Enterprise Risk Management Defined and Explained


Council of Engineering and Scientific Society Executives, ACCESSE16, July 27, 2016
Paul Klein, Managing Director, Not-for-Profit Atlantic Coast Market Territory Business Advisory Services Leader

Defining risk
Threats: the probability of damage, injury, liability, loss, or other negative consequence that is caused by external or internal vulnerabilities, and that may be avoided through preemptive action.
Opportunities: the lost prospects of achieving positive outcomes due to conservative management that relies on eliminating potential negative consequences through avoidance.

Evolution of risk management
- Traditionally, risk management focused on minimizing insurable risks due to accidental loss.
- Risk management evolved to include other risk transfer and risk mitigation strategies.
- Enterprise risk management further elaborates this in the context of threats to achieving strategic goals and opportunities to advance the mission.

What is ERM?
"... a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, providing reasonable assurance regarding the achievement of entity objectives."
Source: COSO ERM Integrated Framework, Executive Summary, September 2004

Differences between Enterprise and Internal Audit risk assessments
Internal Audit Risk Assessment:
- Focus on internal, controllable risks
- Risks viewed in the context of vulnerabilities
- Risk managed through controls that reduce/eliminate risk
- Evaluation of risk owned by internal auditor
Enterprise Risk Assessment:
- Focus on internal and external risks
- Risks viewed in the context of organizational strategy
- Risk managed through a broader variety of techniques
- Evaluation of risk owned by everyone

ERM objectives
- Provide increased visibility to the most significant risks impacting the institution
- Provide a platform for broad discussion and evaluation of appropriate levels of risk-taking consistent with risk tolerances
- Focus management's risk management efforts by identifying and reporting emerging risks that could jeopardize the institution's mission and strategy
- Serve as a foundation for an on-going risk monitoring process
- Provide the leadership team with increased visibility to the most significant risks to the institution

ERM scope
- Strategic risks that may impact the institution's ability to achieve its strategic priorities and fulfill its mission
- Financial risks that may affect stewardship and accountability for organizational assets
- Business, operational, and program risks
- Regulatory compliance
- Reputational risks
- Information technology risk
- Emergency preparedness

Current state of ERM
- ERM processes at many institutions are still developing
- For-profits are further along in their ERM efforts than NFPs, partly due to regulatory requirements and stockholder demand for greater value
- Most organizations need to place a stronger focus on strategic risks
- While Boards are recognizing their risk oversight responsibilities, the level of oversight still varies greatly

Sample NFP Risk Universe
- Strategy and Initiatives: Vision and Direction; Planning and Execution; Measurement and Monitoring; Organizational Structure; Restructuring and Alignment; Innovation; Brand and Reputation
- Partnerships and Collaborations: Integration; Alliances and Partnerships
- Communication: Policy and Advocacy; Crisis Communications; Employee Communication; Media Communications
- Market Dynamics: Competition; Demand; Socio-Political; Strategic
- Operations: Program Service & Delivery; Membership Model; Supplier / Vendor Management; Contract Commitment; Procurement; Infrastructure and Assets; Project Planning and Management; Construction and Maintenance
- People: Culture; Recruiting and Retention; Development and Performance Measurement; Succession Planning; Compensation and Benefits
- Information Technology: Security/Access; Availability/Continuity; Application Development; Data Integrity; IT Project Management; Network Planning
- Hazards: Natural Events; Terrorism and Malicious Events; Disaster Response; Safety
- Governance: Board Performance; Tone at the Top; Control Environment; Social Responsibility; Policies and Procedures; Code of Conduct
- Ethics: Fraud
- Legal: Contracts; Liability; IP Infringement; Compliance
- Regulatory Compliance: Labor Practices (EEOC); Environment (EPA); Data Protection and Privacy; Health and Safety (EH&S)
- Financial, Liquidity and Credit: Income Diversification; Debt Management; Credit and Collections (post-transaction); Insurance; Healthcare Costs
- Accounting: External Reporting and Disclosure; Internal Reporting
- Tax: Tax Strategy and Planning
- Reputational, Image and Branding: Public Relations; Brand Perception; Media
- Stakeholder Relations: Member Relevance; Donor Communication; Constituent Expectations

Participation in the ERM process: Board of Directors
- Oversee the ERM program
- Set the tone for organizational risk appetite
- Review the risks identified by management
- Endorse management's assessment of risks
- Review effectiveness of risk mitigation efforts
- Monitor compliance with risk mitigation policies and procedures, as well as changes in the risk environment

Participation in the ERM process: key questions the Board should be asking
- How often are we refreshing our assessment of top risks?
- Who is accountable for results?
- How are we monitoring and managing the top risks?
- What progress are we making to further mitigate top risks?
- Do we have responses prepared for extreme events (the "black swans")?

Participation in the ERM process: Management
- Implement and manage ERM processes
- Align the ERM program to strategic goals and objectives
- Set the tone for staff
- Identify and prioritize risks
- Establish risk responses and mitigation practices
- Report to the Board

High level ERM process (cycle diagram): ERM Strategy and Framework; Strategic Risk Assessment; Risk Response; Action Planning; Ongoing Communication, Reporting, and Monitoring.

Using ERM as a strategic advantage
Low value ERM:
- Compliance focused
- Large inventory of risks and extensive risk mapping
- Risk mitigation to safeguard the organization
- Risk management activities are separate from strategic and operational decision-making
- Perceived as a necessary effort
- Delegated to lower level staff
High value ERM:
- Value and opportunity focused
- Fewer risks, focused on significant gains/losses
- Risk optimization to maximize value
- Risk management is incorporated in strategic and operational decision-making
- Perceived as a cultural imperative
- Participation at all levels of the organization

Getting your ERM initiative started
- Seek board and senior management leadership, involvement, and oversight
- Select a strong leader to drive the ERM initiative
- Establish a risk management committee or working group
From COSO, Embracing Enterprise Risk Management: "Perfect is the enemy of good enough! The most important thing is to get started."

ERM the project
- Phase 1: Understand Business Environment
- Phase 2: Develop Risk Universe and Assess Risks
- Phase 3: Determine Risk Responses
- Phase 4: Design Ongoing ERM Processes
- Phase 5: Monitor Risk Universe
- Train and embed ERM guiding principles and processes

Implementing ERM, Phase 1: Understand the business environment
- Review relevant documentation
- Conduct an ERM kick-off meeting
- Conduct an introductory training session for senior management
- Facilitate Board dialog on risk
- Interview senior management and selected members of the Board of Directors
- Establish a committee responsible for risk management processes and activities

Implementing ERM, Phase 2: Develop risk universe and assess risks
- Define the glossary of risk terminology
- Establish a framework for describing and evaluating risks
- Create the risk register
- Confirm and hone the list with management
- Evaluate risks, assessing risk impact, likelihood, velocity, and duration
- Identify risk categories and common themes
- Prioritize risks

Risk evaluation framework: IMPACT
Overall risk rating by impact area, with the description for each of Low / Medium / High:
Strategy
- Low: Achievement of strategic goals is delayed; customers are inconvenienced; minimal attrition can be expected (<1%)
- Medium: Achievement of strategic goals is blocked / management must reconsider initiatives; customer attrition is likely
- High: Existential risk to the organization; significant impediment to attracting and retaining customers
Operations / Financial / Personnel / Technology
- Low: Changes required may be accomplished within operating budget parameters without significantly affecting other initiatives
- Medium: Changes require significant use of resources and require Board action; unrestricted net assets stay mostly intact (<=$500k)
- High: Changes require significant use of resources and require Board action; significantly erodes unrestricted net assets (>$500k)
Legal / Compliance
- Low: Low probability of successful lawsuit / sanctions against the organization (<15%); financial exposure is minimal (<$10,000)
- Medium: Heightened probability of successful lawsuit / sanctions against the organization (15%-50%); financial exposure would leave unrestricted net assets mostly intact (<=$500k)
- High: High probability of successful lawsuit / sanctions against the organization (>50%); financial exposure of a successful suit significantly erodes unrestricted net assets (>$500k)
Fraud
- Low: Minor amount of resources affected by fraud. Control structure exists, but does not operate sufficiently to prevent/deter/detect fraud.
- Medium: Significant amount of resources affected by fraud. Control structure exists, but does not operate sufficiently to prevent/deter/detect fraud; or: minor amount of resources affected by fraud, but control structure is insufficient to prevent/deter/detect fraud (control design weakness).
- High: Significant amount of resources affected by fraud. Control structure is insufficient to prevent/deter/detect fraud (control design weakness).
Opportunity
- Low: Little or minimal loss of potential revenue opportunity by not mitigating the identified risk
- Medium: Material loss of potential revenue opportunity (<=$500k)
- High: Significant loss of potential revenue opportunity (>$500k)
Reputation
- Low: Little to no external reaction expected; only a small constituency or interest group takes note
- Medium: External reaction expected from a broad constituency or interest group, but unorganized
- High: Significant external reaction expected from a broad constituency or interest group; risk event is noted on a national scale; causes constituents to organize against the organization or distance themselves from the organization

Risk evaluation framework: VELOCITY, DURATION and LIKELIHOOD
Velocity (speed with which the risk creates impact):
- Slow: greater than 24 months
- Moderate: 12-24 months
- Fast: less than 12 months
Duration (anticipated duration that the impact will be felt):
- Short: less than 6 months
- Moderate: 6-12 months
- Long: greater than 12 months
Likelihood (probability of occurrence):
- Remote: < 5% in one year, or once in 20 years
- Unlikely: 5-20% in one year, or once in 15-20 years
- Possible: 20-40% in one year, or once in 10-15 years
- More Likely than Not: 40-60% in one year, or once in 5-10 years
- Probable: 60-80% in one year, or once in 2-5 years
- Nearly Certain: > 80% in one year, or once in 1-2 years

Sample risk categories: Strategy; Operations; Technology; Personnel; Finance; Compliance; Regulations; Reputation; Governance; Fraud; Environment

Sample risk register (risk catalog)
Columns: Risk area; Short name; Risk description; Overall impact; impact by area (Strategy, Operations, Financial, Compliance, Fraud, Legal, Personnel, Opportunity, Reputation, Technology); Likelihood; Velocity; Duration; Trend. Areas not listed for a row are rated Low.
- Emergency preparedness / Business continuity: Failure to recover from an event that significantly disrupts operations and threatens business continuity. Overall impact High (Operations High, Financial High); Likelihood Possible; Velocity Fast; Duration Short; Trend Increasing.
- Emergency preparedness / Natural disasters: Failure to maintain practices for emergency/disaster preparedness in the event of natural disasters. Overall impact High (Operations High, Financial Medium); Likelihood Remote; Velocity Fast; Duration Medium; Trend Steady.
- Emergency preparedness / Violence or terrorism: An act of violence / terrorism affects the facility or neighborhood, resulting in business interruption, injury, or damage to facilities. Overall impact High (Operations High, Financial Medium); Likelihood Remote; Velocity Fast; Duration Medium; Trend Steady.
- Financial / Exchange rate volatility: Impact of exchange rate variations when doing business internationally. Overall impact Medium (Financial Medium); Likelihood Possible; Velocity Fast; Duration Short; Trend Increasing.
- Financial / Financial fraud: Failure to protect the organization against any financial (e.g., treasury and cash management) fraud or malpractice. Overall impact High (Financial High, Compliance Medium, Fraud High, Legal Medium, Reputation High); Likelihood Remote; Velocity Slow; Duration Medium; Trend Steady.
- Brand / Protecting IP: Failure to adequately protect intellectual property from unauthorized access or sharing by users. Overall impact High (Financial High); Likelihood More Likely than Not; Velocity Medium; Duration Medium; Trend Increasing.
- Strategy / Government funding, mandates, and embargos: Failure to adapt to the shift in government funding to agencies and research institutions, as well as to mandates and embargos on government funding. Overall impact Medium (Strategy Medium, Financial Medium); Likelihood Probable; Velocity Medium; Duration Long; Trend Increasing.
- Technology / IT security practices: Failure to create and maintain adequate security measures to safeguard against threats, including security policies and procedures. Overall impact High (Operations High, Financial High, Opportunity Medium, Technology High); Likelihood Possible; Velocity Medium; Duration Medium; Trend Increasing.
- Technology / Protect enterprise data: Failure to properly secure enterprise data from data servers and employee computers. Overall impact High (Operations Medium, Financial High, Reputation Medium, Technology Medium); Likelihood Possible; Velocity Fast; Duration Medium; Trend Steady.
- Technology / Protect malicious activity of vendors: Failure to adequately monitor and protect access to various SaaS (cloud-based) systems from malicious usage by vendors. Overall impact Medium (Operations Medium, Financial Medium, Reputation Medium, Technology Medium); Likelihood Possible; Velocity Medium; Duration Medium; Trend Steady.

Implementing ERM, Phase 3: Determine risk responses
- Map risk management activities
- Ascertain institutional risk tolerance/appetite
- Assess gaps in risk response capabilities
- Develop an action plan to further reduce risk exposure
- Review analysis and plans with executives and the Board
- Execute approved action plans

ERM working document (template)
Columns: Risk events; Current risk profile (Impact, Likelihood); Current risk mitigation activities; Required action items; Future risk profile (Impact, Likelihood). Rows 1 through 9 are left blank for the risk events.

Tips for improving your ERM efforts: align responses to your risk appetite
- Intolerable: Completely avoid/eliminate the risk
- Highly undesirable: Accept the risk only if essential and there is a limited possibility/extent of failure
- Manageable: Accept the risk if benefits outweigh negative consequences (justified risk); manage impacts
- Negligible: Accept the possibility of failure if it maximizes returns; monitor the risk for changes in risk profile

Sample ERM heat map, Area of Focus: Technology
Axes: Likelihood (L / M / H, vertical) against Impact (L / M / H, horizontal).
Risk events: 1 Cyber threats; 2 Back-up and recovery; 3 Optimizing systems; 4 IT governance; 5 Access to budgets; 6 Technology investments; 7 Help desk; 8 Policies & procedures; 9 Mobility; 10 Availability/reliability; 11 Supplier/contractor activity; 12 End-user training; 13 Balancing costs.
Plotted by likelihood row: High: 1; Medium: 2, 3, 4, 5, 6, 7, 8, 9, 10; Low: 11, 12, 13.
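The evaluation framework (impact by area, likelihood bands, velocity, duration), the sample register and the heat map above are rubrics a risk team applies row by row, and applying them inconsistently is the usual reason two people rate the same risk differently. The Python below is an added example, not the presenter's or Grant Thornton's material, that encodes those rubrics so register rows are rated the same way every time and can be sorted and placed on the heat map. Several points are assumptions, labelled in the comments: each band's lower bound is treated as inclusive; overall impact is taken as the highest area rating (an inferred rule that reproduces the Overall Impact column of every sample register row); the six likelihood ratings are collapsed two-per-level onto the heat map's L/M/H axis; the tie-break order in prioritize is my own; and the annual probabilities and month figures fed to the sample rows are constructed, since the slides give only the resulting ratings.

```python
"""Risk register scoring on the slides' evaluation framework and sample register.
Added example; not the presenter's or Grant Thornton's code."""
from dataclasses import dataclass

LEVEL_RANK = {"Low": 1, "Medium": 2, "High": 3}
IMPACT_AREAS = ("Strategy", "Operations", "Financial", "Compliance", "Fraud",
                "Legal", "Personnel", "Opportunity", "Reputation", "Technology")
# Likelihood bands from the framework slide: (name, min annual probability,
# min recurrence interval in years). Lower bounds are inclusive (assumption:
# the slide does not say which band owns a boundary value).
LIKELIHOOD_BANDS = [
    ("Nearly Certain",       0.80,  1),  # > 80% in one year, or once in 1-2 years
    ("Probable",             0.60,  2),  # 60-80%, or once in 2-5 years
    ("More Likely than Not", 0.40,  5),  # 40-60%, or once in 5-10 years
    ("Possible",             0.20, 10),  # 20-40%, or once in 10-15 years
    ("Unlikely",             0.05, 15),  # 5-20%, or once in 15-20 years
    ("Remote",               0.00, 20),  # < 5%, or once in 20 years
]
LIKELIHOOD_RANK = {name: 6 - i for i, (name, _, _) in enumerate(LIKELIHOOD_BANDS)}

def likelihood_from_probability(annual_probability: float) -> str:
    """Likelihood rating from the probability of occurrence in one year."""
    if not 0.0 <= annual_probability <= 1.0:
        raise ValueError("annual probability must lie between 0 and 1")
    return next(n for n, min_p, _ in LIKELIHOOD_BANDS if annual_probability >= min_p)

def likelihood_from_recurrence(once_in_years: float) -> str:
    """Likelihood rating from a 'once in N years' estimate, using the slide's own
    year ranges rather than 1/N (its two scales are only loosely equivalent:
    once in 3 years is 'Probable' there, not a 33% band)."""
    if once_in_years <= 0:
        raise ValueError("recurrence interval must be positive")
    for name, _, min_years in reversed(LIKELIHOOD_BANDS):
        if once_in_years >= min_years:
            return name
    return "Nearly Certain"  # more often than once a year

def velocity(months_until_impact: float) -> str:
    """Fast < 12 months, Moderate 12-24, Slow > 24."""
    if months_until_impact < 12:
        return "Fast"
    return "Moderate" if months_until_impact <= 24 else "Slow"

def duration(months_impact_felt: float) -> str:
    """Short < 6 months, Moderate 6-12, Long > 12."""
    if months_impact_felt < 6:
        return "Short"
    return "Moderate" if months_impact_felt <= 12 else "Long"

def rate_areas(**rated: str) -> dict:
    """Ten-area impact dict; areas not named default to Low, as most register cells do."""
    return {area: rated.get(area, "Low") for area in IMPACT_AREAS}

@dataclass
class Risk:
    area: str
    short_name: str
    impacts: dict        # impact area -> "Low" | "Medium" | "High"
    likelihood: str
    velocity: str
    duration: str
    trend: str           # "Increasing" | "Steady" | "Decreasing"

    def overall_impact(self) -> str:
        # Highest rating across the ten areas. The slide never states this rule,
        # but it reproduces the Overall Impact column of every sample register row.
        return max(self.impacts.values(), key=LEVEL_RANK.__getitem__)

    def heat_map_cell(self) -> tuple:
        # (likelihood, impact) on the heat map's L/M/H axes; collapsing the six
        # likelihood ratings two-per-level is an assumption.
        rank = LIKELIHOOD_RANK[self.likelihood]
        return ("L" if rank <= 2 else "M" if rank <= 4 else "H", self.overall_impact()[0])

def prioritize(risks: list) -> list:
    """Sort by overall impact, then likelihood, then velocity (Fast first) and
    trend (Increasing first). The tie-break order is an assumption."""
    v_rank = {"Fast": 3, "Moderate": 2, "Medium": 2, "Slow": 1}
    t_rank = {"Increasing": 3, "Steady": 2, "Decreasing": 1}
    return sorted(risks, reverse=True, key=lambda r: (
        LEVEL_RANK[r.overall_impact()], LIKELIHOOD_RANK[r.likelihood],
        v_rank[r.velocity], t_rank[r.trend]))

# Constructed inputs: the area ratings copy four rows of the sample register;
# the probabilities and month figures are invented to exercise the bands.
SAMPLE_REGISTER = [
    Risk("Technology", "IT security practices",
         rate_areas(Operations="High", Financial="High", Opportunity="Medium", Technology="High"),
         likelihood_from_probability(0.30), velocity(18), duration(9), "Increasing"),
    Risk("Technology", "Protect enterprise data",
         rate_areas(Operations="Medium", Financial="High", Reputation="Medium", Technology="Medium"),
         likelihood_from_probability(0.25), velocity(3), duration(9), "Steady"),
    Risk("Technology", "Protect malicious activity of vendors",
         rate_areas(Operations="Medium", Financial="Medium", Reputation="Medium", Technology="Medium"),
         likelihood_from_probability(0.35), velocity(15), duration(8), "Steady"),
    Risk("Financial", "Exchange rate volatility", rate_areas(Financial="Medium"),
         likelihood_from_recurrence(12), velocity(2), duration(3), "Increasing"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.short_name:38} {r.overall_impact():6} {r.likelihood:21} "
              f"{r.velocity:8} {r.duration:8} {r.trend:10} cell={r.heat_map_cell()}")
```

Run as a script it prints the four sample rows in priority order; the two High rows come first, and within each impact level the faster-moving, worsening risk is listed ahead of its peer. The point of keeping the thresholds in one table is that when the Board revises its appetite (say, the $500k net-asset line or the likelihood bands), the change is made once and every register row is re-rated on the same basis.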

Implementing ERM, Phase 4: Design ongoing ERM processes
- Design a continuous risk assessment process that is embedded in the ERM program
- Design a monitoring and event identification process
- Align strategic planning with ERM processes
- Design a communication and reporting process
- Create a long-term awareness and training plan

Implementing ERM, Phase 5: Monitor risk universe
- Monitor changes to identified enterprise risks
- Discuss new and emerging risks
- Reassess action plans
- Update risk universe and prioritization
- Report progress to executives and the Board

Benefits of ERM
- Create clarity of definition and consensus regarding risk
- Protect assets of the organization, especially reputation
- Prevent/reduce the impact of risks
- Provide transparency and accountability
- Increase constituent confidence
- Unify behavior/culture around risk management
- Establish linkage to strategic planning
- Prioritize allocation of resources (to the most significant risks)
- Support mission success

Additional resources for management, Board members, and audit committees: publications for not-for-profit organizations at www.grantthornton.com/nfp

Questions / Comments

Contact information: Paul Klein, Managing Director, Not-for-Profit Atlantic Coast Market Territory Business Advisory Services Leader. T 215.814.1736, E Paul.Klein@us.gt.com