Using Risk Management Frameworks
Lawrence Lake, Managing Director, Protiviti Inc.
© 2003 Protiviti Inc.

What are Risk Management Frameworks and why have them? What is a Risk Control Matrix, COSO, COBIT, Risk Universe, Key Controls, Critical Controls? Using them in SOA, ERA or Revenue Cycle.

Business risks are greater today than ever: we live in unpredictable times
• Globalization means increased exposure to international events
• Need for efficiencies, innovation and differentiation to compete
• We now know the unthinkable can happen
• Financial reporting is now a risk area
• Application is uneven at companies “applying EWRM”

Why is business risk a priority?
• Points of view from a recent survey
– Many executives see an array of ever-increasing business risks
– Business risk management practices require improvement
– Substantial revisions in business risk management have either been made or will be made
– Senior executives want more confidence that all potentially significant risks are identified and managed
Source: FEI survey

Gartner reveals top five business issues
• Cost constraints
• Security of data and privacy
• Stakeholder returns
• Managing business risk
• Innovation
Source: The Gartner Group, based upon interviews and surveys

Key indicators of need
• Management wants increased confidence that all potentially significant risks are identified and managed
• Key decisions are made without a systematic evaluation of risk and reward trade-offs
• Risk management isn’t integrated with strategic and business planning
• Risks are not systematically identified, sourced, measured and managed
• Units of the organization are managing similar risks differently
• Inability to measure performance on a risk-adjusted basis
• Capital investment process requires improvement
• Increasing demands for more information relating to risks and internal controls from the board and investors
A common framework will accelerate progress
• We need a common language
• We need criteria against which to benchmark
• Now we can communicate more effectively
• Familiarity of concepts is useful
• Application guidance is a critical piece
• Issuance of a framework is only the beginning

Traditional Risk Universe Framework
(diagram only)

Risk Control Matrix
Columns: Regulation | Risk Category | Regulatory guidance | Control Description | Program Type | Owner | Control Ranking | Tested (Y/N) | Test Plan

Regulatory Control Example: Written Policies and Procedures (OIG)
Regulation: OIG
Risk Category: Regulatory
Regulatory guidance: Implementing Written Policies and Procedures. Develop and distribute written standards of conduct, as well as written policies, procedures, and protocols that verbalize the company's commitment to compliance (section C)
Program Type: General
Control 1: Vendor commitment to compliance is documented in a written code of conduct document. Owner: Vendor. Control Ranking: Primary. Test Plan: Obtain copy of vendor compliance documentation (e.g., code of conduct).
Control 2: Vendor sign-off on program contract specifying intention to comply with TAP internal guidelines and code of conduct. Owner: Pharmaceutical Manufacturer. Control Ranking: Secondary. Test Plan: Review contract with vendor to ensure a contract exists specifying requirements and that vendor signature occurs.

Control Levels
• Entity-level Controls
– Entity-level controls are those controls that management relies upon to establish the appropriate “tone at the top” relative to financial reporting. An entity-level assessment for each control entity should be conducted as early as possible in the evaluation process
• Process-Level Controls
– Process-level controls are usually directly involved with initiating, recording, processing or reporting transactions
• General IT and Application Controls
– General IT controls typically impact a number of individual applications and data in the technology environment
– Application controls relate primarily to the controls programmed within an application that can be relied upon to mitigate business process-level risks

Control Levels – Examples of Entity-Level Controls
COSO Component: Attributes
Risk Assessment: Entity-wide objectives; Activity-level objectives; Risk identification; Managing change
Control Environment: Integrity and ethical values; Commitment to competence; Board of Directors or Audit Committee; Management’s philosophy and operating style; Organizational structure; Assignment of authority and responsibility; Human resource policies and procedures
Information and Communication: External and internal information is identified, captured, processed and reported; Effective communication down, across and up the organization
Control Activities: Policies, procedures, and actions to address risks to achievement of stated objectives
Monitoring: Ongoing monitoring; Separate evaluations; Reporting deficiencies
Source: Section 404 FAQs, Question 40.
Application: Address attributes for each COSO component. For each attribute, evaluate appropriate points of focus, as illustrated below for ONE attribute, Human Resource Policies and Procedures.
Points of Focus:
• Is there a process for defining the level of competence needed for specific jobs, including the requisite knowledge and skills?
• Are there human resource policies and processes for acquiring, recognizing, rewarding, and developing personnel in key positions?
• Is the background of prospective employees checked and references obtained?
• Are performance expectations clearly defined and reinforced with appropriate performance measures?
• Are employee retention, promotion and performance evaluation processes effective?
• Is the established code of conduct reinforced and disciplinary action taken when warranted?
• Are everyone’s control-related responsibilities clearly articulated and carried out?

