ENTERPRISE RISK MANAGEMENT USING DATA ANALYTICS
Dan Julevich and Chris Dawes
April 17, 2015
Agenda
- ERM: What, Why, How?
- ERM: Keys to Success
- Fail, Survive, or Thrive?
- ERM: Current State Overview
- ERM: Leading Practices
- Data Analytics with ERM
  - Industry Trends: Health Plans
  - Industry Trends: Evolution of Analytics
  - Managing Enterprise Risk
  - Profile of Trusted Advisors
  - Continuous Monitoring
ERM: What is it?
What is Enterprise Risk Management?
- A discipline for managing uncertainty (ISO 31000)
- A company's process to identify, assess, and manage risk that could interfere with achieving any of its corporate objectives (Richard M. Steinberg)
What kind of risks are we talking about?
- Strategic
- Financial
- Operational
- Information Systems
- Compliance
- Reputation
- External
Basically, anything that can mess up a company's ability to achieve its goals and objectives
ERM: Why do companies do it?
- Senior management understands its value
  - Risk awareness leads to better decisions
  - Increased likelihood of reaching strategic objectives
  - Competitive advantage
- Boards of Directors demand it
- Regulators require it
ERM: How do companies do it?
- Identify
- Assess
- Respond
- Communicate
- Monitor
- Repeat!
ERM: Keys to success
- Define
- Measure
- Customize the approach
- Get stakeholder input
- Simplify
- Demonstrate action
Fail, Survive, or Thrive?
ERM: Current state overview
- 25% of senior executives believe their organization has a complete formal enterprise risk management process
  - No difference from prior year
  - Larger companies, public companies, and financial services companies higher ( 45%)
- 23% describe their organization's level of risk management maturity as Mature or Robust
  - Larger companies, public companies, and financial services companies higher ( 33%)
Source: ERM Initiative at North Carolina State University, 2015 Report on the Current State of Enterprise Risk Oversight, http://erm.ncsu.edu/
ERM: Current state overview
- 30% describe their ERM process as systematic, robust, and repeatable with regular reporting of top risks to the board
  - Large companies (55%), Public companies (59%)
- 48% believe that existing risk exposures are considered mostly or extensively when evaluating new strategic initiatives. However, 36% do no formal assessments of emerging strategic, market, or industry risks
Source: ERM Initiative at North Carolina State University, 2015 Report on the Current State of Enterprise Risk Oversight, http://erm.ncsu.edu/
ERM: Current state overview
- 42% believe that a barrier or significant barrier to ERM is that it is seen as a competing priority to other initiatives at the organization. A similar percentage believes that there are insufficient resources allocated for ERM
- 60% have not provided or only minimally provided training and guidance on risk management.
Source: ERM Initiative at North Carolina State University, 2015 Report on the Current State of Enterprise Risk Oversight, http://erm.ncsu.edu/
ERM: Current state overview
- 68% indicate that the board of directors is asking somewhat to extensively for increased senior executive involvement in risk oversight
  - Large companies 86%; Public companies 88%
Source: ERM Initiative at North Carolina State University, 2015 Report on the Current State of Enterprise Risk Oversight, http://erm.ncsu.edu/
ERM: Leading practices
- End to End Perspective
- Key Risk Indicators
- Resident Contrarian
- Data Analytics
  - Only 10 percent of respondents describe their utilization of technology to monitor KRIs as very or extensive, 22 percent rate their use as moderate, and 29 percent describe their use as slight. (1)
  - Surprisingly, nearly 40 percent of respondents do not employ technology at all in the KRI monitoring process. (1)
  - The bottom line: 9 in 10 respondents appear to be underutilizing the ability of technology to enhance and streamline the risk-monitoring process. (1)
(1) Source: PULSE OF INTERNAL AUDIT: Navigating an Increasingly Volatile Risk Environment, MARCH 2015, The Institute of Internal Auditors
Industry Trends (Health Plans)
Health Plans are revamping organizational approaches in partnering and utilizing data analytics to monitor and measure key performance indicators to help understand enterprise risk.
- Organizations are making significant investments to enhance C-suite and Board of Directors reporting, dashboards, operational performance and risk monitoring reporting
- C-suite leadership and the Board of Directors are looking to data analytic programs to help drive growth and reduce G&A, while managing and mitigating risk
- Health plans are moving toward integrated monitoring of operational performance and compliance
- Health plans are organizing around their business in order to optimize organizational structure
Source: PwC
Use and Distribution Limited Solely to Authorized Personnel
Industry Trends: Evolution of Analytics
Health plans are evolving their analytics with the most significant focus on several core fundamental areas

Focus Area: Integration of regulatory / compliance requirements into operational performance reporting
  Description: Health plans are re-designing operational reports to ensure that how they manage their business is coupled with how they meet regulatory and compliance requirements
  Results Achieved:
  - Improved operational performance
  - Increased regulatory compliance
  - Reduced level of effort related to organizational compliance

Focus Area: Transformation of management and executive-level dashboards
  Description: Health plans are evolving dashboards to implement more predictive capabilities to trend compliance and integrate indicator flags to detect operational or compliance failures
  Results Achieved:
  - Implemented proactive approach to managing both compliance and operational performance
  - Increased regulatory compliance

Focus Area: Evolving analytics for compliance-related audits and reviews
  Description: More progressive payers are using targeted sampling methodology aligned with that of CMS, as opposed to random, statistically valid sampling
  Results Achieved:
  - Reduced effort by business areas to support audits
  - Enhanced value to the business in streamlining remediation and prevention efforts

Focus Area: Profiling of providers to link compliance, care management and quality together
  Description: Health plans are comparing quality measures across providers with relevant data sets (HEDIS, claims) to look at the end-to-end care management value chain
  Results Achieved:
  - Enhanced view into the linkage of quality performance to outcomes, down to provider level
  - Remaining on pace with direction regulators are headed

Source: PwC
Managing Enterprise Risk
- Corporate Goals & Risk Areas
  - Senior leadership sets the priorities
  - Risk areas are identified (What could go wrong?)
- Management Controls
  - Management establishes processes, controls, and reporting to achieve corporate priorities and to monitor and respond to risk areas
- Internal Audit
  - Validates design and operational effectiveness of controls and key business processes
- Data Analytics
  - Tools and techniques that span across functional areas
  - Management uses analytics to report and monitor operational performance
  - Internal audit uses analytics to validate transactions against risk area metrics
Managing Enterprise Risk
[Figure: Data and Analytics Driven Enterprise Risk. Labels: Corporate priorities, goals, and risks; Internal Audit: validation and verification of controls; Business: ownership, management and the monitoring of controls; Reduced Risk]
Profile of Trusted Advisors
Source: PwC 2014 State of Internal Audit Survey
Managing Enterprise Risk

Driver: Lower cost to operate controls
- Reduce business efforts to operate controls (useful for clients with many manual controls)
- Identify business exceptions and control breakdowns sooner
- Increase business flexibility through moving toward real-time detective controls
- Achieve more coverage of risk
- Remove obvious pain points
- Stop known problematic transactions

Driver: Lower cost to evaluate controls
- Lower the cost of compliance efforts
- Identify control breakdowns sooner
- Lower the cost of business self-assessment of controls
- Achieve better visibility of the compliance framework and the overall state of risk
- Organize risks and controls in a more meaningful fashion
- Policy management to support controls

Solutions shown on the slide:
- Implement controls in your Continuous Transaction Monitoring (CTM) Solution
- Document the controls in your Continuous Control Monitoring (CCM) Solution

Source: PwC
Examples of Continuous Monitoring: Focusing on Continuous Transaction Monitoring (CTM) and Continuous Controls Monitoring (CCM)

CCM: Automated controls
  Exceptions relating to business configuration settings or parameters in the ERP system
  - An exception is reported if the tolerance amount for the three-way match control for accounts payable invoices is changed
  - An exception is reported if the credit authorization approval control is turned off
  A CCM strategy for configurable controls provides Management with a proactive mechanism to identify when key application control settings have been changed

CTM: Master data
  Exceptions relating to governance of master data in the ERP system
  - An exception is reported if the general ledger field structures have been modified in the master table
  - An exception is reported if changes (including creation, modification and deletion) are made to critical attributes defined in vendor master data
  - An exception is reported if changes have been made to the general ledger account code options and/or account mapping for automatic system processing functions
  A CTM strategy for master file data provides Management with a proactive mechanism to verify that the integrity of the master file architecture and content is not compromised

CTM: Transactional data
  Exceptions relating to transactions within the ERP system based on available transaction data
  - An exception is reported if a purchase order is created on the same day that goods were received for a transaction
  - An exception is reported if a manual journal entry has unusual accounts and/or descriptors
  - An exception is reported if an employee receives more than one pay distribution in a pay period
  A CTM strategy for transaction data provides Management with a proactive mechanism to identify potential control exceptions and fraudulent activity

Source: PwC
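
Three of the exception rules on this slide, written as checks over data. This is an added example, not part of the original presentation: the setting names, record fields and sample values are all constructed assumptions, and it covers one CCM rule (a configurable control setting changed from its approved baseline) and two CTM transaction rules (same-day purchase order and multiple pay distributions).

```python
from collections import Counter
from datetime import date

# Constructed sample data; every field name and value here is an assumption.
BASELINE_CONFIG = {"ap_three_way_match_tolerance": 0.02, "credit_auth_approval_enabled": True}
CURRENT_CONFIG = {"ap_three_way_match_tolerance": 0.10, "credit_auth_approval_enabled": True}

PURCHASE_ORDERS = [
    {"po": "PO-1001", "created": date(2015, 3, 2), "goods_received": date(2015, 3, 9)},
    {"po": "PO-1002", "created": date(2015, 3, 5), "goods_received": date(2015, 3, 5)},
]
PAY_DISTRIBUTIONS = [
    {"employee": "E-17", "period": "2015-03A"},
    {"employee": "E-42", "period": "2015-03A"},
    {"employee": "E-42", "period": "2015-03A"},
    {"employee": "E-42", "period": "2015-03B"},
]

def ccm_config_exceptions(baseline, current):
    """CCM: report each control setting that differs from the approved baseline."""
    return [
        {"rule": "config_changed", "setting": k, "expected": v, "actual": current.get(k)}
        for k, v in sorted(baseline.items())
        if current.get(k) != v
    ]

def ctm_same_day_po(orders):
    """CTM: purchase order created on the same day the goods were received."""
    return [
        {"rule": "po_same_day_as_receipt", "po": o["po"]}
        for o in orders
        if o["goods_received"] is not None and o["created"] == o["goods_received"]
    ]

def ctm_multiple_pay(distributions):
    """CTM: employee with more than one pay distribution in one pay period."""
    counts = Counter((d["employee"], d["period"]) for d in distributions)
    return [
        {"rule": "multiple_pay_distributions", "employee": e, "period": p, "count": n}
        for (e, p), n in sorted(counts.items())
        if n > 1
    ]

def run_monitoring():
    """Run all rules and return one combined exception list for review."""
    return (ccm_config_exceptions(BASELINE_CONFIG, CURRENT_CONFIG)
            + ctm_same_day_po(PURCHASE_ORDERS)
            + ctm_multiple_pay(PAY_DISTRIBUTIONS))

if __name__ == "__main__":
    for exc in run_monitoring():
        print(exc)
```
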
Discussion Point
How have you seen organizations successfully integrate data analytics into an enterprise-wide risk process?
Summary
- ERM Key to Success: Define, Measure, Customize, and Simplify
- ERM Current State: Below expectations but there is reason for optimism
- ERM Leading Practices: End to End, KRIs, Contrarian View, Data Analytics
- ERM with Data Analytics: Data based decisions, Tools, Skills, Transactions, Business rules, and data structure are key
QUESTIONS? ASK AWAY
Resources
- NC State University Poole College of Management ERM Initiative: http://poole.ncsu.edu/erm/
- RIMS Strategic and Enterprise Risk Center: http://www.rims.org/resources/erm/pages/default.aspx
- Norman Marks on Governance, Risk Management, and Audit: http://normanmarks.wordpress.com/
- PwC State of the Internal Audit Profession: http://www.pwc.com/us/en/risk assuranceservices/publications/pwc 2014 state of profession.jhtml