How Internal Audit Can Help Promote Effective ERM


How Internal Audit Can Help Promote Effective ERM
Alan N. Siegfried, MBA, CPA, CIA, CISA, CBA, CRMA, CFSA, CCSA, CITP, CGMA, CSP
June 18, 2014

Alan Siegfried Professional Bio
- Principal and Managing Director, Quetzal GRC, LLC
- Over 30 years of private and public sector experience in accounting, internal auditing, risk management, internal controls, information technology auditing processes, operations, and business processes and strategy
- Board and Audit Committee member, Bon Secours Health System; Audit Committee member, UNICEF
- Former Internal Audit Partner at Ernst & Young, Deloitte and Grant Thornton
- Former Director of Internal Audit, Bank-Fund Staff FCU
- Former Auditor General, Inter-American Development Bank, and Chief Audit Executive, First Maryland Bancorp
- Former Chairman of the Board and member of the IIA's North American Board; member of the IIA's Professional Certification Board
- Widely published and frequent speaker at international internal auditing and risk management events; teaches graduate internal audit courses at U of MD
- Holds 11 professional auditing, risk management and accounting related designations and certifications

Presentation Topics
- Risk and Risk Management
- Characteristics of Effective Risk Management
- Role of Internal Audit: Consultant vs. Evaluator
- Conclusions

Credit Union ERM: Why we are here
Enterprise Risk Management is becoming top of mind for many credit unions:
- Board/supervisory committee members
- Senior management
- Regulatory examiners
- External auditors
Credit unions want to more clearly understand:
- The benefits of ERM
- The goals, objectives, and deliverables of ERM
- The most efficient way to implement ERM

Risk Management Related Trends
- Competitive Marketplace
- Globalization
- Legal Requirements
- Complex Business Transactions
- Short Product Cycles
- Explosion of Technology
And, they are interconnected with a cascading impact.

What is Driving ERM?
Huge changes in the operating environment:
- Margins are eroding
- Delinquencies & charge-offs have increased drastically
- Fee income is steadily becoming more important
- Regulations are changing
- GAAP is inadequate and may very likely change
- IT risk management requirements will increase
- Efficiency (output/input) is critical
- Less room for errors and surprises (i.e., risk)
- Regulators are extending risk management requirements

Key Risk Data
An NC State University study found:
- 91% of respondents felt at least somewhat strongly that the number and complexity of risks has increased over the last 5 years
- 69% of respondents have experienced a significant operational surprise over the last 5 years
Source: NC State University's ERM Initiative, Report on the Current State of Enterprise Risk Oversight

What's Different About ERM?

| Criteria | IT Security | Internal Audit | Compliance | ERM |
|---|---|---|---|---|
| Customer | IT, NCUA | Supervisory Committee, Board of Directors | NCUA, Regulatory Agencies, Governments | Board, executive management, members, employees |
| Scope | Information Technology | Operations, financial reporting, IT | Various | Strategy, operations, policy |
| Goals | Privacy, Confidentiality, Survivability | Assurance, operational efficiency, deficiency reporting & mitigation | Avoid fines and legal costs. Pass the test. Preset standards | Understand goals, proactively guide actions to achieve them |
| Standards | COBIT, NIST, OCTAVE | IIA, AICPA | Various | COSO 2013, ISO 31000 |
| Penalties | Fines, legal costs, member costs, NCUA actions, reputation | Management reputation, undetected control deficiencies | Fines, legal costs, corrective action costs | Poor business decisions. Ineffective business practices |
| Documents | Automated and Compiled | Manual and Detailed | Mixed and Detailed | Just Enough |

Evolution of Audit & ERM
- Before the 1990s: Best Practice Audit Approach
- 1990s: Management Defined Risk Assessment
- 2004: COSO Framework (ERM)
- 2013: COSO 2013 Framework

What is Risk?
The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood. (The Institute of Internal Auditors, IIA)
A prerequisite to any risk discussion in an organization: you must know the organization's objectives.