Control Types
• Manual vs. System-based controls
– Manual controls predominantly depend upon the manual execution by one or more individuals
– Automated controls predominantly rely upon programmed applications or IT systems to execute a step or perhaps prevent a transaction from occurring without manual decision or interaction
– There are also system-dependent manual controls, e.g., controls that are manual (comparing one thing to another) but where what is being compared is system-generated and not independently corroborated; therefore, the manual control is dependent on the reliability of system processing
• Preventive vs. Detective controls
– Preventive controls, either people-based or systems-based, are designed to prevent errors or omissions from occurring and are generally positioned at the source of the risk within a business process
– Detective controls are processes, either people-based or systems-based, that are designed to detect and correct an error (or fraud) or an omission in a timely manner prior to completion of a stated objective (e.g., beginning the next transaction processing cycle, closing the books, preparing final financial reports, etc.)
Control Reliability
• As transaction volumes increase and calculations become more complex, systems-based controls are often more reliable than people-based controls because they are less prone to mistakes than human beings, if designed, operated, maintained and secured effectively
• A shift toward an anticipatory, proactive approach to controlling risk requires greater use of preventive controls than the reactive ‘find and fix’ approach embodied in a detective control
• Effectively designed controls that prevent risk at the source free up people resources to focus on the critical tasks of the business
Reliability ordering, from MORE RELIABLE/DESIRABLE to LESS RELIABLE/DESIRABLE:
1. Systems-based, preventive control
2. Systems-based, detective control
3. People-based, preventive control
4. People-based, detective control
NOTE: The above framework is intended to apply to process-level controls. It does not always apply at the entity-level, e.g., the internal audit function.

What is a Critical Control?
Definitions:
• KEY CONTROL: An activity or task performed by management or other personnel designed to provide reasonable assurance regarding the achievement of certain objectives as well as mitigating the risk of an unanticipated outcome. Significant reliance is placed upon this control’s effective design and operation. Upon failure of the key control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified. In other words, reasonable assurance of achieving the process’ objectives could not be obtained.
• CRITICAL CONTROL: The FIRST subset of key controls; these controls have a pervasive impact on financial reporting (segregation of duties, system and data access, change controls, physical safeguards, authorizations, input controls, reconciliations, review process, etc.) and have the most direct impact on achieving financial statement assertions. Upon failure of a critical control, the risk of occurrence of an undesired activity would not be mitigated regardless of other controls identified within ANY process. Failure of critical controls would affect the ability of management to achieve not only process objectives, but also the company’s financial statement objectives.

Control Types
• Primary vs. secondary controls
– Primary controls are controls that are especially critical to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions for each significant account balance, class of transactions and disclosure; these are the controls that managers and process owners primarily rely on
– Secondary controls are important to the mitigation of risk and the ultimate achievement of one or more financial reporting assertions, but are not considered “critical” by management and process owners; while these controls are significant, there are compensating controls that also assist in achieving the assertions
• Controls over routine processes vs. controls over non-routine processes
– Controls over routine processes are the manual and automated controls over transactions
– Controls over non-routine processes are the manual and automated controls over estimates and period-end adjustments; these controls often address the greatest risks in the financial reporting process and are most susceptible to management override
Control Levels – Examples of Common Process-Level Control Activities
Pervasive Process-Level Controls*
• Establish and communicate objectives
• Authorize and approve
• Establish boundaries and limits
• Assign key tasks to quality people
• Establish accountability for results
• Measure performance
• Facilitate continuous learning
• Segregate incompatible duties
• Restrict process system and data access
• Create physical safeguards
• Implement process/systems change controls
• Maintain redundant/backup capabilities
*Controls affecting multiple processes, including entity-level and general IT controls

Specific Process-Level Controls**
• Obtain prescribed approvals
• Establish transaction/document control
• Establish processing/transmission control totals
• Establish/verify sequencing
• Validate against predefined parameters
• Test samples/assess process performance
• Recalculate computations
• Perform reconciliations
• Match and compare
• Independently analyze results for reasonableness
• Independently verify existence
• Verify occurrence with counterparties
• Report and resolve exceptions
• Evaluate reserve requirements
**Controls specific to a process, including programmed application controls

What is the COSO ERM Framework?

