IIA Tucson Chapter April 2014

Discussion topics
▪ Enterprise Risk Management (ERM)
▪ Vendor Management (VM)
▪ Business Continuity Planning (BCP) and Disaster Recovery (DR)
▪ Tying the 3 together
Enterprise Risk Management
What do you mean by enterprise, and what risks are you talking about?
▪ Executives Rarely Manage
▪ http://www.youtube.com/watch?v=laKprX-HP94
▪ Everything Really Matters
▪ Everything Reasonably Matters
▪ Everything [within] Relative Meaning [and context]

Why ERM is important
Adapted from source: Drive Strategy to Execution with ERM (Protiviti webinar 12/07/11)

History & Notes
COSO released guidance on ERM in 2004. IMA published an ERM comparative document in 2006.

Broad Focus of the Risk Management program
▪ Enhance risk awareness and dialogue
▪ Reduce operational surprises and losses
▪ Align risk appetite and strategy
▪ Anticipate and manage cross-departmental/functional risks within the credit union
*** adapted from COSO ERM framework

Strategic alignment

Communication alignment: group therapy
Risk Appetite and Risk Tolerance
The terms are used interchangeably, but this is not recommended. In the COSO Framework they have different places in the discussion and context:

Risk Appetite and Risk Tolerance
…risk appetite is “the amount of risk, on a broad level, the organization is willing to accept in the pursuit of value” and is used as a “guidepost”.

Risk Appetite
Broad-based willingness in pursuit of a mission. Ties in with company culture, ethics, values; tone at the top.

Risk Tolerance
A measurement that is specific to an objective, provides a range of outcomes, and is in the context of a particular event or strategy.
RISK APPETITE
Balanced?
▪ Cook at home or fast food?
▪ Time of day
▪ Meals skipped
▪ On the run or take time

RISK APPETITE
In pursuit of pancake breakfast

RISK TOLERANCE

Risk Appetite
Qualitative: define by asking these questions:
▪ What are we willing to do?
▪ What are we not willing to do?
▪ How will we get there? (parameters)
Quantitative: define by understanding:
▪ Values and culture
▪ Strategic priorities
▪ Capacity
▪ Policies and limits

Risk Appetite
http://www.coso.org/documents/ERM-Understanding%20%20Communicating%20Risk%20Appetite-WEB_FINAL_r9.pdf

Risk Tolerance
Think of risk tolerance like budgeting: a range of outcomes and scenario planning.
(graphic sourced) http://www.coso.org/documents/COSOKRIPaperFull-FINALforWebPostingDec110_000.pdf

Risk Appetite
Risk appetite is simply the formalization of basic business principles such as:
▪ Making risk-taking explicit,
▪ Making decisions based on risk-reward tradeoffs,
▪ Understanding potential outcomes of different decisions, and
▪ Deciding whether the organization is comfortable with the risk associated with different decisions
(source) http://www.mgt.ncsu.edu/erm/index.php/articles/entry/risk-appetite-right/
Components of risk
▪ Inherent risk
▪ Residual risk

Measuring risk
▪ Likelihood (potential)
▪ Impact (severity)

Heat Map
Exercise: risks during a camping trip
Assessing risk
Risk register columns:
▪ Risk Name / ID
▪ Risk Description
▪ Inherent Risk: Likelihood, Impact
▪ Controls (*** describe)
▪ Residual Risk: Likelihood, Impact
*** Controls Testing >>> Key Controls, Test results, Additional Considerations, Reduction Potential

4 ways of addressing risks (risk response)
▪ Avoid
▪ Accept (monitor)
▪ Mitigate (control)
▪ Transfer (share)

Heat Map: measure both
InhErent risk is what you are Inclined to Encounter. REsidual risk is dependent on how you REact with REsources.
COSO thought paper on risk assessment. Review link: http://www.coso.org/documents/COSOAnncsOnlineSurvy2GainInpt4Updt2IntrnlCntrlIntgratdFrmwrk%20-%20for%20merge_files/COSO-ERM%20Risk%20Assessment%20inPractice%20Thought%20Paper%20OCtober%202012.pdf

Addressing risks using Internal Audit
Risk Response
Risk Level (Score Range): Risk Response
▪ Extreme (19.5 - 25): Mitigate, monitor. Avoid risk, if possible. Perform traditional detailed audit.
▪ High (12.5 - 19.4): Mitigate, monitor. Perform traditional audit or informal audit (review, analysis, consulting ***REDBOOK).
▪ Substantial (9.5 - 12.4): Mitigate and monitor risk. Reduce the likelihood (loss prevention) by creating or enhancing internal controls, and/or reduce the impact (loss reduction) by transferring or sharing the risk with others (e.g., insurance, agreements, etc.).
▪ Medium (4.5 - 9.4): Accept risk. Monitor risk and ensure that internal controls in place are appropriate and effective. Consider process improvement opportunities.
▪ Low (1 - 4.4): Accept risk. Evaluate internal controls for possible “over controlling”. Process improvement opportunities for “low hanging fruit”.

Measuring risk (additional considerations)
▪ Velocity
▪ Persistence
▪ [Response] Readiness
▪ Risk bias (perception)
Adapted from source: Drive Strategy to Execution with ERM (Protiviti webinar 12/07/11)
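As an added illustration (not from the presentation or its sources) of the risk register columns and the Risk Response score table above, the following Python models one register row: the inherent score, the residual score after controls that passed controls testing, the reduction potential, and the response tier. It assumes a 5-point likelihood and impact scale with score = likelihood x impact, which is what yields the table's 1 to 25 range; the per-control reductions, the sample risk and its controls are constructed values, not figures from the slides.

```python
from __future__ import annotations
from dataclasses import dataclass, field
# Score ranges and responses from the slide's Risk Response table (responses abbreviated).
RESPONSE_TABLE = [
    (19.5, 25.0, "Extreme", "Mitigate, monitor; avoid if possible; detailed audit"),
    (12.5, 19.4, "High", "Mitigate, monitor; traditional or informal audit"),
    (9.5, 12.4, "Substantial", "Mitigate and monitor; reduce likelihood/impact or transfer"),
    (4.5, 9.4, "Medium", "Accept; monitor and confirm controls are effective"),
    (1.0, 4.4, "Low", "Accept; check for over-controlling, look for process improvements"),
]
@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0  # assumed model: scale points removed from likelihood
    impact_reduction: int = 0      # assumed model: scale points removed from impact
    tested_effective: bool = True  # controls-testing result; a failed control earns no credit

@dataclass
class Risk:
    risk_id: str
    description: str
    likelihood: int  # assumed 1..5 scale (potential); score = likelihood x impact (1..25)
    impact: int      # assumed 1..5 scale (severity)
    controls: list[Control] = field(default_factory=list)
    def __post_init__(self) -> None:
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be rated 1..5")
    def residual_rating(self) -> tuple[int, int]:
        # Only controls that passed testing reduce the rating, and never below 1.
        eff = [c for c in self.controls if c.tested_effective]
        return (max(1, self.likelihood - sum(c.likelihood_reduction for c in eff)),
                max(1, self.impact - sum(c.impact_reduction for c in eff)))
def response_for(score: float) -> tuple[str, str]:
    # Map a 1..25 score to (risk level, response) using the slide's ranges.
    for low, high, level, response in RESPONSE_TABLE:
        if low <= score <= high:
            return level, response
    raise ValueError(f"score {score} is outside the 1..25 table")
def register_row(risk: Risk) -> dict:
    # One register row: inherent and residual scores/levels, reduction potential, response.
    lik, imp = risk.residual_rating()
    inh, res = risk.likelihood * risk.impact, lik * imp
    return {"id": risk.risk_id, "inherent": inh, "inherent_level": response_for(inh)[0],
            "residual": res, "residual_level": response_for(res)[0],
            "reduction_potential": inh - res, "response": response_for(res)[1]}
# Constructed sample: the vendor-breach scenario from the "build links between risks" slide.
SAMPLE = Risk("R-01", "Vendor breach causes member data theft", 4, 5, [
    Control("vendor due diligence and contract terms", likelihood_reduction=1),
    Control("encryption of data held by vendor", impact_reduction=2, tested_effective=False)])
```

For the sample, the failed encryption control earns no credit, so the residual rating is (3, 5) and the risk only drops from Extreme to High; had it passed testing, the residual would be 9 (Medium), which is the reduction potential the register is meant to surface.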
Monitoring risk
▪ Leading: Key Risk Indicator (KRI)
▪ Lagging: Key Performance Indicator (KPI)
Example: credit risk
▪ KRI: unemployment stats, local business changes (budget cuts, layoffs, employer closes shop)
▪ KPI: delinquency stats, charge-off stats

Risk categories monitored
NCUA defined 7:
▪ Credit
▪ Interest Rate
▪ Liquidity
▪ Transaction
▪ Compliance
▪ Strategic
▪ Reputation
Plus 2:
▪ Concentration risk
▪ Operations risk

Reputation risk
Easiest one to consider. This is “headline risk”.

Building a risk profile
Needs to be easy to digest:
▪ By department
▪ By process
▪ By source category: internal, external, strategic
▪ By events and strategy***
http://erm.ncsu.edu/library/article/category-effective-risk-management#.U0mgAPldWPM
Using ERM for strategic advantage
To get board buy-in you should focus on the strategic level and talk about the big things that could shift the business (review question list***).

Using ERM for strategic advantage (cont.)
Protect what we are good at
▪ Crown jewels***
Identify risks
▪ What risks do we currently face (known, KPIs, KRIs)
▪ What risks might we face (unknown, emerging, KRIs)
*** adapted from materials from erm.ncsu.edu

Using ERM for strategic advantage (cont.)
Strategic goals/objectives
▪ Initiatives: the how of the strategy. Focus on the how to determine risks to be measured and monitored
▪ What does completion of a goal look like?
▪ Additional questions: does a new strategy add to or take away from a current advantage?
*** sourced from materials from erm.ncsu.edu

Distinguishing ERM from Internal Controls (IA)
ERM is applied in the strategy-setting process, while internal control is applied to address many of the risks identified in strategy setting.
ERM encompasses objective setting, whereas internal control is applied to established objectives.
The ERM framework deals with alternative risk responses (risk avoidance, acceptance, sharing and reduction), while the internal control framework deals primarily with risk reduction.

Distinguishing ERM from IA (cont.)
The ERM framework is applied in strategy setting and addresses strategic objectives. Internal control is more tactical, directed to execution of the business and to reducing risk to the achievement of objectives.
Build links between risks
Use scenario and event planning to identify how one event or risk can cause multiple risks to occur at the same time. Quantify the magnified impact.
▪ Vendor breach causes data theft, need alternative
Watch for small items that can build up to big stuff: do we have external auditors in the house? (SUD)
▪ Financial Restatement
▪ DirecTV clip http://www.ispot.tv/ad/7f64/directv-hang-gliding

Emerging risks (and opportunities): CU examples
▪ NCUA letters to credit unions
▪ Other regulator actions (CFPB)
▪ Headlines
▪ Competition
▪ Unique sources

Consumer Financial Protection Bureau (CFPB)
▪ Financial services oversight
▪ Changing regulatory disclosures (mortgages, credit card statements)
▪ Asking the public (complaints DB: July 2011 to June 2013 = 176,700 consumer complaints)
▪ Reviewing and providing commentary: ODP, add-on products, student loans

Black Swans (risks): negative impacts
▪ Terrorism attacks on 9/11
Blue Oceans (opportunities): positive impacts
▪ Amazon
▪ iTunes
▪ Cell phones
Risk identification & prioritization expanded (sourced from Cornerstone ERM slides/call)

iTunes
First mover effect: Napster in 1999. Grew to 80M users. iPod development and iTunes launched April 2003.
▪ Downloads: 1M first week, 1B 2006, 10B 2010, 25B 2013
▪ Songs available: 200k to 260M in 2013
▪ Record Industry: profits of $38B 2003 to $16.5B 2012
From owning to convenience: Pandora and Spotify
Sources: http://www.rollingstone.com/music/news/itunes-10th-anniversary-how-steve-jobs-turned-the-industry-upside-down-20130426 and http://entertainment.time.com/2013/04/28/happy-10th-birthday-itunes/

4 ways of addressing opportunities (response)
▪ Accept
▪ Enhance
▪ Exploit
▪ Share (joint venture)

Summary part 1: for ERM to provide value it should be
▪ Linked to strategy
▪ An honest picture of the current state (risks)
▪ Proactive (emerging risks and opportunities)
Adapted from erm.ncsu.edu materials

Summary part 2: risk is unavoidable
Risk in doing something
▪ Walmart http://thecolbertreport.cc.com/videos/kzu5qm/walmart-s-employee-food-drive

Summary part 2: risk is unavoidable
Risk in doing nothing
▪ (WSJ) Target Security Staff Raised Alarm Before Data Breach
▪ (Bloomberg) Regulator Didn’t Act on Evidence of Defective GM Air Bags
So where do I start?
▪ Frameworks
▪ Execution
▪ Resources

Frameworks
▪ IMA article: use this as a starting point
▪ COSO
▪ ISO 31000

ERM Framework examples

ERM Execution
The selected framework
▪ How fancy
▪ How formal
▪ How structured
The way it will function
▪ CRO or Committee (it can be both)
▪ How often do we meet to discuss
▪ How do we track emerging risks/issues and reprioritize

Resources
▪ IIA “internal audit and…”
▪ RIMS “strategic risk mgmt.”

Resources (and certifications)
▪ IIA
▪ RIMS

Resources
NC State University ERM Initiative
http://erm.ncsu.edu/
http://erm.ncsu.edu/library/article/internal-audits-role-in-risk-management#.U0mctGdOX4Y
http://erm.ncsu.edu/library/article/getting-started-with-erm#.U0meyGdOX4Z
Resources
COSO has thought papers that are free: http://www.coso.org/guidance.htm

Resources
The AICPA has released some guidance:
▪ Case Studies on ERM Implementations: Practical Illustrations for Launching Effective Enterprise Risk Oversight (Beasley and Hancock)
▪ Risk Assessment for mid-sized companies (Scott McKay)

Resources
http://www.cgma.org/Resources/Tools/essential-tools/Pages/risk-heat-maps.aspx

Resources
“Can Internal Audit Be a Command Center for Risk?”
▪ By leveraging the necessary technology and data, IA can contribute insights such as the following: cyber risk, strategic risk, investment risk
▪ http://deloitte.wsj.com/riskandcompliance/
http://deloitte.wsj.com/riskandcompliance/2014/04/16/can-internal-audit-be-a-command-center-for-risk/?mod=wsjrc_hp_deloitte

Questions, final thoughts
Jon Bruflat, CPA, CRMA
AVP Enterprise Risk Management, Vantage West Credit Union
[email protected]