Enterprise Risk Management Program Development Update. Finance & Audit Committee Meeting September 25, 2015

Enterprise Risk Management - Presentation Topics [Pg. 2]
- Enterprise Risk Management ("ERM") Overview
- Lead Roles - LIPA/PSEG-LI ERM Process
- Status of the 2015 ERM Cycle
- Summary of Results of the 2015 ERM Cycle
- Key Risks Comparison to Others in Utility Sector
- Internal Audit/Review
- ERM Cycle Areas of Improvement - Next Steps
- Finance & Audit ("F&A") Committee Next Steps

ERM Overview [Pg. 3]
- Enterprise Risk Management ("ERM") increases risk awareness, ensures the appropriate management of risks, and provides transparency.
- Encourages a comprehensive perspective of risks by assessing existing risk and mitigation efforts at both LIPA and PSEG-LI.
- Aligns Management's efforts to prevent risk events from occurring, or to mitigate risk events when they are unavoidable or outside LIPA's control.
- Formally identifies a Key Risk Owner for each high-risk area. Key Risk Owner responsibilities include:
  - Monitoring of mitigation efforts impacting their risks
  - Reporting on risks and mitigation efforts on a regular basis
- Fulfills key recommendations from the Northstar Operations Audit Report (Chapter 7, "Enterprise Risk Management and Strategic Planning") dated September 13, 2013.

Lead Roles - LIPA/PSEG-LI ERM Process [Pg. 4]
ERMC: T. Falcone (Chairman), B. Chu, C. Horowitz, K. Kane, J. Little, M. Simione; and J. Bell (legal advisor to ERMC)
- Adopt ERM Procedures Manual, update as needed
- Review and approve ERM Program Timeline (Appendix Pg. 19)
- Determine the ERA working group
- Interview: F&A Committee members, LIPA & PSEG-LI Officers, Directors and Managers
- Determine appropriate owners for each Key Risk/Key Risk Category
- Approve appropriateness of risk mitigation:
  - Completeness of documentation articulating risk mitigating activities/processes
  - Determine tolerance or comfort with existing amount/level of risk mitigation
- Ensure ERM process is compliant with Board-approved Policy
- Work with Internal Audit Department, conduct assessment of overall effectiveness of ERM program, and identify areas for enhancement

Lead Roles - LIPA/PSEG-LI ERM Process [Pg. 5]
Director of Risk Management: C. Horowitz
- Initiate and lead ERA effort
- Consolidate ERA results, mapping of ERA to Risk Framework*
- Develop and lead Risk Prioritization process to rank Risks
- Catalog Key Risk Mitigation Activities assigned by Risk Owners
- Review Risk Mitigation Activities with Risk Owners and address potential concerns
- Continuously monitor risk, including regular touch points with Risk Owners
- Provide ERMC with regular Risk Mitigation status updates
- Draft and present regular updates for the F&A Committee (no less than annually)
* Identifies list of Environment Risks, Process Risks and Information for Decision-Making Risks - approximately 85 Risk components (Appendix Pg. 18)

Status of the 2015 ERM Cycle [Pg. 6]
Protiviti retained by LIPA to assist with:
- Development of LIPA ERM Framework [Completed]
  - Board Policy [Approved August 6th, 2015]
    - Delegates responsibilities to LIPA's ERMC and Staff
- Facilitate initial LIPA/PSEG-LI ERM Cycle [Completed]
  - Enterprise-wide Risk Assessment ("ERA") activities
  - Risk Mitigation Worksheets ("RMW")
- Draft LIPA's internal Policies, Procedures and Controls Manual for ERM [Near Completion]
  - Details ERA and ERM Process
  - ERM Process Timeline
- Monitoring Process [In Development]

Summary of Results of the 2015 ERM Cycle [Pg. 7]
Following the 2015 ERA, LIPA identified the following Key Risk Categories to the organization, which will be monitored continuously:
- Rate Case and Success of Financial Policy
- Outsource & Partnership Relationship Concerns
- Cyber Security
- Personnel & Human Resources Concerns
- Understanding & Delivering on Customer Expectations and Needs
- External Influences & Interests
NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.