SOA and the COSO Framework
Complying with SOA Section 404 in the Context of the COSO Framework
The COSO Framework is recommended by the SEC as an accepted internal control framework to guide corporate compliance with SOA 404. COSO requires an entity-level (or “tone at the top”) internal control focus and an activity or process level focus (the right side of the cube), with the three objectives of effectiveness and efficiency of operations (including safeguarding of assets), reliability of financial reporting, and compliance with applicable laws and regulations (across the top of the cube). Our approach captures the five components of internal control: the control environment, risk assessment, control activities, information/communication, and monitoring.

The COSO ERM Framework
• Began over four years ago
• COSO concluded a broadly recognized common structure for ERM is needed
• Framework developed through input from many sources, including members of the five COSO organizations
• Originally authored by PwC
• COSO-appointed advisory council provided input and guidance to the process

The COSO ERM Framework…
• Was initiated in May 2001, before the events leading to The Sarbanes-Oxley Act of 2002
• Speaks to many of the issues currently facing organizations
– How does an organization determine the appropriate level of risk for the value it seeks to create for stakeholders?
– How does an organization communicate its risk policy to stakeholders?
• Final Version released September 2004

The COSO ERM Framework…
• Details essential components and concepts of enterprise risk management for all organizations, regardless of size
• Identifies the interrelationships between enterprise risk management and internal control
• Is intended to be a comprehensive and holistic approach
• Is intended for application across many sectors and organizations

ERM provides a pathway for supporting ongoing compliance AND moving beyond compliance
• An enterprise-wide risk assessment process feeds new risks into the disclosure process in a more timely manner as they emerge
• ERM builds upon the disclosure infrastructure to broaden the focus on transparency beyond financial reporting
• ERM instills the discipline needed to continuously improve risk management capabilities
• The COSO ERM Framework:
– Provides a much needed common language
– Illustrates how ERM is built around the Internal Control – Integrated Framework
The COSO Framework provides an understanding of the components of ERM
(COSO ERM cube: components Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring; objective categories Strategic, Operations, Reporting, Compliance; organizational levels Entity-Level, Division, Business Unit, Subsidiary)
Enterprise Risk Management:
• Is a process
• Is effected by people
• Is applied in strategy setting
• Is applied across the enterprise
• Is designed to identify potential events
• Manages risks within risk appetite
• Provides reasonable assurance
• Supports achievement of objectives
Source: COSO proposed ERM Framework

The COSO ERM Framework – Internal Environment
• Risk management philosophy
• Risk culture
• Board of directors
• Integrity and ethical values
• Commitment to competence
• Management’s philosophy and operating style
• Risk appetite
• Organizational structure
• Assignment of authority and responsibility
• Human resources policies and practices
Key points:
• Reinforces “control environment”
• Adds key risk elements
Source: COSO proposed ERM Framework

The COSO ERM Framework – Objective Setting
• Strategic objectives
• Related objectives
• Selected objectives
• Risk appetite
• Risk tolerance
Key points:
• Integration with strategic management
• Integration with business planning (operations)
• Integration with performance measurement
• Integration with compliance function
Source: COSO proposed ERM Framework

The COSO ERM Framework – Event Identification
• Events
• Factors influencing strategy and objectives
• Methodologies and techniques
• Event interdependencies
• Event categories
• Risks and opportunities
Key points:
• Focus on objectives
• Need a common language
• Group into “families”
• Understanding interdependencies is the foundation for model building
Source: COSO proposed ERM Framework

The COSO ERM Framework – Risk Assessment
• Inherent and residual risk
• Likelihood and impact
• Methodologies and techniques
• Correlation
Key points:
• Focus on events
• Need a common process
• Correlations enable more effective measurement
Source: COSO proposed ERM Framework

Prioritize Risks
(diagram only)

