How Internal Audit Can Help Promote Effective ERM - ACUIA


How Internal Audit Can Help Promote Effective ERM
Alan N. Siegfried, MBA, CPA, CIA, CISA, CBA, CRMA, CFSA, CCSA, CITP, CGMA, CSP
June 18, 2014

Alan Siegfried Professional Bio
- Principal and Managing Director, Quetzal GRC, LLC
- Over 30 years of private and public sector experience in accounting, internal auditing, risk management, internal controls, information technology auditing processes, operations, and business processes and strategy
- Board and Audit Committee member, Bon Secours Health System; Audit Committee member, UNICEF
- Former Internal Audit Partner at Ernst & Young, Deloitte and Grant Thornton
- Former Director of Internal Audit, Bank-Fund Staff FCU
- Former Auditor General, Inter-American Development Bank, and Chief Audit Executive, First Maryland Bancorp
- Former Chairman of the Board and member of the IIA's North American Board, and member of the IIA's Professional Certification Board
- Widely published and frequent speaker at international internal auditing and risk management events; teaches graduate internal audit courses at the University of Maryland
- Holds 11 professional auditing, risk management and accounting related designations and certifications

Presentation Topics
- Risk and Risk Management
- Characteristics of Effective Risk Management
- Role of Internal Audit
- Consultant vs. Evaluator
- Conclusions

Credit Union ERM – Why We Are Here
Enterprise Risk Management is becoming top of mind for many credit unions:
- Board/supervisory committee members
- Senior management
- Regulatory examiners
- External auditors
Credit unions want to more clearly understand:
- The benefits of ERM
- The goals, objectives, and deliverables of ERM
- The most efficient way to implement ERM

Risk Management Related […]
- […] Requirements
- Complex Business Transactions
- Short Product Cycles
- Explosion of Technology
And they are interconnected, with a cascading impact.

What is Driving ERM?
- Huge changes in the operating environment:
  - Margins are eroding
  - Delinquencies & charge-offs have increased drastically
  - Fee income is steadily becoming more important
  - Regulations are changing
  - GAAP is inadequate and may very likely change
  - IT risk management requirements will increase
- Efficiency (output/input) is critical
- Less room for errors and surprises, i.e. risk
- Regulators are extending risk management requirements

Key Risk Data
An NC State University study found:
- 91% of respondents felt at least somewhat strongly that the number and complexity of risks has increased over the last 5 years
- 69% of respondents have experienced a significant operational surprise over the last 5 years
Source: NC State University's ERM Initiative, "Report on the Current State of Enterprise Risk Oversight"

What's Different About ERM?

Criteria | IT Security | Internal Audit | Compliance | ERM
--- | --- | --- | --- | ---
"Customer" | IT, NCUA | Supervisory Committee, Board of Directors | NCUA, Regulatory Agencies, Governments | Board, executive management, members, employees
Scope | Information Technology | Operations, financial reporting, IT | Various | Strategy, operations, policy
Goals | Privacy, Confidentiality, Survivability | Assurance, operational efficiency, deficiency reporting & mitigation | Avoid fines and legal costs. "Pass the test". Preset standards | Understand goals, proactively guide actions to achieve them
Standards | COBIT, NIST, OCTAVE | IIA, AICPA | Various | COSO 2013, ISO 31000
Penalties | Fines, legal costs, member costs, NCUA actions, reputation | Management reputation, undetected control deficiencies | Fines, legal costs, corrective action costs | Poor business decisions. Ineffective business practices
Documents | Automated and compiled | Manual and detailed | Mixed and detailed | "Just enough"

Evolution of Audit & ERM (timeline): Best Practice Audit Approach (…s) → COSO Framework (ERM), 2004 → COSO 2013 Framework, 2013

What is Risk?
The possibility of an event occurring that will have an impact on the achievement of objectives.
A prerequisite to any risk discussion in an organization: you must know the organization's objectives.
Risk is measured in terms of impact and likelihood.
Source: The Institute of Internal Auditors (IIA)