Risk Heat Map
(Figure: key risks A through P plotted by Impact against Likelihood, each rated V. Low, Low, Medium, High or V. High; the plotted positions are not recoverable from the transcription.)
Key Risks:
A. Perception of financial soundness
B. Lack of business continuity plan
C. Attract profitable member relationships
D. Risk of loss of member data
E. Ability to build brand (penetration)
F. Innovate products for customers
G. Systematically meet regulatory requirements
H. Manage instances of internal fraud
I. Manage instances of external fraud
J. Third-party/vendor risk
K. Lack of robust internal control system
L. Ability to meet customer demands for credit
M. Ability to manage market risk
N. Ability to manage credit risk
O. Ability to access capital
P. Ability to grow operations in current environment

Risk Management Decision Matrix
(Figure: scenario axis labelled Multiple Inter-related Scenarios, Multiple Scenarios and Single Scenario; time-horizon axis labelled Immediate/On-Going, Short Term and Long Term.)
Responses shown in the matrix:
- Panic (Run, Scurry, Flee)
- Real Options (Maintain Ability to Change Course)
- Simple Risk & Control Development (Prevent)
- Monitor, Measure, and Respond (Detect)

Risk and Cost Relationship
(Figure: The Risk Management Curve, plotting Exposure against Level of Effort; labels: High Priority Activities, Optimum Level of Effort, Risk should be accepted.)

What is Risk Management?
The processes performed and actions taken by management to understand and deal with uncertainties (i.e., risks and opportunities) that could affect the organization's ability to achieve its objectives.

Managing Performance
(Figure: Organizational Performance is driven by Objectives & Initiatives, subject to Uncertainty from: Projects, Partners, Competition, Customers, Technology, People, Money.)

COSO Definition of ERM
ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Committee of Sponsoring Organizations of the Treadway Commission (COSO 2004) (see www.coso.org)

Risk Management Principles
1. State your objectives
2. Identify the most critical areas of risk (risk assessment); keep in mind that you may not have seen the impact yet!
3. Gather and analyze the relevant data
4. Exercise sound judgment
5. Identify potential root causes (WCGW)
6. Determine the best response
7. Document and train
8. Monitor, audit, and assure (and measure)
These steps fall into two phases: Assess Risk and Manage Risk.

What is ERM supposed to do?
- Quickly identify emerging risks and problem areas before they escalate and cause serious harm
- Reduce the incidence of serious negative surprises that undermine stakeholder confidence
- Enable the organization to more effectively take advantage of opportunities
- Reduce response time for emerging risks
- Demonstrate to stakeholders that reasonable risk management processes are in place
- Provide an efficient way to manage and measure risks consistently across the enterprise

Traditional Risk Management Approach
- Strategic Market Risks
- Operations Risks
- Finance Risks
- Human Capital Risks
- IT Risks
- Legal Risks
- Reputation Risks
Silo or Stove-Pipe Risk Management

ERM Brings Risks Together
Value Creation and Preservation: Enterprise Focus on Risks
- Strategic Market Risks
- Operations Risks
- Finance Risks
- Human Capital Risks
- IT Risks
- Legal Risks
- Reputation Risks
Key Message: Senior Management is facilitating the aggregation and interactions of those risk exposures to evolve from Risk Management to Risk Intelligence.

Risk Management Compared to Audit

| Audit | Risk Management |
|---|---|
| Independent from Management | Part of Management (like HR, Accounting, IT) |
| Assurance | Support |
| Evaluators & Recommenders | Deciders & Implementers |
| Protects Assets | Seeks Profit |
| High Likelihood/Low Impact | Low Likelihood/High Impact |
| Evaluates Controls | Is a Control |

What is ERM NOT supposed to do?
- Be just one more audit
- Be just one more compliance exercise
- Be done by ONLY audit or risk management: risk management is part of the decision making process
- Prevent healthy risk taking: a good risk manager is a good risk taker

Rewarded Versus Unrewarded Risks
Rewarded Risks (opportunities to take risk): risks that are expected to bring some benefit if properly managed
- Interest Rate Risk
- Credit Risk
- Liquidity Risk
- Strategic Risks
Unrewarded Risks: those for which there is only a downside
- Transaction Risk
- Compliance Risks
- Reputation Risk
- Financial Reporting (Accounting) Risk

