Enterprise Risk Management

Similar documents
Analyzing Risks in Healthcare. February 12, 2014

Strategic Risk Management for School Board Trustees

How To Use Risk It

Enterprise Risk Management

Beyond risk identification Evolving provider ERM programs

The College of New Jersey Enterprise Risk Management and Higher Education For Discussion Purposes Only January 2012

Introduction to Enterprise Risk Management at UVM DRAFT

An Effective Approach to Transition from Risk Assessment to Enterprise Risk Management

Understanding Enterprise Risk Management. Presented by Dorothy Gjerdrum Arthur J Gallagher

The New International Standard on the Practice of Risk Management A Comparison of ISO 31000:2009 and the COSO ERM Framework

11/12/2013. Role of the Board. Risk Appetite. Strategy, Planning and Performance. Risk Governance Framework. Assembling an effective team

The Role of Internal Audit in Risk Governance

Risk Assessment & Enterprise Risk Management

Department of Veterans Affairs VA Directive VA Enterprise Risk Management (ERM)

Take the right steps 9 principles for building the Risk Intelligent Enterprise

Policy : Enterprise Risk Management Policy

RSA ARCHER OPERATIONAL RISK MANAGEMENT

RISK MANAGEMENT OVERVIEW 2011 RISK CONFERENCE SPONSORED BY THE FEDERAL RESERVE BANK OF CHICAGO AND DEPAUL UNIVERSITY

Business Continuity Management

Moving Forward with IT Governance and COBIT

STANDARD. Risk Assessment. Supply Chain Risk Management: A Compilation of Best Practices

Hand IN Hand: Balanced Scorecards

Enterprise-Wide Risk Assessment

1.20 Appendix A Generic Risk Management Process and Tasks

Business Continuity Management

Enterprise Risk Management in Colleges and Universities

Enterprise Risk Management: Taking the First Steps

IRM CERTIFICATE AND DIPLOMA OUTLINE SYLLABUS

Enterprise Risk Management

A Risk-Based Audit Strategy November 2006 Internal Audit Department

ENTERPRISE RISK MANAGEMENT FRAMEWORK

ENTERPRISE RISK MANAGEMENT POLICY

ENTERPRISE RISK MANAGEMENT FOR BANKS

Cybersecurity The role of Internal Audit

International Diploma in Risk Management Syllabus

Risk and Contingency Planning. Today s Topics. Key Terms. A Vital Component of Your ICD-10 Program

UNITED NATIONS OFFICE FOR PROJECT SERVICES. ORGANIZATIONAL DIRECTIVE No. 33. UNOPS Strategic Risk Management Planning Framework

Risk Management Plan

Enterprise Risk Management for International Schools

THE SOUTH AFRICAN HERITAGE RESOURCES AGENCY ENTERPRISE RISK MANAGEMENT FRAMEWORK

fs viewpoint

Business Continuity for Cyber Threat

Program Management Professional (PgMP) Examination Content Outline

Governance Guideline SEPTEMBER 2013 BC CREDIT UNIONS.

Operational Risk Management - The Next Frontier The Risk Management Association (RMA)

The Role of the Board in Enterprise Risk Management

Consumer Goods and Services

GAINING CONTROL: Building Your Existing Framework into an ERM Model

Enterprise risk management and business continuity management Together at last

Tying It All Together: Practical ERM Integration. Richard Scanlon Vice President Enterprise Risk Management CIGNA Corporation

Fraud Risk Management

Why you should adopt the NIST Cybersecurity Framework

ERM006 ERM and Business Continuity Management: Together at Last RIMS Annual Conference April 13, 2016

DoDEA Personnel Center HR Competency Definitions

Tailoring enterprise risk management strategies to the Main-Street insurer

Integrated Risk Management:

How To Save Money At The University Of California

Corporate Social Responsibility: Implications for Human Resources and Talent Engagement

Organizational Change Management: A Best Practice to Effective ERM Implementation

Project Risk Management

CA HalvesThe Cost Of Testing IT Controls For Sarbanes-Oxley Compliance With Unified Processes.

Developing a Corporate Governance Framework

Governance and Risk Management in the Public Sector. Fernando A. Fernandez Inter-American Development Bank (202)

COBIT 5 for Risk. CS 3-7: Monday, July 6 4:00-5:00. Presented by: Nelson Gibbs CIA, CRMA, CISA, CISM, CGEIT, CRISC, CISSP ngibbs@pacbell.