Summary of Results of the 2015 ERM Cycle [Pg. 8]
Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:
- Outsource & Partnership Relationship Concerns
  Description: LIPA and its external service providers need to perform at best-in-class levels to deliver on LIPA's mission, goals & objectives, and improve customer perception of the Long Island electric utility.
  Risk Mitigation Activities: Maintain continuous oversight functions; participate in monthly PSEG-LI Scorecard Reporting meetings and PSEG-LI Monthly Management Board Review meetings; prepare audit universe as part of LIPA's 2016 oversight activities plan.
- Personnel & Human Resources Concerns
  Description: Success of LIPA, particularly in its OSA oversight role, requires attracting and retaining qualified staff.
  Risk Mitigation Activities: Create interim succession plan; implement utility industry training requirements and include them as part of all employees' 2016 performance evaluation goals; establish employee development program for continuous improvement; institute a competitive compensation program in 2016 to attract and retain a qualified workforce.
- Understanding & Delivering on Customer Expectations and Needs
  Description: Customers' desires for higher reliability and/or expanded distributed energy resources must align with the required infrastructure changes and costs. Improved emergency response is an important customer requirement.
  Risk Mitigation Activities: LIPA and DPS annual review of the Emergency Response Plan (ERP) and contingencies; review of PSEG-LI reliability metrics, storm response, and capital budgeting and capital development.

Summary of Results of the 2015 ERM Cycle [Pg. 9]
Following the 2015 ERA, LIPA has identified the following Key Risk Categories to the organization:
- External Influences & Interests
  Description: Relationships with key stakeholders are important in order for the organization to efficiently conduct business.
  Risk Mitigation Activities: Oversight of PSEG-LI Public Relations programs; increase LIPA engagement with public stakeholders; implement focused Public Relations program and public hearings.
- Cyber Security
  Description: Properly secure key IT systems from outside attack or interference.
  Risk Mitigation Activities: Cyber security audit; NERC CIP-5 rule compliance of PSEG-LI control systems and data networks; User Access process technologies; and LIPA and PSEG-LI review of cyber security insurance products.
- Rate Case and Success of Financial Policy
  Description: The rate case includes LIPA's financial policy goals, which include improved credit ratings and achieving key financial ratios to reduce the cost of electric service for customers over time.
  Risk Mitigation Activities: Rate plan filing included a sound financial plan; communication with the financial community; improved access to financial and operating data.

Summary of Results of the 2015 ERM Cycle [Pg. 10]
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories to focus on, which will be monitored continuously by both organizations:
- Outcome of the Rate Case
- Managing the Utility in Compliance with the OSA
- Cyber Security
- Personnel & Human Resources Concerns
- Understanding & Delivering on Customer Expectations and Needs
- Regulations, External Influences & Interests
NOTE: The above are potential risk events which are deemed to be key to monitor and take mitigating action on, and should not be interpreted as expected events, nor as events which have already occurred.

Summary of Results of the 2015 ERM Cycle [Pg. 11]
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:
- Managing the Utility in Compliance with the OSA
  Description: The OSA must fairly and completely measure PSEG-LI's performance. OSA metrics and goals may not remain relevant throughout the contract term.
  Risk Mitigation Activities: On-going monitoring of performance metrics to ensure compliance with the OSA; periodic review of metrics to assure relevance.
- Personnel & Human Resources Concerns
  Description: Success of the organization requires the ability to attract and retain qualified, driven staff.
  Risk Mitigation Activities: Leadership Risk Management; employee training and development; employment branding.
- Understanding & Delivering on Customer Expectations and Needs
  Description: Customers' desires for improved reliability and increased renewable energy technologies must align with the required infrastructure changes and costs. Improved emergency response is an important customer requirement.
  Risk Mitigation Activities: Customer communication; customer satisfaction initiatives; review of the monthly Scorecard Report and key operating metrics.