The COSO ERM Framework – Risk Response
• Identify risk response
• Evaluate possible risk responses
• Select responses
• Portfolio view
Key points:
• Several responses available
• Choices are strategic and tactical
• This makes risk management “real” to operators
Source: COSO proposed ERM Framework

The COSO ERM Framework – Control Activities
• Integration with risk response
• Types of control activities
• General controls
• Application controls
• Entity specific
Key points:
• Integral to risk response
• Similar to integrated framework
• Emphasize preventive and systems-based controls
Source: COSO proposed ERM Framework

The COSO ERM Framework – Information & Communication
• Information
• Strategic and integrated systems
• Communication
Key points:
• Similar to integrated framework but expanded focus
Source: COSO proposed ERM Framework

The COSO ERM Framework – Monitoring
• Separate evaluations
• Ongoing evaluations
Key points:
• Similar to integrated framework but expanded focus
Source: COSO proposed ERM Framework

The COSO ERM Framework – What’s the message?
• There are a multitude of possible elements that make up an ERM solution; the COSO framework lists many of these elements
• Companies have different objectives, strategies, structure, culture, risk appetite and financial wherewithal; no two ERM solutions are alike
• The specific policies, processes, skillsets, reports, methodologies and systems comprising the elements defining the solution for one company may differ from another company
• Companies looking for off-the-shelf ERM solutions are setting themselves up for disappointment, in terms of what they find or the results they get
Recognize that ERM is a journey not a destination and requires a change process
(Diagram: Current State to Future State, the “Achievable Goal”, with Drivers and Constraints acting on the path and Increasing Risk Management Capabilities as the direction of travel)
Questions along the journey:
• Why do we need to begin our journey?
• Where are we now?
• How do we get there?
• What elements need to be put in place?
• What are the obstacles along the way?
• What are the expected outcomes?
• How will we know we are successful?

Risk management focus, scope and emphasis are often limited
Columns: Risk Management (“CURRENT STATE” CAPABILITIES) | Business Risk Management | Enterprise Risk Management (“FUTURE STATE” VISION)
Focus: Financial and hazard risks and internal controls | Business risk and internal controls | Business risk and internal controls
Objective: Preserve enterprise value | Preserve enterprise value | Create and preserve enterprise value
Scope: Selected risk areas, units and processes | Selected risk areas, units and processes | Enterprise-wide
Emphasis: Financial and operations | Management | Strategy
Application: Treasury, insurance and operations involved | Business managers accountable (risk-by-risk) | Strategy, people, process, technology and knowledge aligned to manage risk on an enterprise-wide basis

Know Your End Game: the journey can start with SOA
(Staircase diagram: value contributed rises over time; the first step is Required, the later steps are Voluntary; step labels include Implement Ongoing Compliance Structure, Sustainability of the Control Structure and Improve Quality, Cost and Time)
Steps and DRIVERS:
1. Section 404 Compliance: Comply with 302 and 404 (INDUSTRY: All)
2. Section 404 and 302 Integration / Self-Assessment (INDUSTRY: All)
• Reinforce process owner accountability
• Identify areas to address
• Comply with SOA
3. Other Compliance (INDUSTRY: Health care, FSI)
• Comply with other regulations
• Comply with SOA
4. Operational Effectiveness and Efficiency (INDUSTRY: All)
• Improve quality
• Reduce costs
• Compress time
5. Enterprise Risk Management: Protect and Enhance Enterprise Value (INDUSTRY: All)
• Improve governance
• Improve risk evaluation
• Improve strategy setting
• Achieve business objectives

COBIT’s Control Framework
• Starts from the premise that IT needs to deliver the information that the enterprise needs to achieve its objectives
• Promotes process focus and process ownership
• Divides IT into 34 processes belonging to four domains (Planning, Acquiring & Implementing, Delivery & Support, Monitoring) and provides a high-level control objective for each
• Looks at fiduciary, quality and security needs of enterprises, providing seven information criteria (Effectiveness, Efficiency, Availability, Integrity, Confidentiality, Reliability, Compliance) that can be used to generically define what the business requires from IT
• Is supported by a set of over 300 detailed control objectives

The CobiT Framework’s Principles
(Diagram: Business Requirements, IT Processes, IT Resources)

The CobiT Framework’s Principles
(diagram only)

