Four Approaches to Enterprise Risk Management... and Opportunities in Sarbanes-Oxley Compliance, by James Roth, 1st edition. Four Approaches to Enterprise Risk Management... and Opportunities in Sarbanes-Oxley Compliance (Roth) is available quickly and postage-free from beck-shop.de, THE SPECIALIST BOOKSHOP. The Institute of Internal Auditors. Verlag C.H. Beck online: www.beck.de. ISBN 978 0 89413 600 3


CONTENTS

Foreword ... ix
About the Author ... xi
Acknowledgments ... xiii

EXECUTIVE SUMMARY ... 1
  Myths and Realities ... 2
  The Real ERM Opportunities in Sarbanes-Oxley Compliance ... 6
  Summary of Case Studies ... 7
  Suggestions for Expanding Sarbanes-Oxley Compliance into ERM ... 10

CHAPTER 1: WHAT IS ERM? ... 13
  ERM: Key Concepts ... 15
  The COSO ERM Framework: Comparison to COSO Control Framework ... 16
  The COSO ERM Framework: the Eight Components ... 18
  Chapter Summary ... 19

CHAPTER 2: ROBUST ERA AT COUNTRYWIDE FINANCIAL CORPORATION ... 21
  Time Line: ERM/ERA ... 22
  Time Line: Sarbanes-Oxley ... 24
  Risk Categories and Subcategories ... 26
  CORAD ... 28
  Governance Structure ... 56
  Other Risk Management Activities within ERA ... 58
  COSO ERM Framework as Applied to CFC ... 60
  Benefits of ERA at Countrywide ... 61
  Conclusion ... 62

CHAPTER 3: TAILORED ERM AT "ALPHA" COMPANY ... 63
  Risk Governance ... 65
  Management Processes ... 66
  Enterprise Risk Management ... 67
  Portfolio View, Risk Appetite, and Use in Strategic Planning ... 68
  Conclusion ... 69


CHAPTER 4: SARBANES-OXLEY AND ERM REINFORCING EACH OTHER: AQUILA, INC. ... 71
  Early Efforts ... 71
  Business Reorganization and Evolution of Risk Assessment Techniques ... 72
  The Current ERM Thrust ... 76
    Phase 1 ... 76
    Phase 2 ... 79
    Integration of Sarbanes-Oxley Work into Phase 2 ... 79
    Phase 3 ... 83
  The Big Picture ... 83
  Conclusion ... 87

CHAPTER 5: ERM IN THE PUBLIC SECTOR: TEXAS STATE COMPTROLLER OF PUBLIC ACCOUNTS ... 89
  Evolution of RSA/ERM ... 89
  The RSA Session ... 91
  Risk Reports and Risk Appetite ... 95
  RSA and Sarbanes-Oxley ... 103
  RSA and COSO ERM ... 103
  Conclusion ... 105

APPENDIX A: "Building on Section 404" ... 107
  The Journey to ERM ... 107
  Linking Section 404 to COSO ERM ... 110
  A Difficult Journey ... 116

APPENDIX B: Survey and Focus Group Results ... 117
  Sarbanes-Oxley Compliance Further Along Than ERM ... 117
  Expanding Sarbanes-Oxley Compliance into ERM ... 118
  Benefits and Barriers ... 118
  Integrating Sarbanes-Oxley Compliance into ERM ... 120
  Benefits and Barriers ... 121
  Use of the COSO Frameworks ... 122


EXHIBITS

Alpha Company
  3A. Enterprise Risk Management at Alpha Company ... 125
  3B. Mapping of Risk Areas and Categories to Governance Structure ... 141
  3C. Enterprise Risk 2005 Assessment ... 151

Aquila Inc.
  4A. Risk Tolerance for Audit Findings ... 159
  4B. Risk Management Capability Characteristics for State Organization ... 163
  4C. Risk Management Capability Characteristics for Call Center ... 173
  4D. Risk Categories for Executive Workshops ... 183
  4E. Risk Assessment Criteria ... 189
  4F. Risk Assessment Survey ... 193
  4G. COSO-based Capabilities Maturity Assessment ... 197
  4H. Sarbanes-Oxley Risk Assessment Matrix ... 211
  4I. Risk Tolerances for Sarbanes-Oxley-related Audit Findings ... 215
  4J. Brainstorming Tool for Business Plan Risk Assessment ... 219
  4K. Risk Assessment Template for Business Planning ... 225
  4L. Risk Assessment Tool for Projects ... 227

Texas State Comptroller of Public Accounts
  5. Risk Self Assessment Participant Handbook ... 241

The IIA Research Foundation Board of Trustees ... 255
The IIA Research Foundation Board of Research and Education Advisors ... 257
The IIA Research Foundation Chairman's Circle ... 259