10pm to 5:00pm
1. Review Internal Audit's role in ERM
2. Begin thinking about two different, but related, Enterprise Risk Management frameworks and how they impact the Internal Audit approach: COSO ERM and the IT Governance Institute's The Risk IT Framework
Both sessions: learn what others are doing in regards to ERM and Internal Audit, and provide ideas for you to take back to your organization

What is Enterprise Risk Management? A definition
ERM is a structured and disciplined approach that aligns strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value.
- Aligns with strategic intent and related objectives
- Includes all business risks, not just financial ones
- Integrates into the management process, becoming every manager's responsibility
- Addresses both the hard and soft sides of risk management

Key Drivers for Enterprise Risk Management (ERM)
1. Standard and Poor's and other rating agencies are now considering ERM in their corporate ratings
2. Boards of Directors and Audit Committees are now asking management questions about ERM efforts and plans
3. COSO ERM Framework
4. IT Governance Institute's The Risk IT Framework
Key Observation: ERM is not a new concept. It has finally risen towards the top of Boards of Directors' priorities, which means that Internal Audit and IT Audit leadership need to be more proactive regarding their roles in the ERM space of their organization.

Institute of Internal Auditors Definition of Internal Auditing
Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Key Observation: Most organizations' Internal Audit and IT Audit functions have been focused on control activities and have not invested enough time in risk management and governance process activities.

Internal Audit Roles in ERM: IIA Position Paper
The Institute of Internal Auditors' position paper on ERM was issued in Sept (5 years ago!) and indicates which roles internal auditing should and should not play throughout the ERM process.
The main factors Chief Audit Executives and Audit Committees should take into account when determining internal audit's role in ERM are whether the activity raises any threats to the internal auditors' independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes.

Case Study: Scripps Health Phase I in the ERM Journey: Business Risk Assessment

Scripps Approach to the Business Risk Assessment Phase of ERM
1. Overview of process
   - Project background and overview
   - Business Risk Inventory
   - Business Risk Assessment process
   - Dimensions for Business Risk Assessment
2. Business Risk Assessment results
   - Key risks identified and rated by management
   - Risk ranking results
3. Next steps after the Business Risk Assessment

Project Background and Overview
Scripps Health's Business Risk Assessment examined the risks most likely to impact the organization during the next months, with the following perspective:
- Across the system as a whole, including all entities, hospitals, and facilities
- With a strategic view of achieving business strategies and objectives, i.e., from the standpoint of the CEO
- Forward looking
- Aligned with the vision, mission, and strategy of the organization
In essence, the business risk assessment was concerned with risks and risk events that have the potential to affect Scripps Health's growth trajectory and ability to meet its goals.

Project Background and Overview (continued)
The objectives of the Business Risk Assessment phase of the ERM framework were to identify, assess, and prioritize Scripps Health's key organizational-level risks using qualitative measures, in order to develop a prioritized corporate-wide risk profile.

Project Background and Overview (continued)
Scripps Health's CEO engaged Oliver Wyman (a division of Marsh) to plan and facilitate the application of the risk assessment process with the senior executive team (the 23 most senior executives). This project included:
1. Detailed one-on-one interviews with members of the senior executive team and other key individuals involved in risk management functions, to elicit their views on critical risks
2. Analysis and compilation of the risk interviews
3. Validation of the key risks identified, and of the scales to be used in assessing the risks, by the senior executive team and others interviewed
4. Evaluation by the senior executive team of the risks and of current management effectiveness in a facilitated workshop

Healthcare Provider Business Risk Inventory (BRI)
A preliminary business risk inventory of 100+ potential risks for healthcare providers was provided by Oliver Wyman and used for conducting interviews of the senior executive team. The inventory was further customized to reflect certain additional risks or different terminology identified by participants in their interviews. These risks were further discussed and rated in a workshop.
External Risks: Capital availability; Competitor; Demographic changes; Economy; Financial markets
Strategic: Growth; Market share; Mergers and acquisitions
Financial: Capital allocation; Debt rating; Financial performance
Compliance: Accreditation; Anti-trust; Conflict of interest
Internal Risks, Operational
- Process: Business continuity; Change response; Environmental; Health and safety; Quality of care
- Management Information: Accounting information; Budget and forecasting; Decision making
- Human Capital: Compensation and benefits; Competencies/skills; Hiring/retention; Unionization
- Integrity: Code of conduct; Conflict of interest; Ethical decision-making
- Technology: Access to technology; Availability of technology; Data integrity and security; e-commerce; Information security; IT capacity; IT disaster recovery
(Remaining inventory entries were redacted on the slide.)

One-Day Workshop With Senior Executive Team for Risk Rating
The facilitated workshop by Oliver Wyman was the cornerstone of the methodology used for Scripps Health's Business Risk Assessment and focused on gaining a deeper understanding of the 11 key organizational risks as determined by the interview process.
The methodology is adapted from the Delphi Method, a rigorous and systematic self-assessment process used to reach consensus quickly on subjects where little statistical data is available. By interviewing subject matter experts (management) and encouraging open dialogue during the workshop, supported by data identified during the interviews and the anonymous workshop voting results, the Scripps Health senior executive team gained a deeper understanding of the organization's key risks.
The workshop participants assessed risks on the basis of potential impact and likelihood:
- Impact was measured in terms of the following factors: patient safety, image/reputation, business interruption, and revenue/net operating income
- Likelihood was based on the probability of the risk occurring over the next months

Senior Executives Workshop Methodology and Process (continued)
Following the impact and likelihood votes, participants voted on current risk management effectiveness. Participants considered how well a risk is managed given current management capabilities (i.e., people/organizational structure, processes, technologies, policies, analytics, and reporting/communication). The risks with the greatest gaps between inherent risk and current management capabilities should be further analyzed to determine whether additional risk management efforts are required.
For a particular risk, there is no set desired alignment between inherent risk and management effectiveness ratings. Rather, the appropriateness of the relationship needs to be evaluated based on the strategic or operational importance of the objective at risk, the organization's risk appetite, and the capacity of the organization to increase management effectiveness in a cost-effective manner.

Risks Were Assessed/Prioritized Using Three Dimensions
The scales for each of these risk dimensions were determined for our organization:
- Likelihood
- Impact
- Current Risk Management Effectiveness

Risks Were Assessed/Prioritized Using Three Dimensions (continued)
Impact
- Measures the expected impact to the organization from the occurrence of a risk that would impair Scripps Health's ability to execute its initiatives and strategies
- Considers the impact to Scripps Health's performance in the market, revenue, and reputation before consideration of risk management activities

Risks Were Assessed/Prioritized Using Three Dimensions (continued)
Likelihood
- Measures the expected probability of a risk occurring over the course of the next months that would impair Scripps Health's ability to execute its initiatives and strategies
- Assumes minimal controls or risk management activities are in place

Risks Were Assessed/Prioritized Using Three Dimensions (continued)
Current Risk Management Effectiveness
- Measures how well a risk is managed given current management capabilities, which include: people/organizational structure; process; technology; analytics; policies and procedures; reporting and communication
- Considers current activities, not anticipated future activities

Risk Impact Scale
Participants evaluated the impact of the 11 key risks on Scripps Health over the next months. The impact of a risk relates to its potential effect on the organization's business objectives before consideration of management effectiveness.
Each row gives: impact ranking; patient safety; image/reputation; business interruption; revenue/net operating income. (Patient safety criteria were redacted on the slide and appear as xxxx.)
9 Catastrophic: patient safety xxxxxxxx; national media coverage, government investigation; total cessation of business for one month; $xxx MM+ operating revenue, $xx MM+ net operating income
7 Major: patient safety xxxxxx; headline in regional media; week-long business disruption; $xxx-xxx MM operating revenue, $xx-xx MM net operating income
5 Moderate: patient safety xxxxxxx; lead story in local media; business interruption over 3-5 days; $xx-xx MM operating revenue, $x-xx MM net operating income
3 Minor: patient safety xxxxxxx; articles in local media; business interruption over 24 hours; $xx-xx MM operating revenue, $x-x MM net operating income
1 Insignificant: patient safety xxxxxxxxx; water-cooler talk and rumors in the local marketplace; business interruption for 2-4 hours; less than $xx MM operating revenue, less than $x MM net operating income

Risk Likelihood Scale
Participants evaluated how likely it is that an event or action would take place, assuming minimal controls are in effect. The scale was applied using a month time frame and from the perspective of Scripps Health.
Scale / Frequency:
9 Very Likely: will occur more than once per year
8 (intermediate)
7 Likely: will occur once per year
6 (intermediate)
5 Possible: will occur once every five years
4 (intermediate)
3 Unlikely: will occur once every ten years
2 (intermediate)
1 Rare: less than once every thirty years

Current Risk Management Effectiveness Scale
Participants considered the current capabilities of Scripps Health in managing its organization-wide risks. Capabilities include: people/organizational structure, process, technologies, analytics, policies, procedures, reporting and communication.
Voting scale (the descriptions for each level were redacted on the slide):
9 Comprehensive or overly effective
7 Strong
5 Moderate
3 Limited
1 Weak

Summary Results: Scripps Health Business Risk Assessment

Inherent Risk Profile
The map below presents management's assessment of each of the 11 critical risks' impact and likelihood with minimal risk management efforts.
[Figure: Inherent risk map, impact (Moderate to Catastrophic) against likelihood (Possible, Likely, Highly likely), with the top right quadrant expanded. The 11 Scripps key risks are plotted as points A through K; their names were redacted on the slide (each shown as "Risk x").]

Summary of Managed Risk Profile (Gap Analysis)
This chart indicates gaps between the inherent risk level and current risk management effectiveness and is organized in descending order according to gap. Inherent risk ratings are depicted by the line, and management effectiveness ratings are depicted by the bars.
Note: certain Tier 2 risks can be drivers for Tier 1 risks (for example Capital Allocation and Systematization).
[Figure: Gap analysis, inherent risk vs. management effectiveness. Left axis, inherent risk: 9 Catastrophic, 7 Major, 5 Moderate, 3 Minor, 1 Minimal. Right axis, risk management effectiveness: 9 Comprehensive, 7 Strong, 5 Moderate, 3 Limited, 1 Weak. Risks are grouped into Tier 1 and Tier 2; names were redacted on the slide ("Risk x"). The gap represents residual or unmitigated risk. Callout: Scripps Internal Audit and IT Audit plans added significant hours in Tier 1 risk areas.]
Note: Inherent risk = (impact + likelihood)/2
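The gap calculation on this slide, worked through as an added Python example (not from the presentation or from Oliver Wyman); aggregating the anonymous workshop votes by median, the risk names chosen from the inventory, and the vote values themselves are all constructed assumptions:

```python
"""Inherent risk and gap analysis as described on the Scripps slides."""
from statistics import median

# Rating scales from the slides (odd anchors; even values are intermediate).
IMPACT_LABELS = {9: "Catastrophic", 7: "Major", 5: "Moderate", 3: "Minor", 1: "Minimal"}
EFFECTIVENESS_LABELS = {9: "Comprehensive", 7: "Strong", 5: "Moderate", 3: "Limited", 1: "Weak"}


def aggregate(votes):
    """Collapse one dimension's anonymous votes to a single rating.
    Median is an assumption; the slides do not say how votes were combined."""
    return median(votes)


def inherent_risk(impact, likelihood):
    """Slide formula: inherent risk = (impact + likelihood) / 2."""
    return (impact + likelihood) / 2


def nearest_label(score, labels):
    """Map a (possibly fractional) score back to the closest scale anchor."""
    return labels[min(labels, key=lambda anchor: abs(anchor - score))]


def gap_analysis(votes):
    """votes: {risk: {"impact": [...], "likelihood": [...], "effectiveness": [...]}}
    Returns one row per risk, sorted by descending gap, where
    gap = inherent risk - management effectiveness (residual/unmitigated risk).
    A positive gap means management capability lags the inherent exposure."""
    rows = []
    for name, dims in votes.items():
        for dim in ("impact", "likelihood", "effectiveness"):
            for score in dims[dim]:
                if not 1 <= score <= 9:  # every scale on the slides runs 1 to 9
                    raise ValueError(f"{name}/{dim}: vote {score} outside the 1-9 scale")
        imp = aggregate(dims["impact"])
        lik = aggregate(dims["likelihood"])
        eff = aggregate(dims["effectiveness"])
        inh = inherent_risk(imp, lik)
        rows.append({"risk": name, "impact": imp, "likelihood": lik,
                     "inherent": inh, "effectiveness": eff, "gap": inh - eff})
    rows.sort(key=lambda r: r["gap"], reverse=True)  # descending gap, as on the chart
    return rows


# Constructed sample: four hypothetical executives voting on three inventory risks.
SAMPLE_VOTES = {
    "IT disaster recovery": {"impact": [9, 7, 9, 7], "likelihood": [5, 5, 7, 5], "effectiveness": [3, 3, 5, 3]},
    "Debt rating":          {"impact": [7, 7, 5, 7], "likelihood": [3, 3, 3, 5], "effectiveness": [7, 7, 9, 7]},
    "Information security": {"impact": [7, 9, 7, 7], "likelihood": [7, 7, 9, 7], "effectiveness": [5, 5, 5, 7]},
}

if __name__ == "__main__":
    for r in gap_analysis(SAMPLE_VOTES):
        print(f"{r['risk']:<22} inherent={r['inherent']:.1f} "
              f"({nearest_label(r['inherent'], IMPACT_LABELS)})  "
              f"mgmt={r['effectiveness']:.0f} ({nearest_label(r['effectiveness'], EFFECTIVENESS_LABELS)})  "
              f"gap={r['gap']:+.1f}")
```

A negative gap (management effectiveness above inherent risk) is not automatically "good": as the slides note, the right relationship depends on the objective's importance, risk appetite, and the cost of raising effectiveness further.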

Planned Risk Management Activities for Tier 1 Risks
- Designate senior-level risk owner(s) responsible for ensuring risk management effectiveness (completed)
- Conduct an inventory of current management effectiveness activities and measurements for success, to build on those initially identified in the workshop
- Conduct deeper analysis of exposures and management capabilities
- Develop appropriate and cost-effective risk mitigation strategies
- Develop action plans including risk-based tracking metrics
- Conduct scheduled monitoring of risk trends and management action plan status
Key Observation: The above actions look very similar to a risk assessment process that would be conducted by internal auditors or IT auditors.

Current Management Effectiveness Activities: Measurement and Documentation
Each senior-level risk owner should designate a cross-functional team, including 1-2 people independent of the specific risk management activities, to measure and document how well a risk is managed given current management capabilities, which include the following areas:
- People/organization structure
- Process
- Technologies
- Analytics
- Policies, procedures
- Reporting and communication

Value Add of Conducting a Facilitated Drill-Down for Each of the Tier 1 Risks
- Detailed root cause and driver analysis
- Detailed risk action plans for Tier 1 risks
- A customized risk analysis and action planning process that can be applied by the organization going forward
- Risk action plan templates
- A customized risk action plan reporting process and dashboard
- Trained individuals to support and apply the process going forward
- Increased risk awareness and risk management process knowledge amongst the management team

Enterprise Risk Management Frameworks
You and your organization need to consider the body of knowledge on risk management and Enterprise Risk Management and develop a framework and game plan for addressing this important area. There is no right or wrong answer in terms of what framework or model to adopt, as there are many similarities, and you must choose an approach that fits your organizational and management culture for sustained success. As Internal Auditors, the two frameworks you must become more familiar with are the COSO ERM Model and the IT Governance Institute's The Risk IT Framework. There is one wrong answer on an approach to ERM, and that is to do nothing!

Session A3 Part II: 4:10pm to 5:00pm. Today's Objectives
1. Review Internal Audit's role in ERM
2. Begin thinking about two different, but related, Enterprise Risk Management frameworks and how they impact the Internal Audit approach: COSO ERM, and the IT Governance Institute's The Risk IT Framework
3. Learn what others are doing in regards to Internal Audit and ERM, and provide ideas for you to take back to your organization


Internal Audit Roles in ERM (continued)
Core Internal Audit roles in regard to ERM:
- Giving assurance on risk management processes
- Giving assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing the management of key risks

Internal Audit Roles in ERM (continued)
Legitimate Internal Audit roles with appropriate independence and objectivity mitigations:
- Facilitating identification and evaluation of risks
- Coaching management in responding to risks
- Coordinating ERM activities
- Consolidating the reporting on risks
- Maintaining and developing the ERM framework
- Championing establishment of ERM
- Developing risk management strategy for board approval

Internal Audit Roles in ERM (continued)
Roles Internal Audit should NOT undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Making decisions on risk responses
- Implementing risk responses on management's behalf
- Accountability for risk management

Two Important ERM Frameworks to Consider in Developing Your Organization's ERM Approach
- COSO ERM Model
- IT Governance Institute's The Risk IT Framework
Key Observation: Anything you can learn by understanding the ERM frameworks used by Big Four accounting firms, Protiviti, Oliver Wyman, and other organizations will help you gain greater perspective and determine the best approach for introducing and integrating this important concept into your organization.

The COSO ERM Framework
[Figure: the eight components of the COSO framework are interrelated.]

ERM as Defined by COSO
"A process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management Integrated Framework, COSO.

IT Risk as Defined in The Risk IT Framework
IT risk is the business risk associated with the use, ownership, operation, involvement, influence and adoption of IT within an enterprise. IT risk consists of IT-related events that could potentially impact the business.
(Slide source note: v 0.1 revised 3Feb09)

The Risk IT Framework
IT risk can be categorized in different ways:
- IT service delivery risk, associated with the performance and availability of IT services, which can bring destruction or reduction of value to the enterprise
- IT solution delivery/benefit realization risk, associated with the contribution of IT to new or improved business solutions, usually in the form of projects and programmes
- IT benefit realization risk, associated with (missed) opportunities to use technology to improve the efficiency or effectiveness of business processes, or to use technology as an enabler for new business initiatives

Workshop Participants Sharing and Discussion
Learn what others in the audience are doing in regards to Internal Audit and ERM, and provide ideas for you to take back to your organization.


Further Thoughts and Ideas! Let me know and share.
Glen C. Mueller, Scripps Health