Risk Heat Map (figure: risks A–P plotted by Impact, V. Low to V. High, against Likelihood, V. Low to V. High; the high-impact/high-likelihood region is marked "Key Risks")
- A: Perception of financial soundness
- B: Lack of business continuity plan
- C: Attract profitable member relationships
- D: Risk of loss of member data
- E: Ability to build brand (penetration)
- F: Innovate products for customers
- G: Systematically meet regulatory requirements
- H: Manage instances of internal fraud
- I: Manage instances of external fraud
- J: Third-party/vendor risk
- K: Lack of robust internal control system
- L: Ability to meet customer demands for credit
- M: Ability to manage market risk
- N: Ability to manage credit risk
- O: Ability to access capital
- P: Ability to grow operations in current environment

Risk Management Decision Matrix

 | Short Term | Long Term
--- | --- | ---
Multiple Inter-related Scenarios | Panic (Run, Scurry, Flee) | Real Options (Maintain Ability to Change Course)
Simple Risk & Control | Development (Prevent) | Monitor, Measure, and Remediate/On-Going

Risk and Cost Relationship (figure: "The Risk Management Curve", Exposure plotted against Level of Effort; High Priority Activities at the low-effort end, an Optimum Level of Effort in the middle, and a region where the remaining risk should be accepted)

What is Risk Management?
The processes performed and actions taken by management to understand and deal with uncertainties (i.e., risks and opportunities) that could affect the organization's ability to achieve its objectives.

Managing Performance (figure: Organizational Performance driven by Objectives & […], Customers, Technology, People, Money)

COSO Definition of ERM
ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)

Risk Management Principles
Assess Risk:
- State your objectives
- Identify the most critical areas of risk (risk assessment); keep in mind that you may not have seen the impact yet!
- Gather and analyze the relevant data
Manage Risk:
- Exercise sound judgment
- Identify potential root causes (WCGW: what could go wrong)
- Determine the best response
- Document and train
- Monitor, audit, and assure (and measure)

What is ERM supposed to do?
- Quickly identify emerging risks and problem areas before they escalate and cause serious harm
- Reduce the incidence of serious negative surprises that undermine stakeholder confidence
- Enable the organization to more effectively take advantage of opportunities
- Reduce response time for emerging risks
- Demonstrate to stakeholders that reasonable risk management processes are in place
- Provide an efficient way to manage and measure risks consistently across the enterprise

Traditional Risk Management ("Silo" or "Stove-Pipe" Risk Management): […] Risks, Human Capital Risks, IT Risks, Legal Risks and Reputation Risks are each managed separately.

ERM Brings Risks Together (figure: Value Creation and Preservation; Enterprise Focus on […] Risks, Human Capital Risks, IT Risks, Legal Risks, Reputation Risks)
Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures to evolve from Risk Management to Risk Intelligence.

Risk Management Compared to Audit

Audit | Risk Management
--- | ---
Independent from Management | Part of Management (like HR, Accounting, IT)
Assurance | Support
Evaluators & Recommenders | Deciders & Implementers
Protects Assets | Seeks Profit
High Likelihood/Low Impact | Low Likelihood/High Impact
Evaluates Controls | Is a Control

What is ERM NOT supposed to do?
- Be just one more audit
- Be just one more compliance exercise
- Be done ONLY by audit or risk management; risk management is part of the decision-making process
- Prevent healthy risk taking; a good risk manager is a good risk taker

Rewarded Versus Unrewarded Risks
Rewarded Risks (opportunities to take risk): risks that are expected to bring some benefit if properly managed
- Interest Rate Risk
- Credit Risk
- Liquidity Risk
- Strategic Risks
Unrewarded Risks: those for which there is only a downside
- Transaction Risk
- Compliance Risks
- Reputation Risk
- Financial Reporting (Accounting) Risk

Managing Three Types of Risk
- Risks that impact the entire CU industry
- Risks that threaten the entire credit union
- Risks that threaten a part of the credit union

