Enterprise Risk Management Focusing on the Right Risks

Transcription

1 2014 CliftonLarsonAllen LLP Enterprise Risk Management Focusing on the Right Risks VGFOA 2015 Fall Conference October 22, 2015 CLAconnect.com

2 Session Objectives 1.Identify factors driving the need for enterprise risk management 2.Discuss a process for identifying, assessing, and prioritizing risks 3.Recognize key items to consider for enhancing risk management in your organization 2

3 Factors Driving Organizations to Implement Enterprise Risk Management Why Do You Do It? 3

4 What is ERM? Enterprise risk management is a process, effected by the entity s board of directors, management, and other personnel, applied in strategy-setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives. - COSO Enterprise Risk Management Integrated Framework 2004 Organizational definitions of enterprise risk management (ERM) can vary widely. At its basic core, it involves having a better understanding of the risks your organization faces, and having a sustainable and repeatable process to successfully mitigate them. 4

5 Benefits of ERM Create a more risk-aware culture Align risk appetite and strategy Enhance risk response decisions Minimize operational surprises and losses Identify and manage cross-enterprise risks Provide integrated responses to multiple risks Seize opportunities Support cost management efforts Improve operational performance Provide better basis for allocating resources And thereby: Restore and/or retain stakeholder trust and confidence Protect and increase value for the organization and your customers 5

6 What Types of Risks Are Local Governments Focusing On? Many local governments are realizing that they need to focus on the full spectrum of risk categories to ensure that they have identified their true top risks, and focusing on the right things. Risks are specific to the particular local government but in addition to traditional risk categories such as finance, organizations may identify risks in areas such as: Legislative and Regulatory change Economic Environment Vendor Management Human Capital Management Affiliated Organizations Business Continuity Fraud Cyber Infrastructure Social Media Federal Regulatory Compliance State Regulatory Compliance Safety and Security Reputation management 6

7 Determining the right level of ERM Obtain feedback from governance/board Risk appetite Strategy Is there a sustainable process to make risk management more than a one-time event? Specifically scope projects to ensure a ERM is a component 7

8 Questions Many Organizations Are Asking What is our appetite for risk and what is our tolerance for deviating from expected results? What risks should we be focusing on? Do we know what our true top risks are? Once we know what the risks are, how prepared are we to address them? How well are we doing with the risks we are focusing on? Do we have a sustainable process to make risk management more than a one-time event? How do we capture future risks and integrate them into the process? How aligned are we as an organization to make this happen? 8

9 Identifying, Assessing, and Prioritizing Risk on an Enterprise- Wide Basis How Do You Do It? 9

10 How to go about the ERM Process Scope an approach to ERM Determine who within your organization is discussing and assessing risks Understand and define the risk approach Establish goals for the assessment Collect data on risks: interviews, surveys, heat map Communicate with board members 1 0

11 Evaluating Risk Management Capability Two Key Questions on Risk Management Capabilities 1. Where is your organization in terms of risk management capabilities? 2. Where do you need to be? Many organizations are assessing their current risk management state and setting goals for their next ERM milestone. 11

12 Most Organizations Rely on Multiple Sources for Answers However, risk oversight and an integrated approach is usually lacking Finance Internal Control, Disclosure, Credit, Liquidity, Commodity, Risk Analytics and Modeling Information Management IT Security, Data Integrity, Information Adequacy, Business Process/Continuity Risks Operations Compliance and Ethics Ethics and Business Conduct, and Regulatory Compliance Risks Business Development Market and Strategy Risks General Counsel Legal and Intellectual Property Internal Audit Risk informed audits, risks to internal control, key exposures and vulnerabilities, and assurance Security Risks to property and people Quality of care, Customer Relations, Market and Pricing, Competitive, People/Process/Asset Performance, Environmental and Safety Risks Insurance Property, Casualty, Liability, and Hazards ERM provides a means to better understand, communicate, and respond to the risk knowledge that exists in the organization. 12

