Sharon Hale and John Argodale May 28, 2015
From Dictionary.com:
- Enterprise: A project undertaken or to be undertaken, especially one that is important or difficult or that requires boldness or energy
- Risk: Exposure to the chance of injury or loss; a hazard or dangerous chance
- Management: The act of directing or controlling to bring about or succeed in accomplishing, sometimes despite difficulty or hardship
What is Enterprise Risk Management (ERM)?
All large organizations operate in environments marked by inherent risk. Risk can take many forms:
- Risk of not meeting organizational goals and objectives
- Risks affecting the organization's mission and operations
- Risk of not complying with laws, policies, and regulations
- Cost and schedule risk associated with major programs and initiatives
- Financial risks
- Reputational risks
- Personnel and cultural risks
- Risk of fraud, waste, and abuse
ERM is a process that:
- Is governed by the entity's senior management
- Is applied strategically across the entire enterprise
- Is designed to systematically identify events that may present risk
- Establishes the enterprise's tolerance or appetite for risk
- Identifies those risks that need to be actively managed
- Designs and implements controls to manage risks
- Monitors control effectiveness
- Establishes an appropriate risk response
- Provides reasonable assurance that the entity will achieve its objectives
Committee of Sponsoring Organizations (COSO) of the Treadway Commission
- Developed the COSO Framework for ERM
- Supported by five private sector organizations:
  - Institute of Management Accountants (IMA)
  - American Accounting Association (AAA)
  - American Institute of Certified Public Accountants (AICPA)
  - Institute of Internal Auditors (IIA)
  - Financial Executives International (FEI)
- Provides thought leadership for governance, internal controls, ethics and ERM
- Defines enterprise risk management as: "a process, affected by an entity's board of directors, management and other personnel, applied in a strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
The COSO ERM Framework
- Widely accepted best practice for establishing ERM capabilities
- Used extensively by Federal agencies and the private sector
- The Government Accountability Office (GAO) Standards for Internal Control in the Federal Government are built upon the COSO framework
- Prescribes eight interrelated components that must be executed in order to achieve strategic, operational, reporting, and compliance objectives
- The eight risk management functions collectively comprise a comprehensive risk management framework
- Designed to be implemented across all organizational levels
Primary Operational Risk Management Functions
COSO and industry best practices prescribe that a comprehensive ERM program fully addresses eight core risk management functions.*
- Internal Environment/Governance: Setting the risk culture by defining the way the organization views and addresses risks and controls. The risk management governance structure is established to assign authority and responsibility.
- Objective Setting: Coordination with executive leadership to align operational, compliance, and reporting objectives with risk tolerance.
- Risk Identification: Identification of risk events that may affect the organization's ability to implement its strategy and achieve its objectives and performance goals.
- Risk Assessment: Evaluation of the likelihood and impact of identified risk events, as well as the existing controls that mitigate either the chance of an event occurring and/or the impact if it does occur.
- Risk Response: Selection of risk response options to minimize residual risk.
- Control Activities: Implementation of policies and procedures to execute and monitor risk responses.
- Information & Communication: Identification, capture, and communication of relevant risk information across all organizational levels.
- Monitoring: Continuous monitoring and oversight to identify opportunities for improvement.
* Based on COSO ERM Integrated Framework
[Figure: risk heat map. Likelihood axis: LOW, MEDIUM, HIGH; impact axis: Minimal to Catastrophic; overall scale from MINIMUM to MAXIMUM. Cells are labelled, from least to most severe, Issue, Concern, Problem, Trouble, Big Mess, and Melt Down.]
Relationship of ERM and Internal Controls
[Figure: nested diagram in which Governance encompasses ERM, which in turn encompasses Internal Controls.]