Maintaining a Balanced Focus on Risk (figure: three layers of increasing ERM program focus, from Creating Value at the top to Protecting Assets at the bottom)
STRATEGIC RISKS
- Senior Management ERM Agenda
- Board and Supervisory Committee Oversight of Risk Mgmt
- Executive Risk Dashboard/Report
- SWOT (risk review) with strategic planning
EXECUTION RISKS
- Credit, Market Risk Management Processes
- Operational Risk Focus
- Risk Analysis Techniques
OPERATIONS & COMPLIANCE RISKS
- Procedures, Controls, Insurance
- Business Area Risk Reviews
- Key Risk Indicators
- Early-warning Signals
The ERM program should help the organization to maintain a balanced focus on value creation (rewarded risk taking) as well as value protection (unrewarded risk mitigation). The program must be periodically assessed for effectiveness and continuously improved.

NCUA/AICPA to COSO Mapping

NCUA/AICPA Risk Category | COSO Category
--- | ---
Strategy | Strategy
Reputation | Strategy
Interest […] | […]
[…] | Reporting
Fraud | Operations
Information Technology | Operations

Effective Enterprise Risk Management
Nine Principles for Building a Risk Intelligent Enterprise:
- Common Definition of Risk
- Common Risk Framework
- Roles & Responsibilities
- Transparency for Governing Bodies
- Common Risk Infrastructure
- Executive Management Responsibility
- Objective Assurance and Monitoring
- Business Unit Responsibility
- Support of Pervasive Functions
Copyright 2009 Deloitte Development LLC. All rights reserved.

ERM Organizational Maturity
1: Unaware
- Ad-hoc/chaotic
- Depends primarily on individual heroics, capabilities and verbal wisdom
2: Fragmented
- No focus on risk interlinkages
- Limited alignment of risk to strategy
- Disparate monitoring
- Reaction to adverse events by specialists
- Discrete roles established for small sets of risks
3: Top-down
- Policies, risk authorities defined and communicated
- Routine risk assessments
- Communication of key risks to the Board/Executive Committee
- Dedicated team
- Primarily qualitative
- Reactive
4: Systematic
- Coordinated risk management activities across silos
- Risk appetite is defined
- Enterprise-wide risk monitoring, measuring and reporting
- Training
- Integrated response to adverse events
- Rapid escalation
- Proactive
5: Risk intelligent
- Embedded in decision making
- Early-warning risk indicators
- Linkage to performance measurement and incentives
- Risk modeling and scenarios
- Industry benchmarking
- Sustainable
- Technology implementation
Maturity axis, from un-rewarded risk ("Do we comply with relevant laws and regulations?", "Are we doing the things right?") to rewarded risk ("Do we have integrated management information?", "Are we doing the right things?").
Copyright 2009 Deloitte Development LLC. All rights reserved.

Internal Audit's Role in ERM

Core internal audit roles in regard to ERM | Legitimate IA roles with safeguards | Roles internal audit should not undertake
--- | --- | ---
Assurance on the risk management processes | Facilitating identification & evaluation of risks | Setting the risk appetite
Assurance that risks are correctly evaluated | Coaching management in responding to risk | Imposing risk management processes
Evaluating risk management processes | Coordinating ERM activities | Management assurance on risks
Evaluating the reporting of key risks | Consolidated reporting on risks | Taking decisions on risk responses
Reviewing management of key risks | Maintaining & developing the ERM framework | Implementing risk responses
 | Developing RM strategy for board approval | Accountability for risk management
 | Championing establishment of ERM | 

Internal Audit's Role in ERM: Advisor or Evaluator
Evaluator (assurance roles):
- Assurance on the risk management processes
- Assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing management of key risks
Advisor (consulting roles, with safeguards):
- Facilitating identification & evaluation of risks
- Coaching management in responding to risk
- Coordinating ERM activities
- Consolidated reporting on risks

Questions
Alan N. Siegfried, CPA, CIA, MBA
Managing Director, Quetzal GRC
Alan.Siegfried@QuetzalGRC.com
410-570-5400
