
Sharon Hale and John Argodale, May 28, 2015

From Dictionary.com:
Enterprise: A project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy
Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance
Management: The act of directing or controlling to bring about or succeed in accomplishing, sometimes despite difficulty or hardship

What is Enterprise Risk Management (ERM)?

All large organizations operate in environments marked by inherent risk. Risk can take many forms:
- Risk of not meeting organizational goals and objectives
- Risks affecting the organization's mission and operations
- Risk of not complying with laws, policies, and regulations
- Cost and schedule risk associated with major programs and initiatives
- Financial risks
- Reputational risks
- Personnel and cultural risks
- Risk of fraud, waste, and abuse

ERM is a process that:
- Is governed by the entity's senior management
- Is applied strategically across the entire enterprise
- Is designed to systematically identify events that may present risk
- Establishes the enterprise's tolerance or appetite for risk
- Identifies those risks that need to be actively managed
- Designs and implements controls to manage risks
- Monitors control effectiveness
- Establishes an appropriate risk response
- Provides reasonable assurance that the entity will achieve its objectives

Committee of Sponsoring Organizations (COSO) of the Treadway Commission
- Developed the COSO Framework for ERM
- Supported by five private sector organizations: Institute of Management Accountants (IMA), American Accounting Association (AAA), American Institute of Certified Public Accountants (AICPA), Institute of Internal Auditors (IIA), Financial Executives International (FEI)
- Provides thought leadership for governance, internal controls, ethics and ERM
- Defines enterprise risk management as: "a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

The COSO ERM Framework
- Widely accepted best practice for establishing ERM capabilities
- Used extensively by Federal agencies and the private sector
- The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government are built upon COSO's internal control framework
- Prescribes eight interrelated components that must be executed in order to achieve strategic, operational, reporting, and compliance objectives
- The eight risk management functions collectively comprise a comprehensive risk management framework
- Designed to be implemented across all organizational levels

Primary Operational Risk Management Functions

COSO and industry best practices prescribe that a comprehensive ERM program fully addresses eight core risk management functions*:

Internal Environment / Governance: Setting the risk culture by defining the way the organization views and addresses risks and controls. The risk management governance structure is established to assign authority and responsibility.
Objective Setting: Coordination with executive leadership to align operational, compliance, and reporting objectives with risk tolerance.
Risk Identification: Identification of risk events that may affect the organization's ability to implement its strategy and achieve its objectives and performance goals.
Risk Assessment: Evaluation of the likelihood and impact of identified risk events, as well as the existing controls that mitigate either the chance of an event occurring and/or the impact if it does occur.
Risk Response: Selection of risk response options to minimize residual risk.
Control Activities: Implementation of policies and procedures to execute and monitor risk responses.
Information & Communication: Identification, capture, and communication of relevant risk information across all organizational levels.
Monitoring: Continuous monitoring and oversight to identify opportunities for improvement.

* Based on COSO ERM Integrated Framework

[Figure: risk heat map. One axis runs Low / Medium / High; the other runs from Minimal to Catastrophic (labeled Minimum to Maximum). Cells are labeled, from least to most severe: Issue, Concern, Problem, Trouble, Big Mess, Melt Down.]

[Figure: Relationship of ERM and Internal Controls, drawn as nested layers: Governance encloses ERM, which encloses Internal Controls.]

Anticipated Changes to Office of Management and Budget (OMB) Circular No. A-123 for Fiscal Year (FY) 2016

Draft tentatively titled "Management's Responsibility for Risk Management and Internal Control"

OMB's vision for the FY 2016 update: "The goal of Circular A-123 is to modernize efforts to implement the Federal Managers Financial Integrity Act (FMFIA) so that it will evolve our existing internal control framework to be more value-added and provide for stronger risk management."
- Detailed framework for evaluating control deficiencies
- Reinforces corrective action planning requirements to address the root causes of control deficiencies
- Introduces ERM to provide for more effective risk management and internal control in the Federal Government
- Adopts additional COSO framework guidance
- Emphasizes governance and internal control relationships
- Revised Annual Statement of Assurance: internal controls over operations and compliance; internal controls over financial reporting
- Guidance on service organizations' user controls
- Alignment with audit terminology: "significant condition" vs. "reportable condition"

Source: OMB A-123 Update Briefing, April 28, 2015

Most Organizations Implement Some Risk Management Elements but Are Not Fully Optimized

Challenges to Implementing an ERM Framework
- Leadership
- Culture
- Governance
- Policies not aligned to risk appetite
- Risk standardization, response, and coordination
- Communication
- Organizational silos
- Command and control structures
- Compliance focus
- Personnel and resource constraints
- Technology to enable effective and efficient risk management
- Business process and system complexity and maturity
- IT general and application controls

The Value Proposition
- The cost of preventive internal controls vs. the cost of cleaning up
- Collaboration between program offices and traditional support offices (Chief Financial Officer (CFO)/A-123 staff)
- Building partnerships with stakeholders to support their cases
- A more risk-enabled performance management culture
- A sustainable approach for an audit-steady environment
- Strategic alignment: improve the likelihood of achieving objectives
- Effectiveness: doing the right things and seizing opportunities
- Efficiency: achieving strategic objectives in a cost-effective manner

ERM Supports Audit Readiness and Enhances the Managers' Internal Control Program

Internal Controls Framework (1)
[Figure: the five components stacked as layers (Monitoring; Information and Communication; Control Activities; Risk Assessment; Control Environment), crossed with organizational units (Unit A, Unit B) and activities (Activity 1, 2, 3).]