Anticipated Changes to Office of Management and Budget (OMB) Circular No. A-123 for Fiscal Year (FY) 2016
- Draft tentatively titled "Management's Responsibility for Risk Management and Internal Control"
- OMB's vision for the FY 2016 update: "The goal of Circular A-123 is to modernize efforts to implement the Federal Managers Financial Integrity Act (FMFIA) so that it will evolve our existing internal control framework to be more value-added and provide for stronger risk management"
- Detailed framework for evaluating control deficiencies
- Reinforces corrective action planning requirements to address the root causes of control deficiencies
- Introduces ERM to provide for more effective risk management and internal control in the Federal Government
- Adopts additional COSO framework guidance
- Emphasizes governance and internal control relationships
- Revised Annual Statement of Assurance:
  - Internal controls over operations and compliance
  - Internal controls over financial reporting
- Guidance on service organizations' user controls
- Alignment with audit terminology: "significant condition" vs. "reportable condition"
Source: OMB A-123 Update Briefing, April 28, 2015
Most Organizations Implement Some Risk Management Elements but are not Fully Optimized
Challenges to Implementing an ERM Framework
- Leadership
- Culture
- Governance
- Policies not Aligned to Risk Appetite
- Risk Standardization, Response, and Coordination
- Communication
- Organizational Silos
- Command and Control Structures
- Compliance Focus
- Personnel and Resource Constraints
- Technology to Enable Effective and Efficient Risk Management
- Business Process and System Complexity and Maturity
- IT General and Application Controls
The Value Proposition
- The cost of preventive internal controls vs. the cost of cleaning up
- Collaboration between program offices and traditional support offices (Chief Financial Officer (CFO)/A-123 staff)
- Building partnerships with stakeholders to support their cases
- A more risk-enabled performance management culture
- A sustainable approach for an "audit steady" environment
- Strategic alignment: Improve likelihood of achieving objectives
- Effectiveness: Doing the right things and seizing opportunities
- Efficiency: Achieving strategic objectives in a cost-effective manner
ERM Supports Audit Readiness and Enhances the Managers Internal Control Program
Internal Controls Framework (1)
GAO and COSO set five objectives for development of an agency's Internal Controls Program:
- Monitoring: Performance report, review, and systematic oversight
- Information and Communication: Agency communications
- Control Activities: Approvals and clear control owners
- Risk Assessment: Establish process risk self assessment capabilities and risk ranking and prioritization
- Control Environment: Establish and communicate tone at the top and develop policies and procedures
(1) Source: GAO Internal Controls Framework Guidelines and Committee of Sponsoring Organizations (COSO) Internal Control Framework
[Figure: the five components stacked as Monitoring, Information and Communication, Control Activities, Risk Assessment, Control Environment, beside a process-mapping illustration of Unit A and Unit B with Activity 1, Activity 2 and Activity 3, annotated: Map business processes; Identify risks; Link controls to risks; Develop key risk indicators.]
