The Board’s Role In Risk Management


The Board’s Role in Risk Management
(Nine Questions Every Board Member Should Ask)
January 28, 2016

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms.

CPE AND SUPPORT

CPE Participation Requirements ‒ To receive CPE credit for this webcast:
- You’ll need to actively participate throughout the program.
- Be responsive to at least 75% of the participation pop-ups.
- Please refer to the CPE & Support Handout in the Handouts section for more information about group participation and CPE certificates.

Q&A:
Submit all questions using the Q&A feature on the lower right corner of the screen. At the end of the presentation, the presenter(s) will review and answer all questions submitted.

Technical Support:
If you should have technical issues, please contact LearnLive:
- Click on the Live Chat icon under the Support tab, OR
- Call: 1-888-228-4088

WITH YOU TODAY

Gerard Zack
Managing Director
BDO USA, LLP
Washington, D.C.
Direct: (202) 644-5404
gzack@bdo.com

Amy Rojik
Partner
BDO USA, LLP
Boston, MA
Direct: (617) 239-7005
arojik@bdo.com

LEARNING OBJECTIVES AND AGENDA
- Understand what makes risk management so much more essential today than ever before
- Determine the best risk management governance structure for your organization (board, committee, management, etc.)
- Identify the strengths and weaknesses of your organization’s risk management framework and processes
- Identify the right questions to ask in fulfilling your responsibilities as a board member

ASK YOURSELF TWO WARM-UP QUESTIONS:
1. Could all of your organization’s senior managers identify the top ten risks that the organization faces, as well as the strategies being employed to address each of these risks?
2. Could all board members explain the organization’s approach to risk management?

RISK
A possible event or circumstance that can have negative influences on the organization
- Internal or external
- Varying degrees of control
- Includes lost opportunity

INTRODUCTION TO RISK MANAGEMENT
- A Brief History of Risk Management
- Factors that Make Risk Management More Essential than Ever

A BRIEF HISTORY OF RISK MANAGEMENT
The Evolution of Risk Management over time:
- 1970s: Hazard Risks
- 1990s: Strategic, Operational, Financial Risks ("ERM")
- 2010s: Comprehensive and Integrated Risk Management

WHAT MAKES IT SO ESSENTIAL?
1. It is the glue that connects strategy with all of our day-to-day activities
2. It is expected by stockholders, customers, regulators, auditors, and others
3. It is the key to minimizing corporate liability (e.g., vicarious liability of the organization for actions taken by employees, agents, etc.)

DO WE NEED ANY MORE EXAMPLES OF POOR RISK MANAGEMENT?
1. Automobile and other product recalls
2. Oil spills and other man-made accidents
3. Insufficient preparation for natural disasters
4. Acquisitions gone bad
5. Accounting frauds

ACCOUNTING FRAUDS?
- Yes – poor risk management is at the heart of most accounting frauds and other intentional acts of non-compliance
- Vast majority of accounting frauds triggered by falling short of a financial target
- Risks leading to the fraud:
  1. Unrealistic targets (a strategic or operational risk), or
  2. Under-performing (target was okay, but unforeseen operational or market risks)

REQUIREMENTS FOR RISK MANAGEMENT
- Dodd-Frank Act: Requires board-level risk committees for public bank holding companies and certain non-public financial institutions
- SEC: Disclosure Requirement in Proxy Statements (starting 2010) requires companies to describe the board’s role in the oversight of risk
- COSO: Framework for internal controls requires risk assessments

COSO – INTERNAL CONTROL
Principle 7: “The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.”
Internal Control – Integrated Framework (2013), Committee of Sponsoring Organizations (COSO)

COSO – INTERNAL CONTROL
Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”
Internal Control – Integrated Framework (2013), Committee of Sponsoring Organizations (COSO)

MINIMIZE CORPORATE LIABILITY
“DOJ and SEC will give meaningful credit to a company that implements in good faith a comprehensive, risk-based compliance program, even if that program does not prevent an infraction in a low risk area because greater attention and resources had been devoted to a higher risk area.”
A Resource Guide to the U.S. Foreign Corrupt Practices Act (2012)

MINIMIZE CORPORATE LIABILITY
“The organization shall periodically assess the risk of criminal conduct and shall take appropriate steps to design, implement or modify each requirement [of the program] to reduce the risk of criminal conduct.”
United States Sentencing Guidelines, Chapter 8 – Sentencing Organizations

AT THE BROADEST LEVEL, RISK MANAGEMENT IS IMPORTANT BECAUSE:
- Every entity exists to realize value for its stakeholders, and
- Value is created, preserved, or eroded by management decisions in all activities, from setting strategy to operating the enterprise day-to-day

WHAT BOARD MEMBERS SHOULD KNOW (i.e., Where are most mistakes made?)
Nine Questions that Every Board Member Should Ask About Their Organization’s Risk Management Practices

EVERYONE HAS A ROLE
- Board: Oversight and direction
- Senior Management: Implement, execute, monitor, report
- Staff: Roles tailored to position, risk awareness

QUESTION NO. 1
Is there a sound governance structure in place for risk management, with well defined roles and open dialogue regarding risk?

THE ROLE OF THE BOARD
“An area of increasing importance for boards and which is closely related to corporate strategy is oversight of the company’s risk management. Such risk management oversight will involve oversight of the accountabilities and responsibilities for managing risks, specifying the types and degree of risk that a company is willing to accept in pursuit of its goals, and how it will manage the risks it creates through its operations and relationships.”
G20/OECD Principles of Corporate Governance (2015)

THREE COMMON MODELS
Risk management oversight by:
1. The full board of directors
2. Adding to the responsibilities of an existing committee (e.g. audit)
3. Establishing a new standing committee solely devoted to risk management

Under all three models, day-to-day risk management should be centered around a senior management official (e.g., Chief Risk Officer)

ROLES OF THE BOARD AND MANAGEMENT

ERM Component    | Board/Committee             | Senior Management
-----------------|-----------------------------|-----------------------
ERM plan         | Support, track progress     | Develop and implement
Risk tolerance   | Debate and approve          | Establish and manage
Risk policies    | Approve and monitor         | Develop and implement
Risk strategies  | Debate, approve, monitor    | Formulate and execute
Key risks        | Provide input and oversight | Manage and measure
Risk reporting   | Monitor, feedback           | Analysis and context

RISK COMMITTEE CHARTER
- Committee and charter referenced in the company’s governing documents (articles, etc.)
- Charter includes details of committee’s:
  - Membership
  - Processes (frequency of meetings, etc.)
  - Responsibilities
  - Authority
  - Reporting

QUESTION NO. 2
Is there a clear understanding of the organization’s appetite to take on risk?

RISK APPETITE
The amount of risk, on a broad level, an entity is willing to accept in pursuit of value. It reflects the entity’s risk management philosophy, and in turn influences the entity’s culture and operating style. Risk appetite guides resource allocation. Risk appetite [assists the organization] in aligning the organization, people, and processes in [designing the] infrastructure necessary to effectively respond to and monitor risks.

WHERE IS THE SWEET SPOT OF RISK AND RETURN?
[Figure: Return plotted against Risk, with the curve labelled from left to right “Too Risk Averse”, “Optimal”, and “Excessive Risk”]

THREE KEY STEPS TO ADOPTING RISK APPETITE
1. Management develops, with board review and concurrence, a view of the organization’s overall risk appetite.
2. This view of risk appetite is translated into a written or oral form that can be shared across the organization.
3. Management monitors the risk appetite over time, adjusting how it is expressed as business and operational conditions warrant.

HOW TO ASSESS RISK APPETITE

QUESTION NO. 3
Is the risk assessment process linked to objectives and strategy established at the organizational and business unit levels?

ENTERPRISE RISK MANAGEMENT (ERM)
“a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework, 2004. COSO: Committee of Sponsoring Organizations.
(Outside the U.S. the risk management model commonly used is ISO 31000)

QUESTION NO. 4
Does the organization have a comprehensive process in place for identifying potential risks?

IDENTIFYING RISKS
Methods:
- Focus groups
- Interviews
- Surveys
- Monitoring of internal data
- External sources (surveys, studies, competitors, etc.)

Best Practices:
- Document inherent risks (i.e., including risks that are assumed to be well controlled)
- Centralize accumulation of identified risks
- Have a process for the identification and documentation of risks outside of the formal risk assessment process
- Don’t be afraid to tackle the difficult risks!

QUESTION NO. 5
Has the organization adopted a risk management framework that has been properly customized to its needs?

THE COSO ERM FRAMEWORK
Entity objectives (and risks) can be viewed in the context of four categories:
- Strategic
- Operations
- Reporting
- Compliance

A TYPICAL FRAMEWORK & PROCESS
1. Establish risk appetite
2. Determine classification system for risks
3. Identify inherent (gross) risks
4. Assess risks using agreed-upon criteria (e.g., impact, likelihood, velocity, trend, etc.)
5. Consider effectiveness of existing controls
6. Measure residual (net) risk
7. If residual risk [exceeds] tolerable risk, design and implement risk mitigation
8. Monitor and report

EXAMPLE OF AN IMPACT ASSESSMENT SCALE FOR THE RISK OF FRAUD

Rating 5 – Catastrophic:
- Financial loss to organization is in excess of 100 million
- International long-term media coverage
- Widespread employee morale issues and multiple senior leaders leave
- Incident must be reported to authorities; significant sanctions and financial penalties result

Rating 4 – Major:
- Financial loss to organization is between 20 million and 100 million
- National long-term media coverage
- Widespread employee morale problems and turnover
- Incident must be reported to authorities and sanctions against company result

Rating 3 – Moderate:
- Financial loss to organization is between 1 million and 20 million
- Short-term regional or national media coverage
- Widespread employee morale problems
- Incident must be reported to authorities and immediate corrective action is necessary

Rating 2 – Minor:
- Financial loss to organization is between 10,000 and 1 million
- Limited local media coverage
- General employee morale problems
- Incident is reportable to authorities, but no follow-up

Rating 1 – Incidental:
- Financial loss to organization is less than 10,000
- No media coverage
- Isolated employee dissatisfaction
- Event does not need to be reported to authorities

EXAMPLE: ASSESSING LIKELIHOOD

Rating | Based on Annual Frequency (Descriptor: Definition)   | Based on Probability of Occurrence (Descriptor: Definition)
-------|------------------------------------------------------|------------------------------------------------------------
5      | Very frequent: More than twenty times per year       | Almost certain: [more than] 90% chance of occurrence
4      | Frequent: Six to twenty times per year               | Likely: 65% to 90% chance of occurrence
3      | Reasonably frequent: Two to five times per year      | Reasonably possible: 35% to 65% chance of occurrence
2      | Occasional: Once per year                            | Unlikely: 10% to 35% chance of occurrence
1      | Rare: Less than once per year                        | Remote: [less than] 10% chance of occurrence

QUESTION NO. 6
How does the organization evaluate the extent to which existing controls and processes mitigate the identified risks?

RESIDUAL RISK
Inherent Risk, adjusted for the Effectiveness of Internal Controls, gives Residual Risk.
- The effectiveness of internal controls can also be “scored” to arrive at the net/residual risk (benefit of controls should not result in net risk of zero, only to “low”)
- Map risks to specific controls
- ID which controls mitigate likelihood (generally preventive and directive controls) and which mitigate impact (generally detective and corrective)
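The impact and likelihood scales above, the inherent-versus-residual distinction, and the rule that controls may bring net risk down to “low” but never to zero can be tied together in a small scoring model. The following is an added worked example, not BDO’s slide material and not COSO tooling: it encodes the deck’s 1-to-5 impact scale for fraud and both 1-to-5 likelihood scales, scores inherent risk as impact multiplied by likelihood, applies a control-effectiveness score to the dimension the control addresses (likelihood for preventive/directive controls, impact for detective/corrective ones), and floors the mitigated dimension at 1. The 0.0-to-1.0 effectiveness score, the boundary convention at exact thresholds, the band labels (taken from the example heat map later in the deck) and the sample register entries are all assumptions.

```python
"""Risk scoring model: impact x likelihood, reduced by control effectiveness.

Added illustration (not BDO's or COSO's own tool). Scales follow the deck's
example tables; effectiveness scale, band cut-offs and sample risks are
assumptions made for this example.
"""
from dataclasses import dataclass


def impact_rating(financial_loss: float) -> int:
    """Map a financial loss to the deck's 1..5 fraud impact rating.
    Assumed boundary convention: a loss exactly at a threshold takes the lower
    rating, matching "in excess of 100 million" for rating 5."""
    if financial_loss > 100_000_000:
        return 5  # Catastrophic
    if financial_loss > 20_000_000:
        return 4  # Major
    if financial_loss > 1_000_000:
        return 3  # Moderate
    if financial_loss >= 10_000:
        return 2  # Minor
    return 1      # Incidental


def likelihood_from_frequency(events_per_year: float) -> int:
    """Deck's annual-frequency scale; fractional rates between bands round down (assumption)."""
    if events_per_year > 20:
        return 5  # Very frequent
    if events_per_year >= 6:
        return 4  # Frequent
    if events_per_year >= 2:
        return 3  # Reasonably frequent
    if events_per_year >= 1:
        return 2  # Occasional
    return 1      # Rare


def likelihood_from_probability(p: float) -> int:
    """Deck's probability-of-occurrence scale, p in 0.0..1.0."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("probability must be between 0.0 and 1.0")
    if p > 0.90:
        return 5  # Almost certain
    if p >= 0.65:
        return 4  # Likely
    if p >= 0.35:
        return 3  # Reasonably possible
    if p >= 0.10:
        return 2  # Unlikely
    return 1      # Remote


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                   # 1..5, from impact_rating()
    likelihood: int               # 1..5, from one of the likelihood functions
    control_effectiveness: float  # assumed scale: 0.0 = no mitigation .. 1.0 = fully effective
    mitigates: str                # "likelihood" (preventive/directive) or "impact" (detective/corrective)

    def __post_init__(self):
        if not (1 <= self.impact <= 5 and 1 <= self.likelihood <= 5):
            raise ValueError("ratings must be 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control effectiveness must be 0.0..1.0")
        if self.mitigates not in ("likelihood", "impact"):
            raise ValueError("mitigates must be 'likelihood' or 'impact'")


def inherent_score(risk: Risk) -> int:
    """Gross risk before controls: impact x likelihood, range 1..25."""
    return risk.impact * risk.likelihood


def residual_score(risk: Risk) -> float:
    """Net risk after controls. The dimension the control addresses is scaled
    down by effectiveness but floored at 1, so residual risk never reaches zero."""
    remaining = 1.0 - risk.control_effectiveness
    if risk.mitigates == "likelihood":
        return risk.impact * max(1.0, risk.likelihood * remaining)
    return max(1.0, risk.impact * remaining) * risk.likelihood


# Heat-map bands: labels from the deck's example dashboard, cut-offs assumed.
BANDS = [(4, "Low"), (8, "Low to Moderate"), (12, "Moderate to High"), (16, "High")]


def band(score: float) -> str:
    for ceiling, label in BANDS:
        if score <= ceiling:
            return label
    return "Very High"


# Constructed sample register; entries are illustrative, not from the deck.
SAMPLE_REGISTER = [
    Risk("Vendor payment fraud", impact_rating(5_000_000),
         likelihood_from_frequency(8), 0.25, "likelihood"),
    Risk("Financial statement manipulation", impact_rating(150_000_000),
         likelihood_from_probability(0.20), 0.25, "likelihood"),
    Risk("Expense reimbursement abuse", impact_rating(50_000),
         likelihood_from_frequency(30), 0.8, "impact"),
]


def score_register(register):
    """Rows of (name, inherent, residual, band), highest residual risk first."""
    rows = [(r.name, inherent_score(r), residual_score(r), band(residual_score(r)))
            for r in register]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, gross, net, label in score_register(SAMPLE_REGISTER):
        print(f"{name:35} inherent={gross:2d} residual={net:5.2f} {label}")
```

Running the block prints the sample register ordered by residual risk; the third entry shows the floor at work, where an 80% effective detective control on a rating-2 impact still leaves a residual of 5 rather than 2, because the impact dimension cannot drop below 1.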

QUESTION NO. 7
Are risk metrics properly aligned with identified risks and organizational strategy?

RISK METRICS
- Link each risk to relevant data
- Internal and external data
- Categories of risk data:
  - Leading indicators
  - Internal control indicators (i.e. breakdowns in controls)
  - Event indicators
  - Lagging indicators
- Centralized vs. de-centralized data monitoring
- Dashboard reporting

QUESTION NO. 8
How have risk awareness and risk management been embedded into the daily activities of the organization?

EMBED RISK MANAGEMENT VIA:
1. Training
2. Periodic communications (e-mails, newsletters, etc.)
3. Strategic planning
4. Budgeting
5. Corporate governance
6. Training programs
7. Staff meetings
8. Performance measurement and evaluation

QUESTION NO. 9
Is there an ongoing dialogue about risk within and between each level of the organization?

KEEP THE DIALOGUE OPEN
- Risk management is an ongoing process, not a periodic step
- Internal risk committee
- Brainstorm the “unknown” risks (it’s easy to talk only about the “known” risks)
- Periodic reporting to board/committee
- The board needs to know “what are our organization’s most critical risks and what are we doing about them?”

EXAMPLE DASHBOARD OF A HEAT MAP
[Figure: heat map with Impact on the vertical axis (Low to Very High) and Likelihood on the horizontal axis (0 to 12), numbered risks plotted in bands labelled Low, Low to Moderate, Moderate to High, High and Very High]

MAKING RISK MANAGEMENT WORK
- Return on Investment
- Common attributes of successful risk management
- Sustainability

WHEN ERM WORKS PROPERLY
- It does more than enable the organization to identify risks in a more timely manner and deal with those risks
- It helps to identify opportunities for the organization
- It enhances the strategic, operational, and financial planning processes

THE RETURN ON YOUR ERM INVESTMENT
- Fewer Risk Events
- Lessen Impact of Risk Events
- Increased Organizational Success
- Capitalize on Opportunities
- Better Allocation of Resources

COMMON ERM ATTRIBUTES & BEST PRACTICE RESULTS

Attribute           | Best Practice Result
--------------------|------------------------------------------------------------------
Program Mindset     | Not a once-and-done exercise
Formal Measurement  | Integrated and cross-functional portfolio view of risk, no silos, with consideration to both up and downside risks
Established Scope   | All key risks addressed, not just financial (e.g., operational and strategic)
Program Purpose     | Long-term approach to using risk-informed decision making to govern the organization in a way that increases organizational value

BUILDING SUSTAINABILITY INTO YOUR RISK MANAGEMENT
- […]able Tools and Templates
- Supported […]
- Properly Governed
- Aligned With the Organization’s Culture

GET TO KNOW BDO
BDO commits significant resources to keep our professionals and our clients up to date on current and evolving technical, governance, industry and reporting developments. Visit http://www.bdo.com for all of our offerings.

To begin receiving email notifications regarding BDO publications and event invitations (live and web-based), visit https://www.bdo.com/member/registration and create a user profile. If you already have an account on BDO’s website, visit the My Profile page to login and manage your account preferences https://www.bdo.com/member/my-profile.

GET TO KNOW BDO – INDUSTRY EXPERIENCE
Industry experience has emerged at the top of the list of what businesses need and expect from their accountants and advisors. The power of industry experience is perspective - perspective we bring to help you best leverage your own capabilities and resources.

BDO’s industry focus is part of who we are and how we serve our clients, and has been for over a century. We demonstrate our experience through knowledgeable professionals, relevant client work and participation in the industries we serve.

A variety of publications and insights depicting specific industry issues, emerging trends and developments are available. For further information on the following BDO industries, please visit https://www.bdo.com/industries.
- Asset Management
- Broker Dealers
- Consumer Business
- Financial Services
- Gaming, Hospitality & Leisure
- Government Contracting
- Healthcare
- Insurance
- Manufacturing & Distribution
- Natural Resources
- Nonprofit & Education
- Private Equity
- Public Sector
- Real Estate & Construction
- Restaurants
- Technology & Life Sciences

EVALUATION
We continually try and improve our programming and appreciate constructive feedback. Following the program, we will be sending out a thank you e-mail that contains a link to a brief evaluation. Thank you in advance for your participation!

CONCLUSION
Thank you for your participation!

Certificate Availability – If you participated the entire time and responded to at least 75% of the polling questions, click the Participation tab to access the print certificate button.

Please exit the interface by clicking the red “X” in the upper right hand corner of your screen.

SPEAKER BIOGRAPHIES
BDO KNOWLEDGE Webinar Series

BIOGRAPHY
Gerard M. Zack, CFE, CPA, CIA, CRMA
BDO Consulting, Managing Director
gzack@bdo.com
Direct: 202-644-5404

Gerry Zack has more than 30 years of experience providing clients with fraud, compliance, and operational risk assessment and mitigation, enterprise risk management, internal and external audit, and investigative services. He has experience designing and delivering internal risk management and risk awareness programs for organizations, as well as anti-fraud and corruption training and education programs for a wide variety of industries and companies worldwide. In addition to serving clients, he held the position of Chief Operating Officer for an international scientific organization for two years, where he oversaw the risk management function of the organization.

Among Mr. Zack’s credentials is a Certification in Risk Management Assurance. For more than 8 years, he has served on the faculty of the Association of Certified Fraud Examiners, providing anti-fraud training to companies of all sizes, including multinational organizations, and was elected to their Board of Regents for 2014 and 2015, serving as Chair for 2015. He is a frequent speaker at national conferences, including several times at AICPA industry conferences. He will be speaking on fraud risk assessments at the 2016 IIA Regional Conference in Memphis this May.

BDO is the brand name for BDO USA, LLP, a U.S. professional services firm providing assurance, tax, advisory and consulting services to a wide range of publicly traded and privately held companies. For more than 100 years, BDO has provided quality service through the active involvement of experienced and committed professionals. The firm serves clients through 63 offices and more than 450 independent alliance firm locations nationwide. As an independent Member Firm of BDO International Limited, BDO serves multi-national clients through a global network of 1,408 offices in 154 countries.

BDO USA, LLP, a Delaware limited liability partnership, is the U.S. member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. BDO is the brand name for the BDO network and for each of the BDO Member Firms. For more information please visit: www.bdo.com.

Material discussed is meant to provide general information and should not be acted on without professional advice tailored to your firm’s individual needs. 2016 BDO USA, LLP. All rights reserved.