13 Two Sides of the Risk Coin RISK TYPES Unrewarded Risk: Risks that must be taken Regulatory compliance is a good example Rewarded Risk: Risks where you have an option to take Strategy and business decisions, where value can be created Fail to manage the unrewarded risks and bad things happen Fail to take the right amount of rewarded risks and you don t fully reap the reward 13

14 Communicate & Consult Monitor & Review 2014 CliftonLarsonAllen LLP Two Popular Risk Frameworks COSO integrated framework AS/NZ - ISO 31000:2009 Establish the Context Identify Risks Analyze Risks Evaluate Risks Assess Risk Treat Risks 14

15 Risk Tier Definitions Tier 1 Risks Highest Risks to the Enterprise Tier 2 Risks Medium Vulnerability Tier 3 Risks Lowest Vulnerability Risk is identified as highest overall risks to the organization Risks at this level are small in number and will require immediate and significant attention Risk is clearly a key enterprise risk but may not require same level of attention as a Tier 1 risk Requires on-going monitoring and oversight however frequency of updates is less than Tier 1 Risk is still considered a key enterprise level risk but may not require additional mitigation responses beyond the current efforts Requires on-going monitoring to ensure status is stable Attorney Client Privilege Attorney Work Product FOIA Exempt 15

16 Goals of an Enterprise-Wide Risk Assessment An enterprise risk assessment gives organizations insight into risks in multiple categories. Benefits of ERM: Understand both financial and non-financial risks Develop a sustainable risk assessment process that can be used in future years Utilize a common risk rating criteria for multiple risk types Generate a prioritized risk register Develop risk mitigation strategies for the key risks vs. attempting to cover all Implement leading practices Manage risk more effectively and efficiently Develop data for reporting to governance/board 16

17 Goals of an Specific Risk Assessment Specific risk assessment gives organizations insight into risks for a sole purpose. Benefits of Specific Risk Assessment: Understand both financial and non-financial risks Connect risks to the governance/board report An opportunity to utilize a common risk rating criteria for multiple risk types 17

18 Illustrative Basic Risk Dashboard Using a Risk Heat Map The risk assessment process facilitates the identification of risks by rating the Impact, Vulnerability and Speed of Onset. The overall types of impact of the risk can be based on multiple impact including: Financial Reputation Legal/Regulatory Customers Employees Operations The overall vulnerability of the risk can be based on factors such as: Existing controls and mitigation efforts Risk management capability Prior risk experience Speed of Onset is based on how quickly the risk could occur 18

19 Risk Impact on Value 2014 CliftonLarsonAllen LLP Framework for Assessing Risk and Organizing Risk Response Focus on vulnerabilities to value loss or creation not just likelihood Set Risk Appetite (Thresholds) Assess Impact Key Performance Indicators Qualitative Quantitative High MARCI Chart Risk Mapping First Effectiveness Then Efficiency Assurance of Preparedness A Enhance Risk Mitigation M Illustrative Outcomes Financial Reputation Legal Regulatory Stakeholder Expectations Assess Vulnerability Control effectiveness Cost of risk experience Prevailing failure modes / contributing factors Complexity and change Risk management capability (detect, prevent, correct, escalate) Low R Redeploy Resources Cumulative Impact? CI Measure for Cumulative Impact Vulnerability High Likelihood Degree of difficulty Cost / ROI Time to implement Set Priorities Select Risk Response Acceptance Avoidance Prevention Detection Correction Escalation 19

20 Impact Low Moderate High 2014 CliftonLarsonAllen LLP Tiering Risks Consider the Impact and Vulnerability of the risk and tiering the risks. The risks have been organized in a tiered fashion to demonstrate which risks should be considered the highest priority, which are secondary, and which may require less attention today. When plotted on the chart below, the risk priorities typically fall in the following manner: Tier 1 risks primarily fall in the higher Red area Top priority risks to the organization Risks require further analysis of response options Risks should have a risk owner Risks will receive the primary attention in short term Tier 2 risks typically fall in the Yellow or lower Red area Key risks but timeline is not as critical Risks could have a risk owner Tier 3 risks can fall in Yellow or Green areas Risks are tracked but existing mitigation is sufficient FCPS Risk Heat Map Low Moderate High Vulnerability Attorney Client Privilege Attorney Work Product FOIA Exempt 20