GAO and COSO set five components for development of an agency's Internal Controls Program:
- Monitoring: performance reporting, review, and systematic oversight
- Information and Communication: agency communications
- Control Activities: approvals and clear control owners
- Risk Assessment: establish process risk self-assessment capabilities and risk ranking and prioritization
- Control Environment: establish and communicate tone at the top and develop policies and procedures

(1) Source: GAO Internal Controls Framework Guidelines and Committee of Sponsoring Organizations (COSO) Internal Control Framework

Opportunities
Implementing an effective ERM program provides opportunities to:
- Evolve controls from manual to automated, or from detective to preventive
- Rationalize business processes based on complexity and implement process risk self-assessments
- Achieve and sustain a cost-beneficial, audit-ready and audit-steady business environment
- Map business processes
- Identify risks
- Link controls to risks
- Develop key risk indicators

Characteristics and Benefits of an Optimized ERM Program

Characteristics:
- Senior management sets the tone from the top
- Governance structure holds appropriate personnel accountable
- Repeatable business processes that address an organization's operational risks
- Methodology includes assessments, risk data capture, analytics, and reporting
- Objective is to improve risk response as an interrelated risk portfolio
- Governance, policies, and standards centrally managed
- Decentralized execution

Benefits:
Improve Performance
- Reduce operational losses and surprises
- Improve compliance
- Increase change capability
- Inform operational management decisions
- Facilitate risk self-identification
- Support for the management assurance statement
Optimize Costs
- Aggregate risk transfer and acceptance decisions
- Eliminate overlapping and unnecessary controls and activities
- Align risk thresholds to business strategy
Instill Confidence
- Protect reputation
- Integrate risk into planning and strategy
- Better align resources to missions
- Reduce waste, fraud, and mismanagement
- Enhance the Managers' Internal Control Program (MICP)

Approach to Evolve ERM from Current Level to Optimized

Key Success Factors for Enabling an Optimized Risk Management Program

1. Promote a Risk Management Culture
- Involve all staff in risk management activities
- Set up recognition and reward initiatives
- Define risk management as part of the requirements for all management positions

2. Drive Risk Management from the Top
- Active engagement from senior leadership in risk processes and meetings
- Distribute communications and policies directly from leadership

3. Establish Open Communication Channels
- Communicate the organization's efforts and involve all employees

4. Use Common Risk Language and Tools
- Create simple, understandable terminology and tools for Command, Field, Installation and Programs
- Leverage facilitators and risk and control Subject Matter Experts (SME) in working sessions to improve standardization of risk data

5. Communicate Risk Management Performance
- Develop risk dashboards for Commands and Field as well as senior leadership
- Demonstrate linkage of risk management processes to measures of business performance and measures of risk thresholds

6. Implement Concise Risk Assessment Processes
- Develop efficient, targeted Process Risk Self Assessments (PRSA)
- Emphasize value to Commands and Field
- Leverage existing documentation to develop process maps of key processes and programs

7. Focus Working Groups and Committees
- Working groups and committees should be mindful of the risks associated with the objectives and outcomes they are trying to achieve

8. Leverage Internal Control Points of Contact (POC)
- Leverage the organization's existing MICP personnel and structure

9. Develop Adequate Guidance
- Set up a forum of managers where they are able to identify their problems/risks and share best practices

10. Provide Dedicated Training
- Provide risk management training to help integrate risk management tactics

What is Process Risk Self Assessment?
- A robust, standard approach designed to assess the effectiveness of risk management and control processes and report results
- A methodology for focusing on significant risks and key controls
- A standard process providing documented support for the Annual Statement of Assurance and a means to generate risk and control data
- A bottom-up approach to systematically implement operational risk management capabilities to detect, prevent, and correct risk events
- A method to improve risk management and reduce loss
- A means to provide decision makers with information to support control assessments and enable risk-informed decisions

Process Risk Self Assessments Ensure Controls are Effectively Executed

Control types, from most to least effective/desirable:
1. Systemic Preventive (e.g., a system edit prevents an unapproved action)
2. Systemic Detective (e.g., a system report identifies unapproved activity)
3. Manual Preventive (e.g., employees receive annual training on policy requirements)
4. Manual Detective (e.g., an employee reviews receipts for any non-approved activity)

Key Components:
- Written policies for executing selected risk responses
- Processes and procedures
- Management and human capital assigned as risk and process owners
- Review of performance measures

Progress to Date:
- Policies, procedures, and reference manuals developed with reference to risk activities

Opportunities to Enhance Control Activities:
- Implement policies and procedures that assign risk responses to process owners
- Establish clear accountability by establishing process and control owners
- Leverage control testing as part of the Process Risk Self Assessment process to review control quality

Four Process Steps Drive Process Risk Self Assessment

Identify:
- Collect critical process list
- Create/update process maps
- Identify critical processes
- Capture and catalog processes

Evaluate:
- Perform process-based risk and control assessments
- Analyze risk events, evaluate results, and implement corrections

Report:
- Maintain the Risk Management Tool
- Create customized dashboard reports
- Generate reports for all risk stakeholders

Monitor:
- Track metrics
- Monitor risk management performance
- Follow up on corrective actions

OBJECTIVE: Get the chicks safely across the road

RISK: The chicks may be too small to safely cross the drain

RISK ASSESSMENT: Failed to assess the risk of crossing the drain

RISK RESPONSE: Call the fire department

RESULTS: All the chicks are safe