COBIT Cube
(Diagram: Information Criteria (Fiduciary, Quality, Security) by IT Resources (People, Application Systems, Technology, Facilities, Data) by IT Processes (Domains, Processes, Activities))

Sarbanes-Oxley, COSO and CobiT®
IT controls should consider the overall governance framework to support the quality and integrity of information.
(Diagram: COBIT Objectives (Plan and Organize, Acquire and Implement, Deliver and Support, Monitor and Evaluate) mapped against the COSO Components (Control Environment, Risk Assessment, Control Activities, Information and Communication, Monitoring), with Section 404 and Section 302 overlaid)
Controls in IT are relevant to both financial reporting and disclosure requirements of Sarbanes-Oxley.
Competency in all five layers of COSO’s framework is necessary to achieve an integrated control program.

Implementing an ERM Framework: what do we need?

Define and implement the ERM solution
• Following is an illustrative approach for facilitating a change process
• The objective is to craft a future goal state for risk management within the organization and sustain the journey toward realizing that goal
Phases: Define Project Scope; Create ERM Vision; Build ERM Business Case; Manage ERM Journey; Continuously Improve ERM Capabilities

Define project scope
• Articulate the problem to be solved (the “business motivation”)
• Define project sponsor
• Organize working committee of senior executives
• Articulate “current state”
• Inventory existing risk management initiatives

Create ERM vision
• Define risk management vision, goals and objectives
• Define “future goal state”
• Understand the “journey elements” needed to make the future state happen
– Foundation elements
– Process elements
– Enhancement elements

Identify the relevant journey elements
Categories of ERM Journey Elements, in order of increasing risk management capabilities (the EWRM value proposition):
• FOUNDATION ELEMENTS: Adopt common language; Establish oversight and governance
• PROCESS ELEMENTS: Assess risk and develop strategies; Design/implement capabilities
• ENHANCEMENT ELEMENTS: Continuously improve; Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage
A “journey element” consists of the processes, people, reports, methodologies, technology, or a combination thereof, integrated within the ERM solution to achieve the expected outcomes specified in the business case

Examples of foundation elements
Adopt common language
Does the company have a common language for risks and risk management?
Possible journey elements:
• Risk model
• Risk management glossary
• Process classification scheme
• Other relevant frameworks
Possible expected outcomes:
• Improved dialogue about risk and its sources, drivers or root causes
• More organized process for sharing of information
• Increase chances of identifying all key risks
• Enable people from multiple disciplines to focus on issues faster

Establish oversight and governance
Does the company have an effective oversight structure and governance overall?
Possible journey elements:
• Overall risk management policy
• Top-down communications of risk management direction
• Organizational oversight structure, with Board oversight
• Risk management oversight committee(s) and management accountability
• Designated senior executive responsible for risk management (i.e., a CRO)
• Integrated risk management and governance processes
• Business risk management staff function
Possible expected outcomes:
• Achieve clarity as to risk management role, purpose and accountabilities
• Get things done quicker by executives empowered to act

The company’s selected “journey elements” build COSO ERM components
(Matrix marked with X where a journey element builds a COSO ERM component; the cell marks are not recoverable from the extracted text)
Rows (COSO ERM components): Internal Environment; Objective Setting; Event Identification; Risk Assessment; Risk Response; Control Activities; Information & Communication; Monitoring
Columns (Categories of ERM Journey Elements): FOUNDATION: Adopt common language; Establish oversight and governance. PROCESS: Assess risk and develop strategies; Design/implement capabilities. ENHANCEMENT: Continuously improve; Quantify multiple risks enterprise-wide; Improve enterprise performance; Establish sustainable competitive advantage
Build ERM business case
• Articulate the ERM vision, including the desired journey elements and expected outcomes
• Describe the overall effort
• Analyze the related costs and benefits and provide the economic justification for going forward
• Provide a context for monitoring progress over time

Manage ERM journey
• Organize the ERM journey to understand and respond to sponsor expectations, address change issues, manage journey risks/constraints and communicate relevant messages often
• Develop journey management plan, laying out the appropriate sequence of elements
• Monitor journey performance
• Assess journey impact
• Manage discrete projects to deliver the journey elements according to the selected priority and appropriate sequence

Continuously improve ERM capabilities
• Continuously improve capabilities to move the company up the capability maturity curve