Summary of Results of the 2015 ERM Cycle [Pg. 12]
Following the 2015 ERA, PSEG-LI has identified the following Key Risk Categories:
- Regulations, External Influences & Interests
  Description: Relationships with all key stakeholders are important in order for the organization to efficiently conduct business.
  Risk Mitigation Activities: Strategic staffing; increase engagement with planning committees for project development; focused Public Relations program geared towards community outreach.
- Cyber Security
  Description: Key IT systems may be susceptible to outside attack or interference. Systems may include business systems with non-public information or operations systems that would interfere with substations, power generation or T&D infrastructure.
  Risk Mitigation Activities: Compliance with NERC Cybersecurity Standards; User Access processes and technology.
- Outcome of the Rate Case
  Description: The rate case may affect PSEG-LI's ability to achieve its goals required under the OSA and LIPA Reform Act.
  Risk Mitigation Activities: Daily rate case calls and activities; monthly Management Review Board meetings; monthly Scorecard Report meetings; 2016 O&M budget submittal.

Key Risks Comparison to Others in Utility Sector [Pg. 13]
Executive Perspectives on Top Risks for 2015* - Key Issues Being Discussed in the Boardroom and C-Suite
Energy and Utilities:
- Regulatory changes and heightened regulatory scrutiny
- Economic conditions in markets we currently serve
- Cybersecurity threats
- Resistance to change
- Succession challenges and ability to attract and retain top talent
LIPA has identified many of these risks for 2015.
* Research conducted by North Carolina State University's ERM Initiative and Protiviti

Internal Audit/Review [Pg. 14]
Internal Audit's Role:
- Assess the appropriateness of the ERM Program Policies, Procedures and Controls Manual established by the ERMC
- Determine the effectiveness of the processes used by LIPA and PSEG-LI to identify Key Risks and Emerging Risks
- Perform an appraisal of the ERM processes in place at LIPA and PSEG-LI to measure, monitor, manage and mitigate Key Risks
- Report observations to the F&A Committee no less than annually

ERM Cycle Areas of Improvement - Next Steps [Pg. 15]
Next Steps for ERM Process Improvement:
- Continue documenting existing Risk Mitigation efforts taken by LIPA and PSEG-LI
- Develop greater participation and communications across the entire staff at LIPA and PSEG-LI throughout the ERM process
- Implement continuous Risk Management-Risk Owner feedback mechanism:
  - Has a Key Risk occurred? If so, was the Mitigation Activity effective in minimizing impact within the desired risk tolerance?
  - Are there any new Emerging Risks that require ERMC or Senior Management's immediate attention?
- Reach out to other Municipal entities to gain insights into other ERM programs
- Benchmark LIPA's ERM Program Monitoring and Reporting
- Move from manual process to automated process by implementing ERM monitoring software
- Review reporting documentation needs and frequency across various levels of management up to and including the Board

Finance & Audit Committee - Next Steps [Pg. 16]
Next Steps for F&A Committee ERM Review:
- LIPA Staff to reflect 2015 ERM cycle results in 2016 Goals and Operating Budgets
- LIPA Staff to continually monitor Key Risks and/or Emerging Risks and periodically report back to the F&A Committee
- Internal Audit will schedule a review of the ERM process and report observations to the F&A Committee
- ERMC to meet with the F&A Committee during the 1st Quarter of 2016 prior to the kick-off of the 2016 ERM cycle

Appendix [Pg. 17]

ERM Risk Framework [Pg. 18]
- Customer Wants; Technological Innovation; Stakeholder Expectations; Capital Availability; Legal Environment; Regulatory Environment; Financial Markets; Catastrophic Loss; Asset Location/Community Concerns; External Influence & Interests
- FINANCIAL: Price; Interest Rate; Commodity Basis Volatility; Liquidity; Cash Flow; Concentration; Commodity Volatility; Credit; Default; Concentration; Settlement; Rating
- Customer Satisfaction; Human Resources; Knowledge Capital; Efficiency; Capacity; Partnering
- EMPOWERMENT: Leadership; Authority/Limit; Outsourcing; Performance Incentives; Change Readiness; Communications
- INFORMATION TECHNOLOGY: Integrity; Access; Availability; Infrastructure; Cyber Security
- OPERATIONS: Performance Gap; Cycle Time; Supply Chain; Physical Asset Reliability; Rate Case
- GOVERNANCE: Organizational Culture; Ethical Behavior; Board Effectiveness; Succession Planning; Compliance
- REPUTATION: Image and Branding; Stakeholder Relations
- INTEGRITY: Management Fraud; Employee Fraud; Third-Party Fraud; Illegal Acts; Unauthorized Use; Compliance
- Business Interruption; Service Failure; Environmental; Health and Safety; Transition
- STRATEGIC: Environmental Scan; Business Model; Regulator Model; Business Portfolio; Organizational Structure; Measurement (Strategic); Resource Allocation; Planning; Life Cycle
- PUBLIC REPORTING: Financial Reporting Evaluation; Internal Control Evaluation; Executive Certification; Pension Fund; Regulatory Reporting
- OPERATIONAL: Budgets and Planning; Service Pricing; Contract Commitment; Measurement (Operations); Alignment; Accounting Information