21 Problems With the Likelihood Model Little or no predictive value in context of typical planning horizons 80 percent of all major value losses are high impact / low likelihood Biases management to direct resources to high impact / high likelihood events at the expense of high impact / low likelihood events Typically focuses on single events rather than a series of events or domino effect Audit activities are often misdirected to the red zone Better Approach Focus on preparedness and vulnerability Inverse relationship High preparedness = Low vulnerability Low preparedness = High vulnerability 21

22 Shortcomings of the COSO Approach Estimating Likelihood and Impact Uncertainty of potential events is evaluated from two perspectives likelihood and impact. Likelihood represents the possibility that a given event will occur, while impact represents its effect... It is important that the analysis be rational and careful The time horizon used to assess risks should be consistent with the time horizon of the related strategy and objectives For example, a company operating in California may consider the risk of an earthquake disrupting its business operations. Without a specified risk assessment time horizon, the likelihood of an earthquake exceeding 6.0 on the Richter scale is high, perhaps virtually certain. On the other hand, the likelihood of such an earthquake occurring within two years is substantially lower. By establishing a time horizon, the entity gains greater insight into the relative importance of the risk and an enhanced ability to compare multiple risks. COSO ERM September 2004 p

23 Illustrative Local Gov t Impact Profile OVERALL RISK IMPACT PROFILE Strategic Risk Material Operational & Process Risk Material Board Governance Significant Sovereign/ Political Significant Human Resources Significant Health and Safety Material Human Resource Significant Legal Significant Knowledge Capital Significant Policies and Procedures Material Competition Significant External/ Industry Factors Significant Efficiency Material Communication Significant Organization Structure Significant Succession Planning Material Capacity Significant Physical Assets Material Strategic Planning / Budgeting Material Reputational - Stakeholder Relations/ Customers Material Scalability Material Information Technology - Access Material Resource Availability Material Catastrophic Loss Material Functional Effectiveness Significant Information Technology - Availability Significant Partnering Significant Information Technology - Infrastructure Significant Environmental Significant 23

24 Illustrative Basic Risk Dashboard Example of a Basic Risk Report Risk Description Risk Direction Risk Response Status Risk Owner Status of Additional Risk Management Activities Initiated Failure to comply with federal regulatory standards Mr. Avoid Performing review of last 12 months of adverse compliance Developing action plans for key trend areas identified from the review Inaccurate billing for services Ms. Accept Assess customer concerns Measure customer satisfaction Insufficient business continuity planning Mr. Reduce A project has been initiated to develop appropriate business continuity plans for all major operations and facilities. Inadequate IT backup and disaster recovery processes Ms. Transfer Key steps have been completed to improve IT BCM: consolidated and improved the data center, documented processes, and retrained personnel. 24

25 Tier 1 Human Capital - Instructional Risk Description Lack of ability to hire and retain skilled works and central staff due to excessive workload and decreased funding. Average Ratings Impact: 4.16 Vulnerability: 3.90 Examples - Workload demands cause some employees in specific departments to work hours per week. - Employee morale decreases in overworked situations - Personnel are assigned to the wrong task and do not receive proper training. Comments Provided by Survey Respondents: Entity too often finds itself reacting to stakeholder concerns rather than proactively pursuing continuous improvement. In addition, the entity tends to rely to deeply on internal solution rather than identifying best practices from other entities nationwide. Cuts to central staff have significantly decreased morale and increased dissatisfied employees. I believe we are at a high risk factor for losing skilled and valuable employees to other systems and careers. I feel that we have taken some steps to mitigate our vulnerability here, but that more needs to be done. I believe that employees, for the most part, will put their all into their jobs. Because they want to be responsive, they spend extra hours getting things done. The hours spent are not conductive to a good balance in life. At times, people in some offices are bypassed because they are not viewed as the go to person. As a results, the go to person is tremendously stressed. I would like to see the hiring process go beyond a thirty minute panel interview and one follow up. 25

