national society of accountants for questionaires and conference calls ... operations risks to...
Post on 21-Apr-2018
216 Views
Preview:
TRANSCRIPT
©20
12 CliftonLarsonA
llen LLP
©
A Practical & Tactical Approach to Implementing Enterprise Risk Implementing Enterprise Risk
Management (ERM)
National Society of Accountants forNational Society of Accountants for Cooperatives (NSAC)
Jennifer Leary, Partner – National Risk Management
©2012 CliftonLarsonAllen LLP1 111
Speaker Bio – Jen LearyJennifer (Jen) Leary, CPA, National Partner – Risk Management for CliftonLarsonAllen
Jen is a National technical partner in CLA’s Business RiskServices consulting practice. She has more than 16 years ofexperience serving clients in a variety of industries on bothinternal and external audit engagements and in variousinternal and external audit engagements and in variousconsulting roles.
Her professional background includes over a decade with an international accounting firm serving clients in the U S andinternational accounting firm serving clients in the U.S. and throughout Europe and Asia. She is also a noted speaker on various topics and trainer of our internal and external teams including Enterprise Risk Management , Internal Controls Process Improvement, Contract Compliance and Acquisitions Consulting.
©2012 CliftonLarsonAllen LLP2
Agenda Topics
1. Briefly summarize ERM (the “technical”)
2. Understanding the ERM maturity model and where you may fit (the “practical”)and where you may fit (the practical )
3. Developing an action plan for implementation (the “tactical”)
4. Questions & Answers4. Questions & Answers
©2012 CliftonLarsonAllen LLP3
PART ONE OF FOUR
Briefly summarize ERM
(the “technical”)(the technical )
©2012 CliftonLarsonAllen LLP4
Why Discuss ERM?
All entities face inherent risk and uncertainty, and the challenge for management is to determine what level of risks to accept as it strives to grow and deliver value, and what costs to incur to manage/mitigate risks throughout the process.
©2012 CliftonLarsonAllen LLP5
What Is Risk Governance?
Directors and management evaluatingmanagement evaluating, monitoring and improving their processes
Compliance
improving their processes for overseeing the company’s framework of
Risk
company s framework of risk assessment and risk management activities
Governance
management activities.
©2012 CliftonLarsonAllen LLP6
Increasing Demand for Enhanced Governance and Risk Oversight
• 2012 Dodd‐Frank Act Rules
o compensation committee independence
o disclosure of pay‐for‐performance, pay ratios, and hedging by employees and directors
o recovery of executive compensation
o reporting over conflict minerals essential for business
o disclosure of government payments to resource extraction issuers, companies engaging in commercial development of oil, natural gas, and minerals
• 2010 SEC Rules to Enhance Corporate Governance Disclosures• 2010 SEC Rules to Enhance Corporate Governance Disclosures
o director and nominee qualifications and legal proceedings
o diversity and director nominations
o board leadership structure and role in risk oversight
o accelerated disclosure of shareholder voting resultso accelerated disclosure of shareholder voting results
• COSO – Enterprise Risk Management Framework
o Provides an organizational scope, emphasis, and program to broaden risk management to an enterprise‐wide emphasis and integrate into corporate strategyp g p gy
• Sarbanes‐Oxley, 2002
o Calls for enterprise‐wide documentation and testing of controls over financial reporting risk
©2012 CliftonLarsonAllen LLP7
Many organizations’ response is to enhance their corporate governance processes by developing and implementing an Enterprise Risk Management process
Evaluating Risk Information: AON 2011 Survey Source: www.aon.com
Industry Sources of Identified Risk
Board Input and Scenario Planning
7%External Service Providers
8%
Other11%
Senior Management Intuition and Experience
8%
42%Business Unit registers Key Risk Indicator
32%
©2012 CliftonLarsonAllen LLP8
Risk Information – AON Survey Source: www.aon.com
Top 10 Risks Facing Organizations:1. Economic Slowdown
2. Regulatory/legislative changes
3 I d titi3. Increased competition
4. Damage to reputation and brand
5. Business interruption5 us ess te upt o
6. Failure to innovate/meet customer needs
7. Failure to attract or retain top talent
8. Commodity price risk
9. Technology failure/system failure
©2012 CliftonLarsonAllen LLP9
10. Cash flow/liquidity risk
PART TWO OF FOUR
Understanding the ERM maturity model and where you may fit y y
(the “practical”)
©2012 CliftonLarsonAllen LLP10
How Are Organizations Implementing?Based on a GAIN Benchmark Study (IIA), the Status of ERM integration
efforts are as follows:
D i d d/ ERM Specific Initiatives Designed and/or Implemented
Periodic enterprise risk assessments performed 52%
Risks aggregated at the corporate level 49%
Enterprise-wide established policies and risk committees 30%
Risk management integrated into business initiatives 30%Risk management integrated into business initiatives 30%
Enterprise risk dashboard 30%
Risk training and knowledge sharing programs 26%
Enterprise wide risk tolerance levels andrisk limits consistent 20%
Risk tolerances linked to strategic objectives 12%
©2012 CliftonLarsonAllen LLP11
A Model for Evaluating Risk Management Capability
1. How capable is your Organization today to manage its risk profile? 2. How capable does it need to be?3. How can it get to its desired state?
