Enterprise Risk Management Integrating With Strategy And Performance: The Auditor's Role

Enterprise Risk Management Integrating with Strategy and Performance: The Auditor's Role

Presenter: Joe Maleszewski (Inspector General and Director of Compliance; Vice President for Audit)
Florida Agricultural and Mechanical University / www.flbog.edu
May 17, 2018; August 25, 2021

Presentation Outline
- Risk
- Risk Management
- Enterprise Risk Management
- Risk Management Frameworks
- COSO ERM Framework
- Role of Audit
- Q&A

RISK: AS OLD AS TIME

Risk Defined
Risk is the probability that an event will occur and adversely affect the achievement of objectives.

Risk Assessment Defined
Risk Assessment is the identification and analysis of risks to the achievement of an organization's objectives for the purpose of determining how those risks should be managed.

TRADITIONAL RISK MANAGEMENT V. ERM

Traditional Risk Management | Enterprise Risk Management
Fragmented | Enterprise-wide
Little or no knowledge of overall organizational risks | Broad perspective on overall organizational risk
Focused on preventing loss within the business unit (tactical) | Focused on enhancing value, capitalizing on opportunities, and managing all risks across the entire organization (strategic)
Scope: physical and financial assets | Scope: entire asset portfolio
Siloed risk mitigation | Enterprise-wide risk mitigation

ERM Milestones

YEAR | MILESTONE
1900s | Risk Management: logical, disciplined approach to future uncertainties
1974 | Gustave Hamilton: Risk Management Circle
1987 | COSO: Report on Fraudulent Financial Reporting
1992 | COSO: Internal Control – Integrated Framework; Cadbury Report: Financial Aspects of Corporate Governance; CoCo: Canadian Institute of Chartered Accountants' Criteria of Control Framework
1993 | Chief Risk Officer
1995 | First risk management standard: AS/NZS 4360
1996 | COBIT: IT Governance
1999 | GAO: Standards for Internal Control in the Federal Government
2004 | COSO: ERM – Integrated Framework
2009 | ISO 31000: suite of risk management standards
2016 | OMB Circular A-123 requires Federal agencies to implement ERM and internal controls
2017 | COSO: ERM – Integrating with Strategy and Performance

About COSO . . .
Originally formed in 1985, COSO is a joint initiative of five private sector organizations (together representing some 600,000 professionals) and is dedicated to providing thought leadership through the development of frameworks and guidance on enterprise risk management (ERM), internal control, and fraud deterrence.

Renewed Focus on ERM
- Economic recessions and corporate scandals
- Constant change in the operational environment – new threats and vulnerabilities
- Increasing public scrutiny
- Increasing expectations from government (do more with less)
- Increasing compliance requirements

What is ERM?
Enterprise Risk Management (ERM) is defined by the Committee of Sponsoring Organizations (COSO) as "a process, effected by an entity's board of directors, management and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."

ERM
- Provides a comprehensive and systematic approach to more proactive and holistic risk management
- Provides a common lexicon of risk terminology, and provides direction and guidance for implementing ERM
- Requires that organizations examine their complete portfolio of risks, consider how those risks interrelate, and that management develop an appropriate risk mitigation approach to address these risks in a manner consistent with the organization's strategy and risk appetite

ERM PROGRAM CHARACTERISTICS
- Enterprise-wide approach
- Executive-level sponsorship
- Defined accountability
- Intentional
- Systematic and structured
- Defined risk appetite
- Establishment and communication of risk management process goals and activities
- Monitored treatment plans

ERM is not
- A silver bullet to prevent risks from occurring
- A methodology or a checklist of items that need to be completed that guarantee results
- The only way organizations can take a more proactive approach to managing risk

ERM Challenges
- ERM is too costly to implement!
- Current staff already have a huge workload!
- We don't have resources for ERM!
- How do staff know what risks they "own"?
- We already do risk assessments!

Key Reminders
- Each organization is unique.
- Each organization needs a tailored approach.
- ERM is not a compliance exercise.
- ERM is a mindset.
- ERM facilitates information-sharing.
- ERM facilitates decision-making.

Where's the Value?
The biggest value in ERM frameworks lies in their promotion of continuous improvement, diligent management practices, and ongoing monitoring.

RISK MANAGEMENT FRAMEWORKS

FRAMEWORK | DESCRIPTION
AS/NZS 4360 | Australian and New Zealand Standard on Risk Management (1995)
ISO 31000 | International Organization for Standardization (ISO) standard, based on AS/NZS 4360
COSO | Enterprise Risk Management Framework: Integrating with Strategy and Performance (2004, updated 2017)

AS/NZS Framework

ISO 31000 – Framework

Enterprise Risk Management Framework: Integrating with Strategy and Performance (June 2017)
Enterprise Risk Management Framework: Integrating with Strategy and Performance, 2017 Committee of Sponsoring Organizations of the Treadway Commission (COSO). All rights reserved. Used with permission.

10 Key Things to Know about the Framework

1) Provides a New Document Structure
- Framework focused on fewer components (five)
- Uses focused call-out examples to emphasize key points
- Follows the business model versus an isolated risk management process

2) Introduces Principles
- 20 key principles in total, grouped within the five components

Governance and Culture (Principles 1–5)
1. Exercises Board Risk Oversight - The board of directors provides oversight of strategy and carries out governance responsibilities to support management in achieving strategy and business objectives.
2. Establishes Operating Structures - The organization establishes operating structures in the pursuit of strategy and business objectives.
3. Defines Desired Culture - The organization defines the desired behaviors that characterize the entity's desired culture.
4. Demonstrates Commitment to Core Values - The organization demonstrates commitment to the entity's core values.
5. Attracts, Develops, and Retains Capable Individuals - The organization is committed to building human capital in alignment with strategy and business objectives.