THE ROLE OF FINANCE AND ACCOUNTING IN ENTERPRISE RISK MANAGEMENT

Integrating Balanced Scorecard and Enterprise Risk Management

NEEDS BASED PLANNING FOR IT DISASTER RECOVERY

APPLICATION OF KING III CORPORATE GOVERNANCE PRINCIPLES 2014

Feature. Developing an Information Security and Risk Management Strategy

APPLICATION OF THE KING III REPORT ON CORPORATE GOVERNANCE PRINCIPLES

Business Resiliency Business Continuity Management - January 14, 2014

Get More Out of Your Risk Assessment. Austin Chapter of the IIA

strategic workforce planning: building blocks to success

STANDARDS OF SOUND BUSINESS AND FINANCIAL PRACTICES. ENTERPRISE RISK MANAGEMENT Framework

Leadership Competency Self Assessment

We all manage risk, every day

Exhibit 1: Structure of a heat map

How To Write A Workforce Strategy

University of Wisconsin Platteville IT Governance Model Final Report Executive Summary

FlyntGroup.com. Enterprise Risk Management and Business Impact Analysis: Understanding, Treating and Monitoring Risk

Applying Integrated Risk Management Scenarios for Improving Enterprise Governance

Business Continuity Position Description

University of St. Gallen Law School Law and Economics Research Paper Series. Working Paper No June 2007

Page 1. Executive Briefing, January 2013 Sheila Upton. Information Management and Big Data a Framework for Success

National Cyber Security Policy -2013

Institute for Business Continuity Training 1623 Military Road, # 377 Niagara Falls, NY

CDC UNIFIED PROCESS PRACTICES GUIDE

ENTERPRISE RISK MANAGEMENT FRAMEWORK

Business Continuity Plan

Accenture Risk Management. Industry Report. Life Sciences

Performing a Compliance Risk Assessment for Compliance Auditing & Monitoring in Healthcare Organizations

Overview TECHIS Carry out risk assessment and management activities

Fraud Prevention and Deterrence

CDC UNIFIED PROCESS PRACTICES GUIDE

PMI Risk Management Professional (PMI-RMP) Exam Content Outline

San Francisco International Airport Enterprise Risk Management

Transcription:

2013 Government Accounting and Auditing Update Enterprise Risk Management Understanding and Implementing an ERM Framework Mike Sargent, Director- CliftonLarsonAllen May 2013 cliftonlarsonallen.com

Discussion Objectives Discuss the current risk environment for the public sector and drivers for enhanced risk management Define Enterprise Risk Management (ERM) and the benefits to public sector organizations Define and describe an ERM framework and methodology Discuss key steps and success factors for establishing an ERM program 262

Risk Management Has Not Always Been Effective No shortage of risk events in today s world In the news every day Stakeholders are demanding much more visibility into how risks are managed Existing risk management practices are often deemed insufficient; no shortage of people and organizations who want to improve the processes Risks and the resulting impacts have led to major negative issues for organizations of all types public and private 263

The Two Sides of the Risk Coin RISK TYPES Unrewarded Risk: Risks that must be taken Regulatory Compliance is a good example Rewarded Risk: Risks where you have an option to take Strategy and business decisions, where value can be created Fail to manage the Unrewarded Risks and bad things happen Fail to take the right amount of Rewarded Risks and you don t fully reap the reward

Questions Many Organizations Are Asking What is our organization s appetite for risk and what is our tolerance for deviating from expected results? What risks should we be focusing on? Do we know what our true top risks are? Once we know what the risks are, how prepared are we to address them? How well are we doing with the risks we are focusing on? Do we have a sustainable process to make risk management more than a one time event? How do we capture future risks and integrate them into the process? How aligned are we as an organization to make this happen? 265

What is Enterprise Risk Management? Enterprise risk management is a process, effected by the entity s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives. - COSO Enterprise Risk Management Integrated Framework 2004 266

Is ERM relevant for public organizations? ERM is just as valuable to the public sector as it is to the corporate sector Leading practices in risk management developed in private industry can be leveraged by the public sector Every organization, regardless of type, has a need to understand risks that might impact it s ability to fulfill it s mission no one is immune to risk. The Public Sector faces unprecedented challenges in terms of key risk areas Health care, Aging infrastructure, Revenue constraints, Population growth, etc. 267

Benefits of ERM Create a more risk aware culture Align risk appetite and strategy Enhance risk response decisions Minimize operational surprises and losses Identify and manage cross-enterprise risks Provide integrated responses to multiple risks Seize opportunities Support cost management efforts Improve operational performance Provide better basis for allocating resources And thereby: Restore and/or retain constituent trust and confidence Protect and increase value for the organization and those you serve 268

Examples of Risk Categories for the Public Sector Operations Regulatory Compliance Reporting Service Delivery Employment and Staffing Strategy Physical Security Cyber Security Economic Conditions Financial Privacy and Data Protection Recruitment and Talent Management Supply Chain Labor & Employment Issues Insurance Natural Disasters 269