• Tone set at the top
• Policies procedures
• Integrated response to adverse events
• Performance
• Built into decision‐making
• Conformance with enterprise risk
g
• Ad‐hoc / chaotic; depends primarily on individual
• Reaction to adverse events by specialists
• Discrete roles established for small set of risks
• Policies, procedures, risk authorities defined and communicated
• Business function
P i il lit ti
• Performance linked metrics
• Rapid escalation
• Cultural transformation underway
management processes is incentivized
• Intelligent risk taking
heroics, capabilities and verbal wisdom • Typically finance,
insurance, compliance
• Primarily qualitative
• Reactive
underway
• Bottom‐up
• Proactive
• Sustainable
• “Risk management is everyone’s job”
1: Tribal & Heroic
2: SpecialistSilos
3: Top‐Down
4: Systemic 5: Risk
Intelligent
U d d Ri k Rewarded Risk
©2012 CliftonLarsonAllen LLP12
Un‐rewarded Risk
IMA Maturity Model for ERM
©2012 CliftonLarsonAllen LLP13
PART THREE OF FOUR
Developing an action plan for implementation p
(the “tactical”)
©2012 CliftonLarsonAllen LLP14
DISTINCT ERM ROADS AVAILABLE
Option 1 ‐ Implementing a Full‐Scale ERM Model
l i f ll f h d ib d d‐ Implementing a full program as further described and documented through facilitated sessions, documentation and meetingsdocumentation and meetings
Option 2 ‐ Implementing an ERM‐Lite Model
‐ Implementing a top‐level assessment using surveys, interview questionaires and conference calls
Option 3 ‐ A hybrid (customize your own model including “the best of both” for your organization
©2012 CliftonLarsonAllen LLP15
A Typical Framework for Implementation
Phase 2 Phase 3 Phase 4Phase 1
Assess
Assess enterprise risks and k
Recommend
Detailed d ti t
Implement, Operate & Continuously Improve
Buy‐InUnderstand, Accept,
risk management capability
recommendations to resolve capability gaps in effectiveness & efficiency
Implement sustainable IERM capabilities
Value Proposition Pilot test Define authorities, requirements, Deploy tools
Commit to Pilot
Value Proposition
Clarify needs & expectations
Executive awareness and commitment
Agree on scope criteria
Set risk appetite and key
performance metrics
Assess vulnerability to selected key risks
Qualify before quantify
Define authorities, requirements, resources
Design sustainable process
Identify capabilities for design
Design change management
Proof of Concept
Deploy tools
Train personnel
Monitor & Report
Integrate into core management processes
Change managementAgree on scope, criteria, process
Establish IERM as a priority
Communicate
y q y
Assess interactions and risk experience
Assess current capabilities
Develop risk profile
Identify gaps & set priorities
Proof of Concept
Decision to proceed Change management
Continuously improve
©2012 CliftonLarsonAllen LLP16
Identify gaps & set priorities
Questions Process Owners Should be Able to Answer
For each of your risks:
H d hi i k l hi i bj i ?• How does this risk relate to achieving your objectives?
• What is the organization’s appetite for risk or what is its tolerance for deviating from expected results?
• What is your state of preparedness?
• How do you know? How confident are you?
• What are the risks where you really need to improve our risk management?
• Which of these risks are most likely to occur and why?
• What is your overall risk mitigation plan?• What is your overall risk mitigation plan?
• How will you monitor the effectiveness of the plan?
• Are there other risks on or over the horizon that you need to start to prepare for now?