26 Risk Prioritization and Response Sessions Evaluating the cost-benefit of various risk response options can be standardized using an evaluation template to standardize the analysis of different response options Example Risk Response Evaluation Matrix: Financial Systems and Internal Reporting Risk Description: the possibility of revenue loss or non-compliance due to poor alignment of financial systems functionality and internal reporting requirements. Options Available Costs Benefits Accept Reduce Vulnerability Reduce Impact Transfer Avoid Retain current risk by working with current architecture >Minimal incremental cash expenses >Continued risk of loss >Continued or perhaps accelerated obsolescence of systems Lower cash outlays to address problem Minimal organizational disruption Implement new system that better fits business requirements $X Licensing fee $X implementation $X maintenance fee Organizational disruption during transition $X estimated avoided loss Enhanced reporting and better business decision-making Enhance business processes and manual reconciliations $X implementation Organizational disruption during transition Ongoing inefficiency costs $X estimated avoided loss Outsource financial systems operation to third party vendor $X implementation $X annual fee $X per transaction fee Loss of organizational capability Loss of organizational control $X MM annual cost savings Enhanced reporting flexibility and support Where practicable Not practicable Not practicable Residual Risks? No Yes Yes Yes Not practicable 26

27 Information About Key Items to Consider for Enhancing Risk Management in Organizations What Could The Risks Be? 27

28 Major Types of Risk and Risk Areas (Examples) Financial operations The risks associated with the organization s financial viability and the way the organization maintains its financial records. Accounting /Revenue Cycle Financial Reporting and Disclosure Governance, Independence Treasury and Investments Tax UBI, Payroll Withholding, Intermediate Sanctions, Returns -990s, and 501C3 Status Financing Bonds Internal Controls Internal Audit Contracting / Purchasing (Materials Management) Group Purchasing Organization Relationships Construction Service delivery The risks associated with the delivery of services Quality - Safeguarding of Practice Regulatory Compliance Institution Licensing and Accreditation Marketing/ Community Outreach Compliance and legal matters Federal and State Regulations Stark IRS Tax Anti-Kickback HIPAA Anti Trust 28

29 Major Types of Risk and Risk Areas (cont.) Employment and staffing The risks associated with the organization s delivery and management of its human resources including employed, contracted, and credentialed providers. Labor Relations Wage and Hourly - Compensation Employment Practices Hiring and Firing, EEO, ADA Education, Training, Development Staffing Retention, Recruitment, Performance Evaluations, Levels Pension and Benefits - Insurance Worker s Compensation Contract Labor Agency, Nurses Organization and strategic Environment The risks associated with external factors, strategic direction, and issues related to organizational structure and culture. Strategy M&A Advocacy Tax Exempt Limitations Public Relations Reputational Organization and Governance Mission Market Forces (Competition) Disaster Planning Physical Security Emerging Technologies (Innovations) Systems Integration 29

30 Major Types of IT Risk and IT Risk Areas (Examples) IT computing environment Risks associated with the organization s IT systems Hardware Software System interfaces Databases System and data criticality (system s importance to the organization) System and data sensitivity Data backup and recovery process Logical access Password Administration Direct access to data Physical access to data centers/facilities/equipment Lack of segregation of duties Network security and availability System security policies System security architecture Operational environment of IT systems Functional requirements of IT system Users of the IT system Management of data changes 30

31 External ERM Resources Committee of Sponsoring Organizations The Risk Management Society The Risk Management Association 31

32 CLA Resources Articles and Whitepapers ACA Pensions: GASB 68 Uniform grant guidance Events Calendar Webinar Recordings Government-Agencies.aspx?ind=State and local 32

33 2014 CliftonLarsonAllen LLP Questions? Greg Bussink- Principal Phone number Taylor Powell- Senior Consultant CLAconnect.com twitter.com/ CLAconnect facebook.com/ cliftonlarsonallen linkedin.com/company/ cliftonlarsonallen 33