What is a Risk Framework? A conceptual tool used to provide guidance on understanding and addressing the risks faced by an organization Provides a methodology to follow supports and sustains risk management in an organization Commonly used ERM frameworks: Enterprise risk management - Integrated Framework of the Committee of Sponsoring Organizations (COSO) AS/NZS 4360:2004 - The Australia and New Zealand Risk Management Standard AS/NZS ISO 31000:2009 - Risk Management Principles and Guidelines 270

Two Popular Risk Frameworks COSO integrated framework AS/NZ - ISO 31000:2009 Establish the Context Communicate & Consult Identify Risks Analyze Risks Evaluate Risks Assess Risk Monitor & Review Treat Risks 271

Establish the Context Objective Defines the external and internal issues an organization has to consider when managing risk Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Monitor & Review External constituent needs, environment, external factors that might impact objectives Internal employees, governance structure, culture Example Data Sources Business Plans Strategic Plans Stakeholder Analyses Previous Risk Information 272

Identify Risks Objective Generate a comprehensive list of relevant risks as foundation for overall risk assessment process Approach Engage key internal/external stakeholders and business units Cast Your Net Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Monitor & Review Example Data Sources Interviews, Workshops, Focus Groups Constituent Surveys Peer Organization Research Previous Risk Assessments Call Center/Action Center Data 273

Analyze Risks Objective Gather relevant data to assist in the effective evaluation of risks Approach Generate rating criteria Impact Likelihood Vulnerability Velocity / Speed of onset See What You Caught Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Monitor & Review Example Data Sources Qualitative Rating and Assessment Analysis by Subject Matter Specialists Group Consensus Discussions 274

Evaluate Risks Objective Determine the relative importance of risks facing the organization and set priorities accordingly Approach Iterative process to reengage stakeholders and subject matter experts Could use both quantitative and qualitative techniques Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Monitor & Review Example Data Sources Interviews Focus Groups / Workshops Qualitative Analysis Sort Them Out By Size 275

Treat Risks Objective Develop risk mitigation strategies Approach Identify treatment options Avoid Accept Reduce Transfer Assess treatment options Prepare and implement risk treatment plans Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Example Data Sources Risk Mitigation Teams Cost/Benefit Analysis Contingency Planning Insurance Options Monitor & Review 276

Monitor and Review Objective Monitor the effectiveness of risk treatment strategies and determine if they are achieving desired results Approach Develop monitoring methodologies Establish Key Risk Indicators Conduct routine monitoring and reporting Audit the process and the results Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Example Data Sources Internal Audit Programs Risk Progress Reports Monitor & Review 277

Communicate and Consult Objective Maintain a dialogue between the organization and the stakeholders regarding the risk management process Approach Regular outreach with stakeholders to ensure a thorough understanding of the goals and progress of the ERM program Communicate & Consult Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks Monitor & Review Tools & Techniques Meetings With Constituents/Stakeholders Newsletters/Press Releases Outreach Policies 278

Evaluating Risk Management Capability Where is your organization in terms of risk management capabilities? Where do you need to be? How can you develop a process to assess risk and proactively develop policy responses to issues such as decreasing tax revenue, the economic downturn, federal and state fiscal issues, increased need for constituent services, etc? Never before has it been more vital for states and localities to develop an effective assessment of their strategic risks and take proactive measures to manage them. 279

The ERM Journey Ad-hoc Highly dependent on individual knowledge and actions Reactionary response to risk events Some risk categories with defined roles Mostly focused on un-rewarded risks Leadership drives process Defined policies and procedures for risk assessments Enterprise wide risk register Management aware of and addresses the key risks Risk events managed on an integrated basis Fully integrated risk management program Risk escalation processes in place Organization begins to leverage the rewarded risks Risk Management fully integrated into culture Strategic use of risk information on a regular basis Sustainable and ongoing program Organization fully addresses all risk types Un-rewarded Risk Rewarded Risk

A High Level Process for Establishing ERM Determine the Vision for Your ERM Program Identify, Assess and Prioritize Your Risks Assess Your Risk Management Capabilities Develop and Implement Your ERM Plan

Considerations for Moving Forward Gain senior executive commitment and involvement More than passive support is needed Critical to get the program moving and overcome silo mentality Establish accountability and responsibilities Develop the process and keep it going Leverage what you already have Build on your existing risk processes you have more than you think! 282

Considerations for Moving Forward Focus on a few key risks Identify many, focus on the most critical Focus on the cultural/change management process Risk aware culture is one of the first tangible ERM benefits 283

Mike Sargent Director, Risk Management Services mike.sargent@cliftonlarsonallen.com 317-569-6200 cliftonlarsonallen.com twitter.com/ CLA_CPAs facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 284

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information