Managing Three Types of Risk
- Risks that impact the entire CU industry
- Risks that threaten the entire credit union
- Risks that threaten a part of the credit union

Increasing ERM Program Focus: Maintaining a Balanced Focus on Risk
(Figure: three tiers of risk spanning Creating Value to Protecting Assets, with Board and Supervisory Committee Oversight, Senior Management ERM Agenda and Risk Mgmt as the overseeing levels.)
STRATEGIC RISKS
- Executive Risk Dashboard/Report
- SWOT (risk review) with strategic planning
EXECUTION RISKS
- Credit, Market Risk Management Processes
- Operational Risk Focus
- Risk Analysis Techniques
OPERATIONS & COMPLIANCE RISKS
- Procedures, Controls, Insurance
- Business Area Risk Reviews
- Key Risk Indicators
- Early-warning Signals
The ERM program should help the organization to maintain a balanced focus on value creation (rewarded risk taking) as well as value protection (unrewarded risk mitigation). The program must be periodically assessed for effectiveness and continuously improved.

NCUA/AICPA to COSO Mapping

| NCUA/AICPA Risk Category | COSO Category |
|---|---|
| Strategy | Strategy |
| Reputation | Strategy |
| Interest Rate | Financial |
| Transaction | Operations |
| Credit | Strategy |
| Liquidity | Financial |
| Compliance | Compliance |
| Accounting | Reporting |
| Fraud | Operations |
| Information Technology | Operations |

Effective Enterprise Risk Management: Nine Principles for Building a Risk Intelligent Enterprise
1. Common Definition of Risk
2. Common Risk Framework
3. Roles & Responsibilities
4. Transparency for Governing Bodies
5. Common Risk Infrastructure
6. Executive Management Responsibility
7. Objective Assurance and Monitoring
8. Business Unit Responsibility
9. Support of Pervasive Functions
Copyright 2009 Deloitte Development LLC. All rights reserved.

ERM Organizational Maturity
1: Unaware
- Ad-hoc/chaotic
- Depends primarily on individual heroics, capabilities and verbal wisdom
2: Fragmented
- No focus on risk interlinkages
- Limited alignment of risk to strategy
- Disparate monitoring
- Reaction to adverse events by specialists
- Discrete roles established for small sets of risks
3: Top-down
- Policies, risk authorities defined and communicated
- Routine risk assessments
- Communication of key risks to the Board / Executive Committee
- Dedicated team
- Primarily qualitative
- Reactive
4: Systematic
- Coordinated risk management activities across silos
- Risk appetite is defined
- Enterprise-wide risk monitoring, measuring and reporting
- Training
- Integrated response to adverse events
- Rapid escalation
- Proactive
5: Risk intelligent
- Embedded in decision-making
- Early-warning risk indicators
- Linkage to performance measurement and incentives
- Risk modeling and scenarios
- Industry benchmarking
- Sustainable
- Technology implementation
(Figure axis labels: Un-rewarded risk to Rewarded risk. Questions along the maturity scale: Do we comply with relevant laws and regulations? Do we have integrated management information? Are we doing the things right? Are we doing the right things?)
Copyright 2009 Deloitte Development LLC. All rights reserved.

Internal Audit's Role in ERM
Core internal audit roles in regard to ERM:
- Assurance on the risk management processes
- Assurance that risks are correctly evaluated
- Evaluating risk management processes
- Evaluating the reporting of key risks
- Reviewing management of key risks
Legitimate IA roles with safeguards:
- Facilitating identification & evaluation of risks
- Coaching management in responding to risk
- Coordinating ERM activities
- Consolidated reporting on risks
- Maintaining & developing the ERM framework
- Developing RM strategy for board approval
- Championing establishment of ERM
Roles internal audit should not undertake:
- Setting the risk appetite
- Imposing risk management processes
- Management assurance on risks
- Taking decisions on risk responses
- Accountability for risk management
- Implementing risk responses

Internal Audit's Role in ERM: Advisor or Evaluator

Questions
Alan N. Siegfried, CPA, CIA, MBA
Managing Director, Quetzal GRC
Alan.Siegfried@QuetzalGRC.com
410-570-5400