Strategy and Objective-Setting (Principles 6–9)
6. Analyzes Business Context - The organization considers potential effects of business context on the risk profile.
7. Defines Risk Appetite - The organization defines risk appetite in the context of creating, preserving, and realizing value.
8. Evaluates Alternative Strategies - The organization evaluates alternative strategies and their potential impact on the risk profile.
9. Formulates Business Objectives - The organization considers risk while establishing business objectives at various levels that align with and support strategy.

Performance (Principles 10–14)
10. Identifies Risk - The organization identifies risk that impacts the performance of strategy and business objectives.
11. Assesses Severity of Risk - The organization assesses risk severity.
12. Prioritizes Risks - The organization prioritizes risks as a basis for selecting risk responses.
13. Implements Risk Responses - The organization identifies and selects risk responses.
14. Develops Portfolio View - The organization develops and evaluates a portfolio view of risk.

Review and Revision (Principles 15–17)
15. Assesses Substantial Change - The organization identifies and assesses changes that may substantially affect strategy and business objectives.
16. Reviews Risk and Performance - The organization reviews entity performance and considers risk.
17. Pursues Improvement in Enterprise Risk Management - The organization pursues improvement of enterprise risk management.

Information, Communication, and Reporting (Principles 18–20)
18. Leverages Information Systems - The organization leverages the entity's information and technology systems to support enterprise risk management.
19. Communicates Risk Information - The organization uses communication channels to support enterprise risk management.
20. Reports on Risk, Culture, and Performance - The organization reports on risk, culture, and performance at multiple levels and across the entity.

3) Incorporates New Graphics
- The graphic has stronger ties to the business model

4) Focuses on Integration
- Integrating ERM with business practices results in better information that supports improved decision-making and leads to enhanced performance. It helps organizations to:
  o Anticipate risks earlier or more explicitly, opening up more options for managing the risks
  o Identify and pursue existing and new opportunities
  o Respond to deviations in performance more quickly and consistently
  o Develop and report a more comprehensive and consistent portfolio view of risk
  o Improve collaboration, trust, and information-sharing

5) Emphasizes Value
- Enhances the value focus – how entities create, preserve, and realize value
- Embeds value throughout the framework, as evidenced by its:
  o Prominence in the core definition of enterprise risk management
  o Extensive discussion in the principles
  o Linkage to risk appetite
  o Focus on the ability to manage risk to acceptable levels

6) Links to Strategy
- Explores strategy from three perspectives:
  o Possibility of strategy and business objectives not aligning with mission, vision, and values
  o Implications from the strategy chosen
  o Risk to executing the strategy

7) Links to Performance
- Enables achievement of strategy by actively managing risk and performance
- Focuses on how risk is integral to performance by:
  o Exploring how enterprise risk management practices support risk identification and assessment that impact performance
  o Discussing tolerance for variations in performance
- Manages risk in the context of achieving strategy and business objectives – not as individual risks

8) Recognizes Importance of Culture
- Addresses the growing focus, attention, and importance of culture within enterprise risk management
- Culture influences all aspects of enterprise risk management
- Explores culture within the broader context of overall core values
- Depicts culture behavior within a risk spectrum
- Explores possible effects of culture on decision-making
- Explores alignment of culture between individual and entity behavior

9) Focuses on Decision-making
- Explores how enterprise risk management drives risk-aware decision-making
- Highlights how risk awareness optimizes and aligns decisions impacting performance
- Explores how risk-aware decisions affect the risk profile

10) Builds Links to Internal Control
- The document does not replace the Internal Control – Integrated Framework
- The frameworks are distinct and complementary
- Both use a components-and-principles structure
- Aspects of internal control common to enterprise risk management are not repeated
- Some aspects of internal control are developed further in this framework

Role of Audit
- Renewed focus on ERM
  o More diverse, complex risks
  o More opportunities for internal audit (IA) to lead
- The evolving role of internal audit
  o Educator
  o Consultant
  o Independent assurance provider
- Drawing the boundaries
  o Distinguish decision-making from the consulting/advisory role
  o Communicate to all involved

Definition of Internal Auditing
"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes."

Governance, Control, and Risk Management

Risk Management and Standards
- IIA Standard 2120 – Risk Management: The internal audit activity must evaluate the effectiveness and contribute to the improvement of risk management processes.
- 2120.C3 – When assisting management in establishing or improving risk management processes, internal auditors must refrain from assuming any management responsibility by actually managing risks.

When Lines May Be Blurred
- Facilitating risk assessments/workshops
- Coaching/educating management
- Coordinating ERM activities
- Maintaining the ERM framework
- Acting as ERM champion
- Developing ERM strategy for leadership

What to Avoid
- Helping the organization set the risk appetite
- Developing policies or risk management processes
- Determining the appropriate risk response
- Implementing risk responses
- Ownership of/accountability for risk management functions

Internal Audit – Role in ERM

Summary
- Risk
- Risk Management
- Enterprise Risk Management
- Risk Management Frameworks
- COSO ERM Framework
- Role of Audit
- Q&A

Questions/Comments