Opportunities
Implementing an effective ERM program provides opportunities to:
- Evolve controls from manual to automated, or from detective to preventive
- Rationalize business processes based on complexity and implement process risk self assessments
- Achieve and sustain a cost-beneficial, audit-ready and audit-steady business environment
Characteristics and Benefits of an Optimized ERM Program
Characteristics:
- Senior management sets the tone from the top
- Governance structure holds appropriate personnel accountable
- Repeatable business processes that address an organization's operational risks
- Methodology includes assessments, risk data capture, analytics, and reporting
- Objective is to improve risk response as an interrelated risk portfolio
- Governance, policies, and standards centrally managed
- Decentralized execution
Benefits:
- Improve Performance
  - Reduce operational losses and surprises
  - Improve compliance
  - Increase change capability
  - Inform operational management decisions
  - Facilitate risk self-identification
  - Support for management assurance statement
- Optimize Costs
  - Aggregate risk transfer and acceptance decisions
  - Eliminate overlapping and unnecessary controls and activities
  - Align risk thresholds to business strategy
- Instill Confidence
  - Protect reputation
  - Integrate risk into planning and strategy
  - Better align resources to missions
  - Reduce waste, fraud, mismanagement
  - Enhance the Managers Internal Control Program (MICP)
Approach to Evolve ERM from Current Level to Optimized
Key Success Factors for Enabling an Optimized Risk Management Program
1. Promote a Risk Management Culture
   - Involve all staff in risk management activities
   - Set up recognition and reward initiatives
   - Define risk management as part of the requirement for all management positions
2. Drive Risk Management from the Top
   - Active engagement from senior leadership in risk processes and meetings
   - Distribute communications and policies directly from leadership
3. Establish Open Communication Channels
   - Communicate the organization's efforts and involve all employees
4. Use Common Risk Language and Tools
   - Create simple, understandable terminology and tools for Command, Field, Installation and Programs
   - Leverage facilitators and risk and control Subject Matter Experts (SME) in working sessions to improve standardization of risk data
5. Communicate Risk Management Performance
   - Develop risk dashboards for Commands and Field as well as senior leadership
   - Demonstrate linkage of risk management processes to measures of business performance and measures of risk thresholds
6. Implement Concise Risk Assessment Processes
   - Develop efficient, targeted Process Risk Self Assessments (PRSA)
   - Emphasize value to Commands and Field
   - Leverage existing documentation to develop process maps of key processes and programs
7. Focus Working Groups and Committees
   - Working groups and committees should be mindful of the risks associated with the objectives and outcomes they are trying to achieve
8. Leverage Internal Control Points of Contact (POC)
   - Leverage the organization's existing MICP personnel and structure
9. Develop Adequate Guidance
   - Set up a forum of managers where they are able to identify their problems/risks and share best practices
10. Provide Dedicated Training
   - Provide risk management training to help integrate risk management tactics
What is Process Risk Self Assessment?
- A robust, standard approach designed to assess the effectiveness of risk management and control processes and report results
- A methodology for focusing on significant risks and key controls
- A standard process providing documented support for the Annual Statement of Assurance and a means to generate risk and control data
- A bottom-up approach to systematically implement operational risk management capabilities to detect, prevent, and correct risk events
- A method to improve risk management and reduce loss
- A means to provide decision makers with information to support control assessments and enable risk-informed decisions
Process Risk Self Assessments Ensure Controls are Effectively Executed
Control types, from more effective/desirable to less effective/desirable:
- Systemic Preventive (e.g., a system edit prevents an unapproved action)
- Systemic Detective (e.g., a system report identifies unapproved activity)
- Manual Preventive (e.g., employees receive annual training on policy requirements)
- Manual Detective (e.g., an employee reviews receipts for any non-approved activity)
Key Components:
- Written policies for executing selected risk responses
- Processes and procedures
- Management and human capital assigned as risk and process owners
- Review of performance measures
Progress to Date:
- Policies and procedures and reference manuals developed with reference to risk activities
Opportunities to Enhance Control Activities:
- Implement policies and procedures that assign risk responses to process owners
- Establish clear accountability by establishing process and control owners
- Leverage control testing as part of the Process Risk Self Assessment process to review control quality
Four Process Steps Drive Process Risk Self Assessment
The four steps form a cycle: Identify, Evaluate, Report, Monitor.
- Identify
  - Collect critical process list
  - Create/update process maps
  - Identify critical processes
  - Capture and catalog processes
- Evaluate
  - Perform process-based risks and controls assessments
  - Analyze risk events, evaluate results, and implement corrections
- Report
  - Maintain Risk Management Tool
  - Create customized dashboard reports
  - Generate reports for all risk stakeholders
- Monitor
  - Track metrics
  - Monitor Risk Management performance
  - Follow up on corrective action
OBJECTIVE: Get the chicks safely across the road
RISK: The chicks may be too small to safely cross the drain
RISK ASSESSMENT: Failed to assess risk of crossing the drain
RISK RESPONSE: Call the fire department
RESULTS: All the chicks are safe