IIA Tucson Chapter April 2014


Page 1: IIA Tucson Chapter April 2014 - Chapters Site - Home · PDF fileCOSO released guidance on ERM in ... KRI – unemployment stats, ... layoffs, employer closes shop) KPI – delinquency

IIA Tucson Chapter April 2014

Page 2

Discussion topics
▪ Enterprise Risk Management (ERM)
▪ Vendor Management (VM)
▪ Business Continuity Planning (BCP) and Disaster Recovery (DR)
▪ Tying the 3 together

Page 3

IIA Tucson Chapter April 2014

Page 4

Enterprise Risk Management: what do you mean by enterprise, and what risks are you talking about?
▪ Executives Rarely Manage
▪ http://www.youtube.com/watch?v=laKprX-HP94
▪ Everything Really Matters
▪ Everything Reasonably Matters
▪ Everything [within] Relative Meaning [and context]

Page 5

Why ERM is important

Adapted from source: Drive Strategy to Execution with ERM (Protiviti webinar 12/07/11)

Page 6

History & Notes
▪ COSO released guidance on ERM in 2004
▪ IMA published an ERM comparative document in 2006

Page 7

Broad Focus of the Risk Management program
▪ Enhance risk awareness and dialogue
▪ Reduce operational surprises and losses
▪ Align risk appetite and strategy
▪ Anticipate and manage cross-departmental/functional risks within the credit union

*** adapted from COSO ERM framework

Page 8

Strategic alignment

Page 9

Communication alignment
Group therapy

Page 10

Risk Appetite and Risk Tolerance
The terms are used interchangeably, but this is not recommended. In the COSO Framework they have different places in discussion and context:

Page 11

Risk Appetite and Risk Tolerance
…risk appetite is “the amount of risk, on a broad level, the organization is willing to accept in the pursuit of value” and is used as a “guidepost”

Page 12

Risk Appetite: broad-based willingness in pursuit of a mission. Ties in with company culture, ethics, values; Tone at the Top.

Risk Tolerance: a measurement that is specific to an objective, provides a range of outcomes, and is in the context of a particular event or strategy.

Page 14

RISK APPETITE

Page 15

In pursuit of pancake breakfast

RISK TOLERANCE

Page 16

Risk Appetite
Qualitative - define by asking these questions:
▪ What are we willing to do?
▪ What are we not willing to do?
▪ How will we get there? (parameters)

Quantitative – define by understanding:
▪ Values and culture
▪ Strategic priorities
▪ Capacity
▪ Policies and limits

Page 17

Risk Appetite
http://www.coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20Appetite-WEB_FINAL_r9.pdf

Page 19

Risk Appetite
Risk appetite is simply the formalization of basic business principles such as:
▪ Making risk-taking explicit,
▪ Making decisions based on risk-reward tradeoffs,
▪ Understanding potential outcomes of different decisions, and
▪ Deciding whether the organization is comfortable with the risk associated with different decisions

(source) http://www.mgt.ncsu.edu/erm/index.php/articles/entry/risk-appetite-right/

Page 20

Components of risk
▪ Inherent risk
▪ Residual risk

Page 21

Measuring risk
▪ Likelihood (potential)
▪ Impact (severity)

Page 22

Heat Map

Page 23

Exercise: risks during a camping trip

Page 24

Assessing risk

Assessment template (one row per risk):
Risk Name / ID | Risk Description | Likelihood | Impact | Inherent Risk | Controls (Describe) | Likelihood | Impact | Residual Risk ***

*** Controls Testing >>> Key Controls, Test results, Addtl Consid, Reduction Potential

Page 25

4 ways of addressing risks (risk response)
▪ Avoid
▪ Accept (monitor)
▪ Mitigate (control)
▪ Transfer - share

Page 26

Heat Map – measure both
InhErent risk is what you are Inclined to Encounter.
REsidual risk is dependent on how you REact with REsources.

Page 28

Addressing risks using Internal Audit

Risk Response

Risk Level | Score Range | Risk Response
Extreme | 19.5 - 25 | Mitigate, monitor. Avoid risk, if possible. Perform traditional detailed audit.
High | 12.5 - 19.4 | Mitigate, monitor. Perform traditional audit or informal audit (review, analysis, consulting ***REDBOOK).
Substantial | 9.5 - 12.4 | Mitigate and monitor risk. Reduce the likelihood (loss prevention) by creating or enhancing internal controls, and/or reduce the impact (loss reduction) by transferring or sharing the risk with others (e.g., insurance, agreements, etc.).
Medium | 4.5 - 9.4 | Accept risk. Monitor risk and ensure that internal controls in place are appropriate and effective. Consider process improvement opportunities.
Low | 1 - 4.4 | Accept risk. Evaluate internal controls for possible “over controlling”. Process improvement opportunities for “low hanging fruit”.
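The assessment template on page 24, the heat map on page 26 and the score bands on this slide, worked as a small risk register in Python. This is an added example, not material from the presentation; the sample risks, their controls and the tolerance values are constructed. It assumes a 5-point scale for both likelihood and impact (so scores run 1 to 25, matching the band ranges), models each control as taking whole points off likelihood or impact, and closes the gaps between the slide's score ranges by starting each band at its lower bound.

```python
from dataclasses import dataclass, field

# (lower bound, level, response) from the "Risk Response" slide; the slide's gaps
# (e.g. 12.4 to 12.5) are closed by starting each band at its lower bound.
RESPONSE_BANDS = [
    (19.5, "Extreme", "Mitigate, monitor. Avoid risk if possible. Detailed audit."),
    (12.5, "High", "Mitigate, monitor. Traditional or informal audit."),
    (9.5, "Substantial", "Mitigate and monitor. Reduce likelihood and/or impact."),
    (4.5, "Medium", "Accept. Monitor; confirm controls are appropriate."),
    (1.0, "Low", "Accept. Evaluate controls for over-controlling."),
]

@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # whole points off likelihood (assumed model)
    impact_reduction: int = 0      # whole points off impact (assumed model)

@dataclass
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain); the 5-point scale is assumed
    impact: int      # 1 (negligible) .. 5 (severe)
    tolerance: int   # highest residual score the objective owner will accept
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError(f"{self.name}: likelihood and impact must be 1..5")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_factors(self) -> tuple:
        # Controls can only lower risk, and neither factor drops below 1.
        dl = sum(c.likelihood_reduction for c in self.controls)
        di = sum(c.impact_reduction for c in self.controls)
        return max(1, self.likelihood - dl), max(1, self.impact - di)

    def residual_score(self) -> int:
        like, imp = self.residual_factors()
        return like * imp

    def within_tolerance(self) -> bool:
        return self.residual_score() <= self.tolerance

def classify(score: float) -> tuple:
    """Map a 1..25 score to (level, response); raises StopIteration below 1."""
    return next((lvl, resp) for lower, lvl, resp in RESPONSE_BANDS if score >= lower)

def heat_map(risks, residual=True):
    """5x5 grid of risk names indexed [likelihood-1][impact-1] (heat map cells)."""
    grid = [[[] for _ in range(5)] for _ in range(5)]
    for r in risks:
        like, imp = r.residual_factors() if residual else (r.likelihood, r.impact)
        grid[like - 1][imp - 1].append(r.name)
    return grid

SAMPLE_RISKS = [  # constructed sample register rows, not from the slides
    Risk("Vendor breach causes data theft", 4, 5, tolerance=9, controls=[
        Control("Vendor due diligence", likelihood_reduction=2),
        Control("Encrypt member data held by the vendor", impact_reduction=2)]),
    Risk("Credit risk (delinquency)", 3, 4, tolerance=8),
]
```

Running `heat_map(SAMPLE_RISKS, residual=False)` beside `heat_map(SAMPLE_RISKS)` shows the "measure both" point from page 26: the vendor risk moves from the Extreme corner to a Medium cell once its controls are counted, while the uncontrolled credit risk stays where it started and sits above its tolerance.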

Page 29

Measuring risk (additional considerations)
▪ Velocity
▪ Persistence
▪ [Response] Readiness
▪ Risk bias (perception)

Adapted from source: Drive Strategy to Execution with ERM (Protiviti webinar 12/07/11)

Page 30

Monitoring risk
▪ Leading – Key Risk Indicator (KRI)
▪ Lagging – Key Performance Indicator (KPI)

Example: credit risk
▪ KRI – unemployment stats, local business changes (budget cuts, layoffs, employer closes shop)
▪ KPI – delinquency stats, charge off stats

Page 31

Risk categories monitored
NCUA Defined 7
▪ Credit
▪ Interest Rate
▪ Liquidity
▪ Transaction
▪ Compliance
▪ Strategic
▪ Reputation

Plus 2
▪ Concentration risk
▪ Operations risk

Page 32

Reputation risk
Easiest one to consider. This is “headline risk”.

Page 33

Building a risk profile
Needs to be easy to digest
▪ By department
▪ By process
▪ By source category – internal, external, strategic
▪ By events and strategy***

http://erm.ncsu.edu/library/article/category-effective-risk-management#.U0mgAPldWPM

Page 34

Using ERM for strategic advantage
To get board buy-in you should focus on the strategic level and talk about the big things that could shift the business – (review question list***)

Page 35

Using ERM for strategic advantage (cont.)
Protect what we are good at
▪ Crown jewels***

Identify risks
▪ What risks do we currently face (known, KPIs, KRIs)
▪ What risks might we face (unknown, emerging, KRIs)

*** adapted from materials from erm.ncsu.edu

Page 36

Using ERM for strategic advantage (cont.)
Strategic goals/objectives
▪ Initiatives - the how of the strategy. Focus on the how to determine risks to be measured and monitored
▪ What does completion of a goal look like?
▪ Additional questions: does a new strategy add to or take away from a current advantage?

*** sourced from materials from erm.ncsu.edu

Page 37

Distinguishing ERM from Internal Controls (IA)
ERM is applied in the strategy-setting process, while internal control is applied to address many of the risks identified in strategy setting.

ERM encompasses objective setting, whereas internal control is applied to established objectives.

The ERM framework deals with alternative risk responses (risk avoidance, acceptance, sharing and reduction), while the internal control framework deals primarily with risk reduction.

Page 38

Distinguishing ERM from IA (cont.)
The ERM framework is applied in strategy setting and addresses strategic objectives. Internal control is more tactical, directed to execution of the business and to reducing risk to the achievement of objectives.

Page 39

Build links between risks
Use scenario and event planning to identify how one event or risk can cause multiple risks to occur at the same time. Quantify the magnified impact
▪ Vendor breach causes data theft, need alternative

Watch for small items that can build up to big stuff – do we have external auditors in the house? (SUD)
▪ Financial Restatement
▪ Direct TV clip http://www.ispot.tv/ad/7f64/directv-hang-gliding

Page 40

Emerging risks (and opportunities) – CU examples
▪ NCUA letters to credit unions
▪ Other regulator actions (CFPB)
▪ Headlines
▪ Competition
▪ Unique sources

Page 41

Consumer Financial Protection Bureau (CFPB)
▪ Financial services oversight
▪ Changing regulatory disclosures (mortgages, credit card statements)
▪ Asking the public (complaints DB – July 2011 to June 2013 = 176,700 consumer complaints)
▪ Reviewing and providing commentary: ODP, Add-on products, Student loans

Page 42

Black Swans (risks) – Negative impacts
▪ Terrorism attacks on 9/11

Blue Oceans (opportunities) – Positive impacts
▪ Amazon
▪ iTunes
▪ Cell phones

Page 43

Risk identification & prioritization expanded (sourced from Cornerstone ERM slides/call)

Page 44

iTunes
First mover effect: Napster in 1999. Grew to 80M users. iPod development and iTunes launched April 2003.
▪ Downloads: 1M first week, 1B 2006, 10B 2010, 25B 2013
▪ Songs avail: 200k to 260M in 2013
▪ Record Industry: Profits of $38B 2003 to $16.5B 2012

From owning to convenience: Pandora and Spotify

Sources: http://www.rollingstone.com/music/news/itunes-10th-anniversary-how-steve-jobs-turned-the-industry-upside-down-20130426 and http://entertainment.time.com/2013/04/28/happy-10th-birthday-itunes/

Page 45

4 ways of addressing opportunities (response)
▪ Accept
▪ Enhance
▪ Exploit
▪ Share (joint venture)

Page 46

Summary part 1 - for ERM to provide value it should be
▪ Linked to strategy
▪ Honest picture of current state (risks)
▪ Be proactive (emerging risks and opportunities)

Adapted from erm.ncsu.edu materials

Page 47

Summary part 2 – risk is unavoidable
Risk in doing something
▪ Walmart http://thecolbertreport.cc.com/videos/kzu5qm/walmart-s-employee-food-drive

Page 48

Summary part 2 – risk is unavoidable
Risk in doing nothing
▪ (WSJ) Target Security Staff Raised Alarm Before Data Breach
▪ (Bloomberg) Regulator Didn’t Act on Evidence of Defective GM Air Bags

Page 49

So where do I start?
▪ Frameworks
▪ Execution
▪ Resources

Page 50

Frameworks
▪ IMA article - use this as a starting point
▪ COSO
▪ ISO 31000

Page 51

ERM Framework examples

Page 52

ERM Framework examples

Page 53

ERM Execution
The selected framework
▪ How fancy
▪ How formal
▪ How structured

The way it will function
▪ CRO or Committee (it can be both)
▪ How often do we meet to discuss
▪ How do we track emerging risks/issues and reprioritize

Page 54

Resources
▪ IIA “internal audit and…”
▪ RIMS “strategic risk mgmt.”

Page 55

Resources (and certifications)
▪ IIA
▪ RIMS

Page 56

Resources
NC State University – ERM Initiative
▪ http://erm.ncsu.edu/
▪ http://erm.ncsu.edu/library/article/internal-audits-role-in-risk-management#.U0mctGdOX4Y
▪ http://erm.ncsu.edu/library/article/getting-started-with-erm#.U0meyGdOX4Z

Page 57

Resources
COSO has thought papers that are free
http://www.coso.org/guidance.htm

Page 58

Resources
The AICPA has released some guidance:
▪ Case Studies on ERM Implementations. Practical Illustrations for Launching Effective Enterprise Risk Oversight. Beasley and Hancock
▪ Risk Assessment for mid-sized companies. Scott McKay

Page 59

Resources
http://www.cgma.org/Resources/Tools/essential-tools/Pages/risk-heat-maps.aspx

Page 60

Resources
“Can Internal Audit Be a Command Center for Risk?”
▪ By leveraging the necessary technology and data, IA can contribute insights such as the following: Cyber risk, Strategic risk, Investment risk
▪ http://deloitte.wsj.com/riskandcompliance/2014/04/16/can-internal-audit-be-a-command-center-for-risk/?mod=wsjrc_hp_deloitte

Page 61

Questions, final thoughts

Jon Bruflat – CPA, CRMA
AVP Enterprise Risk Management
Vantage West Credit Union
[email protected]