ERM Program Timeline [Pg. 19]
(Calendar grid: January through December)
ERM Activity | Responsible Party
Review / Revise Risk Framework | ERMC
Kick-off annual ERM effort at first F&A Committee Meeting; Summarize Prior Year Results | DRM; F&A Committee
Risk Owners to Complete Questionnaire; Follow-up Meetings (as needed) | Management; DRM
Risk Consolidation / Mapping | ERMC
Develop Risk Prioritization Meeting Presentation(s) | DRM
Risk Prioritization Voting Session(s) | Management; DRM
Analyze Prioritization; Identify Key Risks / Categories | ERMC
Identify Risk Owners; Prepare Risk Mitigation Worksheets | Management; ERMC
Risk Owners to Document Existing Risk Mitigation Processes | Risk Owners
Assess Existing Mitigation Efforts; Identify Gap Remediation | ERMC; Risk Owners
Identify Budgetary Requirements for New Risk Mitigation, and include in budget for next year | Risk Owners
Present ERA Results to F&A Committee | DRM; F&A Committee
Continued Monitoring of Risk Mitigation from Prior Year ERM | DRM; Risk Owners
Implementation of New Risk Mitigation (If no budget required; e.g., process improvement) | DRM; Risk Owners
Implementation of New Risk Mitigation (If incremental budget required) | DRM; Risk Owners
Routine Review of Risk Mitigation; Internal Audit Review of Key Processes | ERMC; Risk Owners; IA
Present Update on Risk Mitigation and Monitoring to F&A Committee | DRM; F&A Committee
Routine Communication between Risk Owners, ERMC, others | DRM; Risk Owners

Newly Developed ERM Policy [Pg. 20]
Core Provisions of the Enterprise Risk Management Policy:
- Mandates an annual effort to identify significant risks to achieving the mission, goals and objectives of the Authority, including those which are:
  - Known to already exist
  - Emerging risks which may be faced in the future
  - Risks which affect LIPA's service provider's performance and fulfilment of contractual obligations
- Incorporates a process for documenting existing risk mitigation for the most significant risks, and identifying if additional risk mitigation activities should be developed
- New risk mitigation development will be tied to the Authority's existing budget development process, so that if any additional risk mitigation is required, it can be appropriately budgeted and provided for
- The most significant risks, and their corresponding mitigation efforts, shall be continuously monitored (year-round) for effectiveness of mitigation and to identify any changes to known risks
- Policy requires regular reports on risk and risk mitigation to the F&A Committee

Risk Mitigation Monitoring Dashboard [In Development] [Pg. 21]
Risk Mitigation Monitoring - LIPA
Category # | Risk Category | Total # of Risk Mitigation Tasks | Tasks Deemed to be Sufficiently Mitigating Risk | Mitigation Task with Room for Improvement | Task not Yet Assessed
1 | Outsource & Partnership Relationship Concerns | 0 | 0 | 0 | 0
2 | Personnel & Human Resources Concerns | 0 | 0 | 0 | 0
3 | Understanding & Delivering on Customer Expectations and Needs | 0 | 0 | 0 | 0
4 | External Influences & Interests | 0 | 0 | 0 | 0
5 | Cyber Security | 0 | 0 | 0 | 0
6 | Rate Case and Success of Financial Policy | 0 | 0 | 0 | 0
TOTALS | | 0 | 0 | 0 | 0