©2012 CliftonLarsonAllen LLP17
Most organizations rely on multiple sources for answersHowever, risk oversight and an integrated approach is usually lacking
General Counsel Finance
Internal Control, Disclosure, Credit,
I t l A dit
Legal and Intellectual Property, , ,
Liquidity, Commodity, Risk Analytics & Modeling Compliance and Ethics
Ethics and Business Conduct, and Regulatory Compliance Risks
B i D l t
Information Management
IT Security, Data Integrity, Information Adequacy, Business
Process/Continuity Risks
Internal Audit
Risk informed audits, risks to internal control, key exposures and
vulnerabilities, and assurance
Regulatory Compliance Risks
Business Development
Market and Strategy RisksSecurity
Risks to property and peopleOperations
Insurance
Property, Casualty, Liability, and Hazards
Quality of care, Customer Relations, Market and Pricing, Competitive,
People/Process/Asset Performance, Environmental and Safety Risks
©2012 CliftonLarsonAllen LLP18
ERM provides a means to better understand, communicate and respond to the risk knowledge that exists in the organization
An Integrated ERM Approach
RISK OVERSIGHT & INSIGHT Board & Executive Management
Alternatives, Decisions, Scenarios & Events
ENTERPRISEVALUE
ENTERPRISE RISKS
GOVERNANCEEthics/Decision AuthorityOversight/Independence
Strategy & Execution
RiskTaking
STAKEHOLDERVALUE
Oversight/IndependenceCompensation/Other
STRATEGYStrategic Plan/Acquisitions/ Divestitures Succession PlanningBrand/Marketing /PricingReputational
PeopleProcess
Technology
ReportingRisk
Avoidance
Operations Risk
AvoidanceRevenueGrowth
OPERATIONSService DeliveryInventory ManagementStaffing and EmploymentQuality StandardsCost Management
INFRASTRUCTURECompliance
Risk Avoidance
OperatingMargin
AssetEfficiency
INFRASTRUCTUREComplianceFinance & Accounting TaxInformation TechnologyInsurance BCPSafety/Physical SecurityL l/IP/Liti ti
Expectations
Legal/IP/LitigationEnvironmental / Other
EXTERNAL FACTORSCompetition/Economic ConditionsGeo‐political/RegulatoryActivism/Public SafetyNatural Disasters/OtherSTAKEHOLDER VALUE
©2012 CliftonLarsonAllen LLP19
Rewarded risk can drive value. Unrewarded risk can destroy value.
Natural Disasters/OtherSTAKEHOLDER VALUE
Top 10 Steps of Implementing an ERM Program
1. Obtain Executive Team and Board of Directors Buy‐In and Support– Hold a meeting to discuss ERM and the Organization’s need to implementHold a meeting to discuss ERM and the Organization s need to implement
– Assign risk governance oversight responsibility
– Assign a Chief Risk Officer – A “champion” within the Organization
– Communicate requirements of ERMCommunicate requirements of ERM
2. Define the elements of your ERM program in simple, clearly defined terms– Remember, risk is neutral. It can be either positive (an opportunity) or negative
(an issue).
– Risk – The possibility of an event occuring that would negatively affect the achievements of objectives.
k l l f k l l bl h d ’ l– Risk Tolerance – Levels of risk clearly established in an Organization’s internal environment.
– Opportunity – Attempting to increase the Organization’s value by taking on risk.
Risk Appetite The level of risk that an Organization is willing to take on as part
©2012 CliftonLarsonAllen LLP20
– Risk Appetite – The level of risk that an Organization is willing to take on as part of its process to set objectives.
Illustrative ERM Roles & Responsibilities
Party ResponsibilityMonthly or as
Needed Quarterly Semi-annually
Board / Audit Committee
Establish risk appetite; Review enterprise risks
Review all relevant riskCommittee Review enterprise risks
Executive Management(select group or working committee)
Set policy, prioritize and allocate resources for overall corporate risks
Review risks and allocate resourcesProvide guidance for significant new risks
Review risks and allocate resources
Review risks and allocate resources; report updates to Board / Audit Committee
ERM Team(PMO, Council, Committee, etc.)
Manage process, tools and data
Coordinate and assist Assist with reporting and review
Assist with reporting and review Monitor program effectiveness
Division A Identify assess & Report/escalate Report all Review risks with Division A Management Team
Identify, assess & monitor risks relevant to division
Report/escalate significant new risks
Report all relevant risk
Review risks with Executive Management
Division B Management Team
Identify, assess & monitor risks relevant to division
Report/escalate significant new risks
Report all relevant risk
Review risks with Executive Management
Team division
Division C Management Team
Identify, assess & monitor risks relevant to division
Report/escalate significant new risks
Report all relevant risk
Review risks with Executive Management
f
©2012 CliftonLarsonAllen LLP21
Corporate Management Team
Identify, assess & monitor risks relevant to corporate functions
Report/escalate significant new risks
Report all relevant risk
Review risks with Executive Management
Top 10 Steps of Implementing an ERM Program
3. Determine your Organization’s Risk Tolerance
‐ How much risk is this organization willing to accept? High? Low? Moderate?How much risk is this organization willing to accept? High? Low? Moderate?
‐ How does your strategic plan fit in?
4. Determine Materiality ranges at the entity level and by business units, as applicable
For Example:For Example:
Measure Low‐End of Range High‐End of RangeRevenue 1% 5%Revenue 1% 5%Assets 0.25% 0.50%Equity 1% 5%
©2012 CliftonLarsonAllen LLP22
Top 10 Steps of Implementing an ERM Program
5. Identify a Risk Inventory Library with the help of a facilitated session
6. Determine the probability of significant risks occuring and their magnitude
7 Determine how risks will be managed7. Determine how risks will be managed
8. Develop a detailed Activity‐level Risk Assessment
9. Confirm and develop the level of reporting needed by Executive Management and the Board of Directors
10. Establish communication protocal & management of the on‐going ERM process
©2012 CliftonLarsonAllen LLP23
Overall Risk Profile – Library IndexComplianceFinancial/
Reporting RiskOperational & Process RiskGovernance & Strategic Risk
Strategic Risk Operational & Process Risk Financial/ Reporting Risk
Compliance
Business Model Innovation Customer Satisfaction
Environmental Interest Rate `
Regulatory ReportingSatisfaction Reporting
Board Governance
Capital Availability
Human Resources
Health and Safety Currency Migrant Labor
Human Resource Political Product Development
Human Resources
PermanentEquity
International Trade Laws
Competition Legal Efficiency Outsourcing Commodity Product Safetyp g y g yIndustry
ConsolidationsIndustry Capacity Performance
Incentives Liquidity Anti-Trust
Energy & Material Costs Ethics Scalability
Information Technology
Integrity
Concentration Customer/
Credit/Other I f iBudget and
Planning Succession
PlanningCommodity Contracting
Information Technology Availability
Collateral
Product Availability
Image and Branding Partnering
Information Technology -
InfrastructureCash Flow
Infrastructure Contract
Commitment Reputational Product/Service
Failure Fraud & Illegal
ActsOpportunity Cost
Investment Valuation
Catastrophic Loss Business Interruption
Internal Control Environment
Resource Pensions &
©2012 CliftonLarsonAllen LLP24
Availability Health/WelfareFinancial
Reporting
Major Types of IT Risk and IT Risk Areas
IT Computing Environment• Hardware, Software
• System interfaces, Databases
• System and data criticality (system’s importance to the organization) & sensitivity
• Data backup and recovery process
Logical Access• Password Administration
• Direct and Physical access to data, data centers/facilities/equipment
• Lack of segregation of duties
Network Security and Availability
• System security policies & architecture
Operational Environment of IT systems• Functional requirements of IT system
©2012 CliftonLarsonAllen LLP25
• Functional requirements of IT system• Users of the IT system• Management of data changes
Risk Rankings ‐ Framework
• We recommend utilizing a numeric risk ranking model as partWe recommend utilizing a numeric risk ranking model as part of the risk assessment
• Depending on the potential risk universe, to further delineate and differentiate risks, we recommend using the following:
• Likelihood• Likelihood
• Impact
• Tolerance
• Pervasiveness
©2012 CliftonLarsonAllen LLP26
Prioritized Risk Profile
High 1.Supply Chain: People2. Competitor3. Customer5 Availability
nce
5. Availability11. Infrastructure: Systems Utilization12. Alignment13. Customer: Payors14. Planning
15. Business Model16. Regulatory/Legal17 Communication
6. Infrastructure: Systems Development7. Customer: Employees8. Financial Markets9. Price10. Supply Chain: Capital
Sign
ifica
n 17. Communication18. Compliance
19. HR: Management20. Sovereign/Political21. Product/Service Development22. HR: Employee Capabilities
26. Access27. Ethics28 Performance Measurement
23. Reputation24. Accounting Information25. Budget & Planning
28. Performance Measurement29. Supply Chain: Materials30. Investor Relations31. Liquidity32. Leadership33. Business Interruption34. Authority Limit
36. Catastrophic Loss37. Unauthorized Use38. Credit39. Mission
HighLikelihoodLow
Lowy
35. Product/Service Pricing
High Moderate Low
40. Fraud41. Financial Reporting
©2012 CliftonLarsonAllen LLP27
1
High Moderate Low
Results – Sample Heat Map
©2012 CliftonLarsonAllen LLP28
Critical Success Factors
• Gain Board / senior executive commitment and involvement
• Establish management accountability and responsibilities
• Demonstrate tangible results and link to value objectives
• Build the process into the way the enterprise does business
• Obtain supporting charter, policies, and procedures
• Focus on the cultural/change management process
• Monitor and continuously improve• Monitor and continuously improve
©2012 CliftonLarsonAllen LLP29
PART FOUR OF FOUR
Questions and Answers
©2012 CliftonLarsonAllen LLP30
top related